
Enforcing Access Control to Cloud With Preserved Users Privacy

IJCSEC Front Page

Access control policies (ACPs) define user roles and their access rights to confidential data. Fine-grained access control on confidential data hosted in the cloud is based on fine-grained encryption of the data, in which data owners are in charge of encrypting the data before uploading them to the cloud and re-encrypting the data whenever user credentials change. When data owners perform the re-encryption, they incur high communication and computation costs. To reduce the overhead at the data owner, the enforcement of access control is delegated to the cloud, while assuring data confidentiality from the cloud. In order to delegate access control to the cloud, an approach based on two layers of encryption is proposed, in which the data owner performs a lower-level encryption, whereas the cloud performs a higher-level encryption. Using a Policy Decomposition algorithm, the ACPs are decomposed between the owner and the cloud to perform the two layers of encryption. With two layer encryption (TLE), the system guarantees the confidentiality of the data from the cloud and preserves the privacy of users from the cloud while delegating most of the access control enforcement to the cloud.
Keywords: Privacy, Identity Attribute, Cloud Computing, Policy Decomposition, Encryption, Access Control.
Security and privacy represent the major concerns in the adoption of cloud technologies for data storage. An approach to mitigate these concerns is the use of encryption. However, although encryption assures the confidentiality of the data against the cloud, the use of conventional encryption approaches is not sufficient to support the enforcement of fine-grained organizational access control policies (ACPs). Many organizations today have ACPs regulating which users can access which data; these ACPs are often expressed in terms of the properties of the users, referred to as identity attributes. Such an approach, referred to as attribute-based access control (ABAC), supports fine-grained access control, which is crucial for high assurance. Supporting ABAC over encrypted data is a critical requirement in order to utilize cloud storage services for selective data sharing among different users. Notice that user identity attributes often encode private information and should be strongly protected from the cloud, very much like the data themselves. The approach that overcomes the shortcomings of fine-grained encryption and supports ABAC policies is based on two layers of encryption applied to each data item uploaded to the cloud.
The data owner performs a coarse-grained encryption over the data in order to assure the confidentiality of the data from the cloud. Then the cloud performs a fine-grained encryption over the encrypted data provided by the data owner, based on the ACPs provided by the data owner. A challenging issue in the TLE approach is how to decompose the ACPs so that fine-grained ABAC enforcement can be delegated to the cloud while at the same time the privacy of the identity attributes of the users and the confidentiality of the data are assured. In order to delegate as much access control enforcement as possible to the cloud, one needs to decompose the ACPs such that the data owner manages the minimum number of attribute conditions in those ACPs that assures the confidentiality of the data from the cloud. Each ACP should be decomposed into two sub ACPs such that the conjunction of the two sub ACPs results in the original ACP. The two layer encryption should be performed such that the data owner first encrypts the data based on one set of sub ACPs and the cloud re-encrypts the encrypted data using the other set of sub ACPs. The two encryptions together enforce the ACP, as users must perform two decryptions to access the data. The TLE approach has many advantages. When the policy or user dynamics change, only the outer layer of encryption needs to be updated. Since the outer layer encryption is performed at the cloud, no data transmission is required between the data owner and the cloud.
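The decomposition requirement described above can be sketched as follows. This is an added example, not the paper's Policy Decomposition algorithm: it assumes each ACP is a plain conjunction of attribute conditions, uses a greedy hitting-set heuristic to keep the owner's share small, and all policy names and conditions are constructed.

```python
from collections import Counter

# Constructed sample ACPs: each is a conjunction (set) of attribute conditions.
ACPS = {
    "acp1": frozenset({"role=doctor", "dept=cardiology"}),
    "acp2": frozenset({"role=doctor", "level>=5"}),
    "acp3": frozenset({"role=nurse", "dept=cardiology", "yos>=2"}),
}

def decompose(acps):
    """Split every ACP into (owner_sub_acp, cloud_sub_acp).

    The owner must hold at least one condition of every ACP, otherwise the
    cloud-side layer alone would decide access to that data. A greedy
    hitting set (assumed heuristic) keeps the owner-managed set small.
    """
    owner_conds, uncovered = set(), set(acps)
    while uncovered:
        counts = Counter(c for name in uncovered for c in acps[name])
        # Most frequent condition among uncovered ACPs; ties broken by name.
        best = min(counts, key=lambda c: (-counts[c], c))
        owner_conds.add(best)
        uncovered = {n for n in uncovered if best not in acps[n]}
    return {n: (conds & owner_conds, conds - owner_conds)
            for n, conds in acps.items()}

def recombine(sub_acps):
    """Conjunction of the two sub ACPs; must equal the original ACP."""
    owner_part, cloud_part = sub_acps
    return owner_part | cloud_part

def can_access(user_attrs, sub_acps):
    """A user needs both layers: the outer (cloud) and the inner (owner)."""
    owner_part, cloud_part = sub_acps
    outer_ok = cloud_part <= user_attrs   # cloud-layer decryption
    inner_ok = owner_part <= user_attrs   # owner-layer decryption
    return outer_ok and inner_ok

if __name__ == "__main__":
    for name, (owner_part, cloud_part) in sorted(decompose(ACPS).items()):
        print(name, "owner:", sorted(owner_part), "cloud:", sorted(cloud_part))
```

In this model, revoking a user or changing a cloud-side condition only touches the `cloud_part` of the affected ACPs, which corresponds to updating the outer layer alone.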

