UbiSeC Lab, UB-SUNY

Various sensitive data pooled in the cloud demands the cloud data sharing service to be responsible for secure, efficient and reliable enforcement of data content access among potentially large number of users on behalf of data owners. As cloud server may no longer be in the same trusted domain as the data owners, we have to rethink the problem of access control in this open environment, where cloud server takes full charge of the management of the outsourced data but are not necessarily trusted with respect to the data confidentiality. What makes the problem more challenging is the enforcement of fine-grained data access, the support of access privilege updates in dynamic scenarios, and the system scalability, while maintaining low level complexity of key management and data encryption. Our goal is to provide tools extending owners' full control over cloud data access and enabling all owners/users to benefit well from current capabilities of the cloud, so as to achieve finer, stronger, and more usable secure cloud data sharing services.

To achieve fine-grainedness, we propose to treat data as files associated with a set of meaningful attributes, use logical composition of attributes to reflect fine-grained data access, and enforce owner's control via attribute-based encryption. For the inherent scalability requirement of cloud system, where user access privilege updates happen very frequently and thus inevitably incurs significant user/data management burden on data owner, we further propose to treat the cloud as a mediated proxy, to which data owners can delegate most cumbersome workload, like handling user access privilege dynamics in large system, without affecting the underlying data confidentiality [1,2]. In addition, we are also exploring other security goals in a practical cloud data sharing system, including user access privilege confidentiality, and user accountability in case of user access key abuse attacks [3]. We believe these efforts will lead us to an integrated final solution to a more practice- oriented data sharing service deployment in Cloud.

1. Kan Yang, Xiaohua Jia, and Kui Ren. "Attribute-based fine-grained access control with efficient revocation in cloud storage systems." In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pp. 523-528. ACM, 2013.

 

2. Ming Li, Shucheng Yu, Yao Zheng, Kui Ren, and Wenjing Lou. "Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption." Parallel and Distributed Systems, IEEE Transactions on 24, no. 1 (2013): 131-143.

 

3. Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou, "Attribute Based Data Sharing with Attribute Revocation", The 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS'10), Beijing, China, April 13-16, 2010.

 

4. Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou, "Achieving Secure, Scalable, and Fine-grained Data Dccess Control in Cloud Computing", The 29th IEEE Conference on Computer Communications (INFOCOM'10), San Diego, CA, March 15-19, 2010.

 

5. Shucheng Yu, Kui Ren, Wenjing Lou, and Jin Li, "Defending Against Key Abuse Attacks in KP-ABE Enabled Broadcast Systems", The 5th International Conference on Security and Privacy in Communication Networks (Securecomm'09), Athens, Greece, Sept. 14-18, 2009.

 

Disclaimer: The papers here are made available for timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders.