Attribute-Based Access Control With Constant-Size Ciphertext in Cloud Computing

The document discusses attribute-based access control with constant-size ciphertext in cloud computing. It proposes a hierarchical attribute-based access control scheme that is efficient because the length of the ciphertext and the number of pairing operations are fixed. The scheme also has low computation costs for encryption and decryption. It reduces the burden of a single authority scenario through a hierarchical authorization structure and is proven to be CCA2 secure.

Uploaded by

Gateway Manager

ATTRIBUTE-BASED ACCESS CONTROL WITH CONSTANT-SIZE CIPHERTEXT IN CLOUD COMPUTING

ABSTRACT

With the popularity of cloud computing, there have been increasing concerns about its
security and privacy. Since the cloud computing environment is distributed and
untrusted, data owners have to encrypt outsourced data to enforce confidentiality.
Therefore, how to achieve practicable access control of encrypted data in an untrusted
environment is an urgent issue that needs to be solved. Attribute-Based Encryption
(ABE) is a promising scheme suitable for access control in cloud storage systems.
This paper proposes a hierarchical attribute-based access control scheme with
constant-size ciphertext. The scheme is efficient because the length of the ciphertext and
the number of bilinear pairing evaluations are fixed to a constant. Its computation cost
in the encryption and decryption algorithms is low. Moreover, the hierarchical
authorization structure of our scheme reduces the burden and risk of a single-authority
scenario. We prove the scheme is of CCA2 security under the decisional q-Bilinear
Diffie-Hellman Exponent assumption. In addition, we implement our scheme and
analyse its performance. The analysis results show the proposed scheme is efficient,
scalable, and fine-grained in dealing with access control for outsourced data in cloud
computing.

CHAPTER 1

INTRODUCTION

1.1 CLOUD COMPUTING

Cloud storage has emerged as a promising solution for providing ubiquitous,
convenient, and on-demand access to large amounts of data shared over the Internet.
Today, millions of users are sharing personal data, such as photos and videos, with
their friends through social network applications based on cloud storage on a daily
basis. Business users are also being attracted by cloud storage due to its numerous
benefits, including lower cost, greater agility, and better resource utilization.

Cloud computing is a recently evolved computing terminology or metaphor
based on utility and consumption of computing resources. Cloud computing involves
deploying groups of remote servers and software networks that allow centralized data
storage and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.

Cloud computing relies on sharing of resources to achieve coherence
and economies of scale, similar to a utility (like the electricity grid) over a network. At
the foundation of cloud computing is the broader concept of converged
infrastructure and shared services. Cloud computing, or in simpler shorthand just "the
cloud", also focuses on maximizing the effectiveness of the shared resources. Cloud
resources are usually not only shared by multiple users but are also dynamically
reallocated per demand. This can work for allocating resources to users.

For example, a cloud computer facility that serves European users during
European business hours with a specific application (e.g., email) may reallocate the
same resources to serve North American users during North America's business hours
with a different application (e.g., a web server). This approach should maximize the
use of computing power thus reducing environmental damage as well since less
power, air conditioning, rack space, etc. are required for a variety of functions. With
cloud computing, multiple users can access a single server to retrieve and update their
data without purchasing licenses for different applications.

The term "moving to cloud" also refers to an organization moving away from a
traditional CAPEX model (buy the dedicated hardware and depreciate it over a period
of time) to the OPEX model (use a shared cloud infrastructure and pay as one uses it).
Proponents claim that cloud computing allows companies to avoid upfront
infrastructure costs, and focus on projects that differentiate their businesses instead of
on infrastructure.

Proponents also claim that cloud computing allows enterprises to get their
applications up and running faster, with improved manageability and less
maintenance, and enables IT to more rapidly adjust resources to meet fluctuating and
unpredictable business demand. Cloud providers typically use a "pay as you go"
model. This can lead to unexpectedly high charges if administrators do not adapt to
the cloud pricing model.

The present availability of high-capacity networks, low-cost computers and
storage devices as well as the widespread adoption of hardware virtualization,
service-oriented architecture, and autonomic and utility computing have led to a growth in
cloud computing. Cloud storage offers an on-demand data outsourcing service model,
and is gaining popularity due to its elasticity and low maintenance cost. However,
security concerns arise when data storage is outsourced to third-party cloud storage
providers. It is desirable to enable cloud clients to verify the integrity of their
outsourced data, in case their data have been accidentally corrupted or maliciously
compromised by insider/outsider attacks.

One major use of cloud storage is long-term archival, which represents a
workload that is written once and rarely read. While the stored data are rarely read, it
remains necessary to ensure their integrity for disaster recovery or compliance with legal
requirements. Since it is typical to have a huge amount of archived data, whole-file
checking becomes prohibitive. Proof of retrievability (POR) and proof of data
possession (PDP) have thus been proposed to verify the integrity of a large file by
spot-checking only a fraction of the file via various cryptographic primitives.

Suppose that we outsource storage to a server, which could be a storage site or
a cloud-storage provider. If we detect corruptions in our outsourced data (e.g., when a
server crashes or is compromised), then we should repair the corrupted data and
restore the original data. However, putting all data in a single server is susceptible to
the single-point-of-failure problem and vendor lock-ins. A plausible solution is to
stripe data across multiple servers. Thus, to repair a failed server, we can:

1. Read data from the other surviving servers.

2. Reconstruct the corrupted data of the failed server.

3. Write the reconstructed data to a new server.

POR and PDP were originally proposed for the single-server case. MR-PDP and
HAIL extend integrity checks to a multiserver setting using replication and erasure
coding, respectively. In particular, erasure coding has a lower storage overhead than
replication under the same fault tolerance level.
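
The spot-check and the three repair steps described above can be tried end to end with the following added example, which is not part of the original document. It assumes per-block HMAC tags kept by the data owner as a simplified stand-in for the POR/PDP primitives and a single XOR-parity server as the simplest erasure code (it tolerates one failed server); all function names are hypothetical.

```python
import hashlib
import hmac
from functools import reduce

BLOCK = 16  # bytes per block; tiny so the constructed sample spans several rows


def xor_blocks(blocks):
    """XOR equal-length blocks byte by byte."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def stripe(data, n_data):
    """Stripe data over n_data servers plus one XOR-parity server.

    Returns servers[s][row]; server index n_data holds the parity blocks.
    """
    row_bytes = BLOCK * n_data
    padded = len(data).to_bytes(8, "big") + data      # length prefix
    padded += b"\0" * (-len(padded) % row_bytes)      # zero-pad last row
    servers = [[] for _ in range(n_data + 1)]
    for off in range(0, len(padded), row_bytes):
        row = [padded[off + i * BLOCK:off + (i + 1) * BLOCK]
               for i in range(n_data)]
        for s, block in enumerate(row + [xor_blocks(row)]):
            servers[s].append(block)
    return servers


def tag(key, s, row, block):
    """Owner-side MAC that binds a block to its (server, row) position."""
    msg = s.to_bytes(4, "big") + row.to_bytes(4, "big") + block
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_tags(key, servers):
    """Tags the data owner keeps locally before outsourcing the blocks."""
    return [[tag(key, s, r, b) for r, b in enumerate(col)]
            for s, col in enumerate(servers)]


def spot_check(key, servers, tags, sample_rows):
    """Verify only the sampled rows; return the servers that failed."""
    return {s
            for r in sample_rows
            for s, col in enumerate(servers)
            if not hmac.compare_digest(tag(key, s, r, col[r]), tags[s][r])}


def repair(servers, failed):
    """Read the survivors, rebuild the failed server by XOR, write it back."""
    survivors = [col for s, col in enumerate(servers) if s != failed]
    rebuilt = [xor_blocks(blocks) for blocks in zip(*survivors)]
    servers[failed] = rebuilt  # stands in for writing to a new server
    return rebuilt


def reassemble(servers):
    """Concatenate the data blocks row by row and strip the padding."""
    data_cols = servers[:-1]
    padded = b"".join(b"".join(row) for row in zip(*data_cols))
    length = int.from_bytes(padded[:8], "big")
    return padded[8:8 + length]


if __name__ == "__main__":
    key = b"k" * 32                                   # constructed demo key
    data = b"constructed sample archive " + bytes(range(200))
    servers = stripe(data, n_data=3)
    tags = make_tags(key, servers)
    servers[1] = [bytes(b ^ 0xFF for b in blk) for blk in servers[1]]
    failed = spot_check(key, servers, tags, sample_rows=[0, 2])
    print("failed servers:", failed)
    for s in failed:
        repair(servers, s)
    print("restored:", reassemble(servers) == data)
```

A corruption confined to rows outside the sample passes the audit, which is why the sampled rows should be chosen at random for every audit.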

1.2 CHARACTERISTICS:
Cloud computing exhibits the following key characteristics:

Agility improves with users' ability to re-provision technological infrastructure
resources.

Cost reductions claimed by cloud providers. A public-cloud delivery model
converts capital expenditure to operational expenditure. This purportedly
lowers barriers to entry, as infrastructure is typically provided by a third party and
does not need to be purchased for one-time or infrequent intensive computing tasks.
Pricing on a utility computing basis is fine-grained, with usage-based options and
fewer IT skills are required for implementation. The e-FISCAL project's state-of-the-
art repository contains several articles looking into cost aspects in more detail, most of
them concluding that costs savings depend on the type of activities supported and the
type of infrastructure available in-house.

Device and location independence enable users to access systems using a web
browser regardless of their location or what device they use (e.g., PC, mobile phone).
As infrastructure is off-site (typically provided by a third-party) and accessed via the
Internet, users can connect from anywhere.

Maintenance of cloud computing applications is easier, because they do not
need to be installed on each user's computer and can be accessed from different
places.

Multitenancy enables sharing of resources and costs across a large pool of
users thus allowing for:

• Centralization of infrastructure in locations with lower costs (such as
real estate, electricity, etc.)
• Peak-load capacity increases (users need not engineer for highest
possible load-levels)
• Utilisation and efficiency improvements for systems that are often only
10–20% utilised.

Performance is monitored, and consistent and loosely coupled architectures are
constructed using web services as the system interface.

Productivity may be increased when multiple users can work on the same data
simultaneously, rather than waiting for it to be saved and emailed. Time may be saved
as information does not need to be re-entered when fields are matched, nor do users
need to install application software upgrades to their computer.

Reliability improves with the use of multiple redundant sites, which makes
well-designed cloud computing suitable for business continuity and disaster recovery.

Scalability and elasticity via dynamic ("on-demand") provisioning of resources
on a fine-grained, self-service basis in near real-time (Note, the VM startup time
varies by VM type, location, OS and cloud providers), without users having to
engineer for peak loads.

Security can improve due to centralization of data, increased security-focused
resources, etc., but concerns can persist about loss of control over certain sensitive
data, and the lack of security for stored kernels. Security is often as good as or better
than other traditional systems, in part because providers are able to devote resources to
solving security issues that many customers cannot afford to tackle. However, the
complexity of security is greatly increased when data is distributed over a wider area
or over a greater number of devices, as well as in multi-tenant systems shared by
unrelated users. In addition, user access to security audit logs may be difficult or
impossible. Private cloud installations are in part motivated by users' desire to retain
control over the infrastructure and avoid losing control of information security.

1.2.1 Cloud Computing Identifies "Five Essential Characteristics":

ON-DEMAND SELF-SERVICE: A consumer can unilaterally provision
computing capabilities, such as server time and network storage, as needed
automatically without requiring human interaction with each service provider.

BROAD NETWORK ACCESS: Capabilities are available over the network
and accessed through standard mechanisms that promote use by heterogeneous thin or
thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

RESOURCE POOLING: The provider's computing resources are pooled to
serve multiple consumers using a multi-tenant model, with different physical and
virtual resources dynamically assigned and reassigned according to consumer
demand.

RAPID ELASTICITY: Capabilities can be elastically provisioned and
released, in some cases automatically, to scale rapidly outward and inward
commensurate with demand. To the consumer, the capabilities available for
provisioning often appear unlimited and can be appropriated in any quantity at any
time.

MEASURED SERVICE: Cloud systems automatically control and optimize
resource use by leveraging a metering capability at some level of abstraction
appropriate to the type of service (e.g., storage, processing, bandwidth, and active user
accounts). Resource usage can be monitored, controlled, and reported, providing
transparency for both the provider and consumer of the utilized service.

1.3 SERVICE MODELS


Though service-oriented architecture advocates "everything as a service" (with
the acronyms EaaS or XaaS or simply aaS), cloud-computing providers offer their
"services" according to different models, which happen to form a stack:
infrastructure-, platform- and software-as-a-service.

Fig 1: Cloud-computing layers accessible within a stack

1.3.1 INFRASTRUCTURE AS A SERVICE (IAAS)

In the most basic cloud-service model - and according to the IETF (Internet
Engineering Task Force) - providers of IaaS offer computers – physical or (more
often) virtual machines – and other resources. IaaS refers to online services that
abstract the user from the details of infrastructure like physical computing resources,
location, data partitioning, scaling, security, backup etc. A hypervisor, such
as Xen, Oracle VirtualBox, KVM, VMware ESX/ESXi, or Hyper-V runs the virtual
machines as guests.

Pools of hypervisors within the cloud operational system can support large
numbers of virtual machines and the ability to scale services up and down according
to customers' varying requirements. IaaS clouds often offer additional resources such
as a virtual-machine disk-image library, raw block storage, file or object storage,
firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and
software bundles. IaaS-cloud providers supply these resources on-demand from their
large pools of equipment installed in data centers. For wide-area connectivity,
customers can use either the Internet or carrier clouds.

To deploy their applications, cloud users install operating-system images and
their application software on the cloud infrastructure. In this model, the cloud user
patches and maintains the operating systems and the application software. Cloud
providers typically bill IaaS services on a utility computing basis: cost reflects the
amount of resources allocated and consumed.

1.3.2 PLATFORM AS A SERVICE (PAAS)

PaaS vendors offer a development environment to application developers. The
provider typically develops a toolkit and standards for development and channels for
distribution and payment. In the PaaS models, cloud providers deliver a computing
platform, typically including operating system, programming-language execution
environment, database, and web server. Application developers can develop and run
their software solutions on a cloud platform without the cost and complexity of buying
and managing the underlying hardware and software layers.

With some PaaS offers like Microsoft Azure and Google App Engine, the
underlying computer and storage resources scale automatically to match application
demand so that the cloud user does not have to allocate resources manually. The
latter has also been proposed by an architecture aiming to facilitate real-time in cloud
environments. Even more specific application types can be provided via PaaS, such as
media encoding as provided by services.

Some integration and data management providers have also embraced
specialized applications of PaaS as delivery models for data solutions. Examples
include iPaaS and dPaaS. iPaaS (Integration Platform as a Service) enables customers
to develop, execute and govern integration flows. Under the iPaaS integration model,
customers drive the development and deployment of integrations without installing or
managing any hardware or middleware. dPaaS (Data Platform as a Service) delivers
integration—and data-management—products as a fully managed service. Under the
dPaaS model, the PaaS provider, not the customer, manages the development and
execution of data solutions by building tailored data applications for the customer.
dPaaS users retain transparency and control over data through data-visualization tools.

1.3.3 SOFTWARE AS A SERVICE (SAAS)

In the software as a service (SaaS) model, users gain access to application
software and databases. Cloud providers manage the infrastructure and platforms that
run the applications. SaaS is sometimes referred to as "on-demand software" and is
usually priced on a pay-per-use basis or using a subscription fee.

In the SaaS model, cloud providers install and operate application software in
the cloud and cloud users access the software from cloud clients. Cloud users do not
manage the cloud infrastructure and platform where the application runs. This
eliminates the need to install and run the application on the cloud user's own
computers, which simplifies maintenance and support.

Cloud applications differ from other applications in their scalability—which
can be achieved by cloning tasks onto multiple virtual machines at run-time to meet
changing work demand. Load balancers distribute the work over the set of virtual
machines. This process is transparent to the cloud user, who sees only a single access-
point. To accommodate a large number of cloud users, cloud applications can
be multitenant, meaning that any machine may serve more than one cloud-user
organization.

The pricing model for SaaS applications is typically a monthly or yearly flat
fee per user, so prices become scalable and adjustable if users are added or removed at
any point. Proponents claim that SaaS gives a business the potential to reduce IT
operational costs by outsourcing hardware and software maintenance and support to
the cloud provider. This enables the business to reallocate IT operations costs away
from hardware/software spending and from personnel expenses, towards meeting
other goals. In addition, with applications hosted centrally, updates can be released
without the need for users to install new software. One drawback of SaaS comes with
storing the users' data on the cloud provider's server. As a result, there could be
unauthorized access to the data. For this reason, users are increasingly adopting
intelligent third-party key-management systems to help secure their data.

1.4 DEPLOYMENT MODELS:

1.4.1 PRIVATE CLOUD

Private cloud is cloud infrastructure operated solely for a single organization,
whether managed internally or by a third-party, and hosted either internally or
externally. Undertaking a private cloud project requires a significant level and degree
of engagement to virtualize the business environment, and requires the organization to
reevaluate decisions about existing resources. When done right, it can improve
business, but every step in the project raises security issues that must be addressed to
prevent serious vulnerabilities. Self-run data centers are generally capital intensive.

They have a significant physical footprint, requiring allocations of space,
hardware, and environmental controls. These assets have to be refreshed periodically,
resulting in additional capital expenditures. They have attracted criticism because
users "still have to buy, build, and manage them" and thus do not benefit from less
hands-on management, essentially "[lacking] the economic model that makes cloud
computing such an intriguing concept".

1.4.2 PUBLIC CLOUD

A cloud is called a "public cloud" when the services are rendered over a
network that is open for public use. Public cloud services may be free. Technically
there may be little or no difference between public and private cloud architecture;
however, security considerations may be substantially different for services
(applications, storage, and other resources) that are made available by a service
provider for a public audience and when communication is effected over a non-trusted
network.

Generally, public cloud service providers like Amazon AWS, Microsoft and
Google own and operate the infrastructure at their data center and access is generally
via the Internet. AWS and Microsoft also offer direct connect services called "AWS
Direct Connect" and "Azure ExpressRoute" respectively; such connections require
customers to purchase or lease a private connection to a peering point offered by the
cloud provider.

1.4.3 HYBRID CLOUD

Hybrid cloud is a composition of two or more clouds (private, community or
public) that remain distinct entities but are bound together, offering the benefits of
multiple deployment models. Hybrid cloud can also mean the ability to connect
collocation, managed and/or dedicated services with cloud resources.

A hybrid cloud service is a cloud computing service that is composed of some
combination of private, public and community cloud services, from different service
providers. A hybrid cloud service crosses isolation and provider boundaries so that it
can't be simply put in one category of private, public, or community cloud service. It
allows one to extend either the capacity or the capability of a cloud service, by
aggregation, integration or customization with another cloud service.

Varied use cases for hybrid cloud composition exist. For example, an
organization may store sensitive client data in house on a private cloud application,
but interconnect that application to a business intelligence application provided on a
public cloud as a software service. This example of hybrid cloud extends the
capabilities of the enterprise to deliver a specific business service through the addition
of externally available public cloud services. Hybrid cloud adoption depends on a
number of factors such as data security and compliance requirements, level of control
needed over data, and the applications an organization uses.

Another example of hybrid cloud is one where IT organizations use public
cloud computing resources to meet temporary capacity needs that cannot be met by
the private cloud. This capability enables hybrid clouds to employ cloud bursting for
scaling across clouds. Cloud bursting is an application deployment model in which an
application runs in a private cloud or data center and "bursts" to a public cloud when
the demand for computing capacity increases.

A primary advantage of cloud bursting and a hybrid cloud model is that an
organization only pays for extra compute resources when they are needed. Cloud
bursting enables data centers to create an in-house IT infrastructure that supports
average workloads, and use cloud resources from public or private clouds, during
spikes in processing demands. The specialized model of hybrid cloud, which is built
atop heterogeneous hardware, is called "Cross-platform Hybrid Cloud". A cross-
platform hybrid cloud is usually powered by different CPU architectures, for example,
x86-64 and ARM, underneath. Users can transparently deploy applications without
knowledge of the cloud's hardware diversity. This kind of cloud emerges from the
rise of ARM-based system-on-chip for server-class computing.

1.5 ARCHITECTURE

Cloud architecture, the systems architecture of the software
systems involved in the delivery of cloud computing, typically involves
multiple cloud components communicating with each other over a loose
coupling mechanism such as a messaging queue. Elastic provision implies
intelligence in the use of tight or loose coupling as applied to mechanisms such
as these and others.

Fig 2: Cloud computing sample architecture


CHAPTER 2

SYSTEM ANALYSIS

In this phase, a detailed appraisal of the existing system is given. This
appraisal covers how the system works and what it does. It also examines in more
detail what the problems with the system are and what the user requires from the
new system or from any change to the system. The output of this phase is a detailed
model of the system. The model describes the system functions, the data, and the system
information flow. The phase also produces the detailed set of user requirements, and these
requirements are used to set objectives for the new system.

2.1 CURRENT SYSTEM:

Although the cloud computing paradigm brings many benefits, there are many
unavoidable security problems caused by its inherent characteristics, such as the
dynamic complexity of the cloud computing environment, the openness of the cloud
platform and the high concentration of resources. One of the important problems is
how to ensure the security of user data. Security problems, such as data security and
privacy protection in cloud computing, have become serious obstacles which, if not
appropriately addressed. Secure sharing of data plays an important role in cloud
computing. Attribute-based access control can realize data confidentiality in the
untrusted environment of the server end, fine-grained access control and large-scale
dynamic authorization, which are difficult problems to solve with traditional access
control.

2.2 SHORTCOMINGS OF THE CURRENT SYSTEM:

• Attribute-based access control can realize data confidentiality in the untrusted
environment of the server end, fine-grained access control and large-scale dynamic
authorization, which are difficult problems to solve with traditional access
control.
• Furthermore, in previous ABE schemes, the size of the ciphertext and the
number of pairing computations vary linearly with the number of attributes.

2.3 PROPOSED SYSTEM:

This paper proposes a hierarchical ciphertext-policy attribute-based encryption
(CP-ABE) access control scheme with constant-size ciphertext that can realize
scalable, flexible, and fine-grained access control of outsourced data in cloud
computing. The proposed scheme adopts CP-ABE with constant ciphertext size and
maintains the size of ciphertext and the computation of bilinear pairing at a constant
value, which improves the efficiency of the system and reduces the extra overhead of
space storage, data transmission and computation. Second, we design a hierarchical
access control system. This system supports inheritance of authorization that reduces
the burden and risk in the case of single authority. Finally, we prove our scheme has
indistinguishable security under an adaptive chosen ciphertext attack and we analyze
the performance of our scheme.

2.4 ADVANTAGE OF PROPOSED SYSTEM:

• The scheme shows good adaptability and scalability in cloud computing.
• It makes the CP-ABE algorithm simpler and more efficient, making it
even more suitable for access control in a cloud environment.
