An Efficient and Secure Data Sharing Framework using Homomorphic - PowerPoint PPT Presentation

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay anjay Madr adria ia Prof ofes essor or and and Sit ite e Dir irect ector or for or NS NSF F I/UC UCRC Cent enter er on on Net Net-C -Cent entric ic Sof oftwar are e and and Systems ems Mis issour ouri i Univ Univer ersit ity of of Science cience & Tec echnolog hnology, , Rolla, olla, MO O 65401, 65401, US USA madr madrias ias@ms mst.edu .edu Joint oint wor ork k wit ith h Bhar harath K. K. Samant amanthula hula, , Ger Gerry Ho Howser er, , Yous ousef ef Elmehd lmehdwi Mis issour ouri i Univ Univer ersit ity of of Science cience & Tec echnolog hnology, , Rolla, olla, MO O 65401, 65401, US USA

Outli line ne — Motivation — Problem Statement — Related work — Main Contribution — Preliminaries — Proposed Solutions — SDS Framework — Correctness proof — Example — Modified-SDS Framework — Conclusion / Future Work

SYSTEM M MODE DEL

PROBLEM S STATEMENT — Data owner Alice outsources data to the cloud after encryption — Goal: To provide a fine-grained access control to various users authorized by Alice

MOTIV IVATIO ION — Data is outsourced to the cloud — Cost-efficiency and flexibility — For privacy issues – encrypting the data seems to be a better choice — Access Control on Encrypted Data in the Cloud — Relies heavily upon encrypted data in the cloud — One of the reasons in using encrypted data in the cloud is protecting the data from the cloud itself — However, encrypted data on the cloud places limitations upon data searches and queries

Cont.. — Some important issues to be addressed in Access Control — Fine-grained access control with efficient user revocation — Rejoin of revoked users — Collusion between users — Collusion between a user and the cloud — Efficient modification of user access privileges

RELATED W D WORK — Yang et al. [1] proposed a new fine-grained access control protocol using Symmetric encryption and Proxy Re- encryption schemes. — Disadvantages: — Symmetric encryption provides weaker security guarantees — Possibility of Information leakage: — Rejoin of revoked user — Collusion of revoked user with authorized user Bob — Collusion between Bob and the cloud

OUR UR C CONTRIB IBUT UTIO ION — Developed a new Secure Data Sharing (SDS) framework to achieve fine-grained data sharing/access control over data outsourced to the cloud that provides following features: — Efficient user revocation — Efficient and secure re-join of a previously revoked user — Prevention of collusion between a user and the CSP — Prevention of collusion between a revoked user and an authorized user. — Generic Approach

Preli limi mina naries — SDS uses two specific encryption techniques: additive homomorphic encryption + proxy re-encryption — Additive homomorphic (Probabilistic) encryption : — E pk (x + y) = E pk (x) · E pk (y) mod N 2 — E pk (c · x) = E pk (x) c mod N 2 — The encryption scheme is semantically secure where N is the RSA modulus which is also a part of the public key pk.

CONTD… D… — Proxy Re-encryption: — Allows a “semi-trusted” proxy T to convert ciphertext under Alice’s public key into one encrypting the same plaintext under Bob’s public key: PRE(E pka (x), rk pka à pkb ) à E pkb (x) where pk a and pk b are the public keys of Alice and Bob respectively. — Proxy only knows the re-encryption key rk pka à pkb — Nothing is revealed about the plaintext x to T .

Proposed S SDS DS F Frame mework k — Utilizes additive homomorphic encryption and proxy re-encryption schemes as underlying sub-routines — Our Secure Data Sharing (SDS) framework consists of five stages: 1) Key Generation and Distribution 2) Data Outsourcing 3) Data Access 4) User Revocation 5) User Rejoin

Proposed SDS Framework

Key Ge y Gene neration a n and nd Di Distribution n — Acts as an initialization step — The data owner (Alice) generates two kinds of key pairs — Master key pair – (pk a , pr a ). Where, pk a and pr a are the public and private keys of Alice. — For each authorized user, say Bob, Alice creates a public/ private key pair (pk b , pr b ) and sends it to Bob.

Da Data O Outsourcing ng — For each data record d, Alice proceeds as follows: — Let d 1 ,…, d n denote the attribute values of d — Picks n+m number of random numbers - r 1 ,…., r n+m — d’ = < d 1 + r n+1 ,…, d n + r n , r n+1 ,.., r n+m > = < d’ 1 ,…, d’ n+m > where r i is a random number chosen from Z N — Assume E pka (d’) = < E pka (d’ 1 ),…,E pka (d’ n+m )> — For a particular user, say Bob, we have the following two cases: — Case 1: Bob has access to a set of attributes (S) in d — Case 2: Bob is not authorized to access d

Da Data O Outsourcing ng ( (cont ntd…) — For each authorized user Bob on d, Alice creates authorization token T d b — Case 1 : — T d b = {Bob, rk pka-> pkb , <E pkb ( α 1 ),…,E pkb ( α n+m )>} — For, 1 ≤ i ≤ n+m: — If 1 ≤ i ≤ n and d i ∈ S, α i = - r i — Otherwise, α i = - d’ i — Case 2 : — Alice sets T d b = null

Da Data O Outsourcing ng ( (cont ntd…) — Similarly, Alice generates the authorization list for all authorized users – T d — Note that if T d b is null, it is not included in T d — Now Alice exports the new data (T d , E pka (d’)) to the cloud

Da Data A Access — Upon a request from Bob, for each data record d, the cloud checks whether there is a token for Bob — If there is no entry – the cloud simply aborts the request — If there exists an entry (T d b ) for Bob, the cloud proceeds as follows: — E pkb (d’) ← {E pkb (d’ 1 ),…, E pkb (d’ n+m )} using rk pka-> pkb — For all i, computes E pkb (d’ i + α i ) ← E pkb (d’ i ) + E pkb ( α i ) — Sends < E pkb (d’ 1 + α 1 ),……., E pkb (d’ n+m + α n+m ) > to Bob

Da Data A Access — Bob decrypts each entry and gets d’ i + α i (1 ≤ i ≤ n+m) — Note that Bob will successfully decrypt to only those attribute values he is authorized to access — That is, d’ i + α i = d i only if Bob is authorized to access attribute i. — Other attribute values will yield a value of zero upon decryption.

Us User R Revocation & n & R Rejo join n — User Revocation: Whenever Alice wish to revoke user Bob for a data record d, Alice simply asks the cloud to remove T d b from T d — User Rejoin : Bob can have following two scenarios for d. — Scenario 1: Authorized to the same set (S) of attributes — Scenario 2: Authorized to different set of attributes (U) — In any case, Alice uses corresponding set (either S or U) and creates T d b and sends it to the cloud. Then the cloud adds T d b to T d

Correctne ness ( (proof) — Theorem : For any data record d, Bob can only retrieve the set of attributes ( S ) he is authorized to access. On the other hand, if Bob is not an authorized user then he does not get access to d on the cloud (assuming no collusion). — Proof : If Bob is an authorized user, then — The final values retrieved by Bob after decryption are < d’ 1 + α 1 ,…., d’ n+m + α n+m >. — For n+1 ≤ i ≤ n+m, d’ i + α i = -r i + r i = 0 — For 1 ≤ i ≤ n: — If d i ∈ S, then d’ i + α i = d i + r i - r i = d i — Otherwise, d’ i + α i = 0

Example le • Alice: Data Owner • Consider Cherry data record as d • Suppose Bob (Supervisor) is authorized to access <NAME, AGE, ROOM, DISEASE> attribute values of d • Whereas Charles (Friend) is authorized to access only <NAME, ROOM> attribute values of d

Example le ( (Da Data O Outsource) — First, Alice masks the data record d and proceeds as follows: — Let d’ = <Cherry + r 1 , 27+ r 2 , 163+ r 3 , 65+ r 4 , Diabetes+ r 5 , r 6 >, here m=1 — E pka (d’) = < E pka (Cherry + r 1 ), E pka (27+ r 2 ), E pka (163+ r 3 ), E pka (65+ r 4 ), E pka (Diabetes+ r 5 ), E pka (r 6 )> — T d b = {Bob, rk pka-> pkb , <E pkb (-r 1 ), E pkb (-r 2 ), E pkb (-r 3 -163), E pkb (-r 4 ), E pkb (- r 5 ), E pkb (-r 6 )>} — T d c = {Charles, rk pka-> pkc , <E pkc (-r 1 ), E pkc (-r 2 -27), E pkc (-r 3 -163), E pkc (-r 4 ), E pkc (-r 5 -Diabetes), E pkc (-r 6 )>} — T d = < T d b , T d c > — Sends (T d , E pka (d’)) to the cloud

Example le ( (Da Data A Access b by B y Bob) — The cloud c omputes < E pkb (Cherry + r 1 ), E pkb (27+ r 2 ), E pkb (163+ r 3 ), E pkb (65+ r 4 ), E pkb (Diabetes+ r 5 ), E pkb (r 6 )> Bob decrypts using pr b Cloud Cherry E pkb (Cherry ) 27 E pkb (27) 0 E pkb (0) 65 E pkb (65 ) Diabetes E pkb (Diabetes ) 0 E pkb (0)

Example le ( (Da Data A Access b by C y Cha harle les) — The cloud c omputes < E pkc (Cherry + r 1 ), E pkc (27+ r 2 ), E pkc (163+ r 3 ), E pkc (65+ r 4 ), E pkc (Diabetes+ r 5 ), E pkc (r 6 )> Charles decrypts using pr c Cloud Cherry E pkc (Cherry ) 0 E pkc (0) 0 E pkc (0) 65 E pkc (65) 0 E pkc (0) 0 E pkc (0)