DATA ACCESS CONTROL USING COMBINED COMPRESSION AND SECURITY MODEL FOR CLOUD STORAGE

Abstract

Cheap, always-online, pay-as-you-go cloud storage. Recent years have seen more personal and business data in public clouds. Because the public cloud is untrustworthy and should not leak outsourced data without permission, data owners worry about security. Storage systems often use server-based authentication like passwords and certificates. They over trust the cloud provider to protect sensitive data. Any document can be read by cloud providers and their employees regardless of data owners' access policies. Since we don't calculate resource usage, the cloud provider can overcharge payers for file storage without verifiable records. Current server-dominated access control is unsafe. Users of cloud storage want to control access and protect their data from malicious users and providers. Owner-centric access control for sharing encrypted files is possible with ciphertext-policy attribute-based encryption (CP-ABE). This lacks security against other attacks. Many previous schemes didn't let cloud providers verify downloader decryption. All cloud storage users should have access to these files. If a malicious attacker downloads thousands of files, EDoS attacks can drain cloud resources. Payers cover cloud costs. The cloud provider is also the accountant and resource consumption fee payer, denying data owner’s transparency. Real-world public cloud storage should fix this. This study proposes protecting encrypted cloud storages from EDoS attacks and tracking resource use. Our cloud-side and data owner-side access control makes our solution secure and efficient in real-world applications.

Specification

Description:To achieve the security requirements, the scheme consists of two components: 1) A cloud-side access control to block users whose attribute set A_i does not satisfy the access policy A; 2) A proof-collecting subsystem where the cloud provider can collect the proofs of resource consumption from users, and present to the data owners later.
In real-world scenarios, it is reasonable to specify an expected maximal download time, and data owners can remain offline unless it wants to increase this value. This leads to our first protocol: Partially Outsourced Protocol (POP) (V-B). In some other cases where the data owner cannot set an expectations of download times or would be offline for a long time, the data owner can delegate to the cloud. This leads to our second protocol: Fully Outsourced Protocol (FOP) (V-C).
Partially Outsourced Protocol (POP)
In this protocol, the data owner encrypts an ephemeral key in CP-ABE, which is then used for message encryption/decryption and cloud-side access control. The data owner provides the cloud provider with N challenge ciphertexts {〖enchal〗_i }_(i∈[N]) and the hashed challenges {〖hash〗_i }_(i∈[N]). The user proves the legitimacy to the cloud provider by showing the decryption result 〖chal〗_j of the randomly selected unused challenge ciphertext 〖enchal〗_j is a preimage of 〖hash〗_j. If the user response is valid, the cloud provider stores the user response for further resource consumption accounting.
Furthermore, to boost efficiency and together reduce the storage space, we introduce the bloom filter for data owners to store their challenge plaintexts. This bloom filter can be stored locally or remotely on the cloud server. As the process of challenge update should be implemented on demand or periodically by the data owner, which cannot be outsourced to the cloud, we call the scheme Partially Outsourced Protocol (POP).
The procedure of POP is described in detail as follows:
Encrypt and Upload (POP-EU): This operation is implemented independently by an individual data owner.
Cloud-side Access Control: POP-CR.
Challenge update (POP-SU): If the specified upper bound of download times (N) has not yet reached, there is no need to update. But if the data owner wants to provide additional challenges, either on-demand or periodically, both only needs to be online for a short period, it is also supported. The update process is the same as that in the phase of POP-EU-2 under the same key k. We assume the data owner keeps a record of session keys either in local storage or outsourced to cloud in an encrypted form. As the plaintext space for challenges is sufficiently large, we assume no duplicated challenge plaintexts are generated. The bloom filter (and its encryption form) introduced in POP-EU-3 will be reconstructed. Resource Accounting (POP-RA): data owners and the cloud interactively implement this operation.
, C , C , C , Claims:
1. We claim the proposed combined compression and security model significantly reduces the risk of unauthorized access and data breaches by integrating robust encryption techniques with effective data compression methods.
2. We claim implementing compression before encryption enhances performance efficiency, leading to faster data transfer speeds and reduced storage costs without sacrificing security.
3. We claim the model provides a scalable access control mechanism that can adapt to varying data loads and user demands, ensuring consistent security across diverse cloud environments.
4. We claim by utilizing compression techniques, the model effectively reduces bandwidth consumption during data transmission, resulting in cost savings for organizations using cloud services.
5. We claim the integration of data access control, compression, and security features ensures compliance with major regulatory frameworks (e.g., GDPR, HIPAA), thus safeguarding sensitive information.

Documents