ROLE BASED ACCESS CONTROL TO PROTECT CLOUD DATA USING R3 SCHEME

Transcription

1 ROLE BASED ACCESS CONTROL TO PROTECT CLOUD DATA USING R3 SCHEME S. Ranjith Kumar1, G. Pandian1, D. Saravanan1, Mr. R. Raja2 1 2 Department of Computer Science and Engineering, Velammal Institute of Technology, Panchetti Chennai Assistant Professor, Department of Computer science and Engineering, Velammal Institute of Technology Corresponding Author Address: S. Ranjith Kumar Student Department of Computer Science and Engineering, Velammal Institute of Technology, Chennai, India. ABSTRACT: A key approach to secure cloud computing is for data owner to store encryption data in the cloud. Then issue key to authorized user.when a user is revoked the data owner will issue reencryption commands to the cloud to re-encryption the data to prevent the revoked user from decrypting the data and to generate new decryption key to validate user, so that they can continues to access the data. The essence of Role-Based Access Control (RBAC) is that system permissions are assigned to defined roles rather than to individual users using R3 scheme. The data owner will first generate a shared secret key to the CSP. Then, after the data owner encrypts each file with the appropriate attribute structure and time slice, the data owner uploads the file in the cloud. The CSP will replicate the file to various cloud servers. Each cloud server will have a copy of the shared secret key.let us assume that a cloud server stores an encrypted file F with A and TSi. When a user queries that cloud server, the cloud server first uses its own clock to determine the current time slice. KEYWORDS: cloud computing, re-encryption, R3scheme, secret key, CSP, decryption, RBAC. INTRODUCTION Security is one of the main user concerns for the adoption of Cloud computing. Moving data to the Cloud usually implies relying on the Cloud Service Provider (CSP) for data protection. Although this is usually managed based on legal or Service Level Agreements (SLA), the CSP could potentially access the data or even provide it to third parties. Users may loss control on their data. Even the trust on the federated CSPs is outside the control of the data owner. Encryption is the most widely used method to protect data in the Cloud. Encrypting data avoids undesired accesses. A rule-based approach would be desirable to provide expressiveness. An RBAC approach would be closer to current access control methods, resulting more natural to apply for access control enforcement than ABE-based mechanisms. In terms of expressiveness, it is said that ABAC supersedes RBAC since roles can be represented as attributes. This paper presents SecRBAC, a data-centric access control solution for self-protected data that can run in untrusted CSPs and provides extended Role-Based Access Control Page 60

2 expressiveness. The proposed authorization solution provides a rule-based approach following the RBAC scheme, where roles are used to ease the management of access to the resources. This approach can help to control and manage security and to deal with the complexity of managing access control in Cloud computing. Role and resource hierarchies are supported by the authorization model, providing more expressiveness to the rules by enabling the definition of simple but powerful rules that apply to several users and resources thanks to privilege propagation through roles and hierarchies. Policy rule specifications are based on Semantic Web technologies that enable enriched rule definitions and advanced policy management features like conflict detection. A data-centric approach is used for data self-protection, where novel cryptographic techniques such as Proxy Re-Encryption Encryption (PRE), Identity- Based Encryption (IBE) and Identity-Based Proxy ReEncryption (IBPRE) are used. They allow to re-encrypt data from one key to another without getting access and to use identities in cryptographic operations. These techniques are used to protect both the data and the authorization model. Each piece of data is ciphered with its own encryption key linked to the authorization model and rules are cryptographically protected to preserve data against the service provider access or misbehavior when evaluating the rules. It also combines a user-centric approach for authorization rules, where the data owner can define a unified access control policy for his data. The solution enables a rule based approach for authorization in Cloud systems where rules are under control of the data owner and access control computation is delegated to the CSP, but making it unable to grant access to unauthorized parties. RELATED WORKS Diverse methodologies can be found in the writing to hold control over approval in Cloud figuring. In [13] creators propose to keep the approval choices taken by the information proprietor. The get to model is not distributed to the Cloud but rather kept secure on the information proprietor premises. Be that as it may, in this approach the CSP turns into a minor stockpiling framework and the information proprietor ought to be online to process get to demands from clients. Another approach from [14] manages this issue by empowering a module component in the CSP that permits information proprietors to convey their own security modules. These licenses to control the approval systems utilized inside a CSP. Notwithstanding, it doesn't set up how the approval model ought to be secured, so the CSP could possibly gather data and get to the information. In addition, this approach does not cover Inter-cloud situations, since the module ought to be conveyed to various CSPs. Also, these methodologies don't ensure information with encryption techniques. In the proposed SecRBAC arrangement, data encryption is used to prevent the CSP to access the data or to discharge it bypassing the approval component. In any case, applying information encryption infers extra difficulties identified with approval expressiveness. Taking after a direct approach, one can incorporate information in a bundle encoded for the planned clients. This is generally done when sending a file or archive to a specific collector and guarantees that exclusive the beneficiary with the fitting key can unscramble it. From an approval perspective, this can be viewed as a basic lead where just the client with benefit to get to the Page 61

3 information will have the capacity to decode. Just that basic control can be upheld and only one single lead can apply to every information bundle. Consequently, numerous encoded duplicates ought to be made with a specific end goal to convey similar information to various recipients. To adapt to these issues, SecRBAC takes after an information driven approach that can cryptographically ensure the information while giving access control abilities. A few information driven methodologies, generally in light of Attribute-based Encryption (ABE) [5], have emerged for information security in the Cloud [4]. In ABE, the scrambled cipher text is named with an arrangement of properties by the information proprietor. Clients likewise have an arrangement of qualities defined in their private keys. They would have the capacity to get to information (i.e. unscramble it) or not relying upon the match amongst cipher text and key qualities. The arrangement of properties required by a client to unscramble the information is defined by a get to structure, which is specified as a tree with and additionally hubs. There are two principle approaches for ABE relying upon where the get to structure lives: Key-Policy ABE (KP-ABE) [5] and Ciphertext-Policy ABE (CP-ABE) [3]. In KP-ABE the get to structure or strategy is defined inside the private keys of clients. This permits to scramble information marked with qualities and afterward control the entrance to such information by conveying the proper keys to clients. Be that as it may, for this situation the strategy is truly defined by the key guarantor rather than the encryptor of information, i.e. the information proprietor. Along these lines, the information proprietor ought to put stock in the key guarantor for this to appropriately create a satisfactory get to strategy. To unravel this issue, CP-ABE proposes to incorporate the get to structure inside the ciperthext, which is under control of the information proprietor. At that point, the key guarantor just attests the traits of clients by incorporating them in private keys. In any case, either in KP-ABE or CPABE, the expressiveness of the get to control approach is constrained to mixes of AND-ed or potentially ed traits. The information driven arrangement exhibited in this paper goes a stage forward regarding expressiveness, giving a govern based approach taking after the RBAC plot that is not fixing to the impediments of current ABE approaches. Diverse proposition have been additionally created to attempt to reduce ABE expressiveness confinements. Creators in [15] propose an answer in light of CP-ABE with support for sets. Traits are sorted out in a recursive set structure and get to arrangements can be defined upon a solitary set or consolidating qualities from various sets. This empowers the definition of compound traits and specification of approaches that influence the characteristics of a set. An approach named Hierarchical Attribute-based Encryption is introduced in [16]. It utilizes a various leveled era of keys to accomplish fine-grain get to control, versatility and appointment. Notwithstanding, this approach suggests that traits ought to be managed by the same root domain authority. In[17], authors amplify CP-ASBE with a various leveled structure to clients keeping in mind the end goal to enhance versatility and flexibility. This approach gives progressive key structure. Another approach is Flexible and Efficient Access Control Scheme (FEACS) [2]. It depends on KP-ABE and gives a get to control structure spoke to by an equation including AND, OR and NOT, empowering more expressiveness for KP-ABE. The previously mentioned ABE-based arrangements proposed for understanding access control in Cloud registering depend on the Attribute-based Access Control (ABAC) Page 62

4 display. As remarked in Section 1, both ABAC and RBAC models have their own favorable circumstances and hindrances [7] [9]. On one hand, RBAC may require the definition of countless for fine-grain approval (part blast issue in RBAC). ABAC is additionally simpler to set up without need to try on part investigation as required for RBAC. On another hand, ABAC may bring about countless since a framework with n credits would have up to 2n conceivable rule combinations(rule explosion problem in ABAC).ABAC isolates approval rules from client properties, making it difficult to decide authorizations accessible to a specific user, while RBAC is deterministi can privileges can be effortlessly controlled by the information proprietor. In addition, the cryptographic operations utilized as a part of ABE methodologies typically confine the level of expressiveness gave by the get to control rules. Solidly, part chain of importance and protest progression abilities gave by SecRBAC can't be accomplished by current ABE plans. Also, private keys in ABE ought to contain the qualities of the client, which tights the keys to consents in the get to control approach. In SecRBAC, client keys just recognize their holders and they are not attached to the approval display. That is, client benefits are totally free of their private key. At last, no client driven approach for approval guidelines is given by current ABE arrangements. In SecRBAC, a solitary get to arrangement defined by the information proprietor can ensure more than one bit of information, bringing about a client driven approach for govern administration. Moreover, the proposed arrangement offers help for the ontological portrayal of the approval demonstrate, giving extra thinking instruments to adapt to issues, for example, recognition of conflicts between various approval rules. PROPOSED METHODOLOGY We proposed a reliable re-encryption scheme in unreliable cloud.r3 is the time based reencryption scheme,which allows each cloud services to automatically re-encrypt data based on its internal clock. The basic idea of this R3 is to associate the data with an access control and access time. Each user is issued key associated with attibutes and attribute effective time. Data-centric solution with data protection for the Cloud Service Provider to be unable to access it. Rule-based approach for authorization where rules are under control of the data owner. High expressiveness for authorization rules applying the RBAC scheme with role hierarchy and resource hierarchy. Role Manager Role Manager provides user registration service to register user profile that includes a user ID, password, and provide a small amount of additional information, including affiliation, country, and a valid address and importantly role of the users. This information is never provided to any application without a user's explicit permission. Encryption/Decryption Algorithm: Blowfish is a symmetric block cipher algorithm for encryption/decryption. Blowfish is accepted as a fast and strong encryptison algorithm because it has not been cracked. Blowfish is fixed 64 bit block cipher and a takes key length from bits. Total 16 processing Page 63

5 rounds of data encryption is performed in Blowfish. This algorithm is divided into two parts(i) Key expansion and (ii) Data encryption. In key expansion process 448 bits key is converted into 4168 bytes. The advantages of blowfish algorithm are that it is secure and easy to implement and best for hardware implementation, but the disadvantage is it require more space for the cipher text because of difference between key size and block size. Time Based One Time Password: Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. It has been adopted as Internet standard RFC 6238,[1] is the cornerstone of Initiative For Open Authentication (OATH) and is used in a number of authentication systems. TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a onetime password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal. User Login A login, logging in or logging on is the entering of identifier information into a system by a user in order to access that system (e.g., a computer or a website). It is an integral part of computer security procedures.a login generally requires the user to enter two pieces of information, first a user name and then a password. This information is entered into a login window on a GUI (graphical user interface) or on the command line in a console (i.e., an all-text mode screen), depending on the system and situation. A user name, also referred to as an account name, is a string (i.e., sequence of characters) that uniquely identifies a user. User names can be the same as or related to the real names of users, or they can be completely arbitrary. Key Generator Login: A key generator is used in many cryptographic protocols to generate a sequence with many pseudo-random characteristics. SETUP AND RESULTS Given Below we have provided the setup of the portal Figure-1 Overall Architecture Diagram Page 64

6 During this process the user can register through client interface and get their data encrypted using re-encryption. One public key will be handled by the cloud server and private key will be maintained by the data owner. CSP will handle the private key which encrypt the data in the privacy table. when another user tried to access or modify the data in cloud,propwer access permission is needed. Once permission is issued data is accessed without any retriction. The key manager is responsible for generating the key and sending requested key to client through mail. Once key is received, the user will decrypt the data.role manager is respsible for assigning the roles to users. Cloud admin taking the accessibilities of role manager. Figure-2 Index Page Figure-3 Client registration interfaces Figure-4 Client upload files Figure-5 View of uploaded file before encryption Figure-6 Encrypted file view Figure-7 Key Generator to send key CONCLUSION In this article, we have investigated the privacy challenges in the Cloud computing by first identifying the data privacy requirements and then discussing whether existing privacypreserving techniques are sufficient for data processing. We have also introduced an efficient Page 65

7 and privacy-preserving Two-level encryption in response to the efficiency and privacy requirements of data mining in the cloud. REFERENCES 1. IBM, Big Data at the Speed of Business, X. Wu et al., Data Mining with Big Data, IEEE Trans. Knowledge DataEng., vol. 26, no. 1, 2014, pp S. Liu, Exploring the Future of Computing, IT Professional, vol. 15, no.1, 2013, pp Oracle, Oracle Big Data for the Enterprise, Big Data at CSAIL, 6. R. Lu et al., EPPA: An Efficient and Privacy-Preserving Aggregation Shemefor Secure Smart Grid Communications, IEEE Trans. Parallel Distrib. Sys.,vol. 23, no. 9, 2012, pp P. Paillier, Public-Key Cryptosystems based on Composite Degree Residuosity Classes, EUROCRYPT, 1999, pp M. Li et al., Toward Privacy-Assured and Searchable Cloud Data StorageServices, IEEE Network, vol. 27, no. 4, 2013, pp A. Cavoukian and J. Jonas, Privacy by Design in the Age of Big Data, Office of the Information and Privacy Commissioner, R. Lu, X. Lin, and X. Shen, SPOC: A Secure and Privacy-Preserving Opportunistic Computing Framework for Mobile-Healthcare Emergency, 11. J. W. Byun and D. H. Lee, On a security model of conjunctive keyword search over encrypted relational database, J. Syst. Softw., vol. 84, no. 8, pp , M. Ding, F. Gao, Z. Jin, and H. Zhang, An efficient public key encryption with conjunctive keyword search scheme based on pairings, in Proc. 3rd IEEEInt. Conf. Netw. Infrastruct. Digit. Content (IC-NIDC), Beijing, China, Sep. 2012, pp J. Shao, Z. Cao, X. Liang, and H. Lin, Proxy re-encryption with keyword search, Inf. Sci., vol. 180, no. 13, pp , W.-C. Yau, R. C.-W. Phan, S.-H. Heng, and B.-M. Goi, Proxy re-encryption with keyword search re-encryption with keyword search: New definitions and algorithms, in Proc. Int. Conf. Security Technol., vol Jeju Island, Korea, Dec. 2010, pp L. Fang, W. Susilo, C. Ge, and J. Wang, Chosen-ciphertext secure anonymous conditional proxy re-encryption with keyword search, Theoretical Comput. Sci., vol. 462, pp , Nov X. A. Wang, X. Huang, X. Yang, L. Liu, and X. Wu, Further observation on proxy reencryption with keyword search, J. Syst. Softw., vol. 85, no. 3, pp , R. Canetti, O. Goldreich, and S. Halevi, The random oracle methodology, revisited, J. ACM, vol. 51, no. 4, pp , M. Bellare, A. Boldyreva, and A. Palacio, An uninstantiable randomoracle-model scheme for a hybrid-encryption problem, in Proc. Int. Conf. Theory Appl. Cryptogr. Techn. (EUROCRYPT), vol Interlaken, Switzerland, May 2004, pp Page 66

8 19. J. W. Byun, H. S. Rhee, H.-A. Park, and D. H. Lee, Offline keyword guessing attacks on recent keyword search schemes over encrypted data, in Proc. 3rd VLDB Workshop Secure Data Manage. (SDM), vol Seoul, Korea, Sep. 2006, pp W.-C. Yau, R. C.-W. Phan, S.-H. Heng, and B.-M. Goi, Keyword guessing attacks on secure searchable public key encryption schemes with a designated tester, Int. J. Comput. Math., vol. 90, no. 12, pp , Page 67