Data Access Control Schemes in Cloud Computing: A Review

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 04 Issue: 12 | Dec-2017 www.irjet.net p-ISSN: 2395-0072
© 2017, IRJET | Impact Factor value: 6.171 | ISO 9001:2008 Certified Journal | Page 703
DATA ACCESS CONTROL SCHEMES IN CLOUD COMPUTING: A REVIEW
Mr. Yogesh M. Gajmal1, Dr. K. P. Thooyamani2
1Research Scholar, Department of Computer Science and Engineering, Bharath Institute of Higher Education and
Research -Bharath University, Chennai, Tamilnadu India.
2Research Supervisor, Department of Computer Science and Engineering, Bharath Institute of Higher Education
and Research -Bharath University, Bharath University, Chennai, Tamilnadu India.
---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract - Cloud computing is a developing processing
worldview in which assets of the computing infrastructureare
given as administrations over the Internet. This worldview
delivers numerous new difficultiesforinformationsecurityand
access control when users outsource delicate data for sharing
on cloud servers, which are not inside an indistinguishable
confided in space from data owners. This has raised the
imperative security issue of how to control and prevent
unapproved access to data put away in the cloud. One surely
understood access control model is the Role based access
control (RBAC). A protected RBE-based cross breed cloud
storage engineering that enables an association to store data
safely in an open cloud. The user just needs to keep a solitary
key for decoding. Another entrance control display isattribute
based encryption (ABE).In this proxy re-encryption and lazy
re-encryption is utilized for user get to benefit privacy and
client mystery key responsibility. Another is User BasedAccess
Control (UBAC), in UBAC the access control list (ACL) is
connected to the information, which chose whoareauthorized
to get to the data.
Key Words: Cloud computing,AccessControl,Encryption,
Authentication.
1. INTRODUCTION
There has been a developing pattern in the current
circumstances to store data in the cloud with the emotional
increment in the measure of digital data, for example,
personal data to larger enterprises to bigger endeavors
needing to go down databases or store recorded data. Cloud
data storage can be especially appealing for users with
unpredictable storage demands, requiring an economical
storage level or a low-cost, long haul file. By outsourcing
user’s information to the cloud, specialist co-ops can
concentrate more on the plan of capacities to enhance user
experience of their serviceswithout agonizing overassetsto
store the developing measure of data. Cloud can likewise
give on request resources to capacity which can help
specialist co-ops to diminish their upkeep costs. Moreover,
cloud storage can give an adaptable and advantageous path
for users to get to their data from anyplace on anygadget[1].
In role based access control (RBAC) display, roles are
mapped to get to permissions and users are mapped to
proper roles. For example, users are allocated participation
to the roles based on their responsibilities and qualifications
in the organization. Authorizations are allotted to qualified
roles rather than singular users. Also, in RBAC, a role can
acquire consents from different roles; thusthere is a various
leveled structure of roles.
A protected RBAC based cloud storage frameworkwherethe
accesscontrol approachesare upheld by another role based
encryption (RBE). This RBE plot implements RBAC
arrangementson encoded data put awayinthecloudwithan
effective user repudiation utilizing a communicate
encryption system. In RBE conspire, the owner of the data
encodes the data such that exclusive the users with fitting
rolesasindicated by a RBAC strategy can decode and seethe
information. The role gives authorizations to users who
qualify the role and can likewise disavow the consents from
existing users of the role. The cloud provider(whostoresthe
data) won't have the capacity to see the substanceofthedata
if the provider isn't given the suitable role. RBE conspirecan
manage role pecking orders, whereby rolesacquireconsents
shape different roles. A user can join a role after the owner
has scrambled the data for that role. The user will have the
capacity to get to that data from that point on, and theowner
does not have to re-encode the data [6].
A standout amongst the most difficult issues in data sharing
frameworksis the authorization of access strategiesand the
help of arrangementsrefreshes. Cipher text policy attribute-
based encryption (CP-ABE) is turning into a promising
cryptographic answer for this issue. Itempowersdataowner
to characterize their own particular access arrangements
over user attributes and authorize the approaches on the
data to be dispersed [2]. attribute based encryption (ABE)is
a promising procedure for fine-grained get to control of
encoded data in a cloud storage, in any case, unscrambling
associated with the ABEs is normally excessively costly for
asset compelled front-end users, which extraordinarily
obstructs it’s down to earth ubiquity. Keeping in mind the
end goal to diminish the unscrambling overheadforauserto
recuperate the plaintext, Green et al. recommended to
outsource most of the unscrambling work without
uncovering really data or private keys. To guarantee the
outsider administration sincerely processes the outsourced
work, Lai et al. given a prerequisite of evidence to the
unscrambling of ABE, yet their plan multiplied the span of
the basic ABE cipher text and the computation costs[5].
In practical application scenarios every data file can be
related with an arrangement of qualities which are
Meaningful with regards to intrigue. The access structure of

every user would thus be able to be characterized as a novel
consistent articulation over these ascribes to mirror the
extent of data files that the user is permitted to get to. As the
consistent articulation can speak to any coveted data fileset,
fine-grained ness of data get to control is accomplished. To
implement these access structures, a public key segment for
each attribute. Data files are scrambled utilizing public key
segments comparing to their characteristics. User secret
keys are characterized to mirror their access structureswith
the goal that a user can decode a cipher text if and just if the
data record traits fulfill his access structure [7]. Such a plan
likewise achieves the productivity advantage, when
contrasted with past works, in that, 1) the multifaceted
nature of encryption is simply related the quantity of credits
related to the data file, and is autonomous to the quantity of
users in the system; and 2) data file creation/cancellation
and new user allow operations simply influence current
file/user without including system wide data file update or
re-keying. One to a great degree testing issue with this plan
is the execution of user disavowal, which wouldunavoidably
require re-encryption of data files available to the leaving
user, and may require update of secret keys for all the restof
the users. On the off chance that every one of these
assignments is performed by the dataownerhimself/herself,
it would present an overwhelmingcomputationoverheadon
him/her and may likewise require the data owner to be
constantly on the web. To determine this testing issue,
conspire empowers the information owner to assign
undertakings of data file re-encryption and user secret key
update to cloud serverswithout unveiling data substance or
user get to benefit data. Accomplish plan objectives by
misusing a novel cryptographic primitive, to be specific key
policy attribute-based encryption (KP-ABE) [8], and
remarkably consolidate it with the procedure of
intermediary re-encryption (PRE) [10] and lazy re-
encryption [9].
2. RELATED WORKS
An alternative approach for the administration of keys is
Hierarchical ID-based Encryption (HIBE) [7],[6].
Notwithstanding, in a HIBE conspire, the length of the
personality turns out to be longer with the development in
the profundity of chain of command.Moreover,thecharacter
of nodes must be a subset of its progenitor node with the
goal that its precursor node can infer this present nod
private key for decoding. Hence, this node can't be relegated
as a relative node of another node in the chain of command
tree unless the personality of the other part is additionally
the super arrangement of this current nodes identity.
Recently we have seen the advancement of plans
constructed straightforwardly on RBAC policies. We
presented a role based encryption plot (RBE) [8]. Be that as
it may, the user renouncement in this plan requires the
refresh of all the role related parameters [9]. Another plan
was the extent of the cipher text increments straightly with
the quantity of all the antecedent roles. Moreover, if a user
has a place with various roles, different keys should be
controlled by this user. In addition, the administrationofthe
user enrollment for every individual role requires the
utilization of the framework secret keys. The plan conquers
these constraints, and every role can utilize its own secret
keys to deal with the user participation without the need to
know the framework secret keys. Besides, the plan gives
productive user disavowal. Other than RBAC, there are
likewise different access control models, for example,
Attribute Based Access Control (ABAC). In ABAC, get to is
allowed in light of qualities of the user. System characterize
blend of traits as the access approaches, and users need to
demonstrate that they have these attributeinordertoobtain
access. In 2006, the attribute based encryption (ABE) plot
was proposed [5] and some other ABE plans have been
proposed a while later. In these plans, data is encoded to an
set of attributes, and userswho have the privatekeysrelated
with these characteristics can decode the data. These works
have given an option way to deal with secure the data put
away in a dispersed situation utilizing an alternate access
control instrument, [15] have demonstrated that an ABE
plan can be utilized to uphold RBAC arrangements. In any
case, in that approach, the extent of user key isn'tsteady,and
the denial of a user will bring about a key update of the
various users of a similar part. Likewise researched the
arrangements of utilizing ABE conspire in RBAC show.
However their answer just maps the credits to the role level
in RBAC, and they expected that the RBAC framework itself
would decide the user membership.
Different ways to deal with ensure data security in a cloud
environment incorporate utilizing direct encryption and
intermediary re-encryption. In these cryptographic plans,
data is permitted to be scrambled specifically to the users
with whom the owner wishes to share the data [16], [17].
This is comparable to the access control policies in
Discretionary Access Control (DAC) display. Consequently
they are normally utilized as a role of frameworks where
DAC demonstrate is embraced. Since the authorizations in
such systems are determined either in a level out structure
or in an access lattice.
In [18] Kallahalla et al proposed Plutus as a cryptographic
file framework to secure record storage on untrusted
servers. Plutus bunches an arrangement of files with
comparative sharing attributes as a file-group and partners
each file-group with a symmetric lockbox-key. Each file is
encoded utilizing a special record block key which is
additionally scrambled with the lockbox-keyofthefilegroup
to which the record has a place. On the off chance that the
owner needs to share a file-group, he just conveys the
relating lockbox-key to users. As the many-sided quality of
key management is corresponding to the aggregate number
of file-groups, Plutus isn't appropriate for the instance of
fine-grained get to control in which the quantity of
conceivable "file-groups" could be huge.

In [19] Goh et al proposed SiRiUS which is layered over
existing file systems, for example, NFS yet gives end-to-end
security. With the end goal of access control, SiRiUS joins
each file with a meta data file that contains the document's
access control list (ACL), every passage of which is the
encryption of the files file encryption key (FEK) utilizing the
general public key of an approved user. The expansion form
of SiRiUS utilizes NNL communicate encryption calculation
to scramble the FEK of each file as opposed to encoding it
with every individual users public key. As the many-sided
quality of the user renouncement arrangement in NNL is
corresponding to the quantity of disavowed users, SiRiUS
has a similar many-sided quality as far as each Meta data
files size and the encryption overhead, and in this way isn't
versatile.
In [20] Ateniese et al proposed a protected distributed
storage plan in view of intermediary re-encryption. In
particular, the data owner scrambles pieces of substance
with symmetric content keys. The content keys are
altogether encoded with an ace open key, which must be
decoded by the ace private key kept by the data owner. The
data owner utilizes his lord private key and user’s publickey
to produce intermediary re-encryption keys, with whichthe
semi-trusted server would then be able to change over the
figure content into that for a particular allowed user and
satisfy the undertaking of access control authorization. The
primary issue with this plan is that intrigue between a
pernicious server and any single malevolent user would
uncover decryption keys of all the encrypted data and trade
off data security of the framework totally. What'smore, user
get to benefit isn't shielded from the proxy server. User
secret key responsibility is neither bolstered.
Attribute have been ex-ploited to create a public key for
encrypting data and have been utilized as an access
approach to control users access. The get to arrangement
can be sorted as either key-strategy or ciphertextpolicy.The
key-arrangement is the access structureontheuser’sprivate
key, and the figure ext strategy isthe access structure on the
user's private key. Furthermore, the access structure can
likewise be arranged as either monotonic or non-monotonic
one. Utilizing ABE plans can have the points of interest: (1)
to diminish the correspondence overhead of the Internet,
and (2) to give a one-grained get to control [1].
3. PRELIMINARIES
3.1 Role Based Access Control (RBAC)
I. Role-Based Encryption Systems
RBE conspire has the accompanying four sorts of
elements. SA is a framework manager that has the expert to
create the keys for users and roles, and to characterize the
role chain of command. RM is a role manager who dealswith
the user participation of a role. Owners are the groups who
need to store their data safely in the cloud. Users are the
gatherings who need to get to and unscramble the put away
data in the cloud. Cloud is where data is put away and it
gives interfaces so the various substances can cooperate
with it.The following calculations for RBE plot [6]:
Setup (λ) takes as information the security parameter λ
and yields an ace secret key mk and a framework public key
pk. mk is kept secret by the SA while pk is made open to all
users of the framework.
Concentrate (mk, ID) is executed by the SA to create the
key related with the personality ID. On the off chance that ID
is the personality of a user; the produced key is comebackto
the user as the decryption key. On the off chance that ID is
the character of a part, the produced key is come back to the
RM as the secret key of the role, and a void user list RUL
which will list every one of the userswho are the individuals
from that role is likewise come back to the RM.
ManageRole (mk, IDR, PRR) is executed by the SA to deal
with a role with the personality IDR in the role progression.
PRR is the arrangement of roles which will be the
predecessor rolesof the role. This operation distributesaset
of public parameters pubR to cloud.
AddUser (pk, skR, RULR, IDU ) is executed by the role
manager RM of a role R to concede the role membership to
the user IDU , which bringsabout the role public parameters
pubR and role user list RULR, being refreshed in cloud.
RevokeUser (pk, skR, RULR, IDU ) is executed by a role
manager RM of a part R to repudiate the part participation
from a user IDU , which likewise bringsabout the role public
parameterspubR and part user list RULR, being refreshedin
cloud.
Encrypt (pk, pubR) is executed by the owner of a message
M. This calculation takes as info the framework public key
pk, the role open parameters pubR, and yields a tuple _C, K_,
where C will be a piece of the cipher text, and K ∈ K is the key
that will be utilized to scramble the message M. (Note the
cipher text comprises of C and the scrambled M).the
framework utilizes a protected encryption conspire Enc,
which takes K as the key space, to encode messages. The
cipher text of the message M will be as _C, EncK (M)_ which
must be unscrambled by the users who are the individuals
from the part R. At the point when this operation completes,
a cipher text is yield and transferred to cloud by the owner.
Decrypt (pk, pubR, dk, C) is executed by a user who is an
individual from the role R. This algorithm takes as data the
framework public key pk, the role public parameters pubR,
the user decryption key dk, the role C from the cipher text
downloaded from cloud, and yields the message encryption
key K ∈ K. The key K would then be able to be utilized to
decode the cipher text role EncK (M) and get the message M.

II. The Bilinear Pairings
Let G1, G2, GT be three cyclic group of prime request p,
and GT be a cyclic multiplicative group of prime request p.g
and h are two arbitrary generators where g ∈G1, h ∈ G2.
Utilize an unbalanced bilinear matching which takes
contributions from two unmistakableisomorphicgroupsG1,
G2, with the goal that a more extensive scope of bends is
permitted to be utilized as a role of our system. Expect that
an elliptic bend E is characterized over a field Fq, at that
point G1 is a subgroup of focuses on this elliptic bend
signified by E(Fq), and G2 is normally a subgroup of E(Fqk ),
where k is a parameter called the inserting degree in
matching based cryptography. The normal size of the
components in G2 is bigger than that of the components in
G1. In this way the calculation in G1 is quicker than in G2.
They will influence utilization of this trademark to enhance
the execution of RBE to conspire when worked from the
communicate encryption plot in [21].
3.2 Attribute Based Access Control (ABAC)
I. Key Policy Attribute-BasedEncryption(KP-ABE)
KP-ABE [8] is a public key cryptographyprimitiveforone-
to-numerous interchanges. In KP-ABE, data are related with
qualities for each of which a public key segment is
characterized. The encrypt or partners the arrangement of
credits to the message by encoding it with the comparing
public key components. Every user is allocated an access
structure which is normally characterized as an access tree
over data characteristics, i.e., inside nodes of the access tree
are edge entryways and leaf nodesare related withqualities.
user secret key is characterized to mirror the access
structure with the goal that the user can decode a ciphertext
if and just if the data qualities fulfill his access structure. A
KP-ABE conspires is made out of four algorithms which can
be characterized as takes after [7]:
Setup This algorithm takes as info a security parameter κ
and the trait universe U = {1, 2, . . .,N} of cardinality N. It
characterizes a bilinear group G1 of prime request p with a
generator g, a bilinear guide e : G1 × G1 → G2 which has the
properties of bilinearity, calculability, and non-
degeneracy.mn It restores people in public key PK and
additionally a framework ace key MK as follows
PK = (Y, T1, T2, . . . , TN)
MK = (y, t1, t2, . . . , tN)
Where Ti ∈ G1 and ti ∈ Zp are for attribute I, 1 ≤ I ≤ N, and
Y ∈ G2 is another public key component. We have Ti = gti
and Y = e(g, g)y, y ∈ Zp. While PK is openly known to every
one of the groups in the framework, MK is kept asa secretby
the expert party.
Encryption this algorithm takes a message M, people in
public key PK, and an arrangement of characteristics I as
data. It yields the cipher text E with the accompanying
arrangement:
E = (I, ˜ E, {Ei}i∈I )
Where ˜E = MYs, Ei = Ts I , and s is haphazardly looked
over Zp.
Key Generation This algorithm takesasdataanaccesstree
T, the ace key MK, and people in public key PK. It yields a
user secret key SK as takes after. To begin with, it
characterizes an arbitrary polynomial pi(x) for every node I
of T in the best down way beginning from the root node r.
For each non-root node j, pj(0) = pparent(j)(idx(j)) where
parent(j) speaksto j'sparent and idx(j) isj'sone of a kind list
given by its parent. For mthe root hub r, pr(0) = y. At that
point it yields SK as takes after.
SK = {ski}i∈L
Decoding This algorithm takes as information the cipher
text E scrambled under the trait set I, the userssecret keySK
for get to tree T, and general society key PK. It initially
processes e(Ei, ski) = e(g, g)pi(0)sfor leaf hubs. Atthatpoint,
it totals these blending brings about the base up way
utilizing the polynomial interjection system. At last, it might
recoup the blind factor Y s = e(g, g)ys and output the
message M if and only if I satisfies T .
II. Proxy Re-Encryption (PRE)
Proxy Re-Encryption (PRE) is a cryptographicprimitivein
which a semi-trusted intermediary can change over a cipher
text scrambled under Alice's public key into another cipher
text that can be opened by Bob's private key without seeing
the fundamental plaintext. All the more formally, a PRE plot
permits the intermediary, given the intermediary re-
encryption key rka↔b, to interpret cipher textsunderpublic
key pka into cipher texts under public key pkb and tight
clamp versa.
4. COMPARISON OF ACCESS CONTROL

5. CONCLUSION
The RBAC system can possibly be valuable in commercial
situations as it captures practical access policies based on
roles in an adaptable way and gives secure data storage in
the cloud upholding these access strategies and the ABAC
plan can empower the data owner to appoint a large portion
of computation overhead to capable cloud servers.
Confidentiality of user access to benefit and user secret key
responsibility can be accomplished. Formal security proofs
demonstrate that this plan is secure under standard
cryptographic models.
REFERENCES
[1] Cheng-Chi Leel, Pei-Shan Chung2, Min-Shiang Hwang,"A
Survey on Attribute-based Encryption Schemes of
Access Control in Cloud Environments Attribute-based
encryption", International Journal of Network Security,
vol. 15, no. 4, pp. 231-240, July 2013.
[2] Junbeom Hur, "Improving Security and Efficiency in
Attribute-Based Data Sharing", IEEE Transactions on
Knowledge And Data Engineering, vol. 25, no. 10,
October 2013.
[3] C. C. Lee, P. S. Chung, M. S. Hwang, "A survey on attribute-
based encryption schemes of access control in cloud
environments", International Journal of Network
Security, vol. 15, pp. 231-240, 2013.
[4] H. Deng et al., "Who is touching my cloud" in Computer
Security-ESORICS, Berlin, Germany:Springer, pp. 362-
379, 2014.
[5] S. Lin, R. Zhang, H. Ma, M. Wang, "Revisiting attribute-
based encryption with verifiable outsourced
decryption", IEEE Trans. Inf. Forensics Security, vol. 10,
no. 10, pp. 2119-2130, Oct. 2015.
[6] L. Zhou, V. Varadharajan, and M. Hitchens, “Achieving
secure rolebased access control on encrypted data in
cloud storage”, IEEE Transactions on Information
Forensics and Security, vol. 8, no. 12, 2013, pp. 1947-
1960.
[7] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving Secure
Scalable and Fine-Grained Data Access on Cloud
Computing”, Proceedingsof IEEE INFOCOM, 2010,pp.1-
9.
[8] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-
based encryption for fine-grained access control of
encrypted data,” in Proc. Of CCS’06, 2006.
[9] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, andK.
Fu,“Scalable secure file sharing on untrustedstorage,”in
Proc. of FAST’03, 2003.
[10]M. Blaze, G. Bleumer, and M. Strauss, “Divertible
protocols and atomic proxy cryptography,” in Proc. of
EUROCRYPT ’98, 1998.
[11]D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity
based encryption with constant size ciphertext,” in
EUROCRYPT (Lecture Notes in Computer Science), vol.
3494. New York, NY, USA: Springer- Verlag, May 2005,
pp. 440–456.
[12]C. Gentry and A. Silverberg, “Hierarchical ID-based
cryptoraphy,” in ASIACRYPT (Lecture Notes in
Computer Science), vol. 2501.New York, NY, USA:
Springer-Verlag, 2002, pp. 548–566.
[13]L. Zhou, V. Varadharajan, and M. Hitchens, “Enforcing
role-based access control for secure data storage in the
cloud,” Comput. J., vol. 54, no. 13, pp. 1675–1687, Oct.
2011.
[14]Y. Zhu, H. Hu, G.-J. Ahn, H. Wang, and S.-B. Wang,
“Provably secure role-based encryption withrevocation
mechanism,” J. Comput. Sci. Technol., vol. 26, no. 4, pp.
697–710, 2011.
[15] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure,
scalable, and fine-grained data access control in cloud
computing,” in Proc. IEEE INFOCOM, Mar. 2010, pp.
534–542.
[16]E.-J. Goh, H. Shacham, N. Modadugu, and D. Boneh,
“SiRiUS: Securing remote untrusted storage,” in Proc.
NDSS, 2003, pp. 1–15.
[17]G. Ateniese, K. Fu, M. Green, and S. Hohenberger,
“Improved proxy re-encryption schemes with
applications to secure distributed storage,” in Proc.
NDSS, Feb. 2005, pp. 29–43.
[18] M. Kallahalla, E. Riedel, R. Swaminathan,Q.Wang,andK.
Fu, “Scalable secure file sharing on untrusted storage,”
in Proc. of FAST’03, 2003.
[19]E. Goh, H. Shacham, N. Modadugu, and D. Boneh, “Sirius:
Securing remote untrusted storage,” inProc.ofNDSS’03,
2003
[20]G. Ateniese, K. Fu, M. Green, and S. Hohenberger,
“Improved proxy re-encryption schemes with
applications to secure distributed storage,” in Proc. of
NDSS’05, 2005.
[21]C. Delerablée, “Identity-basedbroadcastencryptionwith
constant size ciphertexts and private keys,” in
ASIACRYPT (Lecture Notes in Computer Science), vol.
4833. New York, NY, USA: Springer-Verlag, 2007, pp.
200–215.
[22]M. Blaze, G. Bleumer, and M. Strauss, “Divertible
protocols and atomic proxy cryptography,” in Proc. of
EUROCRYPT ’98, 1998.

Data Access Control Schemes in Cloud Computing: A Review

More Related Content

What's hot (16)

Similar to Data Access Control Schemes in Cloud Computing: A Review (20)

More from IRJET Journal (20)

Recently uploaded (20)

Data Access Control Schemes in Cloud Computing: A Review