Tuesday 24 January 2017

SecRBAC: Secure data in the Clouds

ABSTRACT:
Most current security solutions are based on perimeter security. However, Cloud computing breaks the organization perimeters. When data resides in the Cloud, they reside outside the organizational bounds. This leads users to a loss of control over their data and raises reasonable security concerns that slow down the adoption of Cloud computing. Is the Cloud service provider accessing the data? Is it legitimately applying the access control policy defined by the user? This paper presents a data-centric access control solution with enriched role-based expressiveness in which security is focused on protecting user data regardless of the Cloud service provider that holds it. Novel identity-based and proxy re-encryption techniques are used to protect the authorization model. Data is encrypted and authorization rules are cryptographically protected to preserve user data against the service provider access or misbehavior. The authorization model provides high expressiveness with role hierarchy and resource hierarchy support. The solution takes advantage of the logic formalism provided by Semantic Web technologies, which enables advanced rule management like semantic conflict detection. A proof of concept implementation has been developed and a working prototypical deployment of the proposal has been integrated within Google services.
EXISTING SYSTEM:
  • Several data-centric approaches, mostly based on Attribute-based Encryption (ABE), have arisen for data protection in the Cloud. In ABE, the encrypted ciphertext is labeled with a set of attributes by the data owner. Users also have a set of attributes defined in their private keys. They would be able to access data (i.e. decrypt it) or not depending on the match between ciphertext and key attributes.
  • The set of attributes needed by a user to decrypt the data is defined by an access structure, which is specified as a tree with AND and OR nodes.
  • There are two main approaches for ABE depending on where the access structure resides: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE).
  • In KP-ABE the access structure or policy is defined within the private keys of users. This allows data labeled with attributes to be encrypted, and access to such data to be controlled by delivering the appropriate keys to users. However, in this case the policy is really defined by the key issuer instead of the encryptor of data, i.e. the data owner. So, the data owner should trust the key issuer to properly generate an adequate access policy.
  • To solve this issue, CP-ABE proposes to include the access structure within the ciphertext, which is under control of the data owner. Then, the key issuer just asserts the attributes of users by including them in private keys. However, in both KP-ABE and CP-ABE, the expressiveness of the access control policy is limited to combinations of AND-ed and OR-ed attributes.
DISADVANTAGES OF EXISTING SYSTEM:
  • Encrypting data avoids undesired accesses. However, it entails new issues related to access control management.
  • To the best of our knowledge, there is no data-centric approach providing an RBAC model for access control in which data is encrypted and self-protected.
  • Existing Hierarchical approach implies that attributes should be managed by the same root domain authority.
  • User privileges are completely independent of their private key. Finally, no user-centric approach for authorization rules is provided by current ABE solutions.
PROPOSED SYSTEM:
  • This paper presents SecRBAC, a data-centric access control solution for self-protected data that can run in untrusted CSPs and provides extended Role-Based Access Control expressiveness.
  • The proposed authorization solution provides a rule-based approach following the RBAC scheme, where roles are used to ease the management of access to the resources.
  • The main contributions of the proposed solution are:
  • Data-centric solution with data protection for the Cloud Service Provider to be unable to access it.
  • Rule-based approach for authorization where rules are under control of the data owner.
  • High expressiveness for authorization rules applying the RBAC scheme with role hierarchy and resource hierarchy (Hierarchical RBAC or hRBAC).
  • Access control computation delegated to the CSP, but being unable to grant access to unauthorized parties.
  • Secure key distribution mechanism and PKI compatibility for using standard X.509 certificates and keys.
ADVANTAGES OF PROPOSED SYSTEM:
  • The proposal in this paper supposes a first solution for a data-centric RBAC approach, offering an alternative to the ABAC model.
  • This approach can help to control and manage security and to deal with the complexity of managing access control in Cloud computing.
  • Role and resource hierarchies are supported by the authorization model, providing more expressiveness to the rules by enabling the definition of simple but powerful rules that apply to several users and resources thanks to privilege propagation through roles and hierarchies.
  • Policy rule specifications are based on Semantic Web technologies that enable enriched rule definitions and advanced policy management features like conflict detection.
SYSTEM ARCHITECTURE:
MODULES:
  • File Upload
  • File Download
  • File Update
  • New Group User Inclusion
  • Departing Group User
MODULE DESCRIPTIONS:
File Upload:
Whenever a need to share data among the group arises, the owner of the file sends the encryption request to the CS. The request is accompanied by the file (F) and a list (L) of users that are to be granted access to the file. L also contains the access rights for each of the users. The users may have READ-only and/or READ–WRITE access to the file. Other parameters can be also set to enforce fine-grained access control over the data. L is used to generate the ACL for the data by the CS. L is sent to the CS only if the data are to be shared with a new proposed group. If the group already exists, the encryption request will not contain L; rather, the group ID of the existing group will be sent. The CS, after receiving the encryption request for the file, generates the ACL from the list and creates a group of the users. The ACL is separately maintained for each file. The ACL contains information regarding the file such as its unique ID, size, owner ID, the list of the user IDs with whom the file is being shared, and other metadata. If the group already existed, only the ACL for the file is created. Next, the CS generates K according to the procedure defined in Section III-B and encrypts the file with an appropriate symmetric block cipher (we have used the AES for encryption purposes). The result is an encrypted file (C). Subsequently, the CS generates Ki and K_ i for every user and deletes K by secure overwriting. Secure overwriting is a concept in which the bits in the memory are constantly flipped to make sure that a memory cell never grips a charge for enough duration for it to be remembered and recovered. The Ki for each user is inserted into the ACL for later use. To protect the integrity of the file, the CS also computes the hash-based message authentication code (HMAC) signature on every encrypted file. A similar procedure for the HMAC key is adopted. However, the HMAC key is kept by the CS only. 
The encrypted data, the group ID (in the case of a newly generated group), and the K_ i for the owner are sent to the requesting data owner. The group ID and the K_ i for the rest of the group users are directly sent to them over a secure communication channel. The public keys of the group users can be also used to transmit the user portion of the key. We have used the public keys of the users to transmit the key portions. The user, after receiving C, uploads it to the cloud. K is deleted via secure overwriting from the CS after the encryption process. It is noteworthy that the key generation process is executed once when the group is initiated and the first file is submitted for encryption. Moreover, a newly joining member also activates the key generation but only for the new member.
File Download:
The authorized user sends a download request to the CS or downloads the encrypted file (C) from the cloud and sends the decryption request to the CS. The cloud verifies the authorization of the user through a locally maintained ACL. The decryption request is accompanied by the user portion of the key, i.e., K_ i, along with other authentication credentials. The CS computes K by applying XOR operation over K_ i and the corresponding Ki from the ACL. As each of the users correspond to a different pair of Ki and K_ i, none of the users can use other users’ K_ i to masquerade identity. Subsequently, the CS proceeds with the decryption process after verifying the integrity of the file. If the correct K_ i is received by the CS, the result will be a successful decryption process; otherwise, the decryption will fail. After successful decryption, the file is sent to the requesting user through a secure communication channel that could be Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec) channels. K is deleted via secure overwriting from the CS after decryption. The users are authenticated before the request processing according to standard procedures. Similar to the file upload process, the downloading of the file can be also done by the CS on behalf of the user. In the aforesaid case, the decryption request is sent to the CS. The CS, after authenticating the user, sends the download request to the cloud for the specified file. The cloud sends the encrypted file (C) to the CS. The rest of the process for the decryption is the same.
File Update:
Updating the file has a similar procedure to that of uploading the file. The difference is that, while updating, all of the activities related to the creation of the ACL and key generation are not carried out. The user, who has downloaded the file and made any changes, sends an update request to the CS. The request contains the group ID, the file ID, and K_i, along with the file to be encrypted after changes. The CS verifies that the user has the WRITE access to the file from the corresponding ACL. In the case of a valid update request, the CS computes K by XORing Ki and K_ i, encrypts the file, and performs the HMAC calculations. The encrypted file is sent to the user or uploaded to the cloud. K is deleted afterward.
New Group User Inclusion:
If a new user joins the group, the addition of the user is made on the request of the file owner. The request contains the user ID of the joining user, along with the access control parameters to be included in the ACL, and the group ID. The parameters include the IDs of the files for which the user has been granted access rights. It also includes the details indicating the READ and/or WRITE rights granted to the user. Alternatively, the date can be mentioned from which the access rights are valid for the user. This ensures the backward access control for the joining member. The CS, after receiving the joining request, updates the ACLs related to the files for which the access is granted. The key shares are generated, and the user shares are sent to the user along with the corresponding file IDs.
Departing Group User:
The CS is notified about a departing member by the group owner. The CS removes all of the records for the departing user from the ACLs of the related files. As the whole key is not possessed by the group members, the departing member (even being malicious) will be unable to decrypt any of the group data files. Even the presence of encrypted files with a malicious departing member will not affect the privacy of the data. The malicious member will be unable to construct the whole key for decryption. Therefore, the forward access control is also ensured by the SeDaSC methodology. The next section discusses how different security services are achieved by the SeDaSC methodology.
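The five module descriptions above, from File Upload through Departing Group User, form one key-share lifecycle. The following Python sketch is an added example, not code from the project or the paper: it models the CS with the page's notation (Ki is the CS-side share kept in the ACL, K_ i is the user-side share, and K is their XOR). Assumptions: K is a random 256-bit value (the page defers key generation to "Section III-B"), an HMAC-SHA256 counter keystream stands in for AES so that only the standard library is needed, the HMAC tag is stored in the ACL entry, and the owner presents their own share when adding a user. Secure overwriting of K is not modelled.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumption: K is a random 256-bit key


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES (stdlib only): XOR with an HMAC-SHA256 counter
    keystream, so the same call encrypts and decrypts."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1)
    )
    return xor(data, stream)  # zip() truncates the keystream to len(data)


class CryptographicServer:
    """Models the CS: the ACL keeps each user's share Ki; K is never stored."""

    def __init__(self):
        self.acl = {}  # file_id -> {"users", "mac_key", "nonce", "tag"}

    def _seal(self, entry, k, plaintext):
        # Fresh nonce per encryption, because K is reused when a file is updated.
        entry["nonce"] = secrets.token_bytes(16)
        c = stand_in_cipher(k, entry["nonce"], plaintext)
        entry["tag"] = hmac.new(entry["mac_key"], c, hashlib.sha256).digest()
        return c

    def _issue_share(self, entry, k, uid, rights):
        ki = secrets.token_bytes(KEY_LEN)  # CS-side share, stored in the ACL
        entry["users"][uid] = {"ki": ki, "rights": set(rights)}
        return xor(k, ki)                  # user-side share, sent to the user

    def _recover_key(self, file_id, uid, user_share, right):
        entry = self.acl[file_id]
        user = entry["users"].get(uid)
        if user is None or right not in user["rights"]:
            raise PermissionError(f"{uid} has no {right} access to {file_id}")
        return entry, xor(user["ki"], user_share)

    def upload(self, file_id, plaintext, access_list):
        """access_list maps user ID -> rights, e.g. {"READ"} or {"READ", "WRITE"}."""
        k = secrets.token_bytes(KEY_LEN)
        entry = {"users": {}, "mac_key": secrets.token_bytes(32)}  # HMAC key stays on the CS
        shares = {u: self._issue_share(entry, k, u, r) for u, r in access_list.items()}
        self.acl[file_id] = entry
        return self._seal(entry, k, plaintext), shares  # K goes out of scope here

    def download(self, file_id, uid, user_share, c):
        entry, k = self._recover_key(file_id, uid, user_share, "READ")
        expected = hmac.new(entry["mac_key"], c, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, entry["tag"]):
            raise ValueError("HMAC mismatch: encrypted file was modified")
        return stand_in_cipher(k, entry["nonce"], c)

    def update(self, file_id, uid, user_share, new_plaintext):
        entry, k = self._recover_key(file_id, uid, user_share, "WRITE")
        return self._seal(entry, k, new_plaintext)

    def add_user(self, file_id, owner_id, owner_share, new_uid, rights):
        # Assumption: the owner's request carries the owner's share (and the
        # owner holds WRITE) so that the CS can rebuild K for the new share.
        entry, k = self._recover_key(file_id, owner_id, owner_share, "WRITE")
        return self._issue_share(entry, k, new_uid, rights)

    def remove_user(self, file_id, uid):
        # Dropping Ki from the ACL makes the departed user's share useless.
        del self.acl[file_id]["users"][uid]


if __name__ == "__main__":
    cs = CryptographicServer()
    data = b"constructed sample file"  # constructed input
    c, shares = cs.upload("f1", data, {"owner": {"READ", "WRITE"}, "bob": {"READ"}})
    print(cs.download("f1", "bob", shares["bob"], c))
    cs.remove_user("f1", "bob")
    try:
        cs.download("f1", "bob", shares["bob"], c)
    except PermissionError as err:
        print("after departure:", err)
```

A wrong user share does not raise an error in this model: it XORs to a different K and the output is unreadable, which is the decryption failure the File Download module describes.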
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System                           :         Pentium Dual Core.
  • Hard Disk                      :         120 GB.
  • Monitor                         :         15’’ LED
  • Input Devices                 :         Keyboard, Mouse
  • Ram                               :         1GB.
SOFTWARE REQUIREMENTS:
  • Operating system                    :         Windows 7.
  • Coding Language           :         JAVA/J2EE
  • Tool                               :         Netbeans 7.2.1
  • Database                        :         MYSQL
REFERENCE:
Juan M. Marín Pérez, Gregorio Martínez Pérez, Antonio F. Skarmeta Gómez, “SecRBAC: Secure data in the Clouds”, IEEE Transactions on Services Computing, 2016.

Flexible and Fine-Grained Attribute-Based Data Storage in Cloud Computing

ABSTRACT:
With the development of cloud computing, outsourcing data to cloud servers has attracted a lot of attention. To guarantee security and achieve flexible fine-grained file access control, attribute based encryption (ABE) was proposed and used in cloud storage systems. However, user revocation is the primary issue in ABE schemes. In this article, we provide a ciphertext-policy attribute based encryption (CP-ABE) scheme with efficient user revocation for cloud storage systems. The issue of user revocation can be solved efficiently by introducing the concept of user group. When any user leaves, the group manager will update users’ private keys except for those who have been revoked. Additionally, the CP-ABE scheme has heavy computation cost, as it grows linearly with the complexity of the access structure. To reduce the computation cost, we outsource high computation load to cloud service providers without leaking file content and secret keys. Notably, our scheme can withstand collusion attacks performed by revoked users cooperating with existing users. We prove the security of our scheme under the divisible computation Diffie-Hellman (DCDH) assumption. The result of our experiment shows that the computation cost for local devices is relatively low and can be constant. Our scheme is suitable for resource constrained devices.
EXISTING SYSTEM:
  • Boldyreva et al. presented an IBE scheme with efficient revocation, which is also suitable for KP-ABE. Nevertheless, it is not clear whether their scheme is suitable for CP-ABE.
  • Yu et al. provided an attribute based data sharing scheme with attribute revocation ability. This scheme was proved to be secure against chosen plaintext attacks (CPA) based on DBDH assumption. However, the length of cipher text and user’s private key are proportional to the number of attributes in the attribute universe.
  • Yu et al. designed a KP-ABE scheme with fine-grained data access control. This scheme requires that the root node in the access tree is an AND gate and one child is a leaf node which is associated with the dummy attribute.
  • In the existing scheme, when a user leaves a user group, the group manager only revokes his group secret key, which implies that the user’s private key associated with attributes is still valid. If someone in the group intentionally exposes the group secret key to the revoked user, he can perform decryption operations through his private key. To clarify this attack, a concrete instance is given. Assume that the data is encrypted under the policy “professor AND cryptography” and the group public key. Suppose that there are two users, user1 and user2, whose private keys are associated with the attribute sets {male, professor, cryptography} and {male, student, cryptography} respectively. If both of them are in the group and hold the group secret key, then user1 can decrypt the data but user2 can’t. When user1 is revoked from the group, he can’t decrypt alone because he does not have the updated group secret key. However, the attributes of user1 are not revoked and user2 has the updated group secret key. So, user1 can collude with user2 to perform the decryption operation. Furthermore, security model and proof were not provided in their scheme.
DISADVANTAGES OF EXISTING SYSTEM:
  • It is expensive in communication and computation cost for users.
  • Unfortunately, ABE scheme requires high computation overhead during performing encryption and decryption operations. This defect becomes more severe for lightweight devices due to their constrained computing resources.
  • There is a major limitation to single-authority ABE as in IBE. Namely, each user authenticates him to the authority, proves that he has a certain attribute set, and then receives secret key associated with each of those attributes. Thus, the authority must be trusted to monitor all the attributes. It is unreasonable in practice and cumbersome for authority.
PROPOSED SYSTEM:
  • In this system, we focus on designing a CP-ABE scheme with efficient user revocation for cloud storage system.
  • We aim to model collusion attack performed by revoked users cooperating with existing users.
  • Furthermore, we construct an efficient user revocation CP-ABE scheme through improving the existing scheme and prove our scheme is CPA secure under the selective model.
  • To solve existing security issue, we embed a certificate into each user’s private key. In this way, each user’s group secret key is different from others and bound together with his private key associated with attributes.
  • To reduce users’ computation burdens, we introduce two cloud service providers named encryption-cloud service provider (E-CSP) and decryption-cloud service provider (D-CSP).
  • The duty of E-CSP is to perform outsourced encryption operation and D-CSP is to perform outsourced decryption operation.
  • In the encryption phase, the operation associated with the dummy attribute is performed locally while the operation associated with the sub-tree is outsourced to E-CSP. T
ADVANTAGES OF PROPOSED SYSTEM:
  • Reduce the heavy computation burden on users.
  • We outsource most of computation load to E-CSP and D-CSP and leave very small computation cost to local devices.
  • Our scheme is efficient for resource constrained devices such as mobile phones.
  • Our scheme can be used in cloud storage system that requires the abilities of user revocation and fine-grained access control.

SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System                           :         Pentium Dual Core.
  • Hard Disk                      :         120 GB.
  • Monitor                         :         15’’ LED
  • Input Devices                 :         Keyboard, Mouse
  • Ram                               :         1GB.
SOFTWARE REQUIREMENTS: 
  • Operating system                    :         Windows 7.
  • Coding Language           :         JAVA/J2EE
  • Tool                               :         Netbeans 7.2.1
  • Database                        :         MYSQL
REFERENCE:
Jiguo Li, Wei Yao, Yichen Zhang, Huiling Qian and Jinguang Han, Member, IEEE, “Flexible and Fine-Grained Attribute-Based Data Storage in Cloud Computing”, IEEE Transactions on Services Computing, 2016.

DeyPoS: Deduplicatable Dynamic Proof of Storage for Multi-User Environments

ABSTRACT:
Dynamic Proof of Storage (PoS) is a useful cryptographic primitive that enables a user to check the integrity of outsourced files and to efficiently update the files in a cloud server. Although researchers have proposed many dynamic PoS schemes in single user environments, the problem in multi-user environments has not been investigated sufficiently. A practical multi-user cloud storage system needs the secure client-side cross-user deduplication technique, which allows a user to skip the uploading process and obtain the ownership of the files immediately, when other owners of the same files have uploaded them to the cloud server. To the best of our knowledge, none of the existing dynamic PoSs can support this technique. In this paper, we introduce the concept of deduplicatable dynamic proof of storage and propose an efficient construction called DeyPoS, to achieve dynamic PoS and secure cross-user deduplication, simultaneously. Considering the challenges of structure diversity and private tag generation, we exploit a novel tool called Homomorphic Authenticated Tree (HAT). We prove the security of our construction, and the theoretical analysis and experimental results show that our construction is efficient in practice.
EXISTING SYSTEM:
  • In most of the existing dynamic PoSs, a tag used for integrity verification is generated by the secret key of the uploader. Thus, other owners who have the ownership of the file but have not uploaded it due to the cross-user deduplication on the client-side, cannot generate a new tag when they update the file. In this situation, the dynamic PoSs would fail.
  • Halevi et al. introduced the concept of proof of ownership which is a solution of cross-user deduplication on the client-side. It requires that the user can generate the Merkle tree without the help from the cloud server, which is a big challenge in dynamic PoS.
  • Pietro and Sorniotti proposed another proof of ownership scheme which improves the efficiency.
  • Xu et al. proposed a client-side deduplication scheme for encrypted data, but the scheme employs a deterministic proof algorithm, which means that every file has a deterministic short proof. Thus, anyone who obtains this proof can pass the verification without possessing the file locally.
DISADVANTAGES OF EXISTING SYSTEM:
  • Existing dynamic PoSs cannot be extended to the multi-user environment.
  • All existing techniques for cross-user deduplication on the client-side were designed for static files. Once the files are updated, the cloud server has to regenerate the complete authenticated structures for these files, which causes heavy computation cost on the server-side.
  • Due to the problem of structure diversity and private tag generation, existing system cannot be extended to dynamic PoS.
  • Unfortunately, these schemes cannot support deduplication due to structure diversity and private tag generation.
PROPOSED SYSTEM:
  • To the best of our knowledge, this is the first work to introduce a primitive called deduplicatable dynamic Proof of Storage (deduplicatable dynamic PoS), which solves the structure diversity and private tag generation challenges.
  • In contrast to the existing authenticated structures, such as skip list and Merkle tree, we design a novel authenticated structure called Homomorphic Authenticated Tree (HAT), to reduce the communication cost in both the proof of storage phase and the deduplication phase with similar computation cost.
  • Note that HAT can support integrity verification, dynamic operations, and cross-user deduplication with good consistency.
  • We propose and implement the first efficient construction of deduplicatable dynamic PoS called DeyPoS, which supports an unlimited number of verification and update operations. The security of this construction is proved in the random oracle model, and the performance is analyzed theoretically and experimentally.
ADVANTAGES OF PROPOSED SYSTEM:
  • It is an efficient authenticated structure.
  • It is the first practical deduplicatable dynamic PoS scheme called DeyPoS and proved its security in the random oracle model.
  • The theoretical and experimental results show that our DeyPoS implementation is efficient, and that it performs better especially when the file size and the number of the challenged blocks are large.
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System                           :         Pentium Dual Core.
  • Hard Disk                      :         120 GB.
  • Monitor                         :         15’’ LED
  • Input Devices                 :         Keyboard, Mouse
  • Ram                               :         1GB.
SOFTWARE REQUIREMENTS: 
  • Operating system                    :         Windows 7.
  • Coding Language           :         JAVA/J2EE
  • Tool                               :         Netbeans 7.2.1
  • Database                        :         MYSQL
REFERENCE:
Kun He, Jing Chen, Ruiying Du, Qianhong Wu, Guoliang Xue, and Xiang Zhang, “DeyPoS: Deduplicatable Dynamic Proof of Storage for Multi-User Environments”, IEEE Transactions on Computers, 2016.

A Modified Hierarchical Attribute-Based Encryption Access Control Method for Mobile Cloud Computing

ABSTRACT:
Cloud computing is an Internet-based computing pattern through which shared resources are provided to devices on demand. Integrating mobile devices into cloud computing is an emerging but promising paradigm, and the integration takes place in a cloud-based hierarchical multi-user data-shared environment. With this integration, security issues such as data confidentiality and user authority may arise in the mobile cloud computing system, and they are regarded as the main constraints on the development of mobile cloud computing. In order to provide safe and secure operation, a hierarchical access control method using modified hierarchical attribute-based encryption (M-HABE) and a modified three-layer structure is proposed in this paper. In a specific mobile cloud computing model, enormous data which may come from all kinds of mobile devices, such as smart phones, functioned phones and PDAs, can be controlled and monitored by the system, and the data can be sensitive to unauthorized third parties and constrained to legal users as well. The novel scheme mainly focuses on data processing, storing and accessing, and is designed to ensure that users with legal authorities get the corresponding classified data and to restrict illegal users and unauthorized legal users from getting access to the data, which makes it extremely suitable for the mobile cloud computing paradigms.
EXISTING SYSTEM:
  • Senders encrypt message with certain attributes of the authorized receivers. The ABE based access control method uses several tags to mark the attributes that a specific authorized user needs to possess. The users with certain tag sets can get access to the specific encrypted data and decrypt it.
  • Many papers have introduced schemes for attribute based encryption access control in cloud computing. In the mobile cloud computing environment, there is a tremendous amount of data which needs to be processed and marked with attributes for convenient attribute-based access before storing. At the same time, the hierarchical structure of the application users needs an authentication center entity to control their attributes.
DISADVANTAGES OF EXISTING SYSTEM:
  • Does not guarantee Availability
  • Issues of Confidentiality. Consumers’ data were not kept secret in cloud systems
  • Data Integrity Issue
  • No Multiple Controls
PROPOSED SYSTEM:
  • In the proposed scenario, users with different privilege levels have different rights to access the part of sensing data coming from the mobile devices. Therefore, one same data has to be encrypted into ciphertext once, which ought to be able to be decrypted multiple times by different authorized users.
  • In this paper, a hierarchical access control method using a modified hierarchical attribute-based encryption (M-HABE) and a modified three-layer structure is proposed.
  • Differing from the existing paradigms such as the HABE algorithm and the original three-layer structure, the novel scheme mainly focuses on data processing, storing and accessing, and is designed to ensure that application users with legal access authorities get the corresponding sensing data and to restrict illegal users and unauthorized legal users from getting access to the data. This makes the proposed paradigm extremely suitable for mobile cloud computing.
  • What should be emphasized is that the most important highlight of all in the proposed paper can be described as that the modified three-layer structure is designed for solving the security issues illustrated above.
ADVANTAGES OF PROPOSED SYSTEM:
  • One ciphertext can be decrypted by several keys.
  • Both precise level description and user attribute should be supported in the access structure of the method.
  • The keys in the authentication center ought to have the same hierarchical structure just as the structure of users privilege levels.
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System                           :         Pentium Dual Core.
  • Hard Disk                      :         120 GB.
  • Monitor                         :         15’’ LED
  • Input Devices                 :         Keyboard, Mouse
  • Ram                               :         1GB.
SOFTWARE REQUIREMENTS: 
  • Operating system                    :         Windows 7.
  • Coding Language           :         JAVA/J2EE
  • Tool                               :         Netbeans 7.2.1
  • Database                        :         MYSQL
REFERENCE:
Yuanpeng Xie, Hong Wen, Bin Wu, Yixin Jiang and Jiaxiao Meng, “A Modified Hierarchical Attribute-Based Encryption Access Control Method for Mobile Cloud Computing”, IEEE Transactions on Cloud Computing, 2016.

TMACS: A Robust and Verifiable Threshold Multi-Authority Access Control System in Public Cloud Storage

ABSTRACT:
Attribute-based Encryption (ABE) is regarded as a promising cryptographic conducting tool to guarantee data owners’ direct control over their data in public cloud storage. The earlier ABE schemes involve only one authority to maintain the whole attribute set, which can bring a single-point bottleneck on both security and performance. Subsequently, some multi-authority schemes are proposed, in which multiple authorities separately maintain disjoint attribute subsets. However, the single-point bottleneck problem remains unsolved. In this paper, from another perspective, we conduct a threshold multi-authority CP-ABE access control scheme for public cloud storage, named TMACS, in which multiple authorities jointly manage a uniform attribute set. In TMACS, taking advantage of (t, n) threshold secret sharing, the master key can be shared among multiple authorities, and a legal user can generate his/her secret key by interacting with any t authorities. Security and performance analysis results show that TMACS is not only verifiably secure when less than t authorities are compromised, but also robust when no less than t authorities are alive in the system. Furthermore, by efficiently combining the traditional multi-authority scheme with TMACS, we construct a hybrid one, which satisfies the scenario of attributes coming from different authorities as well as achieving security and system-level robustness.
EXISTING SYSTEM:
  • Attribute-based Encryption (ABE) is regarded as one of the most suitable schemes to conduct data access control in public clouds for it can guarantee data owners’ direct control over their data and provide a fine-grained access control service. Till now, there are many ABE schemes proposed, which can be divided into two categories: Key-Policy Attribute-based Encryption (KP-ABE) and Ciphertext-Policy Attribute-based Encryption (CP-ABE).

  • In KP-ABE schemes, decrypt keys are associated with access structures while ciphertexts are only labeled with special attribute sets. On the contrary, in CP-ABE schemes, data owners can define an access policy for each file based on users’ attributes, which can guarantee owners’ more direct control over their data. Therefore, compared with KP-ABE, CP-ABE is a preferred choice for designing access control for public cloud storage.
DISADVANTAGES OF EXISTING SYSTEM:
  • In most existing CP-ABE schemes there is only one authority responsible for attribute management and key distribution. This only-one-authority scenario can bring a single-point bottleneck on both security and performance.
  • Once the authority is compromised, an adversary can easily obtain the only-one-authority’s master key, then he/she can generate private keys of any attribute subset to decrypt the specific encrypted data.
  • Moreover, once the single authority crashes, the whole system stops working properly.
  • Although some multi-authority CP-ABE schemes have been proposed, they still cannot deal with the problem of single-point bottleneck on both security and performance mentioned above.
  • The adversary can obtain private keys of specific attributes by compromising one or more specific authorities.
  • If a specific authority crashes or goes offline, the private keys of all attributes in the attribute subset maintained by this authority cannot be generated and distributed, which still affects the whole system’s effective operation.
PROPOSED SYSTEM:
  • In this paper, we propose a robust and verifiable threshold multi-authority CP-ABE access control scheme, named TMACS, to deal with the single-point bottleneck on both security and performance in most existing schemes.
  • In TMACS, multiple authorities jointly manage the whole attribute set but no one has full control of any specific attribute. Since in CP-ABE schemes, there is always a secret key (SK) used to generate attribute private keys, we introduce (t, n) threshold secret sharing into our scheme to share the secret key among authorities.
  • In TMACS, we redefine the secret key in the traditional CP-ABE schemes as master key. The introduction of (t, n) threshold secret sharing guarantees that the master key cannot be obtained by any authority alone.
ADVANTAGES OF PROPOSED SYSTEM:
  • TMACS is not only verifiably secure when less than t authorities are compromised, but also robust when no less than t authorities are alive in the system.
  • To the best of our knowledge, this paper is the first try to address the single-point bottleneck on both security and performance in CP-ABE access control schemes in public cloud storage.
  • Existing access control systems for public cloud storage suffer from a single-point bottleneck on both security and performance, because a single authority is responsible for any specific attribute.
  • To the best of our knowledge, we are the first to design a multi-authority access control architecture to deal with the problem.
  • By combining (t, n) threshold secret sharing with a multi-authority CP-ABE scheme, we propose and realize a robust and verifiable multi-authority access control system in public cloud storage, in which multiple authorities jointly manage a uniform attribute set.
  • Furthermore, by efficiently combining the traditional multi-authority scheme with ours, we construct a hybrid one, which can satisfy the scenario of attributes coming from different authorities as well as achieving security and system-level robustness.
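The (t, n) threshold property that TMACS relies on can be seen with plain Shamir-style sharing. The sketch below is an added illustration, not code from the paper or this page: the prime field, the function names and the dealer-free sharing procedure (every authority contributes a sub-secret) are assumptions of the example, and it shares an integer rather than a pairing-based CP-ABE key.

```python
import secrets

# Field modulus for the shares: the Mersenne prime 2**127 - 1 (an assumption of this example).
P = 2**127 - 1


def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def joint_share(n, t):
    """Dealer-free (t, n) sharing among authorities 1..n.

    Every authority picks a random polynomial of degree t-1 whose constant
    term is its private sub-secret and sends f_i(j) to authority j.
    Authority j's share is the sum of what it received. The master key is
    the sum of all sub-secrets, so no single authority ever holds it.
    The master value is returned only so the demo can check the result.
    """
    polys = [[secrets.randbelow(P) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(poly_eval(f, j) for f in polys) % P
              for j in range(1, n + 1)}
    master = sum(f[0] for f in polys) % P
    return shares, master


def reconstruct(points):
    """Lagrange interpolation at x = 0 over {authority_index: share}."""
    secret = 0
    for j, y in points.items():
        num, den = 1, 1
        for m in points:
            if m != j:
                num = num * (-m) % P
                den = den * (j - m) % P
        secret = (secret + y * num * pow(den, -1, P)) % P
    return secret


def demo(n=5, t=3):
    """Any t authorities suffice; t-1 colluding authorities learn nothing useful."""
    shares, master = joint_share(n, t)
    quorum_a = {j: shares[j] for j in (2, 4, 5)}   # authorities 1 and 3 offline
    quorum_b = {j: shares[j] for j in (1, 2, 3)}   # a different set of t
    too_few = {j: shares[j] for j in (1, 2)}       # only t-1 compromised
    return {
        "quorum_a": reconstruct(quorum_a) == master,
        "quorum_b": reconstruct(quorum_b) == master,
        "below_threshold": reconstruct(too_few) == master,
    }


if __name__ == "__main__":
    print(demo())
```

With n = 5 and t = 3, two authorities can be offline without blocking key generation, and two compromised authorities cannot recover the master value.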
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System: Pentium Dual Core
  • Hard Disk: 120 GB
  • Monitor: 15" LED
  • Input Devices: Keyboard, Mouse
  • RAM: 1 GB
SOFTWARE REQUIREMENTS:
  • Operating System: Windows 7
  • Coding Language: JAVA/J2EE
  • Tool: NetBeans 7.2.1
  • Database: MySQL
REFERENCE:
Wei Li, Kaiping Xue, Yingjie Xue, and Jianan Hong, “TMACS: A Robust and Verifiable Threshold Multi-Authority Access Control System in Public Cloud Storage”, IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 27, NO. 5, MAY 2016.

Secure Optimization Computation Outsourcing in Cloud Computing: A Case Study of Linear Programming

ABSTRACT:
Cloud computing enables an economically promising paradigm of computation outsourcing. However, how to protect customers’ confidential data processed and generated during the computation is becoming the major security concern. Focusing on engineering computing and optimization tasks, this paper investigates secure outsourcing of widely applicable linear programming (LP) computations. Our mechanism design explicitly decomposes LP computation outsourcing into public LP solvers running on the cloud and private LP parameters owned by the customer. The resulting flexibility allows us to explore appropriate security/efficiency tradeoff via higher-level abstraction of LP computation than the general circuit representation. Specifically, by formulating private LP problem as a set of matrices/vectors, we develop efficient privacy-preserving problem transformation techniques, which allow customers to transform the original LP into some random one while protecting sensitive input/output information. To validate the computation result, we further explore the fundamental duality theorem of LP and derive the necessary and sufficient conditions that correct results must satisfy. Such result verification mechanism is very efficient and incurs close-to-zero additional cost on both cloud server and customers. Extensive security analysis and experiment results show the immediate practicability of our mechanism design.
EXISTING SYSTEM:
  • Recent researches in both the cryptography and the theoretical computer science communities have made steady advances in “secure outsourcing expensive computations”.
  • Based on Yao’s garbled circuits and Gentry’s breakthrough work on fully homomorphic encryption (FHE) scheme, a general result of secure computation outsourcing has been shown viable in theory, where the computation is represented by an encrypted combinational boolean circuit that allows to be evaluated with encrypted private inputs.
  • Frikken give a provably secure protocol for secure outsourcing matrix multiplications based on secret sharing. While this work outperforms their previous work in the sense of single server assumption and computation efficiency (no expensive cryptographic primitives), the drawback is the large communication overhead. Namely, due to secret sharing technique, all scalar operations in original matrix multiplication are expanded to polynomials, introducing significant amount of overhead.
DISADVANTAGES OF EXISTING SYSTEM:
  • Applying the existing mechanism to our daily computations would be far from practical, due to the extremely high complexity of FHE operation as well as the pessimistic circuit sizes that cannot be handled in practice when constructing original and encrypted circuits.
  • In existing approaches, either heavy cloud-side cryptographic computations or multi-round interactive protocol executions, or huge communication complexities, are involved.
  • In short, practically efficient mechanisms with immediate practices for secure computation outsourcing in cloud are still missing.
PROPOSED SYSTEM:
  • In this paper, we study practically efficient mechanisms for secure outsourcing of linear programming (LP) computations. Linear programming is an algorithmic and computational tool which captures the first order effects of various system parameters that should be optimized, and is essential to engineering optimization.
  • We propose to explicitly decompose the LP computation outsourcing into public LP solvers running on the cloud and private LP parameters owned by the customer.
  • Specifically, we first formulate private data owned by the customer for LP problem as a set of matrices and vectors. This higher level representation allows us to apply a set of efficient privacy-preserving problem transformation techniques, including matrix multiplication and affine mapping, to transform the original LP problem into some random one while protecting the sensitive input/output information.
ADVANTAGES OF PROPOSED SYSTEM:
  • It has been widely used in various engineering disciplines that analyze and optimize real-world systems/models, such as packet routing, flow control, power management of data centers, etc.
  • The flexibility of such decomposition allows us to explore higher level abstraction of LP computations than the general circuit representation for the practical efficiency.
  • For the first time, we formalize the problem of securely outsourcing LP computations, and provide such a secure and practical mechanism design which fulfills input/output privacy, cheating resilience, and efficiency.
  • Our mechanism brings cloud customer great computation savings from secure LP outsourcing as it only incurs overhead on the customer, while solving a normal LP problem usually requires more time.
  • The computations done by the cloud server shares the same time complexity of currently practical algorithms for solving the linear programming problems, which ensures that the use of cloud is economically viable.
  • The experiment demonstrates the immediate practicality: our mechanism can always help customers achieve more than 50% savings when the sizes of the original LP problems (with feasible solutions) are not too small, while introducing no substantial overhead on the cloud.
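The duality-based result verification mentioned in the abstract can be shown on a small problem. This is an added example, not the paper's code: it assumes a standard-form LP (minimize c·x subject to Ax = b, x ≥ 0), a constructed sample problem, and a solver that returns a dual vector y as its optimality certificate; all names are hypothetical.

```python
from fractions import Fraction as F


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def verify_lp_result(A, b, c, x, y):
    """Check a claimed optimum of  min c.x  s.t.  A x = b, x >= 0.

    x is the point the cloud claims is optimal, y the dual certificate it
    returns alongside. By weak duality every dual-feasible y satisfies
    b.y <= c.x for every primal-feasible x, so feasibility of both plus
    equal objective values proves optimality. The customer only performs
    matrix-vector products, never a solve.
    Returns (ok, reason).
    """
    if len(x) != len(c) or len(y) != len(b):
        return False, "wrong dimensions"
    if any(xi < 0 for xi in x):
        return False, "primal infeasible: negative variable"
    if any(dot(row, x) != bi for row, bi in zip(A, b)):
        return False, "primal infeasible: A x != b"
    columns = list(zip(*A))  # rows of A^T
    if any(dot(col, y) > cj for col, cj in zip(columns, c)):
        return False, "dual infeasible: A^T y > c"
    if dot(c, x) != dot(b, y):
        return False, "duality gap: c.x != b.y"
    return True, "optimal"


# Constructed sample: maximize x1 + 2*x2 with x1 + x2 <= 4 and x1 + 3*x2 <= 6,
# written in standard form with slack variables x3, x4.
A = [[1, 1, 1, 0],
     [1, 3, 0, 1]]
b = [4, 6]
c = [-1, -2, 0, 0]


def run_cases():
    """Honest answer plus three ways a misbehaving server could answer."""
    honest_y = [F(-1, 2), F(-1, 2)]
    return {
        # True optimum (3, 1) with objective value -5.
        "honest": verify_lp_result(A, b, c, [3, 1, 0, 0], honest_y),
        # Feasible but suboptimal vertex (4, 0): the server stopped early.
        "suboptimal": verify_lp_result(A, b, c, [4, 0, 0, 2], honest_y),
        # Same lazy answer with a certificate forged to match its value.
        "forged_certificate": verify_lp_result(A, b, c, [4, 0, 0, 2], [-1, 0]),
        # A point that does not even satisfy the constraints.
        "infeasible": verify_lp_result(A, b, c, [3, 2, 0, 0], honest_y),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

The check covers only a claimed optimum; a claim that the problem is infeasible or unbounded needs its own certificate.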
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System: Pentium Dual Core
  • Hard Disk: 120 GB
  • Monitor: 15" LED
  • Input Devices: Keyboard, Mouse
  • RAM: 1 GB
SOFTWARE REQUIREMENTS:
  • Operating System: Windows 7
  • Coding Language: JAVA/J2EE
  • Tool: NetBeans 7.2.1
  • Database: MySQL
REFERENCE:
Cong Wang, Member, IEEE, Kui Ren, Senior Member, IEEE, and Jia Wang, Member, IEEE, “Secure Optimization Computation Outsourcing in Cloud Computing: A Case Study of Linear Programming”, IEEE TRANSACTIONS ON COMPUTERS, VOL. 65, NO. 1, JANUARY 2016.

Monday 23 January 2017

Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based Encryption

ABSTRACT:
Cloud computing provides a flexible and convenient way for data sharing, which brings various benefits for both the society and individuals. But there exists a natural resistance for users to directly outsource the shared data to the cloud server since the data often contain valuable information. Thus, it is necessary to place cryptographically enhanced access control on the shared data. Identity-based encryption is a promising cryptographical primitive to build a practical data sharing system. However, access control is not static. That is, when some user’s authorization is expired, there should be a mechanism that can remove him/her from the system. Consequently, the revoked user cannot access both the previously and subsequently shared data. To this end, we propose a notion called revocable-storage identity-based encryption (RS-IBE), which can provide the forward/backward security of ciphertext by introducing the functionalities of user revocation and ciphertext update simultaneously. Furthermore, we present a concrete construction of RS-IBE, and prove its security in the defined security model. The performance comparisons indicate that the proposed RS-IBE scheme has advantages in terms of functionality and efficiency, and thus is feasible for a practical and cost-effective data-sharing system. Finally, we provide implementation results of the proposed scheme to demonstrate its practicability.
EXISTING SYSTEM:
  • Boneh and Franklin first proposed a natural revocation way for IBE. They appended the current time period to the ciphertext, and non-revoked users periodically received private keys for each time period from the key authority.
  • Boldyreva, Goyal and Kumar introduced a novel approach to achieve efficient revocation. They used a binary tree to manage identity such that their RIBE scheme reduces the complexity of key revocation to logarithmic (instead of linear) in the maximum number of system users.
  • Subsequently, by using the aforementioned revocation technique, Libert and Vergnaud proposed an adaptively secure RIBE scheme based on a variant of Waters’ IBE scheme.
  • Chen et al. constructed a RIBE scheme from lattices.
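Why the binary tree of Boldyreva, Goyal and Kumar makes key updates logarithmic rather than linear can be seen from the node-cover computation alone. The sketch below is an added illustration with no cryptography in it, not code from any of the cited papers; the heap-style node numbering and the function names are assumptions of the example.

```python
def path(node):
    """Nodes from the given node up to the root (heap numbering, root = 1)."""
    nodes = []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes


def ku_nodes(n_leaves, revoked):
    """Smallest set of subtree roots covering exactly the non-revoked users.

    Users 0..n_leaves-1 sit at leaves n_leaves..2*n_leaves-1 (n_leaves is a
    power of two). Every node on a revoked user's path is marked; the cover
    is every unmarked child of a marked node. The key authority publishes
    one update per cover node instead of one per non-revoked user.
    """
    if not revoked:
        return {1}  # nobody revoked: the root covers everyone
    marked = set()
    for user in revoked:
        marked.update(path(n_leaves + user))
    cover = set()
    for node in marked:
        if node < n_leaves:  # internal node, so it has two children
            for child in (2 * node, 2 * node + 1):
                if child not in marked:
                    cover.add(child)
    return cover


def can_update(n_leaves, user, cover):
    """A user can derive the period's key iff a cover node lies on their path."""
    return bool(cover.intersection(path(n_leaves + user)))


if __name__ == "__main__":
    cover = ku_nodes(8, {3})
    print("cover:", sorted(cover))                       # 3 nodes for 7 users
    print([can_update(8, u, cover) for u in range(8)])   # only user 3 is cut off
    # One revocation among 2**20 users: 20 updates instead of 1,048,575.
    print(len(ku_nodes(2**20, {12345})))
```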
DISADVANTAGES OF EXISTING SYSTEM:
  • Unfortunately, existing solution is not scalable, since it requires the key authority to perform linear work in the number of non-revoked users. In addition, a secure channel is essential for the key authority and non-revoked users to transmit new keys.
  • However, existing scheme only achieves selective security.
  • This kind of revocation method cannot resist the collusion of revoked users and malicious non-revoked users as malicious non-revoked users can share the update key with those revoked users.
  • Furthermore, to update the ciphertext, the key authority in their scheme needs to maintain a table for each user to produce the re-encryption key for each time period, which significantly increases the key authority’s workload.

PROPOSED SYSTEM:
  • It seems that the concept of revocable identity-based encryption (RIBE) might be a promising approach that fulfills the aforementioned security requirements for data sharing.
  • RIBE features a mechanism that enables a sender to append the current time period to the ciphertext such that the receiver can decrypt the ciphertext only under the condition that he/she is not revoked at that time period.
  • A RIBE-based data sharing system works as follows:
  • Step 1: The data provider (e.g., David) first decides the users (e.g., Alice and Bob) who can share the data. Then, David encrypts the data under the identities Alice and Bob, and uploads the ciphertext of the shared data to the cloud server.
  • Step 2: When either Alice or Bob wants to get the shared data, she or he can download and decrypt the corresponding ciphertext. However, for an unauthorized user and the cloud server, the plaintext of the shared data is not available.
  • Step 3: In some cases, e.g., Alice’s authorization gets expired, David can download the ciphertext of the shared data, and then decrypt-then-re-encrypt the shared data such that Alice is prevented from accessing the plaintext of the shared data, and then upload the re-encrypted data to the cloud server again.
ADVANTAGES OF PROPOSED SYSTEM:
  • We provide formal definitions for RS-IBE and its corresponding security model;
  • We present a concrete construction of RS-IBE.
  • The proposed scheme can provide confidentiality and backward/forward secrecy simultaneously.
  • We prove the security of the proposed scheme in the standard model, under the decisional ℓ-Bilinear Diffie-Hellman Exponent (ℓ-BDHE) assumption. In addition, the proposed scheme can withstand decryption key exposure.
  • The procedure of ciphertext update only needs public information. Note that no previous identity-based encryption schemes in the literature can provide this feature;
  • The additional computation and storage complexity, which are brought in by the forward secrecy, is all upper bounded by O(log(T)^2), where T is the total number of time periods.
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System: Pentium Dual Core
  • Hard Disk: 120 GB
  • Monitor: 15" LED
  • Input Devices: Keyboard, Mouse
  • RAM: 1 GB
SOFTWARE REQUIREMENTS:
  • Operating System: Windows 7
  • Coding Language: JAVA/J2EE
  • Tool: NetBeans 7.2.1
  • Database: MySQL
REFERENCE:
Jianghong Wei, Wenfen Liu, Xuexian Hu, “Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based Encryption”, IEEE Transactions on Cloud Computing 2016.

Real-Time Semantic Search Using Approximate Methodology for Large-Scale Storage Systems

ABSTRACT:
The challenges of handling the explosive growth in data volume and complexity cause the increasing needs for semantic queries. The semantic queries can be interpreted as the correlation-aware retrieval, while containing approximate results. Existing cloud storage systems mainly fail to offer an adequate capability for the semantic queries. Since the true value or worth of data heavily depends on how efficiently semantic search can be carried out on the data in (near-) real-time, large fractions of data end up with their values being lost or significantly reduced due to the data staleness. To address this problem, we propose a near-real-time and cost-effective semantic queries based methodology, called FAST. The idea behind FAST is to explore and exploit the semantic correlation within and among datasets via correlation-aware hashing and manageable flat-structured addressing to significantly reduce the processing latency, while incurring acceptably small loss of data-search accuracy. The near-real-time property of FAST enables rapid identification of correlated files and the significant narrowing of the scope of data to be processed. FAST supports several types of data analytics, which can be implemented in existing searchable storage systems. We conduct a real-world use case in which children reported missing in an extremely crowded environment (e.g., a highly popular scenic spot on a peak tourist day) are identified in a timely fashion by analyzing 60 million images using FAST. FAST is further improved by using semantic-aware namespace to provide dynamic and adaptive namespace management for ultra-large storage systems. Extensive experimental results demonstrate the efficiency and efficacy of FAST in the performance improvements.
EXISTING SYSTEM:
  • ISABELAQA is a parallel query processing engine that is designed and optimized for analyzing and processing spatiotemporal, multivariate scientific data. MixApart uses an integrated data caching and scheduling solution to allow MapReduce computations to analyze data stored on enterprise storage systems.
  • The frontend caching layer enables the local storage performance required by data analytics. The shared storage back-end simplifies data management.
  • Spyglass exploits the locality of file namespace and skewed distribution of metadata to map the namespace hierarchy into a multi-dimensional K-D tree and uses multilevel versioning and partitioning to maintain consistency.
  • Glance, a just-in-time sampling-based system, can provide accurate answers for aggregate and top-k queries without prior knowledge.
DISADVANTAGES OF EXISTING SYSTEM:
  • Existing content-based analysis tools not only cause high complexity and costs, but also fail to effectively handle the massive amounts of files.
  • The high complexity routinely leads to very slow processing operations and very high and often unacceptable latency. Due to the unacceptable latency, the staleness of data severely diminishes the value of data.
  • Existing approaches to unstructured data search and analytics rely on either system-based chunks of data files.
  • Due to the long latency incurred in data processing and the resulting data staleness, the value/worth of data becomes diminished and eventually nullified.
PROPOSED SYSTEM:
  • In the context of this paper, searchable data analytics are interpreted as obtaining data value/worth via queried results, such as finding a valuable record, a correlated process ID, an important image, a rebuild system log, etc.
  • We propose a novel near-real-time methodology for analyzing massive data, called FAST, with a design goal of efficiently processing such data in a real-time manner.
  • The key idea behind FAST is to explore and exploit the correlation property within and among datasets via improved correlation aware hashing and flat-structured addressing to significantly reduce the processing latency of parallel queries, while incurring acceptably small loss of accuracy.
  • The approximate scheme for real-time performance has been widely recognized in system design and high-end computing. In essence, FAST goes beyond the simple combination of existing techniques to offer efficient data analytics via significantly increased processing speed. Through the study of the FAST methodology, we aim to make the following contributions for near real-time data analytics.
ADVANTAGES OF PROPOSED SYSTEM:
  • Space-efficient summarization
  • Energy efficiency via hashing
  • Semantic-aware namespace
  • Real system implementation
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System: Pentium Dual Core
  • Hard Disk: 120 GB
  • Monitor: 15" LED
  • Input Devices: Keyboard, Mouse
  • RAM: 1 GB
SOFTWARE REQUIREMENTS:
  • Operating System: Windows 7
  • Coding Language: JAVA/J2EE
  • Tool: NetBeans 7.2.1
  • Database: MySQL
REFERENCE:
Yu Hua, Senior Member, IEEE, Hong Jiang, Fellow, IEEE, and Dan Feng, Member, IEEE, “Real-Time Semantic Search Using Approximate Methodology for Large-Scale Storage Systems”, IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 27, NO. 4, APRIL 2016.

Protecting Your Right: Verifiable Attribute-Based Keyword Search with Fine-Grained Owner-Enforced Search Authorization in the Cloud

ABSTRACT:
Search over encrypted data is a critically important enabling technique in cloud computing, where encryption-before-outsourcing is a fundamental solution to protecting user data privacy in the untrusted cloud server environment. Many secure search schemes have been focusing on the single-contributor scenario, where the outsourced dataset or the secure searchable index of the dataset are encrypted and managed by a single owner, typically based on symmetric cryptography. In this paper, we focus on a different yet more challenging scenario where the outsourced dataset can be contributed from multiple owners and are searchable by multiple users, i.e., multi-user multi-contributor case. Inspired by attribute-based encryption (ABE), we present the first attribute-based keyword search scheme with efficient user revocation (ABKS-UR) that enables scalable fine-grained (i.e., file-level) search authorization. Our scheme allows multiple owners to encrypt and outsource their data to the cloud server independently. Users can generate their own search capabilities without relying on an always online trusted authority. Fine-grained search authorization is also implemented by the owner-enforced access policy on the index of each file. Further, by incorporating proxy re-encryption and lazy re-encryption techniques, we are able to delegate heavy system update workload during user revocation to the resourceful semi-trusted cloud server. We formalize the security definition and prove the proposed ABKS-UR scheme selectively secure against chosen-keyword attack. To build confidence of data user in the proposed secure search system, we also design a search result verification scheme. Finally, performance evaluation shows the efficiency of our scheme.
EXISTING SYSTEM:
  • There has been a great interest in developing attribute based encryption due to its fine-grained access control property.
  • Goyal et al. designed the first key policy attribute-based encryption scheme, where ciphertext can be decrypted only if the attributes that are used for encryption satisfy the access structure on the user private key. Under the reverse situation, CP-ABE allows user private key to be associated with a set of attributes and ciphertext associated with an access structure. CP-ABE is a preferred choice when designing an access control mechanism in a broadcast environment.
  • Cheung and Newport proposed a selectively secure CP-ABE construction in the standard model using the simple Boolean function, i.e., AND gate. By adopting proxy re-encryption and lazy re-encryption techniques, Yu et al. also devised a selectively secure CP-ABE scheme with the ability of attribute revocation, which is perfectly suitable for the data-outsourced cloud model.
DISADVANTAGES OF EXISTING SYSTEM:
  • How the encrypted data can be effectively utilized then becomes another new challenge.
  • Significant attention has been given and much effort has been made to address this issue, from secure search over encrypted data, secure function evaluation, to fully homomorphic encryption systems that provide generic solution to the problem in theory but are still too far from being practical due to the extremely high complexity.
  • Symmetric cryptography based schemes are clearly not suitable for this setting due to the high complexity of secret key management.
  • Extending user list approach to the multi-owner setting and on a per file basis is not trivial as it would impose significant scalability issue considering a potential large number of users and files supported by the system.
  • Additional challenges include how to handle the updates of the user lists in the case of user enrollment, revocation, etc., under the dynamic cloud environment.
PROPOSED SYSTEM:
  • This paper focuses on the problem of search over encrypted data, which is an important enabling technique for the encryption-before-outsourcing privacy protection paradigm in cloud computing, or in general in any networked information system where servers are not fully trusted.
  • In this paper, we address these open issues and present an authorized keyword search scheme over encrypted cloud data with efficient user revocation in the multi-user multi-data-contributor scenario.
  • We realize fine-grained owner-enforced search authorization by exploiting ciphertext policy attribute-based encryption (CP-ABE) technique.
  • Specifically, the data owner encrypts the index of each file with an access policy created by him, which defines what type of users can search this index. The data user generates the trapdoor independently without relying on an always online trusted authority (TA). The cloud server can search over the encrypted indexes with the trapdoor on a user’s behalf, and then returns matching result if and only if the user’s attributes associated with the trapdoor satisfy the access policies embedded in the encrypted indexes. We differentiate attributes and keywords in our design.
  • Keywords are actual content of the files while attributes refer to the properties of users. The system only maintains a limited number of attributes for search authorization purpose. Data owners create the index consisting of all keywords in the file but encrypt the index with an access structure only based on the attributes of authorized users, which makes the proposed scheme more scalable and suitable for the large scale file sharing system. In order to further release the data owner from the burdensome user membership management, we use proxy re-encryption and lazy re-encryption techniques to shift the workload as much as possible to the CS, by which our proposed scheme enjoys efficient user revocation.
ADVANTAGES OF PROPOSED SYSTEM:
  • Formal security analysis shows that the proposed scheme is provably secure and meets various search privacy requirements.
  • Furthermore, we design a search result verification scheme and make the entire search process verifiable. Performance evaluation demonstrates the efficiency and practicality of the ABKS-UR.
  • We design a novel and scalable authorized keyword search over encrypted data scheme supporting multiple data users and multiple data contributors.
  • Compared with existing works, our scheme supports fine-grained owner-enforced search authorization at the file level with better scalability for large scale system in that the search complexity is linear to the number of attributes in the system, instead of the number of authorized users.
  • Data owner can delegate most of computationally intensive tasks to the CS, which makes the user revocation process efficient and is more suitable for cloud outsourcing model.
  • We formally prove our proposed scheme selectively secure against chosen-keyword attack.
  • We propose a scheme to enable authenticity check over the returned search result in the multi-user multi-data-contributor search scenario.
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System: Pentium Dual Core
  • Hard Disk: 120 GB
  • Monitor: 15" LED
  • Input Devices: Keyboard, Mouse
  • RAM: 1 GB
SOFTWARE REQUIREMENTS:
  • Operating System: Windows 7
  • Coding Language: JAVA/J2EE
  • Tool: NetBeans 7.2.1
  • Database: MySQL
REFERENCE:
Wenhai Sun, Student Member, IEEE, Shucheng Yu, Member, IEEE, Wenjing Lou, Fellow, IEEE, Y. Thomas Hou, Fellow, IEEE, and Hui Li, Member, IEEE, “Protecting Your Right: Verifiable Attribute-Based Keyword Search with Fine-Grained Owner-Enforced Search Authorization in the Cloud”, IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 27, NO. 4, APRIL 2016.

Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public Cloud

ABSTRACT:
More and more clients would like to store their data to public cloud servers (PCSs) along with the rapid development of cloud computing. New security problems have to be solved in order to help more clients process their data in public cloud. When the client is restricted to access PCS, he will delegate its proxy to process his data and upload them. On the other hand, remote data integrity checking is also an important security problem in public cloud storage. It makes the clients check whether their outsourced data are kept intact without downloading the whole data. From the security problems, we propose a novel proxy-oriented data uploading and remote data integrity checking model in identity-based public key cryptography: identity-based proxy-oriented data uploading and remote data integrity checking in public cloud (ID-PUIC). We give the formal definition, system model, and security model. Then, a concrete ID-PUIC protocol is designed using the bilinear pairings. The proposed ID-PUIC protocol is provably secure based on the hardness of computational Diffie–Hellman problem. Our ID-PUIC protocol is also efficient and flexible. Based on the original client’s authorization, the proposed ID-PUIC protocol can realize private remote data integrity checking, delegated remote data integrity checking, and public remote data integrity checking.
EXISTING SYSTEM:
  • In public cloud environment, most clients upload their data to PCS and check their remote data’s integrity by Internet. When the client is an individual manager, some practical problems will happen. If the manager is suspected of being involved in commercial fraud, he will be taken away by the police. During the period of investigation, the manager will be restricted to access the network in order to guard against collusion. But, the manager’s legal business will go on during the period of investigation. When a large amount of data is generated, who can help him process these data? If these data cannot be processed just in time, the manager will face the loss of economic interest. In order to prevent the case happening, the manager has to delegate the proxy to process its data, for example, his secretary. But, the manager will not hope others have the ability to perform the remote data integrity checking.
  • Chen et al. proposed a proxy signature scheme and a threshold proxy signature scheme from the Weil pairing.
  • By combining the proxy cryptography with encryption technique, some proxy re-encryption schemes are proposed. Liu et al. formalize and construct the attribute-based proxy signature.
  • Guo et al. presented a non-interactive CPA (chosen-plaintext attack)-secure proxy re-encryption scheme, which is resistant to collusion attacks in forging re-encryption keys.
DISADVANTAGES OF EXISTING SYSTEM:
  • Public checking carries some risk of leaking private information.
  • Low efficiency.
  • Low security level.
PROPOSED SYSTEM:
  • This paper is based on the research results of proxy cryptography, identity-based public key cryptography and remote data integrity checking in public cloud.
  • In public cloud, this paper focuses on the identity-based proxy-oriented data uploading and remote data integrity checking.
  • By using identity-based public key cryptology, our proposed ID-PUIC protocol is efficient since the certificate management is eliminated. ID-PUIC is a novel proxy-oriented data uploading and remote data integrity checking model in public cloud. We give the formal system model and security model for ID-PUIC protocol. Then, based on the bilinear pairings, we designed the first concrete ID-PUIC protocol.
  • In the random oracle model, our designed ID-PUIC protocol is provably secure. Based on the original client’s authorization, our protocol can realize private checking, delegated checking and public checking.
  • We propose an efficient ID-PUIC protocol for secure data uploading and storage service in public clouds.
  • Bilinear pairings technique makes identity-based cryptography practical. Our protocol is built on the bilinear pairings. We first review the bilinear pairings.
ADVANTAGES OF PROPOSED SYSTEM:
  • High Efficiency.
  • Improved Security.
  • The concrete ID-PUIC protocol is provably secure and efficient by using the formal security proof and efficiency analysis.
  • On the other hand, the proposed ID-PUIC protocol can also realize private remote data integrity checking, delegated remote data integrity checking and public remote data integrity checking based on the original client’s authorization.
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System : Pentium Dual Core.
  • Hard Disk : 120 GB.
  • Monitor : 15’’ LED
  • Input Devices : Keyboard, Mouse
  • Ram : 1GB.
SOFTWARE REQUIREMENTS:
  • Operating system : Windows 7.
  • Coding Language : JAVA/J2EE
  • Tool : Netbeans 7.2.1
  • Database : MYSQL
REFERENCE:
Huaqun Wang, Debiao He, and Shaohua, “Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public Cloud”, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 11, NO. 6, JUNE 2016.

Identity-Based Encryption with Cloud Revocation Authority and Its Applications


ABSTRACT:
Identity-based encryption (IBE) is a public key cryptosystem and eliminates the demands of public key infrastructure (PKI) and certificate administration in conventional public key settings. Due to the absence of PKI, the revocation problem is a critical issue in IBE settings. Several revocable IBE schemes have been proposed regarding this issue. Quite recently, by embedding an outsourcing computation technique into IBE, Li et al. proposed a revocable IBE scheme with a key-update cloud service provider (KU-CSP). However, their scheme has two shortcomings. One is that the computation and communication costs are higher than previous revocable IBE schemes. The other shortcoming is lack of scalability in the sense that the KU-CSP must keep a secret value for each user. In the article, we propose a new revocable IBE scheme with a cloud revocation authority (CRA) to solve the two shortcomings, namely, the performance is significantly improved and the CRA holds only a system secret for all the users. For security analysis, we demonstrate that the proposed scheme is semantically secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. Finally, we extend the proposed revocable IBE scheme to present a CRA-aided authentication scheme with period-limited privileges for managing a large number of various cloud services.
EXISTING SYSTEM:
  • Li et al. introduced an outsourcing computation technique into IBE to propose a revocable IBE scheme with a key-update cloud service provider (KU-CSP). They shift the key-update procedures to a KU-CSP to alleviate the load of the PKG.
  • Li et al. also used a technique similar to the one adopted in Tseng and Tsai’s scheme, which partitions a user’s private key into an identity key and a time update key.
  • The PKG sends a user the corresponding identity key via a secure channel. Meanwhile, the PKG must generate a random secret value (time key) for each user and send it to the KU-CSP.
  • Then the KU-CSP generates the current time update key of a user by using the associated time key and sends it to the user via a public channel.
DISADVANTAGES OF EXISTING SYSTEM:
  • ID-based encryption (IBE) allows a sender to encrypt a message directly by using a receiver’s ID without checking the validity of a public key certificate.
  • In the existing system, the problem of misbehaving/compromised users in an ID-PKS setting is naturally raised.
  • The immediate revocation method employs a designated semi-trusted and online authority (i.e. mediator) to mitigate the management load of the PKG and assist users to decrypt ciphertext.
  • The computation and communication costs are higher than previous revocable IBE schemes.
  • The other shortcoming is un-scalability in the sense that the KU-CSP must keep a time key for each user, which incurs a management load.

PROPOSED SYSTEM:
  • In order to solve both the un-scalability and the inefficiency in Li et al.’s scheme, we propose a new revocable IBE scheme with cloud revocation authority (CRA).
  • In particular, each user’s private key still consists of an identity key and a time update key. We introduce a cloud revocation authority (CRA) to replace the role of the KU-CSP in Li et al.’s scheme. The CRA only needs to hold a random secret value (master time key) for all the users without affecting the security of revocable IBE scheme.
  • The CRA uses the master time key to generate the current time update key periodically for each non-revoked user and sends it to the user via a public channel. It is evident that our scheme solves the un-scalability problem of the KU-CSP.
  • We construct a CRA-aided authentication scheme with period-limited privileges for managing a large number of various cloud services.
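How the two key halves and the CRA's single master time key fit together, as an added example that is not the paper's construction or code from this page. It assumes Boneh-Franklin-style algebra and runs in a transparent toy group (elements stored as exponents) that has no security; every class, function and sample value is hypothetical.

```python
import hashlib
import secrets

# Transparent toy "pairing group" (assumption, illustration only): each group
# element is stored as its exponent mod Q, so e(aP, bP) is a*b and a product
# of pairing values becomes a sum. Exponents are visible: no security at all.
Q = 2**255 - 19

def h_point(*parts):
    """Hash an identity (and optionally a period) to a group element."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest(), "big") % Q

def pair(a, b):
    return a * b % Q

def mask(gt_value, n):
    """Derive an n-byte keystream from a pairing value."""
    return hashlib.shake_256(gt_value.to_bytes(32, "big")).digest(n)

class PKG:  # holds the master secret, issues each identity key once
    def __init__(self):
        self.alpha = secrets.randbelow(Q - 1) + 1
        self.pub = self.alpha  # stands for alpha * P
    def identity_key(self, uid):
        return self.alpha * h_point("id", uid) % Q

class CRA:  # holds ONE master time key for all users, plus the revocation list
    def __init__(self):
        self.beta = secrets.randbelow(Q - 1) + 1
        self.pub = self.beta   # stands for beta * P
        self.revoked = set()
    def time_update_key(self, uid, period):
        if uid in self.revoked:
            return None        # revoked users get nothing for new periods
        return self.beta * h_point("time", uid, period) % Q

def encrypt(pkg_pub, cra_pub, uid, period, msg):
    r = secrets.randbelow(Q - 1) + 1
    k = r * (pair(h_point("id", uid), pkg_pub)
             + pair(h_point("time", uid, period), cra_pub)) % Q
    return r, bytes(x ^ y for x, y in zip(msg, mask(k, len(msg))))  # (U = rP, V)

def decrypt(identity_key, time_key, ct):
    u, v = ct
    k = (pair(identity_key, u) + pair(time_key, u)) % Q
    return bytes(x ^ y for x, y in zip(v, mask(k, len(v))))
```

The sender needs only the public values, the receiver's ID and the current period; a user whose ID is in `revoked` keeps the identity key but cannot decrypt anything encrypted for a later period.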
ADVANTAGES OF PROPOSED SYSTEM:
  • The proposed scheme possesses the advantages of both Tseng and Tsai’s revocable IBE scheme and Li et al.’s scheme.
  • The proposed work presents the framework of our revocable IBE scheme with CRA and defines its security notions to model possible threats and attacks.
  • CRA-aided authentication scheme with period-limited privileges for managing a large number of various cloud services.
SYSTEM ARCHITECTURE:
SYSTEM REQUIREMENTS:
HARDWARE REQUIREMENTS:

  • System : Pentium Dual Core.
  • Hard Disk : 120 GB.
  • Monitor : 15’’ LED
  • Input Devices : Keyboard, Mouse
  • Ram : 1GB.
SOFTWARE REQUIREMENTS:
  • Operating system : Windows 7.
  • Coding Language : JAVA/J2EE
  • Tool : Netbeans 7.2.1
  • Database : MYSQL
REFERENCE:
Yuh-Min Tseng, Tung-Tso Tsai, Sen-Shan Huang, and Chung-Peng Huang, “Identity-Based Encryption with Cloud Revocation Authority and Its Applications”, IEEE TRANS. CLOUD COMPUTING 2016.