Title
Developing a Secure Encrypted Data
Management System in Cloud Environment /
Author
Mahmoud, Ibrahim Mostafa Ibrahim.
Thesis committee
Researcher / Ibrahim Mostafa Ibrahim Mahmoud
Supervisor / Mostafa Gadal-Haqq M. Mostafa
Supervisor / Hossam ElDin Mostafa Faheem
Examiner / Sherif Hazem Nour ElDin
Publication date
2017.
Number of pages
194 p.
Language
English
Degree
Master's
Specialization
Information Systems
Date of approval
1/1/2017
Place of approval
Ain Shams University - Faculty of Computer and Information Sciences - Department of Information Systems
Contents
Abstract

In this work, a secure encrypted data management system is presented that exploits
the storage-as-a-service offered by an honest-but-curious cloud service provider (CSP)
in one-to-many data sharing applications, at both the personal and the professional
level. Over the past few years, many data privacy threats that hinder the use of
storage-as-a-service from an honest-but-curious CSP have emerged, and many Attribute
Based Encryption (ABE) and Proxy Re-Encryption (PRE) techniques have been proposed to
mitigate them. These security challenges are summarized as follows: data
confidentiality, fine-grained data access control, an efficient user revocation
mechanism, collusion resistance, scalability, generic implementation, an efficient
attribute revocation mechanism, and multi-authority attribute management.
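To make the first three challenges concrete, the following added example (constructed for this page, not code from the thesis or its author) models the honest-but-curious CSP: it stores and returns blobs faithfully but can read everything it holds. The data owner keeps per-object keys locally so the CSP only ever sees ciphertext (confidentiality), hands keys to individual users (fine-grained access), and revokes a user by rotating the key, re-encrypting the object and re-distributing the new key. That last step is the naive, costly form of revocation whose overhead ABE and PRE schemes aim to avoid. The cipher is a toy SHA-256 counter-mode keystream with an HMAC tag, used only so the example runs offline without third-party packages; the object names, user ids and sample plaintext are all constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thesis).
SAMPLE_SECRET = b"quarterly figures (constructed sample plaintext)"
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream; a real system would use an AEAD such as AES-GCM.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob is rejected."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class HonestButCuriousCSP:
    """Stores and returns blobs faithfully (honest) but can read all of them (curious)."""
    def __init__(self):
        self.store = {}
    def put(self, name: str, blob: bytes) -> None:
        self.store[name] = blob
    def get(self, name: str) -> bytes:
        return self.store[name]
    def snoop(self) -> dict:
        return dict(self.store)  # everything the CSP can see


class DataUser:
    def __init__(self, uid: str, csp: HonestButCuriousCSP):
        self.uid, self.csp, self.keys = uid, csp, {}
    def read(self, name: str) -> bytes:
        if name not in self.keys:
            raise PermissionError("no key for this object")
        return decrypt(self.keys[name], self.csp.get(name))


class DataOwner:
    """Keeps per-object keys locally; the CSP only ever receives ciphertext."""
    def __init__(self, csp: HonestButCuriousCSP):
        self.csp, self.keys, self.acl, self.users = csp, {}, {}, {}
    def upload(self, name: str, plaintext: bytes) -> None:
        self.keys[name] = os.urandom(32)
        self.acl[name] = set()
        self.csp.put(name, encrypt(self.keys[name], plaintext))
    def grant(self, name: str, user: DataUser) -> None:
        self.acl[name].add(user.uid)
        self.users[user.uid] = user
        user.keys[name] = self.keys[name]  # delivered out of band, never via the CSP
    def revoke(self, name: str, uid: str) -> None:
        # Naive revocation: rotate the key, re-encrypt, re-distribute to remaining
        # users. This per-revocation cost is what efficient revocation schemes avoid.
        self.acl[name].discard(uid)
        plaintext = decrypt(self.keys[name], self.csp.get(name))
        self.keys[name] = os.urandom(32)
        self.csp.put(name, encrypt(self.keys[name], plaintext))
        for other in self.acl[name]:
            self.users[other].keys[name] = self.keys[name]


def run_scenario() -> dict:
    """Share one object with two users, revoke one, and record what each party can read."""
    csp = HonestButCuriousCSP()
    owner = DataOwner(csp)
    alice, bob = DataUser("alice", csp), DataUser("bob", csp)
    owner.upload("report.txt", SAMPLE_SECRET)
    owner.grant("report.txt", alice)
    owner.grant("report.txt", bob)
    result = {
        "csp_sees_plaintext": SAMPLE_SECRET in csp.snoop()["report.txt"],
        "alice_before": alice.read("report.txt"),
        "bob_before": bob.read("report.txt"),
    }
    owner.revoke("report.txt", "bob")
    result["alice_after"] = alice.read("report.txt")
    try:
        bob.read("report.txt")  # bob still holds the old key
        result["bob_after"] = "allowed"
    except PermissionError:
        result["bob_after"] = "denied"
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the CSP never sees the plaintext, both users can read the object while authorized, and after revocation the remaining user still reads it while the revoked user's stale key is rejected by the tag check. Note what the revoke step had to do: download, decrypt, re-encrypt, re-upload and re-key every remaining user. That cost scales with the number of objects and users, which is why the thesis treats efficient user and attribute revocation as separate challenges.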
The presented work consists of four versions. The first three versions target the
first six of the data privacy challenges listed above in an environment with a single
attribute management authority, while the final version targets all eight challenges
in a multi-authority attribute management environment.
The first version introduces a robust owner-to-user data sharing framework. The
proposed framework succeeds in accomplishing the first six challenges, namely data
confidentiality, scalability, fine-grained data access, efficient user revocation,
preventing colluding users from accessing unauthorized data, and generic
implementation. In addition, the framework exploits PKI to provide an access control
mechanism that prevents colluding users from accessing unauthorized data. Moreover,
the framework counters the attack in which a revoked user rejoins with different
attributes in order to regain access to his/her previously authorized data.
Furthermore, the framework prohibits collusion between an authorized user and a
revoked user aimed at recovering the access privileges once assigned to the revoked
user; this is accomplished with the aid of the dual signature technique [72]. The
framework capitalizes on the existence of PKI to maximize the use of offline
operations, which enhances its performance. Additionally, it uses PKI to secure the
transmission of private data and to defend against man-in-the-middle attacks. The
complexity analysis of the proposed framework shows its practicability.
Unfortunately, the framework proposed in version (1) fails to achieve many aspects of
the scalability challenge. Firstly, it mandates the online presence of both data owner
and data user to exchange system parameters during the setup phase. In addition, it
requires data user participation in the authorization procedures performed by the CSP.
Moreover, it obliges the data owner to generate a number of access tokens for each
data user, which complicates data management for both data owner and data user.
Furthermore, digital objects have to be grouped into aggregated sets named virtual
directories (VD) according to their access rules, which is not appropriate for many
data sharing scenarios.
Version (2) of this work presents a generic, scalable and fine-grained data access
system for sharing digital objects in honest-but-curious cloud environments,
supporting the growing use of storage-as-a-service for sharing digital objects. The
proposed system overcomes all the shortcomings of version (1). In addition, it
achieves all six targeted challenges: maintaining data confidentiality, enforcing
fine-grained data access control, applying an efficient user revocation mechanism,
preventing collusion between users to access unauthorized digital objects, achieving
scalability, and possessing a generic implementation. The system also introduces a
digital passport that a user presents to the CSP in order to be granted access to any
digital object in the cloud environment. The digital passport minimizes the number of
transactions needed to authenticate a given user and simplifies data management for
users, since a user has to keep only his/her passport in order to access the cloud.
Furthermore, the digital passport prevents a rejoined user who possesses different
attributes from accessing his/her previously authorized data, and prohibits collusion
between an authorized user and a revoked one aimed at obtaining the access privileges
once assigned to the revoked user. The proposed system exploits PKI to maximize the
use of offline operations, enhancing system performance, and to secure the
transmission of private data while defending against man-in-the-middle attacks. The
complexity analysis of the proposed system proves its computational validity.
However, the system proposed in version (2) prevents the data owner from assigning a
given data user to more than one user group. This is not appropriate in many data
sharing scenarios and limits the domains in which the system can be deployed. In
addition, the system requires the data owner to specify all the authorized user groups
for each digital object, which complicates data management for the data owner.
Moreover, the authorization process performed by the CSP to allow a specific data user
to download a digital object places a heavy computational overhead on the CSP. This is
not economically beneficial for the data owner, as most CSP charging models follow a
"pay for what you use" model. Therefore, the version (2) system suffers from critical
shortcomings with regard to supporting system scalability and simplifying data
management.
Version (3) of the proposed work introduces a robust cryptography-based system for
secure data sharing in honest-but-curious cloud environments. Version (3) overcomes
all the shortcomings of versions (1) and (2). In addition, the system achieves all six
targeted challenges: maintaining data confidentiality, enforcing fine-grained data
access control, applying an efficient user revocation mechanism, resisting collusion
between system users, system scalability, and generic implementation.
In addition, the system in version (3) offers a novel architecture for the data user's
digital identity. The presented digital identity solves the scalability challenges
faced by the previous versions without complicating data management for either data
owner or data user. Moreover, the proposed digital identity eliminates the need for
the data owner and user to be online simultaneously to exchange any information.
Furthermore, the proposed system defends against man-in-the-middle attacks, ensures
the identity of participants, achieves non-repudiation, and maintains role separation
between the different participants. Finally, the implementation of the proposed system
proves its validity in accomplishing all the specified goals with acceptable
performance.
The final version of the proposed work presents a robust, generic multi-authority
attribute management system for cloud environments. The system in version (4)
eliminates one crucial challenge, namely the reliance on a single authority for
attribute management. In addition, it presents an efficient attribute revocation
mechanism that prohibits unauthorized access immediately after an attribute is
revoked. Moreover, the system provides one mechanism for attribute revocation and a
separate mechanism for user revocation. Furthermore, the system is shown to be
practicable to implement using either a Ciphertext Policy ABE or a Key Policy ABE
technique that possesses specific characteristics. In addition, the system presents a
novel user digital identity structure that prohibits collusion between system users
in such environments. Moreover, the system does not oblige the participating
attribute authorities to cooperate; therefore, attribute authorities are able to join
or leave the system without affecting the existing system users or the other existing
attribute authorities. Finally, the presented performance measures prove the validity
of the proposed system in accomplishing all eight specified security challenges with
acceptable performance.