Abstract

In this work, a secure encrypted data management system is presented to exploit the storage-as-a-service offered by an honest-but-curious cloud service provider (CSP) in one-to-many data sharing applications, at both the personal and the professional level. Over the past few years, many data privacy threats that hinder the use of storage-as-a-service offered by an honest-but-curious CSP have emerged, and many Attribute Based Encryption (ABE) and Proxy Re-Encryption techniques have been proposed to mitigate them. These security challenges can be summarized as follows: data confidentiality, fine-grained data access control, an efficient user revocation mechanism, collusion resistance, scalability, generic implementation, an efficient attribute revocation mechanism, and multi-authority attribute management. The presented work consists of four versions. The first three versions target the first six of these challenges in a single attribute-management-authority environment, while the final version targets all eight in a multi-authority attribute management environment.

Version (1) introduces a robust owner-to-user data sharing framework. The framework addresses the first six challenges, namely data confidentiality, scalability, fine-grained data access, efficient user revocation, preventing colluding users from accessing unauthorized data, and generic implementation. It exploits a PKI to provide an access control mechanism that prevents colluding users from accessing unauthorized data, and it counters the attack in which a revoked user rejoins with different attributes in order to regain access to his/her previously authorized data. Furthermore, it prohibits collusion between an authorized user and a revoked user aimed at acquiring the access privileges once assigned to the revoked user; this is accomplished with a dual signature technique [72]. The framework also capitalizes on the PKI to maximize the use of offline operations, which improves performance, and to secure the transmission of private data and defend against man-in-the-middle attacks. The complexity analysis of the framework shows its practicability. However, the framework of version (1) fails to achieve several aspects of the scalability challenge. Firstly, it mandates the online presence of both data owner and data user to exchange system parameters during system setup. Secondly, it requires the data user to participate in the authorization procedures performed by the CSP. Thirdly, it obliges the data owner to generate a number of access tokens for each data user, which complicates data management for both data owner and data user. Finally, digital objects have to be grouped into aggregated sets, named virtual directories (VD), according to their access rules, which is not appropriate for many data sharing scenarios.

Version (2) presents a generic, scalable and fine-grained data access system for sharing digital objects in honest-but-curious cloud environments, in support of the growing use of storage-as-a-service for sharing digital objects. The system overcomes all the shortcomings of version (1) and achieves all six targeted challenges: maintaining data confidentiality, enforcing fine-grained data access control, applying an efficient user revocation mechanism, preventing collusion between users to access unauthorized digital objects, achieving scalability, and possessing a generic implementation. The system introduces a digital passport that the user presents to the CSP in order to be granted access to any digital object in the cloud environment. The digital passport minimizes the number of transactions needed to authenticate a user and simplifies data management, since the user only has to keep his/her passport in order to access the cloud. It also prevents a rejoined user who possesses different attributes from accessing his/her previously authorized data, and prohibits collusion between an authorized user and a revoked one to obtain the access privileges once assigned to the revoked user. The system exploits a PKI to capitalize on offline operations, which enhances performance, and to secure the transmission of private data and defend against man-in-the-middle attacks; its complexity analysis establishes its computational validity. However, the system of version (2) prevents the data owner from assigning a data user to more than one user group, which is not appropriate in many data sharing scenarios and limits the domains in which the system can be deployed. It also requires the data owner to specify all the authorized user groups for each digital object, which complicates data management for the data owner. Moreover, the authorization process performed by the CSP to allow a data user to download a digital object places a heavy computational overhead on the CSP; this is not economically beneficial for the data owner, since most CSP charging models follow a "pay for what you use" model. Therefore, the system of version (2) still suffers from critical shortcomings with respect to scalability and simplicity of data management.

Version (3) introduces a robust cryptographic system for secure data sharing in honest-but-curious cloud environments. It overcomes all the shortcomings of versions (1) and (2) and achieves all six targeted challenges: maintaining data confidentiality, enforcing fine-grained data access control, applying an efficient user revocation mechanism, resisting collusion between system users, system scalability, and generic implementation. Version (3) also offers a novel architecture for the data user's digital identity. This digital identity solves the scalability problems faced by the previous versions without complicating data management for either the data owner or the data user, and it eliminates the need for the data owner and the data user to be online simultaneously to exchange any information. Furthermore, the system defends against man-in-the-middle attacks, ensures the identity of the participants, achieves non-repudiation, and maintains role separation between the different participants. Finally, the system implementation proves its validity in accomplishing all the specified goals with acceptable performance.

The final version presents a robust, generic multi-authority attribute management system for cloud environments. The system of version (4) eliminates one crucial challenge, namely the reliance on a single authority for attribute management. It presents an efficient attribute revocation mechanism that prohibits unauthorized access instantaneously after an attribute is revoked, and it separates the mechanism for attribute revocation from the mechanism for user revocation. Furthermore, the system is shown to be practicable with either a Ciphertext Policy ABE or a Key Policy ABE technique that possesses specific characteristics. It also presents a novel user digital identity structure that prohibits collusion between system users in such environments. Moreover, the participating attribute authorities are not obliged to cooperate, so an attribute authority can join or leave the system without affecting the existing system users or the other existing attribute authorities. Finally, the presented performance measures prove the validity of the system in accomplishing all eight specified security challenges with acceptable performance.
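The digital passport of version (2) and the digital identity of version (3) are described above only in terms of what they guarantee: the CSP authenticates a user with few transactions, a rejoined user cannot reuse previously held privileges, an authorized user cannot borrow a revoked user's privileges, and owner and user need not be online together. The following Go program is an added illustration of one way a PKI-bound passport of that kind can be checked on the CSP side; it is not the thesis's construction. The passport fields, the per-user epoch registry, the challenge-response binding to the user's key and the use of Ed25519 signatures are all assumptions made here for the example, and the users, keys and attribute names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Passport is an assumed encoding of the "digital passport" idea: the data
// owner asserts which attributes a user holds at a given epoch and binds the
// assertion to the user's own public key, so the passport alone (without the
// matching private key) grants nothing.
type Passport struct {
	UserID     string   `json:"user_id"`
	UserPub    []byte   `json:"user_pub"`
	Attributes []string `json:"attributes"`
	Epoch      uint64   `json:"epoch"`
	OwnerSig   []byte   `json:"owner_sig,omitempty"`
}

// payload returns the canonical bytes covered by the owner's signature:
// every field except the signature itself, with attributes sorted.
func (p Passport) payload() []byte {
	body := p
	body.OwnerSig = nil
	body.Attributes = append([]string(nil), p.Attributes...)
	sort.Strings(body.Attributes)
	b, err := json.Marshal(body) // fixed struct field order keeps this deterministic
	if err != nil {
		panic(err)
	}
	return b
}

// IssuePassport is the data owner's offline step: it needs only the user's
// public key, not a live exchange with the user or the CSP.
func IssuePassport(ownerPriv ed25519.PrivateKey, userID string, userPub ed25519.PublicKey, attrs []string, epoch uint64) Passport {
	p := Passport{UserID: userID, UserPub: []byte(userPub), Attributes: attrs, Epoch: epoch}
	p.OwnerSig = ed25519.Sign(ownerPriv, p.payload())
	return p
}

// Registry is the CSP-side state: the owner's public key and, per user, the
// epoch of the passport that is currently live. Revoking a user deletes the
// entry; re-enrolling assigns a fresh epoch, so passports issued before the
// revocation are never accepted again, whatever attributes they carried.
type Registry struct {
	OwnerPub ed25519.PublicKey
	Epoch    map[string]uint64
}

func (r *Registry) Enroll(userID string, epoch uint64) { r.Epoch[userID] = epoch }
func (r *Registry) Revoke(userID string)               { delete(r.Epoch, userID) }

// Authorize is the CSP's check before releasing an object that requires
// needAttr: owner signature over the passport, presenter's signature over a
// fresh challenge with the key named in the passport, live epoch, attribute.
func (r *Registry) Authorize(p Passport, challenge, proof []byte, needAttr string) error {
	if !ed25519.Verify(r.OwnerPub, p.payload(), p.OwnerSig) {
		return errors.New("passport was not issued by the data owner")
	}
	if len(p.UserPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(p.UserPub), challenge, proof) {
		return errors.New("presenter does not hold the key bound to the passport")
	}
	live, ok := r.Epoch[p.UserID]
	if !ok {
		return errors.New("user is revoked")
	}
	if live != p.Epoch {
		return errors.New("passport is from a superseded epoch")
	}
	for _, a := range p.Attributes {
		if a == needAttr {
			return nil
		}
	}
	return errors.New("passport lacks the required attribute")
}

// Outcome records whether each access attempt in Scenario was granted.
type Outcome struct {
	FreshPassportAccepted    bool // live passport, attribute present
	OldPassportAfterRejoin   bool // revoked and rejoined user replays the old passport
	NewPassportLostAttr      bool // rejoined user asks for an attribute no longer held
	NewPassportKeptAttr      bool // rejoined user asks for an attribute still held
	OtherUserBorrowsPassport bool // a different authorized user presents the passport
}

// Scenario walks through the revocation and rejoin sequence with constructed
// keys ("alice", "bob") and attribute names ("staff", "finance").
func Scenario() Outcome {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	csp := &Registry{OwnerPub: ownerPub, Epoch: map[string]uint64{}}

	// attempt runs the challenge-response with the given presenter key.
	attempt := func(p Passport, presenter ed25519.PrivateKey, attr string) bool {
		challenge := make([]byte, 32)
		if _, err := rand.Read(challenge); err != nil {
			panic(err)
		}
		return csp.Authorize(p, challenge, ed25519.Sign(presenter, challenge), attr) == nil
	}

	var out Outcome
	csp.Enroll("alice", 1)
	old := IssuePassport(ownerPriv, "alice", alicePub, []string{"staff", "finance"}, 1)
	out.FreshPassportAccepted = attempt(old, alicePriv, "finance")

	csp.Revoke("alice") // Alice is revoked, then rejoins without "finance"
	csp.Enroll("alice", 2)
	renewed := IssuePassport(ownerPriv, "alice", alicePub, []string{"staff"}, 2)
	out.OldPassportAfterRejoin = attempt(old, alicePriv, "finance")
	out.NewPassportLostAttr = attempt(renewed, alicePriv, "finance")
	out.NewPassportKeptAttr = attempt(renewed, alicePriv, "staff")
	out.OtherUserBorrowsPassport = attempt(renewed, bobPriv, "staff")
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Only the first and fourth attempts succeed. The epoch check is what defeats the rejoin replay: the old passport is still correctly signed by the owner, so signature verification alone would accept it, which is why a revocation record on the CSP side is needed in addition to the PKI.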