AES–CP–IDABE: A Privacy Protection Framework against a DoS Attack in the Cloud Environment with the Access Control Mechanism
Abstract
:1. Introduction
- We developed a novel ABE model using AES cryptography and identity-based access control at the owner’s side and the user’s side in the cloud environment. We name the novel algorithm as “AES Cipher-text-Identity and Attribute-Based Encryption” or AES–CP–IDABE in short.
- We provide the owner-side authentication with the necessary information of the owner. This becomes the attribute for their key generation through which they can access the cloud environment.
- For the user-side, we provide two layers for generating the attributes that will be implemented during the authentication process. Initially, the user’s basic information is employed for identity generation along with five random questions, which can ensure the credibility and validity of the authorized user.
- The data in our model is encrypted using AES cryptography, and it is effectively decrypted with the independent keys of the user 6.
- Along with securing the data, our model also shows reduced overhead and resource consumption, which is a crucial requirement for its real-time implementation.
2. Related Work
- When malicious users launch the cyber-attacks on cloud storage, resource consumption will increase.
- The cryptography-driven access control does not protect the cloud provider against many attacks.
- The cloud provider does not implement access control effectively and does not prevent access from unauthorized users effectively.
3. Preliminaries
3.1. CP–IDABE
- Attributes: In the proposed model, the attributes of the user can be one of the following items in the set of five:
- (i)
- First job;
- (ii)
- Last five digits of their credit card;
- (iii)
- Name of their hometown;
- (iv)
- Favorite team;
- (v)
- Favorite sports.
- Policy: Here, the access policy for the user has been designated by attribute A with the identity ID of the user U (A). The user identity obtained from the user name and password is listed along with the attribute in formulating the access policy that is set in the cloud. Hence, CP–IDABE secures the data from unauthorized access. On satisfying the given condition, the access will be approved, or else it will be denied.
- Setup (): P is the security parameter that provides the Public key (Pk) and Master secret key (Mk) from the cloud server (CS).
- KeyGen (Mk, Ai, IDu): Given attributes Ai and Mk and the identity of the user (IDu), this algorithm yields the private key of the user (Ski).
- Enc (Pk, M, IDu, A): Given Pk, the user identity (IDu), the message M and an access policy (A), the Enc algorithm yields an initial Encrypted cipher-text (Ect).
- Dec (Ski, Ect): Given the private key (Ski) and an initially encrypted cipher-text (Ect), the Dec algorithm yields the message M if the IDu and Ai satisfy the access policy (A).
3.2. AES–Cryptology
- Enc (M′, K): Given the key (K), the message M’ yields the final cipher-text (Ect′) during encoding (Enc).
- Dec (K, Ect′): Given the key (K), this algorithm yields the message M’ from Ect′ during decoding (Dec).
3.3. Digital Signature
- SignGen (IDu, At, Mk): the identity of the user (IDu) and the access policy (At) along with the master key (Mk) yield the digital signature (SD) and the verifying message Mv.
3.4. Dual Encryption of AES–CP–IDABE
4. Working Principle of the Proposed System Model
- Data owner: The data owner plays a vital role in any cloud environment. They are the ones who share and store the data on the cloud, which can be accessed by authorized users. They are also responsible for uploading the data into the specified cloud and encrypt it with the proposed AES–CP–IDABE. If any attack takes place in the cloud environment, then they are the ones who get affected the most.
- Data user: Data users utilize the data that are stored on the cloud. It also decrypts the encrypted data through the authentication keys provided by the data owner. The cloud server has to authorize them based on their identity and permission attributes to access the cloud and the stored data.
- Cloud server: The cloud server is an integral part of the proposed work in securing the cloud environment. All the data from the data owners and the users are stored on the server. It contains all the keys and the digital signature of all the users, along with their attributes and ID. Servers are designed to verify the difference between the user’s access and the owner’s access to the cloud environment. Besides authenticaticating the user, it also monitors resource utilization in the cloud.
5. Control Mechanism and Security Model
- Control I: The data owner and the cloud service provider provide distinct authentication to access the cloud. The data owner takes the responsibility of assigning the access policy for the data in the cloud. Hence, the user who has the access policy privileges can only access the data by decrypting it.
- Control II: The cloud server performs the validation of the user before allowing them to access the data and decrypt them. This, in turn, provides resistance against the malicious DoS attacks.
- Control III: The data owner in this model can monitor the user in the cloud server for maintaining the usage of the resource.
- Access control—Since the user attributes and their ID are both used for the authentication of the user; the attacker cannot breach the initial login process easily. In addition to this, while the user information is being processed for authenticating its access to the cloud, one of the five random questions connected to the attributes will pop up. The user can enter the cloud environment only after the verification of the answers to the random pop-up questions. Furthermore, in our model, we provide a separate authentication process for cloud service providers and the data owner.
- Data privacy—AES has never been cracked yet, and it is safe against any brute force attacks contrary to common beliefs and arguments. Additionally, even if the attacker somehow breaches the AES key because of its symmetry, they must know the novel CP–IDABE key as well to obtain the actual data, which is very complex with the well-defined access policies and random ID of the user. The double encryption process preserves data privacy as the encryption key, and a decryption key is a dual form of both AES and CP–IDABE. Hence, the data in the cloud is adequately protected.
- Against the DoS attacks—In general, DoS attacks occur with an increased number of fake requests from the external hacker’s source. Once the attacker enters the cloud, the number of request flow increases. Therefore, the cloud service provider in the proposed model initiates the attack detection and mitigation framework. It encloses the mechanism that captures the IP address and stores them in the cloud server to mitigate the attacker. If the attacker tries to access the cloud, it will block the user and protect the cloud environment from the DoS attack. In the present work, four common DoS attack forms that are considered are mentioned below:
- User datagram protocol (UDP) flood: In this type of DoS attack, a server is flooded with UDP packets. This makes it harder for defensive mechanisms to identify the attack.
- SYN flood: It is carried out when an attacker sends many SYN packets to the target server from spoofed IP addresses.
- Internet control message protocol (ICMP) flood: When a server is flooded with massive amounts of spoofed ICMP packets, its resources are exhausted in trying to process these requests. This overload reboots the server and has an enormous impact on its performance.
- HTTP flood: In an HTTP flood attack, the adversary floods massive spurious HTTP requests for downloading an online file from the target server.
6. The Flow of Control for the Proposed Algorithm
6.1. Key Generation for CP–IDABE
- : The cloud server runs the initial setup for the generated cloud data and provides the public key (Pk) and the master key (Mk) with the security parameter (P).
- : When the public and the master key are generated, and the user processes their request, the CS generates the secret key (Ski) with the master key along with the identity (IDu) and attribute set (Ai).
- : The data in the cloud were encrypted before being uploading into the cloud with the encrypted key, which results in the generation of the encrypted cipher-text (Ect) with the public key ()user identity (IDu) attribute policy (A) and the message M.
- When the user provides the secret key for the encrypted cipher-text, the process of decryption begins, and the message M is obtained.
6.2. AES- ALGORITHM
- : By providing the decrypted data as the input for the AES cryptography, the data will be encrypted again to result in Ect′ with the key (K) and the message M′.
- With the encrypted data and the key (k), the data will be decrypted to produce the message .
6.3. Signature Generation
- The CS picks the attributes and user identification (IDu) for generating the digital signature (SD) with the message.
- : For verifying the user, they must provide the digital signature SD along with the verification message Mv.
7. Results and Discussion
- Cloud user communication: The amount of data that is consumed during the interaction of the user and the cloud server.
- User execution time: The measure of time taken for key generation and the response time in the cloud for the user.
- Data owner upload communication: The amount of data consumed to upload the data on the cloud from the data owners’ end.
7.1. Cloud User Communication and User Execution Time
7.2. Communication of Data Owner
7.3. Time Cost for Encryption and Decryption
7.4. Performance of Different Attacks
8. Conclusions and Future Work
Author Contributions
Funding
Conflicts of Interest
References
- Hashem, I.A.; Yaqoob, I.; Anuar, N.B.; Mokhtar, S.; Gani, A.; Khan, S.U. The rise of “big data” on cloud computing: Review and open research issues. Inf. Syst. 2015, 47, 98–115. [Google Scholar]
- Singh, A.; Chatterjee, K. Cloud security issues and challenges: A survey. J. Netw. Comput. Appl. 2016, 79, 88–115. [Google Scholar] [CrossRef]
- Yu, S.; Wang, C.; Ren, K.; Lou, W. Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the 2010 IEEE INFOCOM, San Diego, CA, USA, 14–19 March 2010; pp. 1–9. [Google Scholar]
- Sun, W.; Yu, S.; Lou, W.; Hou, Y.T.; Li, H. Protecting your right: Verifiable attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud. IEEE Trans. Parallel Distrib. Syst. 2014, 27, 1187–1198. [Google Scholar] [CrossRef]
- Kumar, P.; Alphonse, P.J.A. Attribute based encryption in cloud computing: A survey, gap analysis, and future directions. J. Netw. Comput. Appl. 2018, 108, 37–52. [Google Scholar]
- Grobauer, B.; Walloschek, T.; Stocker, E. Understanding cloud computing vulnerabilities. IEEE Secur. Priv. 2010, 9, 50–57. [Google Scholar] [CrossRef]
- Kozlov, D.; Veijalainen, J.; Ali, Y. Security and privacy threats in IoT architectures. In Proceedings of the BODYNETS, Oslo, Norway, 24–26 September 2012; pp. 256–262. [Google Scholar]
- Khan, A.R. Access control in cloud computing environment. ARPN J. Eng. Appl. Sci. 2012, 7, 613–615. [Google Scholar]
- Zhu, W.; Yu, J.; Wang, T.; Zhang, P.; Xie, W. Efficient attribute-based encryption from R-LWE. Chin. J. Electron. 2014, 23, 778–782. [Google Scholar]
- Wan, Z.; Deng, R.H. HASBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Trans. Inf. Forensics Secur. 2011, 7, 743–754. [Google Scholar] [CrossRef]
- Li, Y.; Yu, Y.; Yang, B.; Min, G.; Wu, H. Privacy preserving cloud data auditing with efficient key update. Future Gener. Comput. Syst. 2018, 78, 789–798. [Google Scholar] [CrossRef]
- Shen, Z.; Shu, J.; Xue, W. Keyword search with access control over encrypted cloud data. IEEE Sens. J. 2016, 17, 858–868. [Google Scholar] [CrossRef]
- Zhu, Y.; Huang, Z.; Takagi, T. Secure and controllable k-NN query over encrypted cloud data with key confidentiality. J. Parallel Distrib. Comput. 2016, 89, 1–12. [Google Scholar] [CrossRef]
- Cheng, K.; Wang, L.; Shen, Y.; Wang, H.; Wang, Y.; Jiang, X.; Zhong, H. Secure k-nn query on encrypted cloud data with multiple keys. IEEE Trans. Big Data 2017. [Google Scholar] [CrossRef]
- Cui, H.; Deng, R.H.; Li, Y.; Wu, G. Attribute-based storage supporting secure deduplication of encrypted data in cloud. IEEE Trans. Big Data 2017, 5, 330–342. [Google Scholar] [CrossRef]
- Liang, X.; Shetty, S.; Tosh, D.; Kamhoua, C.; Kwiat, K.; Njilla, L. Provchain: A blockchain-based data provenance architecture in cloud environment with enhanced privacy and availability. In Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID), Madrid, Spain, 14–17 May 2017; pp. 468–477. [Google Scholar]
- Li, J.; Zhang, Y.; Chen, X.; Xiang, Y. Secure attribute-based data sharing for resource-limited users in cloud computing. Comput. Secur. 2018, 72, 1–12. [Google Scholar] [CrossRef]
- Huang, Q.; Yang, Y.; Shen, M. Secure and efficient data collaboration with hierarchical attribute-based encryption in cloud computing. Future Gener. Comput. Syst. 2016, 72, 239–249. [Google Scholar] [CrossRef]
- Jiang, R.; Wu, X.; Bhargava, B. SDSS-MAC: Secure data sharing scheme in multi-authority cloud storage systems. Comput. Secur. 2016, 62, 193–212. [Google Scholar] [CrossRef]
- Murugesan, V.; Shalinie, M.; Neethimani, N. A brief survey of IP traceback methodologies. Acta Polytech. Hung. 2014, 11, 197–216. [Google Scholar]
- Wang, Y.; Wang, F.; Guo, J. A rapid detection algorithm for malformed H-DoS in the cloud platform. Int. J. Adv. Comput. Technol. 2013, 5, 474–481. [Google Scholar]
- Filho, L.; De, F.S.; Silveira, F.A.F.; Junior, A.D.B.; Vargas-Solar, G.; Silveira, F.L. Smart Detection: An Online Approach for DoS/DDoS Attack Detection Using Machine Learning. Secur. Commun. Netw. 2019. [Google Scholar] [CrossRef]
- Rao, K.R.; Ray, I.G.; Asif, W.; Nayak, A.; Rajarajan, M. R-PEKS: RBAC Enabled PEKS for Secure Access of Cloud Data. IEEE Access 2019, 7, 133274–133289. [Google Scholar] [CrossRef]
- Chenthara, S.; Ahmed, K.; Wang, H.; Whittaker, F. Security and privacy-preserving challenges of e-Health solutions in cloud computing. IEEE Access 2019, 7, 74361–74382. [Google Scholar] [CrossRef]
- Tan, S.Y. Correction to Improving Privacy and Security in Decentralizing Multi-Authority Attribute-Based Encryption in Cloud Computing. IEEE Access 2019, 7, 17045–17049. [Google Scholar] [CrossRef]
- Hongbo, L.; Huang, Q.; Ma, S.; Shen, J.; Susilo, W. Authorized equality test on identity-based cipher-texts for secret data sharing via cloud storage. IEEE Access 2019, 7, 25409–25421. [Google Scholar]
- Shumin, X.; Ren, C. Security Protection of System Sharing Data with Improved CP-ABE Encryption Algorithm under Cloud Computing Environment. Autom. Control. Comput. Sci. 2019, 53, 342–350. [Google Scholar] [CrossRef]
- Xiong, J.; Zhang, Y.; Tang, S.; Liu, X.; Yao, Z. Secure Encrypted Data with Authorized Deduplication in Cloud. IEEE Access 2019, 7, 75090–75104. [Google Scholar] [CrossRef]
Ref. No. | Contribution | Methodology | Performance | Future Scope/Limitation |
---|---|---|---|---|
[11] | In the Public Key Infrastructure system, the key expires with the digital certificate | Key updation technique developed for auditing the cloud data | New scheme was more effective than Shacham–Waters auditing scheme | Real-time implementation of the proposed scheme required to understand its effectiveness |
[12] | Keyword search problem with access control is addressed | Novel scheme with KSAC is established with encrypted data | Proposed KSAC required 1.08s and 0.12s for generating per-capacity and match decision | Cost can be reduced by modifying the noise injection frequency |
[13] | Traditional method of support processing and analysis of encrypted data | K-nearest neighbor (KNN) query scheme is proposed | Proposed scheme showed less overhead compared to the existing schemes | Access pattern for data has to be protected |
[15] | Existing ABE system does not support a secure deduplication process | Attribute-based method established for the storage system with effective deduplication | Provided increased confidentiality and semantic security in sharing and deduplication of data | Supports the construction of a new ABE scheme that can be used in CP-ABE |
[17] | Addressed the problem in achieving high-efficiency, fine-graininess on data owner’s side | Attribute-based scheme implemented to verify the attribute set along with the cipher-text under offline and online mode | Proposed method is robust against cipher-text attacks | Main limitation is the revocation of the attributes in data sharing |
Data Size | No. of Attributes | 10 | 20 | 30 | 40 | 50 |
---|---|---|---|---|---|---|
10 KB | I-CP–ABE [27] | 150 | 250 | 400 | 500 | 600 |
AES–CP–IDABE | 210 | 275 | 390 | 470 | 550 | |
50 KB | I-CP–ABE [27] | 190 | 400 | 550 | 600 | 780 |
AES–CP–IDABE | 285 | 430 | 555 | 580 | 690 | |
100 KB | I-CP–ABE [27] | 270 | 440 | 600 | 700 | 1000 |
AES–CP–IDABE | 360 | 480 | 595 | 640 | 850 |
Data Size | No. of Attributes | 10 | 20 | 30 | 40 | 50 |
---|---|---|---|---|---|---|
10 KB | I-CP–ABE [27] | 80 | 90 | 110 | 150 | 190 |
AES–CP–IDABE | 110 | 115 | 125 | 145 | 175 | |
50 KB | I-CP–ABE [27] | 110 | 130 | 150 | 200 | 300 |
AES–CP–IDABE | 130 | 140 | 155 | 180 | 250 | |
100 KB | I-CP–ABE [27] | 250 | 350 | 400 | 550 | 700 |
AES–CP–IDABE | 300 | 375 | 410 | 525 | 610 |
Attacks | F1 Measure | Precision | Accuracy |
---|---|---|---|
SYN flood | 0.995 | 0.995 | 0.986 |
UDP flood | 1 | 1 | 0.981 |
ICMP flood | 0.988 | 1 | 0.978 |
HTTP flood | 1 | 0.985 | 0.981 |
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Chandel, S.; Yang, G.; Chakravarty, S. AES–CP–IDABE: A Privacy Protection Framework against a DoS Attack in the Cloud Environment with the Access Control Mechanism. Information 2020, 11, 372. https://doi.org/10.3390/info11080372
Chandel S, Yang G, Chakravarty S. AES–CP–IDABE: A Privacy Protection Framework against a DoS Attack in the Cloud Environment with the Access Control Mechanism. Information. 2020; 11(8):372. https://doi.org/10.3390/info11080372
Chicago/Turabian StyleChandel, Sonali, Geng Yang, and Sumit Chakravarty. 2020. "AES–CP–IDABE: A Privacy Protection Framework against a DoS Attack in the Cloud Environment with the Access Control Mechanism" Information 11, no. 8: 372. https://doi.org/10.3390/info11080372
APA StyleChandel, S., Yang, G., & Chakravarty, S. (2020). AES–CP–IDABE: A Privacy Protection Framework against a DoS Attack in the Cloud Environment with the Access Control Mechanism. Information, 11(8), 372. https://doi.org/10.3390/info11080372