RSA-CP-IDABE: A Secure Framework for Multi-User and Multi-Owner Cloud Environment

: Cloud has become one of the most widely used technologies to store data due to its availability, ﬂexibility, and low cost. At the same time, the security, integrity, and privacy of data that needs to be stored on the cloud is the primary threat for cloud deployment. However, the increase in cloud utilization often results in the creation of a multi-user cloud environment, which requires its owners to manage and monitor the data more e ﬀ ectively. The security of information faces an additional threat, which is related to the increasing number of users and owners who deal with the data stored on the cloud. Many researchers have developed several frameworks and algorithms to address the security issues of the cloud environment. In the present work, a novel algorithm is proposed with the integration of Ciphertext Policy-Identity Attribute-based Encryption (CP-IDABE) and the Rivest–Shamir–Adelman (RSA) algorithm for securing the cloud. Both the owners and users are provided with the public and distinct secret keys that are generated by the Automated Certiﬁcate Authority (ACA). The attribute policy di ﬀ erentiates between the user and owner for accessing the cloud data. The proposed RSA-CP-IDABE algorithm also prevents the Man in the Middle (MITM) attack e ﬀ ectively. The performance of the proposed algorithm is evaluated for its time used for encryption, decryption, and execution for varying sizes of data. The obtained results are compared with the existing framework to show its e ﬀ ectiveness. The proposed algorithm can be enhanced with the revocation of privileges in the future.


Introduction
Cloud computing has revolutionized data management in various organizations, globally. The related industries have realized the usage of cloud as a shared environment scheme, which helps to improve the efficiency of data storage [1]. The Cloud storage service provides a comparably low-cost, scalable, and position-independent platform for clients. As a result, it becomes a rapidly profit-earning growth service. It can also integrate multiple internal and/or external cloud services mutually to give high interoperability with open architectures and interfaces [2]. However, there are numerous security issues and challenges in cloud computing because it encompasses many technologies, such as networks, databases, operating systems, virtualization, resource scheduling, transaction management, concurrent control, and memory management [3,4]. In a cloud environment, the responsibility for employing and preserving efficient security mechanisms are in the hands of the providers. To reduce the panic of customers regarding the cloud, these providers try to assure the customers by claiming that the user data and applications stored in their space will be accurately secured [5].
(a) An Automated Cloud Authority (ACA) is established to issue the certificates and keys for both the user and multi owners only after the registration in the cloud. (b) Each of the users and secondary owners is provided with the distinct secret keys to access the data on the cloud-based on their attributes. (c) Since the data is double encrypted, only authorized people can access the data or make any modifications. (d) With the usage of different secret keys on both the user and the owner's side, the confidentiality and integrity of the data are ensured through the proposed scheme. (e) Prevents the MITM attack effectively in the cloud environment.
The rest of the paper is structured as follows. Section 2 describes the related works on cloud security under a multi-owner environment. Section 3 discusses the preliminaries of the proposed algorithm. The system architecture of the secure cloud environment is provided in Section 4. Section 5 provides the system algorithms. Section 6 lists the results obtained from the proposed algorithm and compares it with the earlier algorithms. Section 7 concludes the paper and states future works.

Related Work
Anand et al. [12] had proposed an ECC-based, Diffie-Hellman, key-exchange protocol, and digital signature to protect the multi-owner cloud environment. The proposed algorithm prevents the MITM attack and secures the data integrity among the multi-owners. However, it does not consider the user side in particular with varying attributes. Huang et al. [13] proposed a novel scheme for the cloud to secure the sharing of data among the users and established the conditional dissemination for the multiple owners. The Identity-based Broadcast Encryption (IBBE) technique is employed to share the data among the users that are obtained from its owners. Additionally, the owners, based on the preferences, provide the fine-grained access policy. The proposed approach is found to provide adequate security to the data in the multi-owner clouds. Miao et al. [14] presented a privacy-preserving scheme that is developed with attribute-based keyword search techniques in the multi-owner cloud environment. The proposed scheme improved the tracing of malicious users. The scheme is useful in providing adequate security and prevents the keyword-guessing attack in offline mode. The performance of the proposed scheme is evaluated on real-world datasets.
Sangeetha et al. [15] addressed the issues that are present in the Personal Health Record (PHR) frameworks due to multi-owners. Their work proposed two different frameworks with a Secure-Key Policy Attribute-based Encryption (S-KP-ABE) in the personal domain and Privacy-Preserving-Decentralized Collusion Resistant-Attribute-based Encryption (PP-DCR-ABE) in the public domain. By employing the tokenization technique, the proposed algorithm provided security over the collusion attacks. The experimental outcome validated the improved performance of the proposed frameworks in a multi-owner-based PHR cloud environment.
Miao et al. [16] proposed a novel conjunctive keyword search framework for securing the data in the multi-owner cloud environment. The multi-signature approach was employed to secure the cloud over the keyword guessing attack in the proposed model. The proposed model is verified against the real-time data and is found to be effective. Rong et al. [17] proposed a K-means Clustering-based Privacy-preserving Scheme for securing the distributed cloud in the multi-owner setting. The proposed work provides the set of building blocks of privacy-preserving and employs the protocol of outsourced K-means clustering. From the theoretical analysis, it was observed that the proposed scheme could provide the confidentiality of the cloud data with reduced computational overhead. The proposed scheme experimentally validates its performance against the existing approaches.
Aruna et al. [18] discussed the security and protection that are required for a multi-owner cloud environment. The work examined the different techniques in securing the multi-owner cloud and suggested that the research on the multi-owner cloud should be extended to provide enhanced security, storage, and processing of information in the cloud. Guo et al. [19] proposed an accurate, secure, and efficient multi-owner cloud environment through a scheme of multi-keyword ranked search techniques. A new weight formulation scheme was developed for the keywords for the quality-based ranking of the document. The greedy depth-first search algorithm was employed to improve the constructed global balanced binary tree index.
Peng et al. [20] proposed another tree-based ranking scheme for multi-keyword searches to secure the cloud in a multi-owner environment. Additionally, a privacy-preserving protocol was proposed to enhance security through the process of bilinear mapping. From the security analysis, it is observed that the proposed scheme can secure the cloud, and the security is validated from its performance analysis. Li et al. [21] proposed multi-owner, key-aggregate, searchable encryption through a trapdoor technique to share the data in a multi-owner cloud environment. The scheme supports effective data sharing for both multiple owners and users by reducing unnecessary trapdoors that are hard for generating by mobile devices during the querying step. The security and performance analysis showed the effectiveness of the proposed scheme.

Preliminaries
For securing the cloud in the multi-owner and multi-user environment, a novel Ciphertext Policy Attribute-based Encryption (CP-IDABE) with the identity of a user is integrated with the RSA encryption techniques. The preliminaries for the proposed method are given in this section, and their corresponding notations are given in Table 1.

CP-IDABE
The CP-IDABE combines both the attributes and the ID of the user/owner for the cryptic mechanism over the cipher data under their respective access policy. The users utilize the unsymmetrical security key to access the data in the cloud environment. Additionally, in the proposed scheme, the secondary owners of the data were provided with a distinct secret key. The user/owner generates their username along with a password that serves to be the identity for the proposed scheme. The attribute set that encloses the privileges of access defines whether the person is either a user or an owner. Furthermore, a set of answers to a set of questions [22] is used to validate the user and owner when accessing the cloud through the ACA.

•
Attributes: In the proposed model, the attributes of the user/owner can be anything coming from the set of five random questions provided randomly by ACA. The five random questions provided in the present schemes are (i) primary job (ii) last three digits of credit card (iii) native place (iv) favorite sports (v) favorite team. • Policy: The access policy is very significant in the proposed model, as it is established over the multi-owner and multi-user cloud environment through ACA. In addition to the authorized access to the data, the access policy also provides privileges like editing and removing the data for multiple owners. However, users must be restricted only to access the data, and they do not have the privileges to edit it. In general, the access policy for the owners are defined as (A O ID i O i ), and the users are defined as (A U ID j U j ). When the above conditions are satisfied, the access will be approved, or else it will be denied.
The CP-IDABE consists of the following steps in performing the cryptic mechanism to the cloud data: 1.
Setup (1 P ): The public key, PUK, and the master key, MAK, are generated for the user and the owner based on security parameter P through ACA. Similarly, the public key and the master key are generated for the RSA algorithm as PUK R and MAK R, respectively.

Multi-user:
• KeyGen (MAK, A U , ID j ): given the owner attributes A U and MAK, with the identity (ID j ), this algorithm yields the private key of owner USK i . • Enc (PUK, M, ID j , A): given PUK, user identity ID j with access policy set A, the ciphertext Et is generated with the message M. • Dec (USK i , Et): given the secret key USK i , a ciphertext Et is decrypted through the A U and ID j to get the message M.

RSA-Cryptology
To improve the security and to have effective access control among multi-owners and multi-users, the cloud data is encrypted with the CP-IDABE is encrypted one more time with the RSA algorithm. The RSA algorithm generally takes two prime numbers L and M, randomly to generate the secret key [23,24]. After selecting two prime numbers L and M, the following steps are followed for the key generation: Step 1: estimate N = LxM Step 2: estimate ϕ (N) = (L − 1)(M − 1) Step 3: choose integer e Step 4: GCD (ϕ (N), e) = 1; 1 < e < ϕ (N) Step 5: calculate d d e mod ϕ (N) = 1 public key PUK R = {e, n} private key K R = {d, n}.

Digital Signature
• SignGen (ID i , ID j , A): with the user/owner identity along with their access policy A, yields digital signature D U and D O for the user and owner, respectively, with the verifying message VM.

Description of the System Model
The proposed RSA-CP-IDABE for securing the multi-owner and multi-user cloud environment is given in Figure 1. The proposed framework has four essential components which are discussed below: • Automated Cloud Authority (ACA): This component is employed to register the users and the owners of the data. Initially, the primary owner of the data registers and obtains the secret key for uploading and accessing the cloud data. The principal owner approves other owners through ACA only. The owners can approve any users through the ACA. The ACA access the attribute set of both the user and owner and generate the keys that are used by them to access the data. The ACA controls access over the data through verification of the keys for both users and owners distinctly.
• Cloud: It is a vital component in the proposed framework that stores the encrypted data. The encryption over the data is initially performed with the CP-IDABE using the attribute policy set. Then, the RSA algorithm is applied over encrypted data and stored in the cloud. The user processes the request for data from the cloud and receives it for accessing it. • Multi-owner: It is the group of people who possess the privilege to access the data and modify or update it regularly. In the proposed framework, the data has one primary owner who monitors and controls other owners through ACA. The multi-owners provide access to multiple users and track their access over the data. The primary owner can revoke the secondary owner at any stage. Similarly, the owner can revoke the user over suspicious activity through ACA. • Multi-user: The user in the cloud environment accesses the data through a secret key. The user is authorized by anyone of the multi-owners of the data in the cloud. The user has the privilege to access the data, but they are not allowed to modify or update the cloud data. The data owner through ACA can revoke the user at the time because of any suspicious activities.
Information 2020, 11, x FOR PEER REVIEW 6 of 13 • Cloud: It is a vital component in the proposed framework that stores the encrypted data. The encryption over the data is initially performed with the CP-IDABE using the attribute policy set. Then, the RSA algorithm is applied over encrypted data and stored in the cloud. The user processes the request for data from the cloud and receives it for accessing it. • Multi-owner: It is the group of people who possess the privilege to access the data and modify or update it regularly. In the proposed framework, the data has one primary owner who monitors and controls other owners through ACA. The multi-owners provide access to multiple users and track their access over the data. The primary owner can revoke the secondary owner at any stage. Similarly, the owner can revoke the user over suspicious activity through ACA. • Multi-user: The user in the cloud environment accesses the data through a secret key. The user is authorized by anyone of the multi-owners of the data in the cloud. The user has the privilege to access the data, but they are not allowed to modify or update the cloud data. The data owner through ACA can revoke the user at the time because of any suspicious activities.

Security Analysis
Once the primary owner uploads the data into the cloud, additional secondary owners can be added through the approval of the primary owner. Both the primary and the secondary owners are provided with the public key and the secret key from the ACA to access the data and edit it. Let us consider the owners, as in Figure 2: The primary owner, i.e., owner 1, uploads the encrypted data into the cloud. The secondary owner can access the data on providing the secret key that encloses their identity and the attributes of the owner. The primary owner has to offer both the RSA key and

Security Analysis
Once the primary owner uploads the data into the cloud, additional secondary owners can be added through the approval of the primary owner. Both the primary and the secondary owners are provided with the public key and the secret key from the ACA to access the data and edit it. Let us consider the owners, as in Figure 2: The primary owner, i.e., owner 1, uploads the encrypted data into the cloud. The secondary owner can access the data on providing the secret key that encloses their identity and the attributes of the owner. The primary owner has to offer both the RSA key and the CP-IDABE key to access the data to the user and secondary owners.
Similarly, when the user requests for the data, the digital signature of the user is verified, and access to the data is granted to them. The user uses the secret key to access the obtained encrypted cloud data. If the data owners revoke the user, the users cannot get the data stored in the cloud, as shown in Figure 2.
The MITM attack often occurs when the attacker tries to establish a clear connection among the owners or users. The messages are relayed between the two owners. As seen in Figure 2, consider a scenario where a connection is established between the owner-2 and the user-2 through the MITM attack. When the attacker attempts to access the cloud data from the owner's or the user's end, they must know the answer to the random security questions. They also must provide the secret key to access the data. Hence, the attacker may not breach the security framework, and the data is secured from a MITM attack.
Information 2020, 11, x FOR PEER REVIEW 7 of 13 The MITM attack often occurs when the attacker tries to establish a clear connection among the owners or users. The messages are relayed between the two owners. As seen in Figure 2, consider a scenario where a connection is established between the owner-2 and the user-2 through the MITM attack. When the attacker attempts to access the cloud data from the owner's or the user's end, they must know the answer to the random security questions. They also must provide the secret key to access the data. Hence, the attacker may not breach the security framework, and the data is secured from a MITM attack. Additionally, the security key provided is robust against any breaches. The central aspect of the proposed framework is that the RSA algorithm uses the unsymmetrical key cryptography, and as a result, the attacker has to know both the decryption keys individually to access the data. Even when the attacker breaches the RSA key, they need to obtain the CP-IDABE, which was formulated with access policy that contains the user/owner attribute along with its random identity. Therefore, the proposed model is more secure than the EECDH [12], which is the symmetrical key encryption model. Due to the complex security-key model in the proposed scheme, the data in the cloud can be secured adequately against many attacks.

Construction of the Algorithm
The proposed RSA-CP-IDABE algorithm consists of three different algorithms to ensure the security of the data in the cloud. The first algorithm is the digital signature algorithm that generates the digital signature for both the user and the owner at the time of registration in the cloud. The second algorithm is the CP-IDABE that encrypts the data initially. The final algorithm is the RSA algorithm that encrypts the previously encrypted information once again before storing it on the cloud. Both the CP-IDABE and RSA are used together for the key generation process in the proposed framework. Additionally, the security key provided is robust against any breaches. The central aspect of the proposed framework is that the RSA algorithm uses the unsymmetrical key cryptography, and as a result, the attacker has to know both the decryption keys individually to access the data. Even when the attacker breaches the RSA key, they need to obtain the CP-IDABE, which was formulated with access policy that contains the user/owner attribute along with its random identity. Therefore, the proposed model is more secure than the EECDH [12], which is the symmetrical key encryption model. Due to the complex security-key model in the proposed scheme, the data in the cloud can be secured adequately against many attacks.

Construction of the Algorithm
The proposed RSA-CP-IDABE algorithm consists of three different algorithms to ensure the security of the data in the cloud. The first algorithm is the digital signature algorithm that generates the digital signature for both the user and the owner at the time of registration in the cloud. The second algorithm is the CP-IDABE that encrypts the data initially. The final algorithm is the RSA algorithm that encrypts the previously encrypted information once again before storing it on the cloud. Both the CP-IDABE and RSA are used together for the key generation process in the proposed framework.

For Users
• USK j ← KeyGen (MAK, A U , ID j) : this algorithm uses the master key, MAK, generated by the ACA along with the identity and attributes of the user ID j and A U , respectively, to generate the secret key for the owner USK j .

Results & Discussion
The proposed RSA-CP-IDABE framework to secure the cloud data in the multi-owner and multi-user environment is implemented through Java. The private cloud is established through the Eucalyptus that runs on the i5 Intel core processer with 2.50 GHz using the 16 GB RAM. The performance of the proposed framework is analyzed for its performance through the time taken for encryption and decryption and the overall execution time. The obtained results are compared with the EECDH model [12], since it was implemented to secure only the multi-owner cloud, and the proposed RSA-CP-IDABE is developed to secure the cloud with both multi-owner and multi-user.

Encryption Time
The encryption time is the time taken for encrypting the data through the cryptic mechanism in the cloud security framework. The encryption time generally depends on the size of data that is to be encrypted. In the proposed RSA-CP-IDABE scheme, the encryption time for 8-KB data is 40 ms, and for 1024-KB data, it is 124 ms. However, for the existing Enhanced Elliptical Curve Diffie Hellman (EECDH) algorithm [12], the time taken for encrypting 8-KB data is 51 ms, and 1024-KB is 136 ms, respectively. The comparison between the proposed RSA-CP-IDABE and existing EECDH [12] is given in Table 2 and Figure 3.  8  51  40  16  52  44  32  55  52  64  66  62  128  78  74  256  110  86  512  122  100  1024 136 124 Information 2020, 11, x FOR PEER REVIEW 9 of 13 encryption and decryption and the overall execution time. The obtained results are compared with the EECDH model [12], since it was implemented to secure only the multi-owner cloud, and the proposed RSA-CP-IDABE is developed to secure the cloud with both multi-owner and multi-user.

Encryption Time
The encryption time is the time taken for encrypting the data through the cryptic mechanism in the cloud security framework. The encryption time generally depends on the size of data that is to be encrypted. In the proposed RSA-CP-IDABE scheme, the encryption time for 8-KB data is 40 ms, and for 1024-KB data, it is 124 ms. However, for the existing Enhanced Elliptical Curve Diffie Hellman (EECDH) algorithm [12], the time taken for encrypting 8-KB data is 51 ms, and 1024-KB is 136 ms, respectively. The comparison between the proposed RSA-CP-IDABE and existing EECDH [12] is given in Table 2 and Figure 3.

Decryption Time
The decryption time is the time taken by the owner or the user to decrypt the data using the proposed algorithm. For the proposed RSA-CP-IDABE, the decryption time for 8-KB and 1024-KB data is about 45 ms and 71 ms, respectively. The comparison between the proposed RSA-CP-IDABE and the existing EECDH over decoding different file sizes is given in Table 3 and Figure 4. The existing EECDH [12] takes 54 ms and 80 ms for decrypting the 8-KB and 1024-KB data, respectively. The comparison between the proposed RSA-CP-IDABE and the existing EECDH over decoding different file sizes are given in Table 3 and Figure 4.

Decryption Time
The decryption time is the time taken by the owner or the user to decrypt the data using the proposed algorithm. For the proposed RSA-CP-IDABE, the decryption time for 8-KB and 1024-KB data is about 45 ms and 71 ms, respectively. The comparison between the proposed RSA-CP-IDABE and the existing EECDH over decoding different file sizes is given in Table 3 and Figure 4. The existing EECDH [12] takes 54 ms and 80 ms for decrypting the 8-KB and 1024-KB data, respectively. The comparison between the proposed RSA-CP-IDABE and the existing EECDH over decoding different file sizes are given in Table 3 and Figure 4.  8  54  45  16  59  48  32  62  56  64  67  61  128  70  65  256  73  68  512  78  71  1024  80  71 Information 2020, 11, x FOR PEER REVIEW 10 of 13  8  54  45  16  59  48  32  62  56  64  67  61  128  70  65  256  73  68  512  78  71  1024 80 71

Execution Time
The execution time is the total time taken to secure the data in the cloud environment. The execution time includes the key generation time, encryption time, uploading time, downloading time, decryption time, and verification time. The execution time over the 8-KB and 1024-KB data is about 725 ms and 17,523 ms, respectively, for the existing EECDH [12]. In comparison, the proposed RSA-CP-IDABE has an execution time of 675 ms and 15,792 ms for 8-KB and 1024-KB data, respectively. Table 4 and Figure 5 shows the comparison of performances between the RSA-CP-IDABE and EECDH [12].

Execution Time
The execution time is the total time taken to secure the data in the cloud environment. The execution time includes the key generation time, encryption time, uploading time, downloading time, decryption time, and verification time. The execution time over the 8-KB and 1024-KB data is about 725 ms and 17,523 ms, respectively, for the existing EECDH [12]. In comparison, the proposed RSA-CP-IDABE has an execution time of 675 ms and 15,792 ms for 8-KB and 1024-KB data, respectively. Table 4 and Figure 5 shows the comparison of performances between the RSA-CP-IDABE and EECDH [12].  It is observed in Table 5 that both the encryption and decryption time of the proposed approach is higher than the Improved CP-ABE (I-CP-ABE) [25] when the number of attributes is less. However, when there is an increase in the attributes, the difference between the times decreases, and it was observed that the proposed RSA-CP-IDABE is better than the existing I-CP-ABE, as shown in Figures  6 and 7.    No.of attributes I-CP-ABE [25] RSA-CP-IDABE It is observed in Table 5 that both the encryption and decryption time of the proposed approach is higher than the Improved CP-ABE (I-CP-ABE) [25] when the number of attributes is less. However, when there is an increase in the attributes, the difference between the times decreases, and it was observed that the proposed RSA-CP-IDABE is better than the existing I-CP-ABE, as shown in Figures 6 and 7.  It is observed in Table 5 that both the encryption and decryption time of the proposed approach is higher than the Improved CP-ABE (I-CP-ABE) [25] when the number of attributes is less. However, when there is an increase in the attributes, the difference between the times decreases, and it was observed that the proposed RSA-CP-IDABE is better than the existing I-CP-ABE, as shown in Figures  6 and 7.    No.of attributes I-CP-ABE [25] RSA-CP-IDABE    No.of attributes I-CP-ABE [25] RSA-CP-IDABE

Conclusions and Future Work
For securing the data in the multi-user and multi-owner cloud environment, a novel RSA-CP-IDABE algorithm was proposed. Both the user and the owner have to register through the ACA in the cloud. After the registration, they are provided with a public key and a distinct secret key based on the attributes. The RSA-based secret key is provided to both the owner and the user. The primary owner monitors the activities of secondary owners over the data. The multiple owners monitor user activities. When the owners upload the data, both the CP-IDABE and RSA algorithm are executed by the system to encrypt the data. The user accesses the data using the dual decryption keys. The proposed algorithm also prevents the MITM attack effectively through the double encryption over the cloud data.
The proposed RSA-CP-IDABE is evaluated for its performance over the varying sizes of data. The encryption time for 1024-KB data is about 124 ms, and its decryption time is 71 ms. The total execution time for 1024-KB data is about 15,792 ms. From the comparison, it is observed that the proposed RSA-CP-IDABE is more useful and effective in securing data in the cloud than the existing EECDH and I-CP-ABE algorithm.
The drawback of the proposed security scheme is that it performed better over the existing I-CP-ABE model only when the number of attributes increases. The concept of revocation is vital for cloud users, as it establishes control over user activities. In the proposed model, revocation is not considered. The future scope may include the revocation of users and secondary owners using their attributes to ensure the improved integrity and privacy of data.