Cloud Computing is an interesting and emerging technology which enables the cloud storage easily accessible to the internet users. It offers the three basic service models.
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS).Clouds are deployed as public, private and hybrid clouds.
Public Clouds: The service provider makes available the applications or resources to public. Private Clouds:
Hybrid Clouds: Cloud storage is a boon to the enterprise users. Instead of owning the resources which are inaccessible during most of the time, cloud storage provides them pay per use concept. It reduces the maintenance cost.
Emergency Department: Breakglass
A Survey on Encryption Schemes for Data Sharing in Cloud Computing:
This paper discuss about the various encryption schemes which helps in sharing the outsourced data in a safe manner. Several encryption schemes such as Key-Policy Attribute-Based Encryption, Ciphertext-Policy Attribute-Based Encryption, Ciphertext Policy Attribute Set Based Encryption, Fuzzy Identity-Based Encryption, Hierarchical Identity- Based Encryption, Hierarchical Attribute-Based Encryption and Hierarchical Attribute-Set-Based Encryption are analyzed and compared to find the best access control to the outsourced data. Among these encryption schemes, the author concludes that the Hierarchical attribute set based encryption is the best encryption scheme to share the secured outsourced data in the cloud service provider.
Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Storage Services
This paper combines the hierarchical identity based encryption and the cipher-text policy attribute based encryption system for efficient sharing of confidential data on the cloud servers. The proposed scheme is to attain high performance, fine-grained access control, scalability and full delegation.
A CRM service for cloud computing based on a separate encryption and decryption system:
This paper proposed a business model which consists of three cloud systems to ensure the data confidentiality. The unauthorized insiders in the cloud , leak the data. To avoid this, data is stored in one service provider and the encryption or decryption is performed in another service provider. The encryption or decryption system is not aware of the data stored in storage service provider. It is necessary that data must be encrypted first and then stored in storage service provider. The third cloud system is for application systems such as CRM. All the three cloud systems are independent.
CP-ABE Based Encryption for Secured Cloud Storage Access:
The proposed scheme ensures the data integrity and data security in data outsourcing using cipher-text policy attribute based encryption. The owner of the data is responsible for defining and enforcing the policies for attributes and not for users. Thus unauthorized access is effectively blocked. The security model of the cloud storage architecture consists of the key generation center, data storing center, data owner and the user. The data storage center and the key generation center are assumed to be semi-trusted. The attribute sets are identified by private keys. The key issuing protocol involves the key generation center and the data storing center and then the secret keys are generated using the secure 2PC protocol. Keys are provided to the users for those who possess the correct attributes. As the key issuing protocol involves two authorities, no one can individually generate the secret keys for the user.
Secure Cloud based Medical Data exchange using Attribute based Encryption:
To make the data exchange secure in cloud, the proposed system grants fine grained access control to the outsourced data by combining key policy attribute based encryption, proxy re-encryption and lazy encryption. The purpose of the proposed system is to provide the secure access control for the medical data exchange and the secure key management. This scheme greatly reduces the data owner’s difficulties by delegating it to the cloud servers. Consider a medical data exchange scenario in which the patient wants to send the files requested by the doctors. First, the patient must send the secret key and the PRE key and the URL of the cloud storage to the doctor via email. Then the patient needs to upload the encrypted files (i.e., files are encrypted using the data encryption key, DEK) and the encrypted DEK (i.e., DEK is encrypted using KP-ABE whose access structure is satisfied by the secret key sent to the doctor) to the cloud storage. The doctor requests and receives both encrypted files and encrypted DEK. After receiving the response from the cloud, the doctor uses his secret key to decrypt the encrypted DEK. Then the original DEK is used to decrypt the encrypted files. The cloud storage server is assumed to be semi-trusted. This scheme enables data confidentiality, data integrity using authentication, user revocation using lazy encryption, break glass access in emergency departments.
TAAC: Temporal Attribute-based Access Control for Multi-Authority Cloud Storage Systems
CP-ABE schemes are generally applied in multi-authority cloud storage systems to improve the efficiency of the multi authority cloud storage system. Due to the attribute revocation problem, existing CP-ABE schemes are not directly applied to data access control for cloud storage systems. The cloud storage system consists of multiple attribute authorities and they are independent from each other. As there are multiple authorities, no central authority is required to manage the entire cloud storage system and it is ensured that the entire security of the cloud storage system is not dependent on the central authority. Temporal Attribute-based Access Control (TAAC) is proposed to provide the efficient data access control schemes in multi-authority cloud storage systems on attribute level. Re-encryption of cipher-text is not required in TAAC during the attribute revocation which leads to the efficiency. The purpose of the TAAC is to slot the time and associate the time slot with attributes. The attribute authority can revoke or re-grant the user in a particular time slot without the knowledge of other authorities (i.e. users can access the attributes from other authorities, only the attributes from the particular authority is revoked). Any legal user can download the cipher-text from the system and only those who have the attributes are allowed to decrypt the cipher-text which is associated with the access policy and the particular time slot. The algorithms used in TAAC to design the framework are GlobalSetup, AuthoritySetup, SKeyGen, UKeyGen, DKeyCom, Encrypt and Decrypt. Symmetric algorithms are used to encrypt the data and TAAC is used to encrypt the content key. The Secret keys are given to the users those who possess the attributes and the Update Keys are published in the pubic bulletin boards. Secret keys and Update keys are used to generate decryption key for time slot. The four phases in TAAC are System Initialization, Key Generation by AAs, Data Encryption by Owners and Data Decryption by Users. TAAC enhances the scalability and flexibility to construct an efficient multi authority cloud storage system.
Efficient Sharing of Secure Cloud Storage Services
Consider an organization which uses the cloud storage services in the form of a hierarchy to share the services efficiently. Efficient Sharing of Secure Cloud Services (ESC) scheme is the proposed scheme. The owner of the organization is considered to be the upper level user and the employees who are working under the owner are considered to be the lower level user. There is a root -Private Key Generator (root-PKG) which is a trusted third party and it acts as the topmost level to the owner. The root-PKG delegates the owner to provide the secret keys to the lower level users. As the owner grants access to multiple recipients, the system adopts one-to-many encryption and the hierarchical identity-based encryption algorithm. The hierarchical identity-based architecture consists of a domain which includes the upper level user and the lower level user, where the authentication and the secret key transmissions take place. The domain shares the cloud storage services. It is sufficient to store a single copy of the cipher-text on the cloud, when the sender wants to encrypt and store a file. The owner and the intended recipients can recover the file using their private keys. The outside attackers and the curious unauthorized employees inside the domain are unable to recover the cipher-text. This scheme avoids the collusion attacks in the random oracle model under Bilinear Diffie-Hellman assumption. The steps in ESC scheme are Root Setup, DomSetup, One2ManyEnc, UserDec and RecipientsDec. Performance and Security are amended in this scheme.
Reliable Re-encryption in Unreliable Clouds
A cloud environment consists of many cloud servers. The authors importune to encrypt the data before storing it into the cloud. To avoid the revoked users accessing the data file with their decrypt keys, the contents must be re-encrypted and the new keys are rendered to the empowered users. Consider a premise that four cloud servers such as CS1, CS2, CS3 and CS4 present in a cloud environment. The data owner wishes to re-encrypt all the old cipher-text using the new re-encryption keys. For this purpose, re-encryption commands are propagated through the entire network. Network outage takes a chance to prevent the successful re-encryption in all cloud servers. The revoked users gain the old cipher-text which is decrypted by their old decryption keys if the server is not updated due to the network failures. The resolution to this problem is the cloud servers expected to re-encrypt them independently without obtaining the commands from the data owner (i.e. avert the command driven re-encryption scheme). Reliable re-encryption scheme in unreliable clouds (R3 scheme) is a time based re-encryption scheme which affiliates the data with an access control and access time. The design of the proposed R3 scheme is to permit the cloud servers to re-encrypt the data automatically based on the internal clock. This scheme applies the attribute based encryption and the proxy re-encryption scheme. Data owner initialization, Data user read data and Data owner write data are the three components in R3 scheme. The proposed scheme meliorates the access control correctness, data consistency, confidentiality and data efficiency.
A Secure Erasure Code-Based Cloud Storage System with Secure Data Forwarding
Constructing a secure distributed cloud storage system is a major dispute when it executes multiple functions. The authors suggested threshold proxy re-encryption scheme and the decentralized erasure code for the distributed cloud storage system. The decentralized cloud storage system consists of n distributed storage servers and m key servers. Maintaining separate servers for different functionality is to ascertain the data confidentiality, because the servers are presumed to be semi-trusted. Storage servers and key servers work independently. The former one performs encoding and forwarding functions while the latter one performs partial decryption. Data forwarding uses proxy re-encryption schemes. The encryption schemes carry out encoding on the encrypted messages and the forwarding procedures are executed on the encrypted and encoded messages.
