International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 6- June 2013 Hierarchical Attribute-Based Secure Outsourcing for Malleable Access in Cloud Computing S. Usha#1, Dr. A. Tamilarasi#2, K. Mahalakshmi*3 #1 Assistant Professor, Dept. of CSE, University College of Engg., Panruti Campus, Tamilnadu, India #2 Professor & HOD, Kongu Engineering College, Perundurai,Tamilnadu, India * PG Scholar, Dept. of CSE, University College of Engg., (BIT Campus), Trichy, Tamilnadu, India Abstract— This paper is an attempt to provide an enhanced data storage security model in Cloud Computing and creating a trust environment in cloud computing. There are a lot of compelling reasons for businesses to deploy cloud-based storage. For a new business, start-up costs are significantly reduced because there is no need to invest capital up front for an internal IT infrastructure to support the business. By far, the number one question clients considering a move to cloud storage ask is whether or not their data will be secure. Storing data offsite doesn’t change data security requirements; they are the same as those facing data stored onsite. Security should be based on business requirements for specific applications and data sets, no matter where the data is stored. We believe that data storage security in Cloud Computing, an area full of challenges and of paramount importance, is still in its infancy now, and many research problems are yet to be identified. In this paper, we investigated the problem of data security in cloud data storage, to ensure the correctness of clients’ data in cloud data storage. We proposed a Hierarchical Attribute-Based Secure Outsourcing for mallable Access in Cloud computing which also ensures data storage security and survivability thereby providing trust environment to the clients. To combat against unauthorized information leakage, sensitive data have to be encrypted before outsourcing so as to provide end-to-end data confidentiality assurance in the cloud and beyond. We have reduced the computation time due to key size by implementing ECDSA algorithm for Cryptographical operations. Also we use push mail algorithm for key exchange between owner and consumer. It enhances the security in the proposed model effectively. Keywords— Cloud Computing, Access Control, Secure data storage I. INTRODUCTION Cloud computing is a computing paradigm in which the application software and databases are moved to the centralized large data centres. Cloud computing differs from existing hosting services. Services are based on consumption and the technology infrastructure is optimized for hosting several customers. Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. It is receiving more and more attentions, from both industrial and academic community. Cloud computing separates usage of IT resources from their management and maintenance, so that clients can focus on their core business and leave the expensive maintenance of IT services to cloud service provider. However clients of outsourced storage are at the mercy of their storage providers for the continued availability ISSN: 2231-5381 of their data. Even Amazon's S3, the best-known storage service, has experienced significant downtime. Here we are considering scenarios where clients may have concerns of the data security and survivability of their data stored in the cloud storage. The management of the data and services may not be fully trustworthy. Trust Access of clients on identity and behaviors is significant for Network Services. In Trust Environment, security and survivability must be provided on network services. The client’s behaviors should be monitored and some abnormal behaviors should be handled. In order to increase the data storage security and to provide trust environment in cloud, we propose architecture with Hierarchical Attribute-based secure outsourcing to monitor data flow to ensure data storage security and survivability thereby providing trust environment to the clients. Cipher text-policy attribute-based encryption (CP-ABE), as one of the most promising encryption systems in this field allows the encryption of data by specifying an access control policy over attributes so that only users with a set of attributes satisfying this policy can decrypt the corresponding data. However a CP-ABE system may not work well when enterprise users outsource their data for sharing on cloud servers due to the following reasons: First, one of the biggest merits of cloud computing is that users can access data stored in the cloud anytime and any- where using any device such as thin clients with limited bandwidth, CPU, and memory capabilities. Therefore the encryption system should provide high performance. Second, in the case of a large-scale industry a delegation mechanism in the generation of keys inside an enterprise is needed. IBE provides a public key encryption mechanism where a public key is an arbitrary string. In this paper construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle and these system include an efficient CCA2 public key cryptosystem. Although some CPABE schemes support delegation between users which enables a user to generate attribute secret keys containing a subset of this own attribute secret keys for other users. We hope to achieve a full delegation that is a delegation mechanism between attribute authorities (AAs) which independently make decisions on the structure and semantics of their attributes. Third, in case of a large-scale industry with a high turnover rate, a scalable revocation mechanism is a must. In this paper, we propose first a hierarchical attributebased encryption (HABE) model by combining a HIBE http://www.ijettjournal.org Page 2594 International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 6- June 2013 system and a CP-ABE system Based on the HABE model we construct a HABE scheme by making a performanceexpressivity trade-off to achieve high performance. Traditionally trust can be established based on identities. Obtain local identities from system in order to access system service. Under assumption of that entities in the systems are already known each other. On open system like Internet strangers can make connection and establish trust together obviously establishing trust based on ID is not a feasible approach. Parties may come from different security domain and often do not have any pre-existing relationship. Therefore, the properties of the participants will be most relevant. The approach of automated trust negotiation differs from traditional identity-based access control systems mainly in the following aspects: 1) Trust between two strangers is established based on parties’ properties. It is proven through disclosure of digital credentials. 2) Every party can define access control policies to control outsider’s access to their sensitive resources. 3) Instead of a one-shot authorization and authentication trust is established incrementally through a sequence of bilateral credential disclosures. 4) Less sensitive first. More sensitive disclosed later on as level of trust increase. 5) When it comes to SaaS and PaaS authentication authenticate users with your identity provider and use federation for trust with the SaaS vendor. 6) Interestingly the CSA recommends enabling the use of a single set of credentials valid across multiple sites for individual users and to void vendor proprietary methods II. RELATED WORKS Matthew Green, Susan Hohenberger and Brent Waters [13], In this work, we show how to delegate (in a true offline sense) the ability to transform an ABE cipher text on message m into an El Gamal-style cipher text on the same m, without learning anything about m. This is similar to the concept of proxy encryption where an untrusted proxy is given a re-encryption key that allows it to transform an encryption under Alice’s key of m into an encryption under Bob’s key of the same m, without allowing the proxy to learn anything about m. IBE provides a public key encryption mechanism where a public key is an arbitrary string. An IBE consists of 4 algorithms are Setup, KeyGen, Encrypt and Decrypt. In a HIBE system identities are vectors. A vector of dimension k represents an identity at depth k. Rakesh Bobba, Himanshu Khurana and Manoj Prabhakaran [14],in this paper We refer to the master-key as the private key at depth 0 and note that an IBE system is an HIBE where all identities are at depth 1. Initialize: adversary select an identity ID* which he wants to challenge Setup: system runs the Setup algorithm and give adversary public parameter. But the master-key keeps as itself. ISSN: 2231-5381 Phase 1: Private Key query: adversary select an identity to system and system will send a private key corresponding to the identity Phase 2: Private Key query and Decryption query Guess: finally, adversary output a guess b’. The adversary wins if b=b’. CPA selective-ID is not allowed to issue decryption queries. However, a CP-ASBE scheme must also support specific combinations of attributes from different sets. The key idea in our construction is to include judiciously chosen additional values in the cipher text (and in the key) that will allow a user to combine attributes from multiple sets all belonging to the same user. Better supporting compound attributes and supporting multiple numerical value assignments for a given attribute in a single key. In order to gauge the cost of this additional functionality we compared the encryption, decryption and key generation times using randomly generated policies and associated keys with those of BSW CPABE scheme. A distributed data access control scheme that is able to enforce fine-grained access control over sensor data and is resilient against strong attacks such as sensor compromise and user colluding. The proposed scheme exploits a novel cryptographic primitive called attribute-based encryption (ABE), tailors, and adapts it for WSNs with respect to both performance and security requirements. The feasibility of the scheme is demonstrated by experiments on real sensor platforms. To our best knowledge, this paper is the first to realize distributed fine-grained data access control for WSNs. They also propose a novel patient-centric framework and a suite of mechanisms for data access control to PHRs stored in semi-trusted servers. To achieve fine-grained and scalable data access control for PHRs, they leverage attribute based encryption (ABE) techniques to encrypt each patient’s PHR file. Different from previous works in secure data outsourcing they focused on the multiple data owner scenario, and divide the users in the PHR system into multiple security domains that greatly reduces the key management complexity for owners and users. A high degree of patient privacy is guaranteed simultaneously by exploiting multi-authority ABE. Our scheme also enables dynamic modification of access policies or file attributes, supports efficient on-demand user/attribute revocation and break-glass access under emergency scenarios. John Bethencourt, Amit Sahai, and Brent Waters [15], in this paper they present a system for realizing complex access control on encrypted data that we call Cipher text-Policy Attribute-Based Encryption. By using our techniques encrypted data can be kept confidential even if the storage server is untrusted; moreover their methods are secure against collusion attacks. Previous Attribute-Based Encryption systems used attributes to describe the encrypted data and built policies into user’s keys; while in their system attributes are used to describe a user’s credentials and a party encrypting data determines a policy for who can decrypt. Thus our methods are conceptually closer to traditional access control methods such as Role-Based Access Control (RBAC). In http://www.ijettjournal.org Page 2595 International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 6- June 2013 addition they provide an implementation of our system and give performance measurements. Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters [16], they propose an access control mechanism using cipher text-policy attribute-based encryption to enforce access control policies with efficient attribute and user revocation capability. The fine-grained access control can be achieved by dual encryption mechanism which takes advantage of the attribute-based encryption and selective group key distribution in each attribute group. They demonstrate how to apply the proposed mechanism to securely manage the outsourced data. The analysis results indicate that the proposed scheme is efficient and secure in the data outsourcing systems. Melissa Chase and Sherman S.M. Chow [17], in this paper, the author proposes a solution which removes the trusted central authority and protects the user’s privacy by preventing the authorities from pooling their information on particular users, thus making ABE more usable in practice. Sascha Müller , Stefan Katzenbeisser , and Claudia Eckert [18], they introduce the concept of Distributed AttributeBased Encryption (DABE) where an arbitrary number of parties can be present to maintain attributes and their corresponding secret keys. This is in stark contrast to the classic CP-ABE schemes where all secret keys are distributed by one central trusted party. They provide the first construction of a DABE scheme the construction is very efficient as it requires only a constant number of pairing operations during encryption and decryption. Rakesh Bobba, Himanshu Khurana and Manoj Prabhakaran [14], in this paper they introduce the concept of Attribute-sets: A practically motivated enhancement to attribute-based encryption Attribute-Based Encryption (ABE) Cipher textPolicy ABE (CP-ABE) is a form of ABE where policies are associated with encrypted data and attributes are associated with keys. Specifically we propose Cipher text Policy Attribute Set Based Encryption (CP-ASBE) - a new form of CP-ABE - which unlike existing CP-ABE schemes that represent user attributes as a monolithic set in keys organizes user attributes into a recursive set based structure and allows users to impose dynamic constraints on how those attributes may be combined to satisfy a policy. We show that the proposed scheme is more versatile and supports many practical scenarios more naturally and efficiently. We provide a prototype implementation of our scheme and evaluate its performance overhead. III. SYSTEM MODEL System-In order to achieve secure, scalable and access control on outsourced data in the cloud, we utilize and uniquely combine the following cryptographic techniques. 1. Key Policy Attribute-Based Encryption (KP-ABE). 2. Re-Encryption (PRE) Low Cost: This is the very great advantages for organisations to reduce their cost by having the cloud computing service. Fast Service (Always Up time): Cloud ISSN: 2231-5381 computing service providers having infrastructure so server always in up-time. The amount of decryption code that needs to reside on a resource constrained user device will be smaller. Reduction: Bilinear Decisional Diffie-Hellman, Collusion resistance and can’t combine private key components. Domain Authroity Trusted Authroity Data Owner Domain Authroity Data Owner Secured Cloud Domain Authroity Figure 1: Our Proposed System Model IV. ALGORITHM The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. As with elliptic curve cryptography in general the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level in bits. By comparison in the security level of 80 bits meaning an attacker requires the equivalent of about 280 signature generations to find the private key the size of a DSA public key is at least 1024 bits whereas the size of an ECDSA public key would be 160 bits. On the other hand, the signature size is the same for both DSA and ECDSA: 4t bits, where t is the security level measured in bits that are about 320 bits for a security level of 80 bits. Suppose Alice wants to send a signed message to Bob. Initially the curve parameters (CURVE, G, n) must be agreed upon. In addition to the field and equation of the curve we need G a base point of prime order on the curve; n is the multiplicative order of the point G. Alice creates a key pair, consisting of a private key integer dA randomly selected in the interval [1, n-1] and a public key curve point QA=dA*G. We use * to denote elliptic curve point multiplication by a scalar. For Alice to sign a message m follows these steps: 1. Calculate e=HASH (m), where HASH is a cryptographic hash function, such as SHA-1. 2. Let Z be the Ln leftmost bits of e, where Ln is the bit length of the group order n. 3. Select a random integer k from [1, n-1]. 4. Calculate the curve point(x1, y1) = k*G. 5. Calculate r=x1(mod n). If r=0, go back to step 3. 6. Calculate s=k-1(Z+rdA) (mod n). If s=0, go back to step 3. 7. The signature is the pair(r, s). http://www.ijettjournal.org Page 2596 International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 6- June 2013 V. SIMULATION WORKS/RESULTS We have simulated our system in Java. We implemented and tested with a system configuration on Intel Dual Core processor, Windows XP and using Netbeans 7.0. We have used the following modules in our implementation part. The details of each module for this system are as follows: Authority Management: There are three levels of authority in this hierarchal management. The trusted authority is the root authority and responsible for managing top-level domain authorities. Each top-level domain authority corresponds to a top-level organization, such as an enterprise. Each lower-level domain authority corresponds to a lower-level organization such as an affiliated company in that enterprise. Data owners/consumers may correspond to employees in an organization. Each domain authority is responsible for managing the data owners and consumers in its domain. Authentication: All the 3 authorities need to be authenticated in order to access their service. Authentication helps to prevent the data from the illegal access. Data Storage: The cloud service provider manages a cloud to provide data storage service. Data owners encrypt their data files and store them in the cloud for sharing with data consumers. Data Access: To access the shared data files, data consumers download encrypted data files of their interest from the cloud and then decrypt them. In our scheme, a data owner specifies an access structure for a cipher text which is referred to as the cipher text policy. Only users with decryption keys whose associated attributes specified in their key structures satisfy the access structure can decrypt the cipher text. To evaluate our outsourcing systems we implemented the CP-ABE version is associated Outsourcing decryption resulted in significant practical benefits. Decrypting on an ABE cipher text containing 100 attributes we found that without the use of a proxy the mobile device would require about 30 seconds of computation time and drain a significant amount of the device’s battery. When we applied our outsourcing technique decrypting the cipher text took 2 seconds on our Intel server and approximately 60 milliseconds on the mobile device itself. To demonstrate compatibility with existing infrastructure we constructed a re-usable platform for outsourcing decryption using the Amazon EC2 service. Our proxy is deployed as a public Amazon Machine Image that can be programmatically instantiated by any application requiring acceleration. In addition to the core benefits of outsourcing we discovered other collateral advantages. In existing ABE implementations much of the decryption code is dedicated to determining how a policy is satisfied by a key and executing the corresponding pairing computations of decryption. In our outsourcing solution most of this code is pushed into the untrusted transformation algorithm leaving only a much smaller portion on the user’s device. A domain authority is trusted by its subordinate domain authorities or users that it administrates, but may try to get the private keys ISSN: 2231-5381 of users outside its domain. Users may try to access data files either within or outside the scope of their access privileges, so malicious users may collude with each other to get sensitive files beyond their privileges. Figure 2: Implementation Screens on Key generation Figure 3: Implementation Screens on Data Authority login Figure 4: Implementation Screens displaying access levels http://www.ijettjournal.org Page 2597 International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 6- June 2013 VI. CONCLUSION & FUTURE WORK Figure 5: Implementation Screens on Key generation In this paper, we investigated the problem of data security in cloud data storage, which is essentially a distributed storage system. To ensure the correctness of clients’ data in cloud data storage, we proposed a Hierarchical Attribute-Based Secure Outsourcing for mallable Access in Cloud computing which also ensures data storage security and survivability to secure and monitor Data flow. By utilizing the security key, proposed architecture achieves the integration of storage correctness insurance and survivability, i.e., whenever data corruption has been detected during the storage correctness verification in cloud storage server, we can almost guarantee the simultaneous identification of the misbehaving server(s). Also, we proposed a new novel technique to get realizing scalable, fine-grained access control in the cloud computing and to produce the work with flexible, new method called HASBE. In this scheme, seamlessly incorporates a hierarchical structure of the system users by applying a delegation algorithm to ABSE. This scheme not only supports the flexible attributions but also achieves the efficient user revocation. We formally proved the security of HASBE based on the security of CP-ABE by Bethencourt. Finally, we implemented the proposed scheme, and conducted comprehensive performance analysis and evaluation, which showed its efficiency and advantages over existing schemes. Figure 6: Implementation Screens on Key Decryptor [1] VII. [2] First we observe that while key validity is limited because of the window of the actual attribute assignments change far less frequently. Second we observe that it is possible to add attributes retroactively to a user key both in CP-ABE and CPASBE, if key server is able to maintain some state information about the user key. Then by allowing multiple value assignments to the expiration time attribute we can simply add a new expiration value to the existing key. Thus while we require the key server to maintain some state we avoid the need to generate and distribute new keys on a frequent basis. This reduces the burden on the key server by a factor proportional to the average number of attributes in user keys. In our system, neither data owners nor data consumers will be always online. They come online only when necessary while the cloud service provider, the trusted authority, and domain authorities are always online. The cloud is assumed to have abundant storage capacity and computation power. In addition, we assume that data consumers can access data files for reading only. [3] [4] [5] [6] [7] [8] [9] [10] ISSN: 2231-5381 REFERENCES H. Liu, P. Wan, X. Jia, X. Liu, and F. Yao, “Efficient flooding scheme based on 1-hop information in mobile ad hoc networks,” In Proc. IEEE INFOCOM, 2006. J. Wu, W. Lou, and F. Dai, “Extended multipoint relays to determine connected dominating sets in manets,” IEEE Trans. on Computers, vol. 55, no. 3, pp. 334–347, 2006. M. Khabbazian and V. K. Bhargava, “Efficient broadcasting in mobile ad hoc networks,” IEEE Transactions on Mobile Computing: accepted for publication, 2008. J. Wu and F. Dai, “Broadcasting in ad hoc networks based on selfpruning,” In Proc. IEEE INFOCOM, pp. 2240–2250, 2003. W. Peng and X. Lu, “On the reduction of broadcast redundancy in mobile ad hoc networks,” In Proc. ACM Interational Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), pp. 129–130, 2000. I. Stojmenovic, M. Seddigh, and J. Zunic, “Dominating sets and neighbor elimination-based broadcasting algorithms in wireless networks,”IEEE Trans. on Parallel and Distributed Systems, vol. 13, pp. 14–25, 2002. M. Khabbazian and V. K. Bhargava, “Localized broadcasting with guaranteed delivery and bounded transmission redundancy,” IEEE Transactions on Computers, vol. 57, no. 8, pp. 1072–1086, 2008. J. Wu and F. Dai, “A generic distributed broadcast scheme in ad hoc wireless networks,” IEEE Transactions on Computers, vol. 53, no. 10, pp. 1343–1354, 2004. P. Nand and S.C. Sharma, “ Probability based improved broadcasting for AODV Routing protocol”, “ IEEE International Conference on Computational Intelligence and Communication Networks, 2011. D. Dembla and Y. Chaba, “ Performance Modeling of Efficient and Dynamic Broadcasting Algorithm in MANETs Routing Protocols”, http://www.ijettjournal.org Page 2598 International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 6- June 2013 [11] [12] [13] [14] [15] IEEE International Conference on Computer Research and Development, 2010. S. Preethi, B. Ramachandran, “ Energy Efficient routing protocols for mobile AdHoc networks”, IEEE International Conference on Emerging Trends in Networks and Computer Communications, 2011. P. Nand and S.C. Sharma, “Comparative Analysis of Broadcasting Techniques for Routing Protocols”, IEEE International Conference on Devices and Communications”, 2011. Matthew Green, Susan Hohenberger and Brent Waters, “Outsourcing the Decryption of ABE Ciphertexts”. Rakesh Bobba, Himanshu Khurana and Manoj Prabhakaran, “Attribute-Sets: A Practically Motivated Enhancement to AttributeBased Encryption”, July 27, 2009. John Bethencourt, Amit Sahai, and Brent Waters, “Ciphertext-Policy Attribute-Based Encryption”. ISSN: 2231-5381 [16] [17] [18] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters, “Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data”. Melissa Chase and Sherman S.M. Chow, “Improving Privacy and Security in Multi-Authority Attribute-Based Encryption”. Sascha Müller , Stefan Katzenbeisser , and Claudia Eckert, “Distributed Attribute-Based Encryption”, in international conference on information security and cryptography in year 2008. http://www.ijettjournal.org Page 2599