744 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 2, APRIL 2012
WAN et al.: HASBE: A HIERARCHICAL ATTRIBUTE-BASED SOLUTION FOR FLEXIBLE AND SCALABLE ACCESS CONTROL 745

access of customer information to high-level executives of the company only. In these cases, access control of sensitive data is either required by legislation (e.g., HIPAA) or company regulations.

Access control is a classic security topic which dates back to the 1960s or early 1970s , and various access control models have been proposed since then. Among them, Bell-La Padula (BLP) and BiBa are two famous security models. To achieve flexible and fine-grained access control, a number of schemes – have been proposed more recently. Unfortunately, these schemes are only applicable to systems in which data owners and the service providers are within the same trusted domain. Since data owners and service providers are usually not in the same trusted domain in cloud computing, a new access control scheme employing attributed-based encryption is proposed by Yu et al. , which adopts the so-called key-policy attribute-based encryption (KP-ABE) to enforce fine-grained access control. However, this scheme falls short of flexibility in attribute management and lacks scalability in dealing with multiple-levels of attribute authorities. We note that in contrast to KP-ABE, ciphertext-policy ABE (CP-ABE) turns out to be well suited for access control due to its expressiveness in describing access control policies.

In this paper, we propose a hierarchical attribute-set-based encryption (HASBE) scheme for access control in cloud computing. HASBE extends the ciphertext-policy attribute-set-based encryption (CP-ASBE, or ASBE for short) scheme by Bobba et al. with a hierarchical structure of system users, so as to achieve scalable, flexible and fine-grained access control.

The contribution of the paper is multifold. First, we show how HASBE extends the ASBE algorithm with a hierarchical structure to improve scalability and flexibility while at the same time inherits the feature of fine-grained access control of ASBE. Second, we demonstrate how to implement a full-fledged access control scheme for cloud computing based on HASBE. The scheme provides full support for hierarchical user grant, file creation, file deletion, and user revocation in cloud computing. Third, we formally prove the security of the proposed scheme based on the security of the CP-ABE scheme by Bethencourt et al. and analyze its performance in terms of computational overhead. Lastly, we implement HASBE and conduct comprehensive experiments for performance evaluation, and our experiments demonstrate that HASBE has satisfactory performance.

The rest of the paper is organized as follows. Section II provides an overview on related work. Then we present our system model and assumptions in Section III. In Section IV, we describe in detail the construction of HASBE and show how it is used in access control of outsourced data in cloud computing. In Section V, we prove the security of HASBE and analyze its security by comparing with Yu et al.’s scheme. Then in Section VI, we analyze computation complexity of HASBE and evaluate its performance based on real implementation. Lastly, we conclude the paper in Section VII.

II. RELATED WORK

In this section, we review the notion of attribute-based encryption (ABE), and provide a brief overview of the ASBE scheme by Bobba et al. After that, we examine existing access control schemes based on ABE.

A. Attribute-Based Encryption

The notion of ABE was first introduced by Sahai and Waters as a new method for fuzzy identity-based encryption. The primary drawback of the scheme in is that its threshold semantics lacks expressibility. Several efforts followed in the literature to try to solve the expressibility problem. In the ABE scheme, ciphertexts are not encrypted to one particular user as in traditional public key cryptography. Rather, both ciphertexts and users’ decryption keys are associated with a set of attributes or a policy over attributes. A user is able to decrypt a ciphertext only if there is a match between his decryption key and the ciphertext. ABE schemes are classified into key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE), depending how attributes and policy are associated with ciphertexts and users’ decryption keys.

In a KP-ABE scheme , a ciphertext is associated with a set of attributes and a user’s decryption key is associated with a monotonic tree access structure. Only if the attributes associated with the ciphertext satisfy the tree access structure, can the user decrypt the ciphertext. In a CP-ABE scheme , the roles of ciphertexts and decryption keys are switched; the ciphertext is encrypted with a tree access policy chosen by an encryptor, while the corresponding decryption key is created with respect to a set of attributes. As long as the set of attributes associated with a decryption key satisfies the tree access policy associated with a given ciphertext, the key can be used to decrypt the ciphertext. Since users’ decryption keys are associated with a set of attributes, CP-ABE is conceptually closer to traditional access control models such as Role-Based Access Control (RBAC) . Thus, it is more natural to apply CP-ABE, instead of KP-ABE, to enforce access control of encrypted data.

However, basic CP-ABE schemes (e.g., ) are far from enough to support access control in modern enterprise environments, which require considerable flexibility and efficiency in specifying policies and managing user attributes . In a CP-ABE scheme, decryption keys only support user attributes that are organized logically as a single set, so users can only use all possible combinations of attributes in a single set issued in their keys to satisfy policies. To solve this problem, Bobba et al. introduced ciphertext-policy attribute-set-based encryption (CP-ASBE or ASBE for short). ASBE is an extended form of CP-ABE which organizes user attributes into a recursive set structure. The following is an example of a key structure of depth 2, which is the depth of the recursive set structure:

The above example represents a key structure assigned to a graduate student in CS department of a university, who is the TA for course 101 and has enrolled in course 525. It can be seen that the same attribute can be assigned multiple values, e.g., the attribute “Role” is assigned value “TA” and “Grad-Student” in different sets. This feature renders ASBE more versatile and flexible in supporting many practical scenarios. In this example, the graduate student holding such a private key should not be able to combine the attribute “Role: TA” with “CourseID: 525” so as to access course grades of other students who enroll in course 525. Such a feature cannot be implemented with the original CP-ABE algorithm.

ASBE can enforce dynamic constraints on combining attributes to satisfy a policy, which provides great flexibility in access control. In the recursive attribute set assigned to a user, attributes from the same set can be combined freely, while attributes from different sets can only be combined with the help of translating items, whose function will be explained later. Consider attributes for students derived from courses they have taken. Every student has a set of attributes for each course he has taken. We want to have a policy “Students who took a course that satisfies and and .” Enforcing such a policy with CP-ABE is difficult, since a student could have taken multiple courses and obtained different grades in them. The encryptor will have to ensure the student cannot select and combine attributes from different sets to circumvent the policy. In , several possible solutions with plain CP-ABE are described, but none of them is satisfactory. However, using ASBE, we can solve the problem simply by assigning multiple values to the group of attributes in different sets. For each course the student has taken, he gets a separate set of values for the attributes . In this way, ASBE can enforce efficient ciphertext policy encryption for situations where existing ABE schemes are inefficient.

Furthermore, ASBE’s capability of assigning multiple values to the same attribute enables it to solve the user revocation problem efficiently, which is difficult in CP-ABE. The revocation problem can be solved easily by assigning different expiration times.

The above desirable feature and the recursive key structure is implemented by four algorithms, Setup, KeyGen, Encrypt, and Decrypt:

 . Here is the depth of key structure. Take as input a depth parameter . It outputs a public key and master secret key .

 Take as input the master secret key , the identity of user , and a key structure . It outputs a secret key for user .

 Take as input the public key , a message , and an access tree . It outputs a ciphertext .

 . Take as input a ciphertext and a secret key for user . It outputs a message . If the key structure associated with the secret key satisfies the access tree , associated with the ciphertext , then is the original correct message . Otherwise, is null.

These algorithms are essentially similar to those of CP-ABE, except some extensions to support recursive key structure. The public key and the master key of ASBE are extended from CP-ABE to have components supporting recursive key structure. For depth , the corresponding public key component is and . The master key is extended by adding a new secret exponent for depth . The generated private keys are also different in ASBE and CP-ABE. There are translating components that enable attributes translation between different key sets.

The missing part of ASBE is the delegation algorithm, which is used in our proposed scheme to construct the hierarchical structure. We adopt the same four algorithms of ASBE, and extend ASBE by proposing a new delegation algorithm.

B. Access Control Solutions for Cloud Computing

The traditional method to protect sensitive data outsourced to third parties is to store encrypted data on servers, while the decryption keys are disclosed to authorized users only. However, there are several drawbacks about this trivial solution. First of all, such a solution requires an efficient key management mechanism to distribute decryption keys to authorized users, which has been proven to be very difficult. Next, this approach lacks scalability and flexibility; as the number of authorized users becomes large, the solution will not be efficient any more. In case a previously legitimate user needs to be revoked, related data has to be re-encrypted and new keys must be distributed to existing legitimate users again. Last but not least, data owners need to be online all the time so as to encrypt or re-encrypt data and distribute keys to authorize users.

ABE turns out to be a good technique for realizing scalable, flexible, and fine-grained access control solutions. Yu et al. proposed an access control mechanism based on KP-ABE for cloud computing, together with a re-encryption technique for efficient user revocation. This scheme enables a data owner to delegate most of the computational overhead to cloud servers. The use of KP-ABE provides fine-grained access control gracefully. Each file is encrypted with a symmetric data encryption key ( ), which is in turn encrypted by a public key corresponding to a set of attributes in KP-ABE, which is generated according to an access structure. The encrypted data file is stored with the corresponding attributes and the encrypted . If the associated attributes of a file stored in the cloud satisfy the access structure of a user’s key, then the user is able to decrypt the encrypted , which is used in turn to decrypt the file.

The first problem with Yu et al.’s scheme is that the encryptor is not able to decide who can decrypt the encrypted data except choosing descriptive attributes for the data, and has no choice but to trust the key issuer. Furthermore, KP-ABE is not naturally suitable to certain applications. An example of such applications is a type of sophisticated broadcast encryption, where users are described by various attributes and the one whose attributes match a policy associated with a ciphertext can decrypt the ciphertext. For such an application, a better choice is CP-ABE.

Wang et al. proposed hierarchical attribute-based encryption (HABE) to achieve fine-grained access control in cloud storage services by combining hierarchical identity-based encryption (HIBE) and CP-ABE. This scheme also supports fine-grained access control and fully delegating computation to the cloud providers. However, HABE uses disjunctive normal form policy and assumes all attributes in one conjunctive clause are administrated by the same domain master. Thus the same attribute may be administrated by multiple domain masters according to specific policies, which is difficult to implement in practice. Furthermore, compared with ASBE, this scheme cannot support compound attributes efficiently and does not support multiple value assignments.

III. SYSTEM MODEL AND ASSUMPTIONS

A. System Model

As depicted in Fig. 1, the cloud computing system under consideration consists of five types of parties: a cloud service provider, data owners, data consumers, a number of domain authorities, and a trusted authority.

Fig. 1. System model.

The cloud service provider manages a cloud to provide data storage service. Data owners encrypt their data files and store them in the cloud for sharing with data consumers. To access the shared data files, data consumers download encrypted data files of their interest from the cloud and then decrypt them. Each data owner/consumer is administrated by a domain authority. A domain authority is managed by its parent domain authority or the trusted authority. Data owners, data consumers, domain authorities, and the trusted authority are organized in a hierarchical manner as shown in Fig. 1.

The trusted authority is the root authority and responsible for managing top-level domain authorities. Each top-level domain authority corresponds to a top-level organization, such as a federated enterprise, while each lower-level domain authority corresponds to a lower-level organization, such as an affiliated company in a federated enterprise. Data owners/consumers may correspond to employees in an organization. Each domain authority is responsible for managing the domain authorities at the next level or the data owners/consumers in its domain.

In our system, neither data owners nor data consumers will be always online. They come online only when necessary, while the cloud service provider, the trusted authority, and domain authorities are always online. The cloud is assumed to have abundant storage capacity and computation power. In addition, we assume that data consumers can access data files for reading only.

B. Security Model

We assume that the cloud server provider is untrusted in the sense that it may collude with malicious users (short for data owners/data consumers) to harvest file contents stored in the cloud for its own benefit.

In the hierarchical structure of the system users given in Fig. 1, each party is associated with a public key and a private key, with the latter being kept secretly by the party. The trusted authority acts as the root of trust and authorizes the top-level domain authorities. A domain authority is trusted by its subordinate domain authorities or users that it administrates, but may try to get the private keys of users outside its domain. Users may try to access data files either within or outside the scope of their access privileges, so malicious users may collude with each other to get sensitive files beyond their privileges. In addition, we assume that communication channels between all parties are secured using standard security protocols, such as SSL.

IV. OUR CONSTRUCTION

In this section, we first present our HASBE scheme, which extends the ASBE algorithm with a hierarchical user structure. We then show how HASBE is applied for hierarchical user grant, data file creation, file access, user revocation, and file deletion.

A. Preliminaries

Bilinear Maps: Let , be cyclic (multiplicative) groups of prime order . Let be a generator of . Then : is a bilinear map if it has the following properties:
• Bilinearity: for all and , .
• Nondegeneracy: .
 is called a bilinear group if the group operation and the bilinear map are both efficiently computable.

In our HASBE scheme, a data encryptor specifies an access structure for a ciphertext which is referred to as the ciphertext policy. Only users with decryption keys whose associated attributes, specified in their key structures, satisfy the access structure can decrypt the ciphertext.

Key Structure: We use a recursive set based key structure as in where each element of the set is either a set or an element corresponding to an attribute. The depth of the key structure is the level of recursions in the recursive set, similar to definition of depth for a tree. For a key structure with depth 2, members of the set at depth 1 can either be attribute elements or sets but members of a set at depth 2 may only be attribute elements. Consider the example shown in Fig. 2, where , , is a key structure of depth 2. It represents the attributes of a person who is both a director of level 3 for a unit and a coordinator of level 6 for another unit in the Defense Advanced Research Projects Agency (DARPA) of the Department of Defense (DoD).

Fig. 2. Example key structure.

The key structure defines unique labels for sets in it. For key structures of depth 2, just an index of the sets at depth 2 is sufficient to uniquely identify the sets. Thus if there are sets
at depth 2 then a unique index where is assigned to each set. The set at depth 1 is referred to as set 0. Using this convention, a key structure of depth 2 can be represented as , where is the set at depth 1 while is the th set at depth 2, for . In the key structure in Fig. 2, corresponds to , and correspond to and , respectively. Individual attributes inherit the label of the set they are contained in and are uniquely defined by the combination of their name and their inherited label. For example, attribute is defined as . When trying to satisfy a given policy, a user may only use attribute elements within a set, but may not combine attributes across the sets by default. However, if the encryptor has designated translating nodes in an access structure, users can combine attributes from multiple sets to satisfy the access structure, as will be explained later in the scheme construction as well as in .

Access Structure: In our scheme, we use the same tree access structure as in . In the tree access structure, leaf nodes are attributes and nonleaf nodes are threshold gates. Each nonleaf node is defined by its children and a threshold value. Let denote the number of children and the threshold value of node . An example of the access tree structure is shown in Fig. 3, where the threshold values for “AND” and “OR” are 2 and 1, respectively.

Fig. 3. Example access structure.

The above access structure demands that only a director in DoD or NSA of level larger than 5 can access the data files protected by the access policy. In CP-ABE schemes, a person who has private keys corresponding to attributes on the key structure shown in Fig. 2 would be able to access the data files, which compromises the security of the access policy in Fig. 3. Such problems are effectively prevented using attribute-set-based encryption which forbids combining attributes across multiple sets.

Let be the access structure rooted at node and be the access structure rooted at the root node . Without loss of generality, we consider key structure of depth 2, , where is the th attribute set and is the label. We say that satisfies if and only if a function returns a nonempty set of labels. The function is computed recursively and will be introduced in the encryption algorithm later. is said to satisfy if it contains at least one set that has all the attributes needed to satisfy and that the attributes belonging to multiple sets in cannot be combined to satisfy , except when there are designated translating nodes in . If node is a translating node in , then if the attribute elements used to satisfy the predicate represented by the subtree rooted at belong to a different set in than those used to satisfy the predicates represented by the siblings of , the decrypting user is able to combine them to satisfy the predicate represented by the parent node of .

Several functions are defined for the purpose of dealing with the access structure. We define as the parent node of and as the index number of node . The function is defined only if is a leaf node and denotes the attribute associated with the leaf node in the tree.

B. HASBE Scheme

The proposed HASBE scheme seamlessly extends the ASBE scheme to handle the hierarchical structure of system users in Fig. 4.

Fig. 4. Hierarchical structure of system users.

Recall that our system model consists of a trusted authority, multiple domain authorities, and numerous users corresponding to data owners and data consumers. The trusted authority is responsible for generating and distributing system parameters and root master keys as well as authorizing the top-level domain authorities. A domain authority is responsible for delegating keys to subordinate domain authorities at the next level or users in its domain. Each user in the system is assigned a key structure which specifies the attributes associated with the user’s decryption key.

We are now ready to describe the main operations of HASBE: System Setup, Top-Level Domain Authority Grant, New Domain Authority/User Grant, New File Creation, User Revocation, File Access, and File Deletion.

System Setup: The trusted authority calls the algorithm to create system public parameters and master key . will be made public to other parties and will be kept secret.

 . Here is the depth of the key structure. We describe the HASBE scheme for key structures of depth 2, and it can be extended to any depth . The algorithm selects a bilinear group of prime order with generator and then chooses random exponents . To
support key structure of depth , will range from 1 to . This algorithm sets the public key and master key as follows:

Top-Level Domain Authority Grant: A domain authority is associated with a unique ID and a recursive attribute set , where with being the th attribute in and being the number of attributes in . When a new top-level domain authority, i.e., DA , wants to join the system, the trusted authority will first verify whether it is a valid domain authority. If so, the trusted authority calls to generate the master key for DA . After getting the master key, DA can authorize the next level domain authorities or users in its domain.

 . This algorithm creates the master key for top-level DA . It selects a unique number for the domain authority, which is also for the set , and selects random numbers , one for each set . Furthermore, it picks a random number for each . It computes the master key for DA as follows:

In the above master key, is for translation from of to of at the translating node. Elements and can be used as to translate to at the translating nodes, we will give the details later in the algorithm.

New Domain Authority/User Grant: When a new user, denoted as , or a new subordinate domain authority, denoted as DA , wants to join the system, the administrating domain authority, denoted as DA , will first verify whether the new entity is valid. If true, DA assigns the new entity a key structure corresponding to its role and a unique ID. Note that is a subset of , where is the key structure of DA . In , every element is labeled the same as it is in . For example, , , and , then is labeled as set in both and , and is labeled as (2, ).

For a new user , DA calls to generate the secret key for this user. Otherwise, if it is a new domain authority DA , DA calls to generate the master key for DA . Then DA can authorize the lower level domain authorities or users in its domain.

 . This algorithm uses the master key of , which is for the key structure , and a new key structure , which is a set of . The master key of is in the form . As in the algorithm, this algorithm randomly chooses a unique number for each user or domain authority, a random number for each set , and a random number for each . Then it computes the new secret key as

The new secret key or is a secret key for the key structure . Because the algorithm rerandomizes the key, a delegated key is equivalent to one received directly from the trusted authority.

New File Creation: To protect data stored on the cloud, a data owner first encrypts data files and then stores the encrypted data files on the cloud. As in , each file is encrypted with a symmetric data encryption key , which is in turn encrypted with HASBE. Before uploading to the cloud, a data file is processed by the data owner as follows:
• Pick a unique ID for this data file.
• Randomly choose a symmetric data encryption key , where is the key space, and encrypt the data file using .
• Define a tree access structure for the file and encrypt with using algorithm of HASBE which returns ciphertext .
Finally, the encrypted data file is stored on the cloud in the format as shown in Fig. 5.

Fig. 5. Format of a data file on the cloud.

 . is the message to encrypt. In the New File Creation operation, is the of a data file. is the tree access structure. Encrypt algorithm is the same as that of ASBE . The algorithm associates a polynomial with each node in the tree , which is chosen randomly in a top-down manner from the root node . For every node in , the degree of is set to be one less than the threshold value of and denoted as . If is a leaf node, then is set to 0. For each nonroot node , . The other points of are randomly chosen. For the root node , , where is a random number, and the other points of are randomly selected. This algorithm computes the Ciphertext as follows:
where denotes the set of leaf nodes in , denotes the set of translating nodes in the access tree .

User Revocation: Whenever there is a user to be revoked, the system must make sure the revoked user cannot access the associated data files any more. One way to solve this problem is to re-encrypt all the associated data files used to be accessed by the revoked user, but we must also ensure that the other users who still have access privileges to these data files can access them correctly.

HASBE inherits the advantage of ASBE in efficient user revocation. We add an attribute to a user’s key, which indicates the time until which the key is considered to be valid. Then the policy associated with data files can include a check on the attribute as a numerical comparison. For example, assuming a user has a key with and a data file whose access policy is associated with , then can decrypt this data file only when and the rest of the policy matches ’s attributes. This numeric comparison of attributes can be implemented by the “bag of bits” as in . In practice, the validity period of sensitive attributes must be kept small to reduce the window of vulnerability when a key is compromised, for example, a day, a week, or a month . With this feature, we allow multiple value assignments to the attribute so as to add a new expiration value to the existing key. In this way, we can update user’s key without entire key regenerating and redistributing at the end of expiration time. On the other hand, the data owner can change the policy over data files by updating the attribute associated with the leaf node in the access tree. The update of user’s key and re-encryption of data files can be done as follows:

Key Update. Suppose that there is a user , who is administrated by the domain authority DA . DA maintains some state information about ’s key and adds a new value of to ’s existing key when it wants to update ’s key. Then DA computes the secret key components corresponding to the attribute and sends them to . Transmission of the secret key components to the user can be accomplished with an out-of-band channel between DA and the user . While DA is required to maintain some state information about user’s key, DA avoids the need to generate and distribute the entire keys on a frequent basis. This reduces the workload on DA and saves considerable computing resources.

Data Re-encryption. When the data owner wants to re-encrypt a data file, he changes the value of the attribute in the key policy and computes the new ciphertext components and , where is the leaf node on the access tree corresponding to the attribute. Then the data owner sends these new ciphertext components to the cloud and the cloud service provider can re-encrypt the data file by simply updating these ciphertext components. So when re-encrypting a data file, the data owner just needs to compute the ciphertext components associated with the attribute while other parts of the ciphertext remain unchanged, which effectively reduces the workload of the data owner. Furthermore, in this process the cloud just knows the two ciphertext components and can not get the plaintext of the data file.

File Access: When a user sends request for data files stored on the cloud, the cloud sends the corresponding ciphertexts to the user. The user decrypts them by first calling to obtain and then decrypt data files using . algorithm is as follows:

 . This algorithm accepts ciphertext CT and user ’s key structure as input. The algorithm first calls to verify whether the key structure in satisfies the tree access structure associated with the CT. The function is performed recursively. For each node in , there is a set of labels returned by . If does not satisfy , the algorithm returns null; otherwise the algorithm picks one from the set returned by , and calls function on the root node of , where is a node from . is defined as follows:

If is a leaf node, and if , where , then . If , where , then .

If is a nonleaf node, then is defined as follows:
• Let be an arbitrary sized set of child nodes such that only if (1) label or (2) label for some and is a translating node. If no such set exists then return .
• For each node , if , then call and store output in .
• For each node , if and , then call and store output in . Then if , translate to as follows:
Otherwise, if , then translate to as follows:
• Compute using polynomial interpolation as follows:
, where . So when , , else when , .

So the function on the root node returns . If , then . If , then and . Then the message can be computed as .

File Deletion: Encrypted data files can be deleted only at the request of the data owner. To delete an encrypted data file, the data owner sends the file’s unique ID and its signature on this ID to the cloud. Only upon successful verification of the data owner and the request, the cloud deletes the data file.
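
The satisfaction rule from the Preliminaries and Decrypt descriptions above (attributes combine freely inside one key set, across sets only at translating nodes) and the expiration check from User Revocation, as an added Python sketch that is not the authors' code: it models only the label bookkeeping of the recursive satisfaction function, with no pairing cryptography. The attribute names, the `expiry` attribute with its YYYYMMDD integer encoding, the placement of `expiry` in set 0, and both key structures are constructed here after the prose descriptions of Fig. 2 and Fig. 3.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union

# Depth-2 key structure: label -> set of (attribute, value) pairs.
# Label 0 is the set at depth 1; labels 1..m are the sets at depth 2.
KeyStructure = Dict[int, Set[Tuple[str, object]]]


@dataclass
class Leaf:
    attr: str
    test: Callable[[object], bool]   # predicate on the attribute value
    translating: bool = False


@dataclass
class Gate:
    k: int                           # threshold: AND = len(children), OR = 1
    children: List[Union["Gate", Leaf]]
    translating: bool = False


def eq(v): return lambda x: x == v
def gt(v): return lambda x: x > v
def ge(v): return lambda x: x >= v


def satisfying_labels(node, key: KeyStructure) -> Set[int]:
    """Labels of the key sets under which the subtree at `node` is satisfied."""
    if isinstance(node, Leaf):
        return {i for i, attrs in key.items()
                if any(a == node.attr and node.test(v) for a, v in attrs)}
    per_child = [(c, satisfying_labels(c, key)) for c in node.children]
    labels = set()
    for i in key:
        # A child counts toward label i if it is satisfied under i itself, or
        # under some other label while being a designated translating node.
        usable = sum(1 for c, s in per_child
                     if i in s or (c.translating and len(s) > 0))
        if usable >= node.k:
            labels.add(i)
    return labels


def satisfies(tree, key: KeyStructure) -> bool:
    return len(satisfying_labels(tree, key)) > 0


def flatten(key: KeyStructure) -> KeyStructure:
    """Plain CP-ABE view of the same key: every attribute in one single set."""
    return {0: set().union(*key.values())}


def add_expiry(key: KeyStructure, value: int) -> KeyStructure:
    """Key Update: add one more expiry value, leaving the rest of the key as is."""
    updated = {label: set(attrs) for label, attrs in key.items()}
    updated[0].add(("expiry", value))
    return updated


def policy(not_before: int, translate: bool = True) -> Gate:
    """Director in DoD or NSA, level above 5, key valid until at least not_before."""
    agency = Gate(1, [Leaf("Agency", eq("DoD")), Leaf("Agency", eq("NSA"))],
                  translating=translate)
    rank = Gate(2, [Leaf("Role", eq("Director")), Leaf("Level", gt(5))])
    expiry = Leaf("expiry", ge(not_before), translating=translate)
    return Gate(3, [agency, rank, expiry])


# Constructed keys. KEY_FIG2: director of level 3 in one unit and
# coordinator of level 6 in another, as Fig. 2 is described in the text.
KEY_FIG2: KeyStructure = {
    0: {("Agency", "DoD"), ("Org", "DARPA"), ("expiry", 20120331)},
    1: {("Role", "Director"), ("Level", 3)},
    2: {("Role", "Coordinator"), ("Level", 6)},
}
KEY_DIRECTOR6: KeyStructure = {
    0: {("Agency", "DoD"), ("expiry", 20120331)},
    1: {("Role", "Director"), ("Level", 6)},
}

if __name__ == "__main__":
    p = policy(20120301)
    print("Fig. 2 key, set-based:", satisfies(p, KEY_FIG2))
    print("Fig. 2 key, flattened:", satisfies(p, flatten(KEY_FIG2)))
    print("level-6 director     :", satisfying_labels(p, KEY_DIRECTOR6))
    newer = policy(20120401)          # data owner re-encrypts with a later bound
    print("after re-encryption  :", satisfies(newer, KEY_DIRECTOR6))
    print("after key update     :",
          satisfies(newer, add_expiry(KEY_DIRECTOR6, 20120430)))
```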
V. SECURITY PROOF AND DISCUSSION

A. Security Proof

Though HASBE is extended from ASBE by Bobba et al. with a hierarchical structure using a delegation algorithm similar to the one described in the CP-ABE scheme by Bethencourt et al., we do not use the proof technique by Bobba et al. Instead, we prove the security of our scheme directly based on the security of CP-ABE. We show that if there are any vulnerabilities in the proposed scheme, these vulnerabilities can be used to break CP-ABE. Thus, HASBE is expected to have the same security property as CP-ABE, which has been proven to be secure under the generic bilinear group model and the random oracle model.

A generic security model to be defined below describes interactions between an adversary and an encryption algorithm like HASBE or CP-ABE. Identical to the model used in CP-ABE, the security model allows the adversary to query for any private keys that cannot be used to decrypt the challenge ciphertext. In CP-ABE and HASBE the ciphertexts are associated with access structures and the private keys are identified with attributes. Thus, the security model requires that the adversary chooses to be challenged on an encryption to an access structure and can ask for any private key such that does not satisfy .

1) Formal Security Model: Before giving a formal proof for the proposed scheme, we first describe the formal security model for ciphertext-policy ABE schemes. In this model, the adversary will choose to be challenged on an encryption to an access structure and can ask for any private key such that does not satisfy . The formal security model is defined as follows between an adversary and a challenger :

• Setup. The challenger runs the Setup algorithm and gives the public parameters, PK to the adversary.
• Phase 1. The adversary makes repeated private key queries corresponding to sets of attributes . The challenger responds by running algorithm (Top-level domain) to generate the private key corresponding to the attribute set . Or else, the adversary makes private key queries for a lower-level domain authority or end users with the private key of an upper level domain authority. The challenger responds by running algorithm to generate the private key.
• Challenge. The adversary submits two equal length messages and . In addition, the adversary gives a challenge access structure such that none of the sets from Phase 1 satisfy the access structure. The challenger flips a random coin , and encrypts under . The ciphertext is given to the adversary.
• Phase 2. Phase 1 is repeated with the restriction that none of the sets of attributes satisfy the access structure corresponding to the challenge.
• Guess. The adversary outputs a guess of .

The advantage of the adversary in this game is defined as .

Definition 1: A ciphertext-policy ABE scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.

Theorem 1: Suppose there is no polytime adversary who can break the security of CP-ABE with nonnegligible advantage; then there is no polytime adversary who can break our system with nonnegligible advantage.

Proof: Suppose we have an adversary with nonnegligible advantage against our proposed scheme. Using , we show how to build an adversary, , that breaks the CP-ABE scheme with nonnegligible advantage. The adversary can play a similar game with the CP-ABE scheme. The CP-ABE security model is also composed of four steps: Setup, Phase 1, Challenge, Phase 2 and Guess. That is to say, can make private queries during the game to obtain private keys in the CP-ABE scheme.

• Initialization. The adversary takes the public key of CP-ABE , and the corresponding private key is unknown to the adversary.
• Setup. The adversary selects a random number , and computes the HASBE public parameters from as . That is, the adversary sets and . Then the public key is given to the adversary.
• Phase 1. In this phase, answers private key queries. Suppose the adversary is given a private key query for a set where does not satisfy . In order to answer the query, makes a private key query to CP-ABE challenger for the same set twice. As a result, obtains two different private keys:

where ’s are attributes from , and are random numbers in . From and , can obtain by dividing in with in . selects random number , and let and . Then can derive the private key requested by as . Then the private key is returned to the adversary .

Note that attribute in or may appear multiple times in . The above private key derivation deals with this issue by randomly selecting and from .

If the adversary requests for a lower-level domain authority’s private key or an end user’s private key, it is noted that the master key of the domain authority can be obtained by querying and for some times ( should be queried for multiple times when there are multiple layers of domain authorities). Though may contain attributes that satisfy , only attributes in are actually used in . It follows that can answer the adversary’s query by executing
the algorithm using the attributes in only, and returns the result to .
• Challenge. When decides that Phase 1 is over, it outputs an access structure and two messages , which it wishes to be challenged. gives the two messages to CP-ABE challenger, and is given the challenge ciphertext . Then computes the challenge ciphertext for from as: . In , , , and are readily obtained from . Note that is a linear combination of and other known values, which are determined by the public access structure. Thus can be computed from and other known values. Finally, the challenge ciphertext is returned to the adversary .
• Phase 2. issues queries not issued in Phase 1. responds as in Phase 1.
• Guess. Finally, outputs a guess , and then concludes its own game by outputting . According to the formal security model, the advantage of the adversary against HASBE is

This means has nonnegligible advantage against the CP-ABE scheme, which completes the proof of the theorem.

B. Discussion

In this subsection, we compare our scheme with the one proposed by Yu et al. on security features in implementing access control for cloud computing.

1) Scalability: We extend ASBE with a hierarchical structure to effectively delegate the trusted authority’s private attribute key generation operation to lower-level domain authorities. By doing so, the workload of the trusted root authority is shifted to lower-level domain authorities, which can provide attribute key generations for end users. Thus, this hierarchical structure achieves great scalability. Yu et al.’s scheme, however, only has one authority to deal with key generation, which is not scalable for large-scale cloud computing applications.

2) Flexibility: Compared with Yu et al.’s scheme, HASBE organizes user attributes into a recursive set structure and allows users to impose dynamic constraints on how those attributes may be combined to satisfy a policy. So HASBE can support compound attributes and multiple numerical assignments for a given attribute conveniently. As illustrated with the example key structure in Fig. 2 and access structure in Fig. 3, HASBE can enforce more complex access policies than Yu et al.’s scheme.

3) Fine-grained access control: Based on HASBE, our scheme can easily achieve fine-grained access control. A data owner can define and enforce expressive and flexible access policy for data files as the scheme in .

4) Efficient User Revocation: To deal with user revocation in cloud computing, we add an attribute to each user’s key and employ multiple value assignments for this attribute. So we can update user’s key by simply adding a new expiration value to the existing key. We just require a domain authority to maintain some state information of the user keys and avoid the need to generate and distribute new keys on a frequent basis, which makes our scheme more efficient than existing schemes.

5) Expressiveness: In HASBE, a user’s key is associated with a set of attributes, so HASBE is conceptually closer to traditional access control methods such as Role-Based Access Control (RBAC). Thus, it is more natural to apply HASBE, instead of KP-ABE, to enforce access control.

VI. PERFORMANCE ANALYSIS AND IMPLEMENTATION

In this section, we first analyze theoretic computation complexity of the proposed scheme in each operation. Then we implement an HASBE toolkit based on the toolkit developed for CP-ABE, and conduct a series of experiments to evaluate performance of our proposed scheme.

A. Performance Analysis

We analyze the computation complexity for each system operation in our scheme as follows.

System Setup. When the system is set up, the trusted authority selects a bilinear group and some random numbers. When and are generated, there will be several exponentiation operations. So the computation complexity of System Setup is .

Top-Level Domain Authority Grant. This operation is performed by the trusted authority. The master key of a domain authority is in the form of , where is the key structure associated with a new domain authority, is the set of . Let be the number of attributes in , and be the number of sets in . Then the computation of consists of two exponentiations for each attribute in , and one exponentiation for every set in . The computation complexity of Top-Level Domain Authority Grant operation is .

New User/Domain Authority Grant. In this operation, a new user or new domain authority is associated with an attribute set, which is the set of that of the upper level domain authority. The main computation overhead of this operation is rerandomizing the key. The computation complexity is , where is the number of attributes in the set of the new user or domain authority, and is the number of sets in .

New File Creation. In this operation, the data owner needs to encrypt a data file using the symmetric key and then encrypt using HASBE. The complexity of encrypting the data file with depends on the size of the data file and the underlying symmetric key encryption algorithm. Encrypting with a tree access structure consists of two exponentiations per leaf node in and one exponentiation per translating node in . So the computation complexity of New File Creation is ,
where denotes the leaf nodes of and denotes the translating nodes of .

User Revocation. In this operation, a domain authority just maintains some state information of users’ keys and assigns new value for expiration time to a user’s key when updating it. When re-encrypting data files, the data owner just needs two exponentiations for ciphertext components associated with the attribute. So the computation complexity of this operation is .

File Access. In this operation, we discuss the decrypting operation of encrypted data files. A user first obtains with the algorithm and then decrypts data files using . We will discuss the computation complexity of the algorithm. The cost of decrypting a ciphertext varies depending on the key used for decryption. Even for a given key, the way to satisfy the associated access tree may be various. The algorithm consists of two pairing operations for every leaf node used to satisfy the tree, one pairing for each translating node on the path from the leaf node used to the root and one exponentiation for each node on the path from the leaf node to the root. So the computation complexity varies depending on the access tree and key structure. It should be noted that the decryption is performed at the data consumers; hence, its computation complexity has little impact on the scalability of the overall system.

File Deletion. This operation is executed at the request of a data owner. If the cloud can verify the requestor is the owner of the file, the cloud deletes the data file. So the computation complexity is .

Computation complexity of each system operation is shown in Table I, in which denotes the number of attributes in the key structure, is the attribute set of the data file, is the set of leaf nodes of the access tree or policy tree, and is the set of translating nodes of the policy tree.

TABLE I. COMPARISON OF COMPUTATION COMPLEXITY

B. Implementation

We have implemented a multilevel HASBE toolkit based on the toolkit (http://acsc.csl.sri.com/cpabe/) developed for CP-ABE which uses the Pairing-Based Cryptography library (http://crypto.stanford.edu/pbc/). Then comprehensive experiments are conducted on a laptop with dual core 2.10-GHz CPU and 2-GB RAM, running Ubuntu 10.04. We make an analysis on the experimental data and give the statistical data.

Similar to the toolkit, our toolkit also provides a number of command line tools as follows:

hasbe-setup: Generates a public key and a master key .
hasbe-keygen: Given and , generates a private key for a key structure. The key structure with depth 1 or 2 is supported.
hasbe-keydel: Given and of DA , delegates some parts of DA ’s private keys to a new user or DA in its domain. The delegated key is equivalent to generating private keys by the root authority.
hasbe-keyup: Given , the private key, the new attribute and the subset, generates a new private key which contains the new attribute.
hasbe-enc: Given , encrypts a file under an access tree policy specified in a policy language.
hasbe-dec: Given a private key, decrypts a file.
hasbe-rec: Given , a private key and an encrypted file, re-encrypts the file. Note that the private key should be able to decrypt the encrypted file.

Fig. 6. Experiments on system setup and top-level domain authority grant. (a) Setup operation; (b) top-level domain authority grant (the number of subsets in the key structure is 1); (c) top-level domain authority grant (the total number of attributes in the key structure is 50).

Fig. 6(a) shows the time required to setup the system for a different depth of key structure. Our scheme can be extended to support any depth of key structure. The cost of this operation increases linearly with the key structure depth, and the setup can be completed in constant time for a given depth. Except for this experiment, all other operations are tested with the key structure depth of 2.

Top-Level Domain Authority Grant is performed with the command line tool . The cost is determined by the number of subsets and attributes in the key structure. When there is only one subset in the key structure, the cost grows linearly with the number of attributes as Fig. 6(b) shows. While the number of attributes in the key structure is fixed to be 50, the cost also increases linearly with the number of subsets as
shown in Fig. 6(c). Results of these two figures conform to the theoretic analysis.

With the command , a domain authority DA can perform New User/Domain Authority Grant for a new user or another domain authority in his domain. The cost depends on the number of subsets and attributes to be delegated. Assume the domain authority DA has a private key with 50 attributes. When DA wants to delegate 45 of the attributes, the cost grows linearly with the number of subsets to be delegated as shown in Fig. 7(a). If DA delegates 1 of the subsets, the cost also increases linearly with the number of attributes in the subset as in Fig. 7(b).

User Revocation operation consists of two steps: Key Update and Data Re-encryption. Key Update is implemented with the command . The root authority or domain authority can assign a new attribute to the user or domain authority. Adding a new attribute to one subset of private key can be done in constant time as the complexity is . If the new attribute needs to be assigned to several subsets, the cost is linear with the number of the subsets, as shown in Fig. 7(c).

Fig. 7. Experiments on new user/domain authority grant and key update. (a) New user/domain authority grant (the total number of attributes in the master secret key of DA is 50 and the total number of attributes is 45); (b) new user/domain authority grant (the total number of attributes in the master secret key of DA is 50 and the number of subsets is 1); (c) key update (the total number of attributes in the original private key is 50).

Data Re-encryption is performed with the command . The data owner can re-encrypt the data file. For example, there is an encrypted file named which is encrypted with a policy and and the data owner re-encrypts it with the command - , then the new encrypted data file is associated with a policy and and . When a user is revoked, the associated data file can be re-encrypted in this way, and the new attributes can be assigned to valid user with command . The cost of operation Data Re-encryption depends on the number of attributes on the access tree, which is the same as the encryption operation, so we do not give the analysis here.

The data owner can use the command to encrypt a file to create a new encrypted file. The time for this operation depends on the access tree structure. According to the number of leaf nodes and the level of the access tree policy, the time required to encrypt the file is shown in Fig. 8(a). We can see the cost is linear with the number of leaf nodes on the access tree and unrelated to the level of the access tree.

To access the file, decryption should be done with the command . The time of decryption is different depending on the access tree and key structure. Here we assume that there is just 1 subset with 50 attributes in the key structure associated with the private key. As shown in Fig. 8(b), the decryption time is proportional to the number of leaf nodes needed for decryption, and the level of the access tree has no impact on the decryption time.

In Fig. 8(c), assuming that the number of leaf nodes used for decryption is 50, we show the relationship between the access tree level and the time for decryption. We can see that the access tree level has no impact on the cost.

Fig. 8. Experiments on file creation and decryption. (a) Encryption/new file creation; (b) decryption/file access (there is 1 subset with 50 attributes in the private key); (c) decryption/file access (there is 1 subset with 50 attributes in the private key and the number of attributes used for decryption is 50).

VII. CONCLUSION

In this paper, we introduced the HASBE scheme for realizing scalable, flexible, and fine-grained access control in cloud computing. The HASBE scheme seamlessly incorporates a hierarchical structure of system users by applying a delegation algorithm to ASBE. HASBE not only supports compound attributes due to flexible attribute set combinations, but also achieves efficient user revocation because of multiple value assignments
of attributes. We formally proved the security of HASBE based on the security of CP-ABE by Bethencourt et al. Finally, we implemented the proposed scheme, and conducted comprehensive performance analysis and evaluation, which showed its efficiency and advantages over existing schemes.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable comments.

REFERENCES

R. Buyya, C. ShinYeo, J. Broberg, and I. Brandic, “Cloud computing and emerging it platforms: Vision, hype, and reality for delivering computing as the 5th utility,” Future Generation Comput. Syst., vol. 25, pp. 599–616, 2009.
Amazon Elastic Compute Cloud (Amazon EC2) [Online]. Available: http://aws.amazon.com/ec2/
Amazon Web Services (AWS) [Online]. Available: https://s3.amazonaws.com/
R. Martin, “IBM brings cloud computing to earth with massive new data centers,” InformationWeek Aug. 2008 [Online]. Available: http://www.informationweek.com/news/hardware/data_centers/209901523
Google App Engine [Online]. Available: http://code.google.com/appengine/
K. Barlow and J. Lane, “Like technology from an advanced alien culture: Google apps for education at ASU,” in Proc. ACM SIGUCCS User Services Conf., Orlando, FL, 2007.
B. Barbara, “Salesforce.com: Raising the level of networking,” Inf. Today, vol. 27, pp. 45–45, 2010.
J. Bell, Hosting Enterprise Data in the Cloud—Part 9: Investment Value Zetta, Tech. Rep., 2010.
A. Ross, “Technical perspective: A chilly sense of security,” Commun. ACM, vol. 52, pp. 90–90, 2009.
D. E. Bell and L. J. LaPadula, Secure Computer Systems: Unified Exposition and Multics Interpretation The MITRE Corporation, Tech. Rep., 1976.
K. J. Biba, Integrity Considerations for Secure Computer Systems The MITRE Corporation, Tech. Rep., 1977.
H. Harney, A. Colgrove, and P. D. McDaniel, “Principles of policy in secure groups,” in Proc. NDSS, San Diego, CA, 2001.
P. D. McDaniel and A. Prakash, “Methods and limitations of security policy reconciliation,” in Proc. IEEE Symp. Security and Privacy, Berkeley, CA, 2002.
T. Yu and M. Winslett, “A unified scheme for resource protection in automated trust negotiation,” in Proc. IEEE Symp. Security and Privacy, Berkeley, CA, 2003.
J. Li, N. Li, and W. H. Winsborough, “Automated trust negotiation using cryptographic credentials,” in Proc. ACM Conf. Computer and Communications Security (CCS), Alexandria, VA, 2005.
V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proc. ACM Conf. Computer and Communications Security (ACM CCS), Alexandria, VA, 2006.
S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” in Proc. IEEE INFOCOM 2010, 2010, pp. 534–542.
J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proc. IEEE Symp. Security and Privacy, Oakland, CA, 2007.
R. Bobba, H. Khurana, and M. Prabhakaran, “Attribute-sets: A practically motivated enhancement to attribute-based encryption,” in Proc. ESORICS, Saint Malo, France, 2009.
A. Sahai and B. Waters, “Fuzzy identity based encryption,” in Proc. Advances in Cryptology—Eurocrypt, 2005, vol. 3494, LNCS, pp. 457–473.
G. Wang, Q. Liu, and J. Wu, “Hierarchical attribute-based encryption for fine-grained access control in cloud storage services,” in Proc. ACM Conf. Computer and Communications Security (ACM CCS), Chicago, IL, 2010.

Zhiguo Wan received the B.S. degree in computer science from Tsinghua University, Beijing, China, in 2002, and the Ph.D. degree in wireless network security from the National University of Singapore, in 2006. He is a lecturer in the School of Software, Tsinghua University. His main research interests include cryptography and security in wireless networks.

Jun’e Liu received the B.S. degree in software engineering from Northeastern University of China in 2009. She is working toward the masters degree at the School of Software, Tsinghua University, Beijing, China. Her research interests include cloud computing and information security. Ms. Liu has been named Excellent Graduate of Liaoning Province in 2009, and received a number of awards, including National Scholarship, IBM Scholarship for outstanding students, and first level Scholarship of Northeastern University.

Robert H. Deng (A’03–M’04–SM’04) received the bachelor degree from National University of Defense Technology, China, and the M.Sc. and Ph.D. degrees from the Illinois Institute of Technology. He has been with the Singapore Management University since 2004, and is currently professor, associate dean for Faculty and Research, School of Information Systems. Prior to this, he was principal scientist and manager of the Infocomm Security Department, Institute for Infocomm Research, Singapore. He has 26 patents and more than 200 technical publications in international conferences and journals in the areas of computer networks, network security, and information security. He has served as general chair, program committee chair, and program committee member of numerous international conferences. He is an Associate Editor of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, Associate Editor of Security and Communication Networks Journal (John Wiley), and member of Editorial Board of the Journal of Computer Science and Technology (the Chinese Academy of Sciences). Dr. Deng received the University Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan Yew Fellow for Research Excellence from the Singapore Management University in 2006. He was named Community Service Star and Showcased Senior Information Security Professional by ISC under its Asia-Pacific Information Security Leadership Achievements program in 2010.