RE: cloud computing Project Idea
cloud computing .rtf (Size: 232.01 KB / Downloads: 52)
Cloud computing is a promising computing paradigm which has recently drawn extensive attention from both academia and industry. By combining a set of existing and new techniques from research areas such as Service-Oriented Architectures (SOA) and virtualization, cloud computing is regarded as a computing paradigm in which resources in the computing infrastructure are provided as services over the Internet. Along with this new paradigm, various business models have been developed, which can be described by the terminology "X as a service (XaaS)", where X could be software, hardware, data storage, etc. Successful examples are Amazon's EC2 and S3, Google App Engine and Microsoft Azure, which provide users with scalable resources in a pay-as-you-use fashion at relatively low prices. For example, the Amazon S3 data storage service charges just $0.12 to $0.15 per gigabyte-month.
Compared to building their own infrastructures, users are able to save significantly on their investments by migrating businesses into the cloud. With the increasing development of cloud computing technologies, it is not hard to imagine that in the near future more and more businesses will be moved into the cloud. Cloud computing is also facing many challenges that, if not well resolved, may impede its fast growth. Data security, as it exists in many other applications, is among these challenges and raises great concern for users when they store sensitive information on cloud servers. These concerns originate from the fact that cloud servers are usually operated by commercial providers which are very likely to be outside the trusted domain of the users.
Data confidentiality against cloud servers is hence frequently desired when users outsource data for storage in the cloud. In some practical application systems, data confidentiality is not only a security/privacy issue but also a legal one. For example, in healthcare application scenarios the use and disclosure of protected health information (PHI) must meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA), and keeping user data confidential against the storage servers is not just an option but a requirement.
Furthermore, we observe that there are also cases in which cloud users themselves are content providers. They publish data on cloud servers for sharing and need fine-grained data access control in terms of which user (data consumer) has the access privilege to which types of data. In the healthcare case, for example, a medical center would be the data owner that stores millions of healthcare records in the cloud. It would allow data consumers such as doctors, patients, researchers, etc., to access various types of healthcare records under policies admitted by HIPAA. To enforce these access policies, the data owners would on the one hand like to take advantage of the abundant resources that the cloud provides for efficiency and economy, and on the other hand may want to keep the data contents confidential against cloud servers.
We address this open issue and propose a secure and scalable fine-grained data access control scheme for cloud computing. Our proposed scheme is partially based on the observation that, in practical application scenarios, each data file can be associated with a set of attributes which are meaningful in the context of interest. The access structure of each user can thus be defined as a unique logical expression over these attributes to reflect the scope of data files that the user is allowed to access. As the logical expression can represent any desired set of data files, fine-grainedness of data access control is achieved.
To enforce these access structures, we define a public key component for each attribute. Data files are encrypted using the public key components corresponding to their attributes. User secret keys are defined to reflect their access structures, so that a user is able to decrypt a ciphertext if and only if the data file's attributes satisfy his access structure. Such a design also brings efficiency benefits compared with previous work:
1) the complexity of encryption is related only to the number of attributes associated with the data file, and is independent of the number of users in the system;
2) data file creation/deletion and new user grant operations affect only the current file/user, without involving system-wide data file updates or re-keying.
One extremely challenging issue with this design is the implementation of user revocation, which inevitably requires re-encryption of the data files accessible to the leaving user, and may need an update of the secret keys of all the remaining users. If all these tasks are performed by the data owner himself/herself, it would introduce a heavy computation overhead on him/her and may also require the data owner to be always online. To resolve this challenging issue, our proposed scheme enables the data owner to delegate the tasks of data file re-encryption and user secret key update to cloud servers without disclosing data contents or user access privilege information. We achieve our design goals by exploiting a novel cryptographic primitive, namely key-policy attribute-based encryption.
MODELS AND ASSUMPTIONS
Similar to "Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing", we assume that the system is composed of the following parties: the Data Owner, many Data Consumers, many Cloud Servers, and a Third Party Auditor if necessary. To access data files shared by the data owner, Data Consumers (or users for brevity) download the data files of their interest from Cloud Servers and then decrypt them.
Neither the data owner nor the users will always be online. They come online only on a necessity basis. For simplicity, we assume that the only access privilege for users is data file reading. Extending our proposed scheme to support data file writing is trivial: the data writer signs the new data file on each update. From now on, we will also call data files "files" for brevity.
Cloud Servers are always online and operated by the Cloud Service Provider (CSP). They are assumed to have abundant storage capacity and computation power. The Third Party Auditor is also an online party which is used for auditing every file access event. In addition, we also assume that the data owner can not only store data files but also run his own code on Cloud Servers to manage his data files.
This assumption coincides with the unified ontology of cloud computing recently proposed by Youseff et al.
In this work, we consider only Honest-but-Curious Cloud Servers, as in "Over-encryption: Management of access control evolution on outsourced data". That is to say, Cloud Servers will follow our proposed protocol in general, but will try to find out as much secret information as possible based on their inputs. More specifically, we assume Cloud Servers are more interested in file contents and user access privilege information than in other secret information. Cloud Servers might collude with a small number of malicious users for the purpose of harvesting file contents when it is highly beneficial. The communication channels between the data owner/users and Cloud Servers are assumed to be secured under existing security protocols such as SSL. Users would try to access files either within or outside the scope of their access privileges; to achieve this goal, unauthorized users may work independently or cooperatively. In addition, each party is preloaded with a public/private key pair, and the public key can easily be obtained by other parties when necessary.
Our main design goal is to help the data owner achieve fine-grained access control on files stored by Cloud Servers. Specifically, we want to enable the data owner to enforce a unique access structure on each user, which precisely designates the set of files that the user is allowed to access. We also want to prevent Cloud Servers from being able to learn either the data file contents or the user access privilege information. In addition, the proposed scheme should be able to achieve security goals like user accountability and support basic operations such as user grant/revocation, as a general one-to-many communication system would require. All these design goals should be achieved efficiently, in the sense that the system is scalable.
Existing solutions apply cryptographic methods by disclosing data decryption keys only to authorized users. These solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well.
could change security settings, assigning privileges too low, or even more alarmingly too high, allowing access to your data by other parties.
Experts claim that their clouds are 100% secure, but it will not be their head on the block when things go awry. It is often stated that cloud computing security is better than that of most enterprises. Also, how do you decide which data to handle in the cloud and which to keep on internal systems? Once decided, keeping it secure could well be a full-time task.
Control of your data/system by a third party: data, once in the cloud, is always in the cloud. Can you be sure that once you delete data from your cloud account it no longer exists, or will traces remain in the cloud?
In order to achieve secure, scalable and fine-grained access control on outsourced data in the cloud, we utilize and uniquely combine the following three advanced cryptographic techniques:
•Key Policy Attribute-Based Encryption (KP-ABE)
•Proxy Re-Encryption (PRE)
•Lazy re-encryption
Economic benefits of moving to the cloud:
•Low initial capital investment
•Shorter start-up time for new services
•Lower maintenance and operation costs
•Higher utilization through virtualization
•Easier disaster recovery
More specifically, we associate each data file with a set of attributes, and assign each user an expressive access structure which is defined over these attributes. To enforce this kind of access control, we utilize KP-ABE to escort the data encryption keys of data files. Such a construction enables us to immediately enjoy fine-grainedness of access control. However, this construction, if deployed alone, would introduce heavy computation overhead and a cumbersome online burden on the data owner, as he is in charge of all data/user management operations. Specifically, this issue is mainly caused by the operation of user revocation, which inevitably requires the data owner to re-encrypt all the data files accessible to the leaving user, or even requires the data owner to stay online to update secret keys for users.
To resolve this challenging issue and make the construction suitable for cloud computing, we uniquely combine PRE with KP-ABE and enable the data owner to delegate most of the computation-intensive operations to Cloud Servers without disclosing the underlying file contents. Such a construction allows the data owner to control access to his data files with minimal overhead in terms of computation effort and online time, and thus fits well into the cloud environment. Data confidentiality is also achieved, since Cloud Servers are not able to learn the plaintext of any data file in our construction. To further reduce the computation overhead on Cloud Servers, and thus save the data owner's investment, we take advantage of the lazy re-encryption technique and allow Cloud Servers to "aggregate" the computation tasks of multiple system operations. The computation complexity on Cloud Servers is either proportional to the number of system attributes or linear in the size of the user access structure/tree, both of which are independent of the number of users in the system; scalability is thus achieved.
In addition, our construction also protects user access privilege information against Cloud Servers. Accountability of user secret keys can also be achieved by using an enhanced KP-ABE scheme.
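The following is an added toy example, not code from the paper or the project being described, illustrating two of the mechanisms above: the access structure as a threshold/logical tree over file attributes (the "logical expression over these attributes" from the scheme description), and the delegation of re-encryption to the cloud server via a per-attribute re-key after a revocation, with several pending re-keys aggregated lazily into one exponentiation. Everything else is assumed for the demonstration: a tiny prime-order group (p = 1019, q = 509, g = 4) stands in for the bilinear group of real KP-ABE, the attribute names are invented, and `toy_pairing` is a brute-force stand-in for the pairing used only to check that the decryption relation between a user's key component and a file's ciphertext component survives the server-side update. The server functions receive only the ciphertext/key component and the re-key t'/t, never the file randomness s, the user's polynomial share, or the attribute secret itself.

```python
# Added toy example (not the paper's construction): attribute access trees,
# per-attribute proxy re-encryption, and lazy aggregation of re-keys.
import secrets
from dataclasses import dataclass
from functools import reduce

# Toy prime-order group: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup.  Assumed parameters, far too small for real use; a bilinear
# group would take their place in an actual KP-ABE deployment.
P, Q, G = 1019, 509, 4


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def inv(x: int) -> int:
    return pow(x, -1, Q)


# ---- access structures: threshold gates over attribute leaves ----
@dataclass(frozen=True)
class Leaf:
    attr: str


@dataclass(frozen=True)
class Gate:
    k: int            # at least k children must be satisfied
    children: tuple


def AND(*c):
    return Gate(len(c), tuple(c))


def OR(*c):
    return Gate(1, tuple(c))


def satisfies(node, file_attrs) -> bool:
    """Does a file carrying file_attrs satisfy this user's access tree?"""
    if isinstance(node, Leaf):
        return node.attr in file_attrs
    return sum(satisfies(c, file_attrs) for c in node.children) >= node.k


# ---- attribute public-key components and proxy re-encryption ----
class Attribute:
    """Owner-side state for one system attribute: secret t_i, public T_i = g^t_i."""
    def __init__(self, name: str):
        self.name, self.t = name, rand_exp()

    @property
    def T(self) -> int:
        return pow(G, self.t, P)

    def redefine(self) -> int:
        """Revocation: pick a fresh t_i' and hand the cloud only rk_i = t_i'/t_i."""
        old, self.t = self.t, rand_exp()
        return (self.t * inv(old)) % Q


def ct_component(T: int, s: int) -> int:
    return pow(T, s, P)                     # E_i = T_i^s for a file with randomness s


def key_component(t: int, share: int) -> int:
    return pow(G, (share * inv(t)) % Q, P)  # D_x = g^{q_x(0)/t_i} for a user's leaf x


def server_reencrypt(E: int, rk: int) -> int:
    return pow(E, rk, P)                    # T_i^s -> T_i'^s without knowing s


def server_rekey_user(D: int, rk: int) -> int:
    return pow(D, inv(rk), P)               # g^{q/t_i} -> g^{q/t_i'} without knowing q


def aggregate(rks) -> int:
    """Lazy re-encryption: fold several pending re-keys into one exponent."""
    return reduce(lambda a, b: a * b % Q, rks, 1)


def dlog(y: int) -> int:
    # Brute force; only feasible because the toy group is tiny.
    return next(x for x in range(Q) if pow(G, x, P) == y)


def toy_pairing(D: int, E: int) -> int:
    return pow(G, dlog(D) * dlog(E) % Q, P)  # emulates e(g^a, g^b) = e(g,g)^{ab}


def demo() -> dict:
    policy = AND(Leaf("dept:cardiology"), OR(Leaf("role:doctor"), Leaf("role:researcher")))
    attr = Attribute("dept:cardiology")
    s, share = rand_exp(), rand_exp()       # file randomness, user's polynomial share
    E, D = ct_component(attr.T, s), key_component(attr.t, share)
    before = toy_pairing(D, E)
    # Two revocations touch this attribute before the file is next accessed;
    # the server applies both re-keys with a single exponentiation.
    rk = aggregate([attr.redefine(), attr.redefine()])
    E2, D2 = server_reencrypt(E, rk), server_rekey_user(D, rk)
    return {
        "doctor_ok": satisfies(policy, {"dept:cardiology", "role:doctor"}),
        "wrong_dept": satisfies(policy, {"dept:oncology", "role:doctor"}),
        "ct_matches_fresh": E2 == ct_component(attr.T, s),
        "key_matches_fresh": D2 == key_component(attr.t, share),
        "decrypt_invariant": toy_pairing(D2, E2) == before,
    }


if __name__ == "__main__":
    print(demo())
```

The two "matches_fresh" checks are the point of delegation: the server's outputs are bit-for-bit what the owner would have produced by re-encrypting the file and re-issuing the key component himself, yet the server's inputs never included s, the share, or either attribute secret. The aggregated re-key is a product in the exponent group, which is why a server can batch re-keys for an attribute until a file or user is actually touched.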