PRIAM: Privacy Preserving Identity and Access Management Scheme in Cloud

  • Xiong, Jinbo (Faculty of Software, Fujian Normal University) ;
  • Yao, Zhiqiang (Faculty of Software, Fujian Normal University) ;
  • Ma, Jianfeng (Faculty of Software, Fujian Normal University) ;
  • Liu, Ximeng (School of Computer Science and Technology, Xidian University) ;
  • Li, Qi (School of Computer Science and Technology, Xidian University) ;
  • Ma, Jun (School of Computer Science and Technology, Xidian University)
  • Received : 2013.03.15
  • Accepted : 2013.12.28
  • Published : 2014.01.30

Abstract

Each cloud service has numerous owners and tenants, so it is necessary to construct a privacy-preserving identity management and access control mechanism for cloud computing. On one hand, cloud service providers (CSPs) depend on tenants' identity information to enforce appropriate access control so that cloud resources are accessed only by authorized tenants who are willing to pay. On the other hand, tenants wish to protect their personalized service access patterns and identity privacy information, and to access new cloud services on demand within the scope of their permissions. Many identity authentication and access control schemes address these challenges to some degree; however, some limitations remain. In this paper, we propose a new comprehensive approach, called the Privacy pReserving Identity and Access Management scheme, referred to as PRIAM, which is able to satisfy all the desirable security requirements in cloud computing. The main contributions of the proposed PRIAM scheme are threefold. First, it leverages blind signatures and hash chains to protect tenants' identity privacy and implement secure mutual authentication. Second, it employs service-level agreements to provide flexible and on-demand access control for both tenants and cloud services. Third, it makes use of BAN logic to formally verify the correctness of the proposed protocols. As a result, our proposed PRIAM scheme is suitable for cloud computing thanks to its simplicity, correctness, low overhead, and efficiency.

Cited by

  1. Privacy-Preserving Two-Party Collaborative Filtering on Overlapped Ratings vol.8, pp.8, 2014, https://doi.org/10.3837/tiis.2014.08.022
  2. Implementation of a Dynamic Context Authentication System for Accessing Medical Information vol.19, pp.6, 2014, https://doi.org/10.7472/jksii.2018.19.6.31
  3. Self-destruction of data in cloud using asymmetric key with key generator vol.37, pp.p2, 2014, https://doi.org/10.1016/j.matpr.2020.08.655