Privacy Preserving Delegated Access Control in Public Clouds
Mohamed Nabeel, Elisa Bertino
Tech report number
CERIAS TR 2012-11
Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on
fine-grained encryption of the data. Under such approaches, data owners are in charge of encrypting the data before uploading
them on the cloud and re-encrypting the data whenever user credentials or authorization policies change. Data owners thus
incur high communication and computation costs. A better approach should delegate the enforcement of fine-grained access
control to the cloud, so to minimize the overhead at the data owners, while assuring data confidentiality from the cloud. We
propose an approach, based on two layers of encryption, that addresses such requirement. Under our approach, the data owner
performs a coarse-grained encryption, whereas the cloud performs a fine-grained encryption on top of the owner encrypted data.
A challenging issue is how to decompose access control policies (ACPs) such that the two layer encryption can be performed.We
show that this problem is NP-complete and propose novel optimization algorithms. We utilize an efficient group key management
scheme that supports expressive ACPs. Our system assures the confidentiality of the data and preserves the privacy of users
from the cloud while delegating most of the access control enforcement to the cloud.
confidentiality, access control, cloud computing
To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.