A Blockchain-based access control scheme with multiple attribute authorities for secure cloud data sharing
Introduction
With the development of Internet technology and technological innovation, the cloud has significantly changed the way data is shared. It provides individuals and industries with various data storage and management services that enable customers to easily access resources and share data. A Global Industry Vision (GIV) whitepaper predicts that, by 2025,“every company everywhere will be using cloud technology and 85% of business applications will be cloud-based”[1].
While cloud providers put a lot of effort into ensuring the convenience of data sharing, there are still many security issues need to be considered. One of the main concerns is that cloud providers are not fully trusted. They will not only suffer external attacks from adversaries, but also internal attacks from malicious staff, which leads to huge data security risks for data sharing in cloud. For example, Azure security vulnerability result in the disclosure of 250M Customer Details [2], Amazon employees leak customers’ personal data to third parties for personal interests [3], and it is not uncommon for cloud storage providers to snoop on users’ private data. To address the above issues caused by not fully trusted cloud storage service providers, cryptographic access control schemes such as IBE [4], CP-ABE [5] and KP-ABE [6] are proposed to secure sharing data by encrypting it with a secret key, such that only users with the secret key can decrypt data.
Ciphertext-policy attribute-based encryption (CP-ABE) is considered as one of the most suitable technology to provide secure data access control in public cloud storage [7]. However, in most of existing CP-ABE schemes [7], [8], [9], all participants are forced to trust a single authority. It is easy to cause a single point of failure, and in practical applications, attributes are generally distributed across different trust domains and organizations. Therefore, Chase [10] propose the first multi-authority CP-ABE scheme, in which several disjoint domains are managed by different authorities to realize that user attributes are issued across multiple authorities. Although some extensions are also proposed [11], [12], [13], they still have the problem of the single-point of failure. Since in these schemes, the whole attribute set is divided into multiple disjoint subsets each of which is maintained by only a single authority. Li et al. [14] propose a TMACS scheme, taking advantage of threshold secret sharing to deal with the single-point bottleneck problem. Such that any one authority cannot obtain the master key by itself alone. Nevertheless, in this scheme, data users need to select multiple authorities from the authority list and communicate with each of these authorities to request secret key shares, which brings additional computational and communicational overhead.
As a promising technology, blockchain has received much attention in recent years. Inspired by security properties of blockchain [15] and its innovative application in data communication [16], [17] and sharing [18], [19], [20], [21], [22], [23]. We intend to establish multi-party trust through blockchain, write the collaborative computing procedure among multiple authorities from multiple attribute domains into smart contracts, and generate decryption tokens for users. Since blockchain transactions have the property of transparency, it is necessary to consider how to integrate off-chain and on-chain algorithms to ensure the security of access control scheme based on blockchain.
In this paper, we propose a blockchain-based multi-authority access control scheme, named BMAC, for secure cloud data sharing to address the issues mentioned above such as multi-authority cross-domain collaboration, single point of failure and high computational and communicational overhead. In addition, a trustable and immutable access logs is recorded on blockchain, such that data owner can easily monitor users’ access behavior. Overall, our main contributions are summarized as follows.
- (1)
A decentralized access control scheme based on blockchain and multi-authority attribute-based encryption, named BMAC, is proposed, which can solve the problems of a single point of failure, high computation and communication overhead on the data user side. In this scheme, the data access logs can be recorded on the blockchain, so as to realize auditable access control management.
- (2)
We extend the classical multi-authority attribute-based encryption method and design four smart contracts to realize multi-authority cross-domain collaboration. We take advantage of smart contracts to establish mutual trust between multiple authorities and collect attribute sub-tokens for collaborative calculations to generate a decryption token for users.
- (3)
We analyzed the security and performance of the scheme, and analyzed the effectiveness of our multi-authority ABE scheme from the perspective of communication overhead and computation overhead on the user side.
The rest of this paper is organized as follows. Section 2 reviews related works about multi-authority attribute-based access control schemes, along with the researches on blockchain-based access control. In Section 3, we introduce some technical preliminaries. The system model and security model are presented in Section 4. The details of our blockchain-based multi-authority access control scheme are present in Section 5. In Section 6, we analyze security properties and evaluate the performance. Finally, we made a conclusion in Section 8.
Section snippets
Related work
In this section, we would introduce some related works in terms of multi-authority attribute based encryption schemes and Blockchain-based access control schemes.
Preliminaries
In this section, we review some background information on bilinear maps and the security definition, then we briefly describe Shamir secret sharing, multi-authority CP-ABE scheme and blockchain introduced into BMAC.
System and security model
This section provides an overview of the system. We briefly describe five participating entities and four phases of access control in the system model. We also introduce the syntax of the procedure flow to help understand the subsequent theoretical algorithms. Security assumption and model are given at the end of this section.
A blockchain-based multi-authority access control scheme
The proposed scheme builds mutual trust among multiple AAs based on the blockchain, and utilizes smart contracts to implement cross-domain management of user attributes, such that users only need to interact with a smart contract to obtain attributes without communicating with multiple AAs. We begin by introducing smart contracts proposed in our scheme, and then give a detailed algorithm description for each stage of access control.
Security analysis
In this section, we give the security analysis of our blockchain-based multi-authority ABE for data sharing. We will prove the confidentiality of our proposed scheme under the not fully trusted cloud assumption, and revisit details that make our access control scheme secure. We will additionally prove that our scheme exhibits auditable access control. We provide our proof of security in Appendix.
Performance analysis
We conduct simulations to evaluate the performance of the proposed scheme and make a comparison between TMACS scheme [14] and our proposed. The scheme is implemented with a 256-bit BN elliptic curve. All the experiments were done on Mac with macOS Catalina 10.15, 1.6 GHz Intel Corei5 and 8G RAM.
Conclusion
In this paper, we propose a multi-authority attribute-based access control scheme based on blockchain, named BMAC, for data sharing. Taking advantage of blockchain technology, our scheme achieves that each attribute is managed across different domains, eliminates the single-point bottleneck of the existing multi-authority CP-ABE schemes and reduces computation and communication overhead between the user and the multiple attribute authorities. The security analysis shows that our scheme could
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
This work was supported by the National Key R&D Program of China [grant number 2016YFB0800402]; the National Natural Science Foundation of China [grant numbers U1836204, U1705261].
References (31)
- et al.
Fine-grained data access control with attribute-hiding policy for cloud-based iot
Comput. Netw.
(2019) - et al.
Extended file hierarchy access control scheme with attribute based encryption in cloud computing
IEEE Trans. Emerg. Top. Comput.
(2019) - et al.
A semi-autonomous distributed blockchain-based framework for uavs system
J. Syst. Archit.
(2020) - et al.
Smart-toy-edge-computing-oriented data exchange based on blockchain
J. Syst. Archit.
(2018) - et al.
Sbac: A secure blockchain-based access control framework for information-centric networking
J. Netw. Comput. Appl.
(2020) - et al.
Controllable and trustworthy blockchain-based cloud data management
Future Gener. Comput. Syst.
(2019) - et al.
Blockchain based searchable encryption for electronic health record sharing
Future Gener. Comput. Syst.
(2019) - et al.
Blockchain data-based cloud data integrity protection mechanism
Future Gener. Comput. Syst.
(2020) - et al.
Trustaccess: A trustworthy secure ciphertext-policy and attribute hiding access control scheme based on blockchain
IEEE Trans. Veh. Technol.
(2020) Touching an intelligent world
(2019)
Microsoft leaks 250m customer details in azure fat-finger faux pas
Amazon fires employees for leaking customer email addresses and phone numbers
Identity-based encryption from the weil pairing
Ciphertext-policy attribute-based encryption
Attribute-based encryption for fine-grained access control of encrypted data
Cited by (73)
TDS-NA: Blockchain-based trusted data sharing scheme with PKI authentication
2024, Computer CommunicationsWQCrowd: Secure blockchain-based crowdsourcing framework with multi-tier worker quality evaluation
2023, Journal of King Saud University - Computer and Information SciencesPoly-ABE: A traceable and revocable fully hidden policy CP-ABE scheme for integrated demand response in multi-energy systems
2023, Journal of Systems ArchitecturePEvaChain: Privacy-preserving ridge regression-based credit evaluation system using Hyperledger Fabric blockchain
2023, Expert Systems with ApplicationsAn access control scheme for distributed Internet of Things based on adaptive trust evaluation and blockchain
2023, High-Confidence Computing