A Blockchain-based access control scheme with multiple attribute authorities for secure cloud data sharing

https://doi.org/10.1016/j.sysarc.2020.101854Get rights and content

Abstract

Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Introduction

With the development of Internet technology and technological innovation, the cloud has significantly changed the way data is shared. It provides individuals and industries with various data storage and management services that enable customers to easily access resources and share data. A Global Industry Vision (GIV) whitepaper predicts that, by 2025,“every company everywhere will be using cloud technology and 85% of business applications will be cloud-based”[1].

While cloud providers put a lot of effort into ensuring the convenience of data sharing, there are still many security issues need to be considered. One of the main concerns is that cloud providers are not fully trusted. They will not only suffer external attacks from adversaries, but also internal attacks from malicious staff, which leads to huge data security risks for data sharing in cloud. For example, Azure security vulnerability result in the disclosure of 250M Customer Details [2], Amazon employees leak customers’ personal data to third parties for personal interests [3], and it is not uncommon for cloud storage providers to snoop on users’ private data. To address the above issues caused by not fully trusted cloud storage service providers, cryptographic access control schemes such as IBE [4], CP-ABE [5] and KP-ABE [6] are proposed to secure sharing data by encrypting it with a secret key, such that only users with the secret key can decrypt data.

Ciphertext-policy attribute-based encryption (CP-ABE) is considered as one of the most suitable technology to provide secure data access control in public cloud storage [7]. However, in most of existing CP-ABE schemes [7], [8], [9], all participants are forced to trust a single authority. It is easy to cause a single point of failure, and in practical applications, attributes are generally distributed across different trust domains and organizations. Therefore, Chase [10] propose the first multi-authority CP-ABE scheme, in which several disjoint domains are managed by different authorities to realize that user attributes are issued across multiple authorities. Although some extensions are also proposed [11], [12], [13], they still have the problem of the single-point of failure. Since in these schemes, the whole attribute set is divided into multiple disjoint subsets each of which is maintained by only a single authority. Li et al. [14] propose a TMACS scheme, taking advantage of threshold secret sharing to deal with the single-point bottleneck problem. Such that any one authority cannot obtain the master key by itself alone. Nevertheless, in this scheme, data users need to select multiple authorities from the authority list and communicate with each of these authorities to request secret key shares, which brings additional computational and communicational overhead.

As a promising technology, blockchain has received much attention in recent years. Inspired by security properties of blockchain [15] and its innovative application in data communication [16], [17] and sharing [18], [19], [20], [21], [22], [23]. We intend to establish multi-party trust through blockchain, write the collaborative computing procedure among multiple authorities from multiple attribute domains into smart contracts, and generate decryption tokens for users. Since blockchain transactions have the property of transparency, it is necessary to consider how to integrate off-chain and on-chain algorithms to ensure the security of access control scheme based on blockchain.

In this paper, we propose a blockchain-based multi-authority access control scheme, named BMAC, for secure cloud data sharing to address the issues mentioned above such as multi-authority cross-domain collaboration, single point of failure and high computational and communicational overhead. In addition, a trustable and immutable access logs is recorded on blockchain, such that data owner can easily monitor users’ access behavior. Overall, our main contributions are summarized as follows.

  • (1)

    A decentralized access control scheme based on blockchain and multi-authority attribute-based encryption, named BMAC, is proposed, which can solve the problems of a single point of failure, high computation and communication overhead on the data user side. In this scheme, the data access logs can be recorded on the blockchain, so as to realize auditable access control management.

  • (2)

    We extend the classical multi-authority attribute-based encryption method and design four smart contracts to realize multi-authority cross-domain collaboration. We take advantage of smart contracts to establish mutual trust between multiple authorities and collect attribute sub-tokens for collaborative calculations to generate a decryption token for users.

  • (3)

    We analyzed the security and performance of the scheme, and analyzed the effectiveness of our multi-authority ABE scheme from the perspective of communication overhead and computation overhead on the user side.

The rest of this paper is organized as follows. Section 2 reviews related works about multi-authority attribute-based access control schemes, along with the researches on blockchain-based access control. In Section 3, we introduce some technical preliminaries. The system model and security model are presented in Section 4. The details of our blockchain-based multi-authority access control scheme are present in Section 5. In Section 6, we analyze security properties and evaluate the performance. Finally, we made a conclusion in Section 8.

Section snippets

Related work

In this section, we would introduce some related works in terms of multi-authority attribute based encryption schemes and Blockchain-based access control schemes.

Preliminaries

In this section, we review some background information on bilinear maps and the security definition, then we briefly describe Shamir secret sharing, multi-authority CP-ABE scheme and blockchain introduced into BMAC.

System and security model

This section provides an overview of the system. We briefly describe five participating entities and four phases of access control in the system model. We also introduce the syntax of the procedure flow to help understand the subsequent theoretical algorithms. Security assumption and model are given at the end of this section.

A blockchain-based multi-authority access control scheme

The proposed scheme builds mutual trust among multiple AAs based on the blockchain, and utilizes smart contracts to implement cross-domain management of user attributes, such that users only need to interact with a smart contract to obtain attributes without communicating with multiple AAs. We begin by introducing smart contracts proposed in our scheme, and then give a detailed algorithm description for each stage of access control.

Security analysis

In this section, we give the security analysis of our blockchain-based multi-authority ABE for data sharing. We will prove the confidentiality of our proposed scheme under the not fully trusted cloud assumption, and revisit details that make our access control scheme secure. We will additionally prove that our scheme exhibits auditable access control. We provide our proof of security in Appendix.

Performance analysis

We conduct simulations to evaluate the performance of the proposed scheme and make a comparison between TMACS scheme [14] and our proposed. The scheme is implemented with a 256-bit BN elliptic curve. All the experiments were done on Mac with macOS Catalina 10.15, 1.6 GHz Intel Corei5 and 8G RAM.

Conclusion

In this paper, we propose a multi-authority attribute-based access control scheme based on blockchain, named BMAC, for data sharing. Taking advantage of blockchain technology, our scheme achieves that each attribute is managed across different domains, eliminates the single-point bottleneck of the existing multi-authority CP-ABE schemes and reduces computation and communication overhead between the user and the multiple attribute authorities. The security analysis shows that our scheme could

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported by the National Key R&D Program of China [grant number 2016YFB0800402]; the National Natural Science Foundation of China [grant numbers U1836204, U1705261].

References (31)

  • JenningsR.

    Microsoft leaks 250m customer details in azure fat-finger faux pas

    (2020)
  • PalmerA.

    Amazon fires employees for leaking customer email addresses and phone numbers

    (2020)
  • BonehD. et al.

    Identity-based encryption from the weil pairing

  • BethencourtJ. et al.

    Ciphertext-policy attribute-based encryption

  • GoyalV. et al.

    Attribute-based encryption for fine-grained access control of encrypted data

  • Cited by (73)

    • WQCrowd: Secure blockchain-based crowdsourcing framework with multi-tier worker quality evaluation

      2023, Journal of King Saud University - Computer and Information Sciences
    View all citing articles on Scopus
    View full text