
Attribute Based Data Management in Crypt Cloud

A PROJECT REPORT

Submitted by

P.SATHISH (113115104085)
G.RAJESH (13115104076)

S.BINUGANESH (113115104021)

in partial fulfillment for the award of the degree

of

BACHELOR OF ENGINEERING
in
COMPUTER SCIENCE AND ENGINEERING

VEL TECH MULTI TECH Dr. RANGARAJAN Dr. SAKUNTHALA

ENGINEERING COLLEGE, ALAMATHI ROAD, AVADI-62

ANNA UNIVERSITY: CHENNAI 600025

MARCH 2019

ABSTRACT

Data owners store their data in the public cloud in encrypted form,
together with a particular set of attributes that controls access to the
cloud data. While uploading the data into the public cloud they assign an
attribute set to it. Any authorized cloud user who wants to download the
data must enter that particular attribute set before performing further
actions on the data owner’s data. A cloud user must register their details
under the cloud organization to access the data owner’s data. Users
submit their details as attributes along with their designation. Based on
the user details, the Semi-Trusted Authority generates decryption keys that
give access to the owner’s data. A user can perform many operations on
the cloud data. To read the cloud data the user must enter read-related
attributes, and to write the data the user must enter write-related
attributes. For each and every action, a user in an organization is
verified against their unique attribute set. These attributes are shared by
the admins with the authorized users in the cloud organization and are
stored in the policy files in the cloud. If any user leaks their unique
decryption key to a malicious user, the data owner can trace the leak by
sending an audit request to the auditor; the auditor processes the data
owner’s request and concludes who is guilty.

CHAPTER 1

INTRODUCTION

1.1 CLOUD COMPUTING
The prevalence of cloud computing may indirectly incur vulnerability to the
confidentiality of outsourced data and the privacy of cloud users. A particular
challenge here is how to guarantee that only authorized users can gain access to
the data, which has been outsourced to the cloud, anywhere and anytime. One naive
solution is to encrypt the data prior to uploading it to the cloud.
However, this solution limits further data sharing and processing, because
a data owner needs to download the encrypted data from the cloud and
re-encrypt it for sharing (suppose the data owner has no local copies of the data).
Fine-grained access control over encrypted data is desirable in the context of
cloud computing. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) may be
an effective solution to guarantee the confidentiality of data and provide
fine-grained access control here. In a CP-ABE based cloud storage system, for example,
organizations (e.g., a university such as the University of Texas at San Antonio)
and individuals (e.g., students, faculty members and visiting scholars of the
university) can first specify an access policy over the attributes of a potential
cloud user. Authorized cloud users are then granted access credentials (i.e.,
decryption keys) corresponding to their attribute sets (e.g., student role,
faculty member role, or visitor role), which can be used to obtain access to the
outsourced data. As a robust one-to-many encryption mechanism, CP-ABE not only
offers a reliable method to protect data stored in the cloud, but also enables
fine-grained access control over the data.

1.2 LITERATURE SURVEY
A. “Attribute Based Data Sharing with Attribute Revocation” by
authors Shucheng Yu, Cong Wang, Kui Ren in 2010

Ciphertext-Policy Attribute Based Encryption (CP-ABE) is a promising
cryptographic primitive for fine-grained access control of shared data. In CP-ABE,
each user is associated with a set of attributes and data are encrypted with access
structures on attributes. A user is able to decrypt a ciphertext if and only if his
attributes satisfy the ciphertext access structure. Besides this basic property,
practical applications usually have other requirements. In this paper we focus on an
important issue of attribute revocation which is cumbersome for CP-ABE schemes.
In particular, we resolve this challenging issue by considering more practical
scenarios in which semi-trustable on-line proxy servers are available. As compared
to existing schemes, our proposed solution enables the authority to revoke user
attributes with minimal effort. We achieve this by uniquely integrating the
technique of proxy re-encryption with CP-ABE, and enable the authority to
delegate most of the laborious tasks to proxy servers. Formal analysis shows that our
proposed scheme is provably secure against chosen ciphertext attacks. In
addition, we show that our technique can also be applicable to the Key-Policy
Attribute Based Encryption (KP-ABE) counterpart.

B. “Enabling Semantic Search based on Conceptual Graphs over
Encrypted Outsourced Data” by Zhangjie Fu, Xingming
Sun, Athanasios and Ching-Nung Yang in 2013

Currently, searchable encryption is a hot topic in the field of cloud computing.
The existing achievements are mainly focused on keyword-based search schemes,
and almost all of them depend on predefined keywords extracted in the phases of
index construction and query. However, keyword-based search schemes ignore the
semantic representation information of users’ retrieval and cannot completely
match users’ search intention. Therefore, how to design a content-based search
scheme and make semantic search more effective and context-aware is a difficult
challenge. In this paper, for the first time, we define and solve the problems of
semantic search based on conceptual graphs (CGs) over encrypted outsourced data
in cloud computing (SSCG). We firstly employ the efficient measure of
“sentence scoring” in text summarization and Tregex to extract the most important
and simplified topic sentences from documents. We then convert these simplified
sentences into CGs. To perform quantitative calculation of CGs, we design a new
method that can map CGs to vectors. Next, we rank the returned results based on
“text summarization score”. Furthermore, we propose a basic idea for SSCG and
give a significantly improved scheme to satisfy the security guarantee of
searchable symmetric encryption (SSE). Finally, we choose a real-world dataset, the
CNN dataset, to test our scheme. The results obtained from the experiment show
the effectiveness of our proposed scheme.

C. “ENCRYPTED DATA MANAGEMENT WITH
DEDUPLICATION IN CLOUD COMPUTING” by TRUPTI
RONGARE in 2016

Cloud computing offers many service resources over the Internet and provides
them to users on demand. Its main service is data storage, processing, and
management in the Internet of Things (IoT). Various cloud service providers (CSPs)
offer huge volumes of storage to maintain and manage Internet data, which can
include videos, photos, and personal records. To preserve cloud data confidentiality
and user privacy, cloud data are often stored in an encrypted form. But duplicated
data that are encrypted under different encryption schemes could be stored in the
cloud, which greatly decreases the utilization rate of storage resources, especially
for big data. Several data deduplication schemes have recently been proposed. But
most of them suffer from security weaknesses and a lack of flexibility to support
secure data access control. This paper proposes a scheme based on attribute-based
encryption (ABE) to deduplicate encrypted data stored in the cloud while also
supporting secure data access control. In this paper the survey is based on analysis
and implementation; results show the efficiency, effectiveness, and scalability of
the survey for potential practical deployment.

D. “Leveraging software defined networking for security policy
enforcement” by Depeng Jin, Li Su, Lieguang Zeng, Thanos Vasilakos
in 2015

Network operators employ a variety of security policies for protecting the
data and services. However, deploying these policies in traditional networks is
complicated and security vulnerable due to the distributed network control
and lack of a standard control protocol. Software defined networking provides
an ideal paradigm to address these challenges by separating the control plane and
data plane, and exploiting the logically centralized control. In this paper, we
focus on taking advantage of software-defined networking for security
policy enforcement. We propose a two-layer OpenFlow switch topology
designed to implement security policies, which considers the limitation of
flow table size in a single switch, the complexity of configuring security
policies to these switches, and load balance among these switches.
Furthermore, we introduce a safe way to update the configuration of these
switches one by one for better load balance when traffic distribution changes.
Specifically, we model the update process as a path in a graph, in which each
node represents a security policy satisfied configuration, and each edge
represents a single step of safe update.

E. “Security and Privacy for Storage and Computation in Cloud
Computing” by K. Sharmila, V. Vinoth Kumar in 2014

The Secure Data Sharing in Clouds (SeDaSC) methodology provides: data
confidentiality and integrity, access control, data sharing (forwarding) without
using compute-intensive re-encryption, insider threat security, and forward and
backward access control. The SeDaSC methodology encrypts a file with a single
encryption key. Two different key shares for each of the users are generated, with
the user only getting one share. The possession of a single share of a key allows the
SeDaSC methodology to counter the insider threats. The other key share is stored
by a trusted third party, which is called the cryptographic server. We implement a
working prototype of the SeDaSC methodology and evaluate its performance
based on the time consumed during various operations.

CHAPTER 2

SYSTEM ANALYSIS


2.1 EXISTING SYSTEM

In the existing system, CP-ABE may help us prevent security
breaches from outside attackers. But when an insider of the organization is
suspected of committing “crimes” related to the redistribution of
decryption rights and the circulation of user information in plain format
for illicit financial gain, how could we conclusively determine that the
insider is guilty?
In addition to the above question, we have one more, which is
related to the key generation authority. A cloud user’s access credential (i.e.,
decryption key) is usually issued by a semi-trusted authority based on
the attributes the user possesses. How could we guarantee that this
particular authority will not (re-)distribute the generated access
credentials to others?
2.1.1 DISADVANTAGES OF EXISTING SYSTEM
1) When an insider of the organization is suspected of committing the
“crimes”, the system is not able to prevent it.
2) If a cloud user shares his/her credentials with another user, the system
is not able to detect it.

2.2 PROPOSED SYSTEM

In this work, we have addressed the challenge of credential leakage
in CP-ABE based cloud storage systems by designing an accountable
authority and revocable CryptCloud which supports white-box
traceability and auditing (referred to as CryptCloud+). This is the first
CP-ABE based cloud storage system that simultaneously supports
white-box traceability, accountable authority, auditing and effective revocation.
Specifically, CryptCloud+ allows us to trace and revoke malicious cloud
users (leaking credentials). Our approach can also be used in the case
where the users’ credentials are redistributed by the semi-trusted
authority.

2.2.1 ADVANTAGES OF PROPOSED SYSTEM

1) The Semi-Trustable Authority sends the decryption key to users
based on the attributes they provided at the time of joining.

2) If any user shares his decryption key with another user, the Semi-Trustable
Authority finds the malicious user, blocks him, and finds the guilty party
by asking who sent him that decryption key.

CHAPTER 3

SYSTEM DESIGN

3.1 INPUT DESIGN

The input design is the link between the information system and the user. It
comprises developing specifications and procedures for data preparation, that is,
the steps necessary to put transaction data into a usable form for processing.
This can be achieved by having the computer read data from a written or printed
document, or by having people key the data directly into the system.
The design of input focuses on controlling the amount of input required,
controlling errors, avoiding delay, avoiding extra steps and keeping the process
simple. The input is designed in such a way that it provides security and ease of
use while retaining privacy. Input design considered the following things:

• What data should be given as input?
• How should the data be arranged or coded?
• The dialog to guide the operating personnel in providing input.
• Methods for preparing input validations and steps to follow when errors
occur.
Objectives

• Input design is the process of converting a user-oriented description of the
input into a computer-based system. This design is important to avoid errors
in the data input process and to show the correct direction to the management
for getting correct information from the computerized system.

• It is achieved by creating user-friendly screens for data entry to handle
large volumes of data. The goal of designing input is to make data entry
easier and free from errors. The data entry screen is designed in such a
way that all data manipulations can be performed. It also provides record
viewing facilities.

• When the data is entered, it is checked for validity. Data can be entered
with the help of screens. Appropriate messages are provided as and when needed
so that the user will not be in a maze at any instant. Thus the objective of input
design is to create an input layout that is easy to follow.

3.2 OUTPUT DESIGN

A quality output is one which meets the requirements of the end user and
presents the information clearly. In any system, results of processing are
communicated to the users and to other systems through outputs. In output design it
is determined how the information is to be displayed for immediate need, and also
the hard copy output. It is the most important and direct source of information to the
user. Efficient and intelligent output design improves the system’s relationship with
the user and helps user decision-making.

• Designing computer output should proceed in an organized, well thought out
manner; the right output must be developed while ensuring that each output
element is designed so that people will find the system easy and effective
to use. When analysts design computer output, they should identify the
specific output that is needed to meet the requirements.
• Select methods for presenting information.
• Create document, report, or other formats that contain information produced
by the system.

The output form of an information system should accomplish one or more of
the following objectives.

• Convey information about past activities, current status or projections of the
future.
• Signal important events, opportunities, problems, or warnings.
• Trigger an action.
• Confirm an action.

3.3 ARCHITECTURE DIAGRAM

Architecture includes four layers: raw data collection, context analysis, event
personalization, and diary generation. Through those four layers, Smart Diary
captures critical events according to users’ preferences, and automatically
generates diaries to the user.

[Architecture diagram. Entities: STA, Data Owners, Public Cloud, Cloud Users.
Labels: data owners have all rights to delete and edit their data; File Upload;
Encrypt Files; Policy File Creation; File Permission Key; Generates
Attribute-based decryption keys; Registration & Login; Enter Decryption key;
Informs to Data Owners; Key Leakage; True User; Account Blocked; File Read,
Write, Download, Delete.]

Fig 3.1: Architecture Diagram

3.4 USE CASE DIAGRAM

A use case diagram is a graphic depiction of the interactions among the
elements of a system. A use case is a methodology used in system analysis to
identify, clarify, and organize system requirements.

Fig 3.2: Use case Diagram

3.5 ACTIVITY DIAGRAM

Activity diagrams are graphical representations of workflows of stepwise
activities and actions with support for choice, iteration and concurrency. In the
Unified Modeling Language, activity diagrams are intended to model both
computational and organisational processes (i.e. workflows).

Fig 3.3: Activity Diagram

3.6 SEQUENCE DIAGRAM

A Sequence diagram is an interaction diagram that shows how processes
operate with one another and in what order. It is a construct of a Message Sequence
Chart. A sequence diagram shows object interactions arranged in time sequence.

Fig 4.4: Sequence Diagram

Collaboration Diagram:
UML Collaboration Diagrams illustrate the relationship and interaction between
software objects. They require use cases, system operation contracts and domain model to
already exist. The collaboration diagram illustrates messages being sent between classes and
objects.

3.7 DFD- DATA FLOW DIAGRAM:

Context Level DFD’s

A context level DFD is the most basic form of DFD. It aims to show how the entire
system works at a glance. There is only one process in the system and all the data
flows either into or out of this process. Context level DFD’s demonstrate the
interactions between the process and external entities. They do not contain Data
Stores. When drawing Context Level DFD’s, we must first identify the process, all
the external entities and all the data flows. We must also state any assumptions we
make about the system. It is advised that we draw the process in the middle of the
page. We then draw our external entities in the corners and finally connect our
entities to our process with the data flows.

LEVEL OF DFD’S

Level 1 DFD’s aim to give an overview of the full system. They look at the system
in more detail. Major processes are broken down into sub-processes. Level 1
DFD’s also identify data stores that are used by the major processes. When
constructing a Level 1 DFD, we must start by examining the Context Level DFD.
We must break up the single process into its sub-processes. We must then pick out
the data stores from the text we are given and include them in our DFD. Like the
Context Level DFD’s, all entities, data stores and processes must be labeled. We
must also state any assumptions made from the text.

Level 0:

Level 1:

Level 2:

Level 3:

3.8 CLASS DIAGRAM

A Class diagram in the Unified Modelling Language is a type of static
structure diagram that describes the structure of a system by showing the
system's classes, their attributes, operations (or methods), and the relationships
among objects.

CHAPTER 4

SYSTEM IMPLEMENTATION

4.1 HARDWARE REQUIREMENTS

• System : Pentium IV 2.4 GHz.
• Hard Disk : 40 GB.
• Monitor : 15 VGA Colour.
• Mouse : Logitech.
• RAM : 4 GB.

4.2 SOFTWARE REQUIREMENTS

• Operating system : Windows 7.
• Coding Language : Java 1.7
• Database : Tomcat 7.0
• Back End : MySQL

4.3 MODULE DESCRIPTION

4.3.1 Organization profile creation & Key Generation


The user goes through an initial registration process at the web end. Users provide
their own personal information for this process, and the server in turn stores the
information in its database. The Accountable STA (Semi-Trusted Authority) then
generates decryption keys for the users based on their attribute set (e.g. name,
mail-id, contact number, etc.). The user gains the right to access the
organization's data after getting decryption keys from the Accountable STA.

4.3.2 Data Owners File Upload


In this module data owners create their accounts under the public cloud and
upload their data into the public cloud. While uploading files into the public
cloud, data owners encrypt their data using the RSA encryption algorithm, which
generates a public key and a secret key. They also generate one unique file access
permission key for the users under the organization to access their data.

4.3.3 File Permission & Policy File Creation


Different data owners generate different file permission keys for their
files and issue those keys to users under the organization to access their files.
They also generate policy files for their data, stating who can access it.
The policy file splits the key into keys for reading the file, writing the file,
downloading the file and deleting the file.

4.3.4 Tracing who is guilty


Authorized DUs are able to access (e.g. read, write, download, delete and
decrypt) the outsourced data. Here file permission keys are issued to the
employees in the organization based on their experience and position. Senior
employees have all the permissions to access the files (read, write, delete and
download). Freshers have permission only to read the files. Some
employees have permission to read and write, and some employees have
all the permissions except deleting the data. If any senior employee leaks or
shares their secret permission keys with junior employees, the junior employees
will request to download or delete the data owner's data. When the key is
entered, the system generates the attribute set for the user's role in the
background and validates whether the user has the rights to access the data.
If the attribute set does not match the data owner's policy files, the user is
flagged as guilty. By asking them, we find who leaked the key to the junior
employees.
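
The check described in 4.3.3 and 4.3.4, as an added sketch that is not part of
the project's code: a policy file splits the file permission key into
per-operation keys, and a valid key presented by the wrong account is logged
for the auditor. The role labels, user names, HMAC-SHA256 derivation and the
binding of each sub-key to its holder are assumptions of this sketch; the
report itself finds the leaker by asking the flagged user.

```python
import hashlib
import hmac

# Role -> permitted operations, following section 4.3.4 (role labels are constructed).
ROLE_RIGHTS = {
    "senior": {"read", "write", "download", "delete"},
    "no_delete": {"read", "write", "download"},
    "read_write": {"read", "write"},
    "fresher": {"read"},
}


class PolicyFile:
    """Policy for one uploaded file: who holds which per-operation key."""

    def __init__(self, file_id: str, file_permission_key: bytes):
        self.file_id = file_id
        self._key = file_permission_key
        self.roles = {}        # user -> role recorded when keys were issued
        self.blocked = set()   # accounts blocked after a detected leak
        self.audit_log = []    # evidence handed to the auditor

    def _derive(self, user: str, operation: str) -> str:
        # Assumption: each sub-key is bound to its holder, so a key that turns
        # up under another account points back to whoever it was issued to.
        msg = user.encode() + b"\x00" + operation.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, role: str) -> dict:
        """Split the file permission key into the sub-keys the role allows."""
        self.roles[user] = role
        return {op: self._derive(user, op) for op in sorted(ROLE_RIGHTS[role])}

    def _holder_of(self, operation: str, key: str):
        """Return the user this key was issued to for this operation, if any."""
        for holder, role in self.roles.items():
            expected = self._derive(holder, operation)
            if operation in ROLE_RIGHTS[role] and hmac.compare_digest(
                key.encode(), expected.encode()
            ):
                return holder
        return None

    def request(self, user: str, operation: str, key: str) -> str:
        """Validate a request against the role's rights and the key's holder."""
        if user in self.blocked:
            return "blocked"
        if user not in self.roles:
            return "denied"          # not registered for this file
        holder = self._holder_of(operation, key)
        if holder is None:
            return "denied"          # not a key for this file and operation
        if holder == user:
            return "granted"         # own key, and the role allows the operation
        # Valid key under the wrong account: block the presenter, log the source.
        self.blocked.add(user)
        self.audit_log.append({"file": self.file_id, "presenter": user,
                               "source": holder, "operation": operation})
        return "leak"


def demo():
    """Constructed scenario: a senior's delete key is used by a fresher."""
    policy = PolicyFile("design.docx", b"constructed-file-permission-key")
    senior_keys = policy.issue("asha", "senior")
    fresher_keys = policy.issue("ravi", "fresher")
    results = [
        policy.request("ravi", "read", fresher_keys["read"]),
        policy.request("ravi", "delete", senior_keys["delete"]),
        policy.request("ravi", "read", fresher_keys["read"]),
        policy.request("asha", "delete", senior_keys["delete"]),
    ]
    return results, policy.audit_log


if __name__ == "__main__":
    print(demo())
```
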

CHAPTER 5

CONCLUSION

In this work, we have addressed the challenge of credential leakage in
CP-ABE based cloud storage system by designing an accountable authority
and revocable CryptCloud which supports white-box traceability and
auditing (referred to as CryptCloud+). This is the first CP-ABE based
cloud storage system that simultaneously supports white-box traceability,
accountable authority, auditing and effective revocation. Specifically,
CryptCloud+ allows us to trace and revoke malicious cloud users (leaking
credentials). Our approach can be also used in the case where the users’
credentials are redistributed by the semi-trusted authority.

APPENDIX-2

SCREEN SHOTS

Organisation Profile Creation (Home page)

User Sign Up

Semi-Trustable Authority

Semi-Trustable Authority Generating Decryption key based on User Attributes

User Sign In
Key Generation by E-Mail

Entering the key Generated through E-Mail


REFERENCES

[1] Mazhar Ali, Revathi Dhamotharan, Eraj Khan, Samee U. Khan, Athanasios V. Vasilakos, Keqin Li, and Albert Y. Zomaya. Sedasc: Secure data sharing in clouds. IEEE Systems Journal, 11(2):395–404, 2017.

[2] Mazhar Ali, Samee U. Khan, and Athanasios V. Vasilakos. Security in cloud computing: Opportunities and challenges. Inf. Sci., 305:357–383, 2015.

[3] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D Joseph, Randy Katz, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, et al. A view of cloud computing. Communications of the ACM, 53(4):50–58, 2010.

[4] Nuttapong Attrapadung and Hideki Imai. Attribute-based encryption supporting direct/indirect revocation modes. In Cryptography and Coding, pages 278–300. Springer, 2009.

[5] Amos Beimel. Secure schemes for secret sharing and key distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.

[6] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. In Advances in Cryptology-CRYPTO’92, pages 390–420. Springer, 1993.

[7] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In EUROCRYPT 2004, pages 56–73, 2004.

[8] Hongming Cai, Boyi Xu, Lihong Jiang, and Athanasios V. Vasilakos. Iot-based big data storage systems in cloud computing: Perspectives and challenges. IEEE Internet of Things Journal, 4(1):75–87, 2017.

[9] Jie Chen, Romain Gay, and Hoeteck Wee. Improved dual system ABE in prime-order groups via predicate encodings. In Advances in Cryptology - EUROCRYPT 2015, pages 595–624, 2015.

[10] Angelo De Caro and Vincenzo Iovino. jpbc: Java pairing based cryptography. In ISCC 2011, pages 850–855. IEEE, 2011.

[11] Hua Deng, Qianhong Wu, Bo Qin, Jian Mao, Xiao Liu, Lei Zhang, and Wenchang Shi. Who is touching my cloud. In Computer Security-ESORICS 2014, pages 362–379. Springer, 2014.

[12] Zhangjie Fu, Fengxiao Huang, Xingming Sun, Athanasios Vasilakos, and Ching-Nung Yang. Enabling semantic search based on conceptual graphs over encrypted outsourced data. IEEE Transactions on Services Computing, 2016.

[13] Vipul Goyal. Reducing trust in the PKG in identity based cryptosystems. In Advances in Cryptology-CRYPTO 2007, pages 430–447. Springer, 2007.

[14] Vipul Goyal, Steve Lu, Amit Sahai, and Brent Waters. Black-box accountable authority identity-based encryption. In Proceedings of the 15th ACM conference on Computer and communications security, pages 427–436. ACM, 2008.

[15] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM conference on Computer and communications security, pages 89–98. ACM, 2006.

[16] Qi Jing, Athanasios V. Vasilakos, Jiafu Wan, Jingwei Lu, and Dechao Qiu. Security of the internet of things: perspectives and challenges. Wireless Networks, 20(8):2481–2501, 2014.

[17] Allison Lewko. Tools for simulating features of composite order bilinear groups in the prime order setting. In Advances in Cryptology–EUROCRYPT 2012, pages 318–335. Springer, 2012.

[18] Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Advances in Cryptology–EUROCRYPT 2010, pages 62–91. Springer, 2010.

[19] Allison Lewko and Brent Waters. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In Advances in Cryptology–CRYPTO 2012, pages 180–198. Springer, 2012.

[20] Jiguo Li, Xiaonan Lin, Yichen Zhang, and Jinguang Han. KSFOABE: outsourced attribute-based encryption with keyword search function for cloud storage. IEEE Trans. Services Computing, 10(5):715–725, 2017.
