Abstract
Cloud operating system (Cloud OS) is the heart of cloud management platform that takes control of various cloud resources. Therefore, it attracts numerous attacks, especially unauthorized access. Many existing works adopt role-based access control (RBAC) model for Cloud OS access control and token-based approaches as user credentials of sessions or transactions between users and cloud, but they fail to resist privilege abuse caused by RBAC policy rules tampering or token hijacking. To addresses this challenging problem, we propose a secure access control framework suitable for resource-centric Cloud OS. For one thing, we propose a new authorization model with cryptographically protected RBAC policy rules. To solve the policy decision problem caused by encrypted policy rules in this model, an approach is developed to transform it into permission searching problem and we further propose a policy decision scheme based on this. For another thing, we achieve user token unlinkability and token-replay-attack resistance by introducing randomization mechanism and leveraging one-show token technique. A proof of concept implementation has been developed and the proposed scheme is proven secure and efficient by security analysis and the performance evaluation.
Similar content being viewed by others
References
Aftab MU, Qin Z, Hundera NW, Ariyo O, Son NT, Dinh TV et al (2019) Permission-based separation of duty in dynamic role-based access control model. Symmetry 11(5):669
Aftab MU, Qin Z, Quadri SF, Javed A, Nie X (2019) Role-based abac model for implementing least privileges. In: Proceedings of the 2019 8th international conference on software and computer applications, pp 467–471
Blundo C, Cimato S, Siniscalchi L (2020) Managing constraints in role based access control. IEEE Access
Cai F, Zhu N, He J, Mu P, Li W, Yu Y (2019) Survey of access control models and technologies for cloud computing. Clust Comput 22(3):6111–6122
Chakraborty S, Sandhu R, Krishnan R (2019) On the feasibility of rbac to abac policy mining: A formal analysis. In: International conference on secure knowledge management in artificial intelligence era. Springer, pp 147–163
Chen Z, Yang Q, Wan X, Tu Y, Yu F, Xu C (2011) Privacy preservation in role-based access control model. J Netw 6(8):1106
De Caro A, Iovino V (2011) jpbc: Java pairing based cryptography. In: Proceedings of the 16th IEEE symposium on computers and communications, ISCC 2011, Kerkyra, Corfu, Greece, June 28 - July 1, pp 850–855
Dixit JP, Badal N, Abbas SQ (2017) A novel approach of distributed security mechanism of data distribution in distributed environment. Int J Appl Eng Res 12(10):2115–2122
Ghorbel A, Ghorbel M, Jmaiel M (2017) Privacy in cloud computing environments: a survey and research challenges. J Supercomput 73(6):2763–2800
Gu W, Yang C, Yi Y (2020) An access model under cloud computing environment. Int J Comput Sci Eng 22(2-3):328–334
He Y, Han Z, Cai Y (2010) A fine grained rbac model supporting flexible administrative separation of duty. In: 2010 sixth international conference on intelligent information hiding and multimedia signal processing. IEEE, pp 192–195
Li J, Tang X, Wei Z, Wang Y, Chen W, Tan YA (2019) Identity-based multi-recipient public key encryption scheme and its application in iot. Mob Netw Appl pp 1–8
Li Z, Wang D, Morais E (2020) Quantum-safe round-optimal password authentication for mobile devices. IEEE Trans Dependable Secure Comput PP(99)
Lufei Z (2017) Zuoning, C.: vstarcloud: an operating system architecture for cloud computing. In: 2017 IEEE 2nd international conference on cloud computing and big data analysis (ICCCBDA). IEEE, pp 271–275
Luo J, Wang H, Gong X, Li T (2016) A novel role-based access control model in cloud environments. Int J Comput Intell Syst 9(1):1–9
Maiti S, Misra S (2020) P2b: Privacy preserving identity-based broadcast proxy re-encryption. IEEE Trans Veh Technol 69(5):5610–5617
Miao Y, Ma J, Liu X, Weng J, Li H, Li H (2018) Lightweight fine-grained search over encrypted data in fog computing. IEEE Trans Serv Comput 12(5):772–785
Pérez JMM, Pérez GM, Gómez AFS (2016) Secrbac: Secure data in the clouds. IEEE Trans Serv Comput 10(5):726–740
Pustchi N, Sandhu R (2015) Mt-abac: A multi-tenant attribute-based access control model with tenant trust. In: International conference on network and system security. Springer, pp 206–220
PV R, Sandhu R (2016) Poster: security enhanced administrative role based access control models. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 1802–1804
Qiu S, Wang D, Xu G, Kumari S (2020) Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices. IEEE Trans Dependable Secure Comput
Rahman MU (2020) Scalable role-based access control using the eos blockchain. arXiv:2007.02163
Riad K, Hamza R, Yan H (2019) Sensitive and energetic iot access control for managing cloud electronic health records. IEEE Access 7:86,384–86,393
Sandhu R, Ferraiolo D, Kuhn R et al (2000) The nist model for role-based access control: towards a unified standard. In: ACM workshop on role-based access control, vol 10
Shuang W, Hao Y, Dongnan L (2018) A new identity based blind signature scheme and its application. In: 2018 IEEE 3rd advanced information technology, electronic and automation control conference (IAEAC). IEEE, pp 672–676
Singh MP, Sural S, Vaidya J, Atluri V (2019) Managing attribute-based access control policies in a unified framework using data warehousing and in-memory database. Comput Secur 86:183– 205
Sinha AK, Tripathy S (2019) Cookiearmor: Safeguarding against cross-site request forgery and session hijacking. Secur Priv 2(2):e60
Varghese B, Netto MA, Llorente IM, Buyya R (2020) New generation cloud computing. Softw Pract Exp 50(6):803–804
Wang C, Wang D, Tu Y, Xu G, Wang H (2020) Understanding node capture attacks in user authentication schemes for wireless sensor networks. IEEE Trans Dependable Secure Comput
Wang D, Cheng H, Wang P, Huang X, Jian G (2017) Zipf’s law in passwords. IEEE Trans Inf Forensics Secur 12(11):2776–2791
Wang D, Li W, Wang P (2018) Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks. IEEE Trans Ind Inform 14(9):4081–4092
Wang D, Wang N, Wang P, Qing S (2015) Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity. Inform Sci 321:162–178
Wang D, Wang P (2016) Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Trans Dependable Secure Comput pp 1–1
Xu P, Jiao T, Wu Q, Wang W, Jin H (2015) Conditional identity-based broadcast proxy re-encryption and its application to cloud email. IEEE Trans Comput 65(1):66–79
Yang Y, Liu R, Chen Y, Li T, Tang Y (2018) Normal cloud model-based algorithm for multi-attribute trusted cloud service selection. IEEE Access 6:37,644–37,652
Yu Y, Ni J, Yang H, Mu Y, Susilo W (2014) Efficient public key encryption with revocable keyword search. Secur Commun Netw 7(2):466–472
Zhang J, Ma J, Ma Z, Lu N, Yang Y, Li T, Wei D (2019) Efficient hierarchical data access control for resource-limited users in cloud-based e-health. In: 2019 international conference on networking and network applications (NaNA). IEEE, pp 319– 324
Zhou L, Varadharajan V, Hitchens M (2013) Achieving secure role-based access control on encrypted data in cloud storage. IEEE Trans Inf Forensic Secur 8(12):1947–1960
Acknowledgements
This work supported by the National Natural Science Foundation of China (Nos.62072093, 62072092, 61601107and U1708262); the China Postdoctoral Science Foundation (No.2019M653568); the Fundamental Research Funds for the Central Universities (No.N2023020); the Natural Science Foundation of Hebei Province of China (No.F2020501013) the Key Research and Development Project of Hebei Province (No.20310702D).
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Zhang, J., Lu, N., Ma, J. et al. A Secure Access Control Framework for Cloud Management. Mobile Netw Appl 27, 404–416 (2022). https://doi.org/10.1007/s11036-021-01839-w
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11036-021-01839-w