Elsevier

Computers & Security

Volume 73, March 2018, Pages 249-265

Privacy preserving fine-grained location-based access control for mobile cloud

https://doi.org/10.1016/j.cose.2017.10.014

Abstract

Mobile cloud computing is a computing paradigm for mobile applications that migrates storage and computation from mobile users to resource-rich cloud servers. This migration raises privacy issues around secure data storage, fine-grained access control and user anonymity. Attribute-based encryption is an end-to-end public-key encryption mechanism that protects data stored in the cloud and provides fine-grained access control through defined policies and constraints. Device location is one such contextual policy: it is used to improve data security, authenticate users and gate access to services and information. Unlike the other policies and attributes used in attribute-based encryption, however, location is an intrinsically dynamic attribute. In this paper, we investigate providing Location-Based Services (LBSs) for attribute-based access control in the mobile cloud. More specifically, we propose a multi-authority attribute-based access control scheme that supports the coexistence of authorities, provides user anonymity and protects user identities against malicious authorities. The proposed scheme uses the dynamic location of mobile users as contextual information about them, employs location range constraints as a policy in attribute-based encryption, and authorizes users whose dynamic locations satisfy the access policies. The attribute-based encryption is integrated with proxy re-encryption to (a) transform the secret information received from different authorities so that user identities are not disclosed to the cloud server, and (b) outsource computation to a cloud server with abundant computational power. The result is greater efficiency and a lower computation cost for resource-constrained mobile users.

Introduction

In some applications of the mobile cloud, Location-Based Services (LBSs) are popular services provided by mobile devices and remote servers, in which users gain access to features (e.g. health, indoor object search, entertainment, work, personal life (Guo et al, 2008, Guo et al, 2012)) depending on their geographic location. LBSs adopt the Data as a Service (DaaS) model (Hu et al., 2013): they are accessible to mobile devices through the mobile network and make use of the geographic positions of those devices.

In location-based services, the location of a device is one of the most important pieces of contextual information about that device and its owner; it is exploited to improve data security and to support access to the services and information the cloud provides to mobile users. Indeed, by integrating access control mechanisms with conditions based on the physical position of users, we can improve data security and protect users' data against unauthorized access and disclosure. Furthermore, some applications need this information to offer services tailored to users' positions (e.g. social networking as an entertainment service that uses the geographical position of the mobile device).

The main challenge of location-based access control is releasing information only to authorized users who satisfy predefined conditions; this is called fine-grained access control. In traditional access control approaches, providing secure fine-grained access control and limiting the release of information to authorized users requires data owners to encrypt data separately for each user, which imposes a high computational overhead. Attribute-Based Encryption (ABE) is a promising approach to fine-grained access control (Goyal et al, 2006, Sahai, Waters, 2005). It enforces access control over encrypted data using access policies and attribute sets embedded in ciphertexts and secret keys. In particular, in Ciphertext-Policy ABE (CP-ABE) the access policy is embedded in the ciphertext, and a ciphertext can be decrypted only by a user whose attributes satisfy that policy. Thus, different users can access different pieces of information according to the attributes they have been assigned. Since ABE encrypts data without exact knowledge of the receivers, it is suitable for large-scale systems.

Providing fine-grained access control with attribute-based encryption requires issuing different attributes to each user. Since each authority issues a set of attributes to each user, the ABE scheme (CP-ABE) must support the coexistence of multiple authorities. Multi-Authority ABE (MA-ABE) (Jiang et al, 2016, Jung et al, 2015, Lewko, Waters, 2011, Li et al, 2016, Yang, Jia, 2014) is therefore more appropriate for location-based access control in the cloud, as users hold attributes issued by different authorities. Moreover, in MA-ABE, instead of a single authority issuing the secret key, each authority issues the part of the key corresponding to the attributes it is responsible for. Because no single authority then holds a user's complete key or attribute set, this also helps protect user identity and provide anonymity.

Using MA-ABE in the context of LBSs introduces several challenges: (1) location anonymity: mobile users should not be traceable while using LBSs; (2) dynamic location update: the locations of mobile users change over time, so MA-ABE must support dynamic updates of the location attribute and of the key component tied to it; and (3) computational overhead on mobile devices: executing the scheme should not impose a high computation cost on resource-constrained mobile users.

In this paper, aiming to address the above challenges, we propose a new Privacy Preserving Location-Based Access Control (PPLBAC) scheme for mobile clouds. The proposed PPLBAC provides the following properties:

  • Confidentiality of stored data: We propose a fine-grained access control mechanism that grants access to encrypted data only to authorized users satisfying predefined static and dynamic conditions.

  • User anonymity protection against authorities: PPLBAC uses a secret-sharing mechanism to share a secret among the authorities, and provides a novel approach that supports the coexistence of multiple authorities, protects the identity of users against each authority and reduces the computation overhead on resource-constrained mobile users.

  • Dynamic location updating of mobile users: Since location is an attribute that must be updated dynamically, a conventional ABE scheme would have to reissue a user's entire secret key each time that user's location changes. We therefore propose an efficient location updating method that updates a mobile user's location without changing the entire secret key.

  • Location privacy for mobile users: To provide location privacy, we combine MA-ABE with comparative attribute-based encryption (Wang et al., 2015) and proxy re-encryption to (a) simultaneously support location constraints (modeled as range policies) and other constraints (modeled as regular policies) in MA-ABE, and (b) transform the secret information received from the authorities so that the cloud server cannot identify users or their locations (even if all authorities collude).

  • Low computational overhead on mobile users: Because of the overhead of the pairing operations in decryption, plain ABE is poorly suited to the mobile cloud. To solve this problem, PPLBAC integrates MA-ABE with proxy re-encryption (Lai et al, 2013, Tysowski, Hasan, 2013) and an offline big data processing mechanism (Fernandez et al, 2015, Rathore et al, 2015), and provides a new method to (a) outsource the costly pairing operations in MA-ABE decryption to the cloud server, (b) perform the static part of the computation once, offline, at registration time, and (c) perform only the dynamic part of the computation at access time.
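The policy machinery behind the CP-ABE access control and the range policies described above, as an added example that is not code from the paper: a tree access structure in the style of Goyal et al. (2006), whose threshold gates share a root secret downward with Shamir polynomials, extended with a location-range leaf that is evaluated against the user's current position at access time. Shares live in a prime field rather than in the exponent of a bilinear group, so this shows the policy and secret-sharing logic only, not an encryption scheme; the hospital-campus policy, the coordinates, the attribute names and the field prime are all constructed for the demo.

```python
"""Access-tree secret sharing with attribute and location-range leaves.

Added example, not the paper's scheme: Goyal-style threshold access tree
(k=1 gate is OR, k=n gate is AND) with a dynamic location-range leaf.
Everything below the docstring (prime, policy, coordinates) is constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional, Union

P = 2**127 - 1  # prime field for the Shamir shares (choice is an assumption)


@dataclass(frozen=True)
class Attr:          # regular (static) attribute leaf, e.g. "dept:cardiology"
    name: str


@dataclass(frozen=True)
class LocRange:      # dynamic attribute leaf: user must be inside this box
    lat: tuple
    lon: tuple

    def contains(self, loc: tuple) -> bool:
        lat, lon = loc
        return self.lat[0] <= lat <= self.lat[1] and self.lon[0] <= lon <= self.lon[1]


@dataclass(frozen=True)
class Gate:          # k-of-n threshold gate over its children
    k: int
    children: tuple


Node = Union[Attr, LocRange, Gate]


def share(node: Node, value: int):
    """Push `value` down the tree: each gate splits its value with a random
    degree-(k-1) polynomial q with q(0)=value and hands child i the point q(i)."""
    if not isinstance(node, Gate):
        return value
    coeffs = [value] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    q = lambda x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
    return [share(child, q(i + 1)) for i, child in enumerate(node.children)]


def lagrange_at_zero(points) -> int:
    """Interpolate the polynomial through `points` and evaluate it at 0 (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover(node: Node, shares, attrs: set, loc: Optional[tuple]) -> Optional[int]:
    """Return the node's value if attrs/loc satisfy its subtree, else None."""
    if isinstance(node, Attr):
        return shares if node.name in attrs else None
    if isinstance(node, LocRange):
        return shares if loc is not None and node.contains(loc) else None
    points = []
    for i, (child, sub) in enumerate(zip(node.children, shares)):
        v = recover(child, sub, attrs, loc)
        if v is not None:
            points.append((i + 1, v))
        if len(points) == node.k:          # any k satisfied children suffice
            return lagrange_at_zero(points)
    return None


# Constructed policy: (doctor OR nurse) AND cardiology AND on the hospital campus
CAMPUS = LocRange(lat=(45.500, 45.520), lon=(-73.620, -73.600))
POLICY = Gate(k=3, children=(
    Gate(k=1, children=(Attr("role:doctor"), Attr("role:nurse"))),
    Attr("dept:cardiology"),
    CAMPUS,
))


def can_decrypt(policy: Gate, attrs: set, loc: Optional[tuple]) -> bool:
    """Share a fresh secret and check whether this user could reconstruct it."""
    secret = secrets.randbelow(P)
    return recover(policy, share(policy, secret), attrs, loc) == secret


if __name__ == "__main__":
    nurse = {"role:nurse", "dept:cardiology"}
    print(can_decrypt(POLICY, nurse, (45.51, -73.61)))           # True: on campus
    print(can_decrypt(POLICY, nurse, (45.40, -73.61)))           # False: moved off campus
    print(can_decrypt(POLICY, {"role:doctor"}, (45.51, -73.61)))  # False: no department
```

The location leaf is what makes the attribute dynamic: the same shares stay valid, but whether the leaf yields its share depends on the position presented at access time, so a user who walks off campus loses the ability to reconstruct the root even though nothing else about their attributes changed. A real CP-ABE scheme performs the same interpolation in the exponent, which is where the pairing cost that PPLBAC outsources comes from.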

To the best of our knowledge, this is the first work suited to dynamic location-based access control in the mobile cloud that achieves multi-authority, fine-grained access control, supports dynamic, anonymous and unforgeable location attributes, and provides confidentiality for users without imposing significant computational overhead on mobile devices. We also formally define and prove the selective security of PPLBAC against chosen-plaintext attacks. Finally, we evaluate PPLBAC to show its feasibility for location-based access control in the mobile cloud.
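The outsourcing idea in the last bullet above (cloud does the heavy part of decryption without learning the key or the plaintext), as an added example that is not the paper's construction: the key-blinding trick used by outsourced-decryption schemes such as Green, Hohenberger and Waters, shown on ordinary ElGamal over Z_p^* instead of a pairing-based ABE. The user hands the cloud a transformation key sk/z, the cloud raises the ciphertext to it, and the user finishes with the blinding factor z. The prime, base element and message are assumptions for the demo; in this group the cost saving is small, whereas in ABE the outsourced part is the per-attribute pairings.

```python
"""Outsourced decryption with a blinded transformation key (ElGamal analogue).

Added example, not PPLBAC's scheme. Demonstrates why a proxy holding sk/z can
do the expensive exponentiation without learning sk or the plaintext.
Prime, base and message are constructed for the demo.
"""
import secrets
from math import gcd

P = 2**255 - 19     # prime modulus (assumption); exponents reduce modulo P-1
G = 2               # base element; full Z_p^* keeps the demo short (not a safe-prime subgroup)
ORDER = P - 1


def keygen():
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, P)                     # (sk, pk = g^sk)


def encrypt(pk: int, m: int):
    """ElGamal: (g^r, m * pk^r). m must be in [1, P-1]."""
    r = secrets.randbelow(ORDER - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P


def decrypt_local(sk: int, ct) -> int:
    """Unaided decryption: the user does the full exponentiation c1^sk."""
    c1, c2 = ct
    return c2 * pow(pow(c1, sk, P), -1, P) % P


def make_transform_key(sk: int):
    """Blind sk with a random z coprime to the group order: tk = sk / z."""
    while True:
        z = secrets.randbelow(ORDER - 1) + 1
        if gcd(z, ORDER) == 1:
            break
    tk = sk * pow(z, -1, ORDER) % ORDER
    return z, tk                                  # z stays with the user, tk goes to the cloud


def cloud_transform(tk: int, ct):
    """Cloud side: c1^(sk/z). Without z this reveals neither sk nor m."""
    c1, c2 = ct
    return pow(c1, tk, P), c2


def user_finish(z: int, partial) -> int:
    """User side: (c1^(sk/z))^z = c1^sk, then strip it from c2."""
    t, c2 = partial
    return c2 * pow(pow(t, z, P), -1, P) % P


def demo() -> dict:
    sk, pk = keygen()
    m = 0xC0FFEE                                  # constructed message
    ct = encrypt(pk, m)
    z, tk = make_transform_key(sk)
    outsourced = user_finish(z, cloud_transform(tk, ct))
    return {
        "local_ok": decrypt_local(sk, ct) == m,
        "outsourced_ok": outsourced == m,
        "cloud_sees_sk": tk == sk,                # False: tk is sk blinded by a uniform z
        "wrong_z_fails": user_finish(z + 1, cloud_transform(tk, ct)) == m,
    }


if __name__ == "__main__":
    print(demo())   # {'local_ok': True, 'outsourced_ok': True, 'cloud_sees_sk': False, 'wrong_z_fails': False}
```

The transformation key is a uniformly random multiple of sk, so on its own it tells the cloud nothing about sk, and the cloud's output is still blinded by z. This is the same structure PPLBAC applies to the MA-ABE key components it transforms with proxy re-encryption before they reach the cloud server.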

The remainder of this paper is organized as follows. Section 2 presents the literature review related to our work. Section 3 presents some preliminaries. Section 4 discusses the system and security models. Section 5 describes the proposed scheme. Section 6 analyzes the security of the proposed PPLBAC and Section 7 evaluates its performance. Finally, Section 8 concludes the whole paper.

Section snippets

Related work

Providing privacy-preserving location-based services for mobile users interacting with a Location Service Provider (LSP) has two different aspects: (a) query privacy, which concerns the disclosure of sensitive information about the service query, and (b) location privacy, which concerns the disclosure and misuse of users' location information (Pan et al., 2012). Location privacy is achieved using two approaches: (a) adding noise to the location (e.g. expanding the user's location (Domingo-Ferrer,

Preliminaries

In this section, first we briefly introduce composite order bilinear group. Next, we present Multi-Dimensional Range Derivation Functions (MDRDF). Finally, we give background information on tree access structure used to design the scheme.

System and security models

In this section, we first present the system model and its architecture. Then, we describe the threat model and security assumptions about the entities in that architecture. Next, we describe the framework of the scheme and its functional model. Finally, we define the security model used for security analysis of our scheme.

The proposed scheme: a detailed description

There are five entities in the scheme: Attribute Authorities (AAi), including the LSP, User (U), Cloud Service Provider (CSP) and Data Owner (DO). The scheme consists of five phases: setup, key generation, encryption, access request, and decryption.

Security analysis

In this section, we analyze the security of the proposed scheme. First, we present the assumptions used to prove the security of PPLBAC. Next, we discuss how PPLBAC supports location privacy, user anonymity and location unforgeability, and how it is immune against authorities collusion attacks and chosen plaintext attacks.

Performance evaluation

In this section, we evaluate the performance of PPLBAC. First, we present a complexity analysis of PPLBAC from two aspects: computation overhead and communication overhead. We also compare the proposed scheme with the state of the art (Jung et al, 2015, Li et al, 2016, Shao et al, 2014, Zhu et al, 2013). Finally, we present experimental results to evaluate its performance.

Conclusion

In this paper, we have investigated providing location-based services for attribute-based access control in the mobile cloud. We have developed a multi-authority attribute-based access control scheme that simultaneously supports static and dynamic attributes for mobile devices. Moreover, we have provided a way to outsource the heavy computations from resource-constrained mobile devices and reduce their computational overhead to a small constant. In the proposed scheme, we transform secret information

References (41)

  • R.C. Fernandez et al. Liquid: unifying nearline and offline big data integration
  • V. Goyal et al. Attribute-based encryption for fine-grained access control of encrypted data
  • M. Green et al. Libfenc: the functional encryption library
  • B. Guo et al. Home-explorer: ontology-based physical artifact search and hidden object detection system. Mobile Inf Syst (2008)
  • B. Guo et al. Design-in-play: improving the variability of indoor pervasive games. Multimed Tools Appl (2012)
  • H. Hu et al. Verdict: privacy-preserving authentication of range queries in location-based services
  • T. Jung et al. Control cloud data access privilege and anonymity with fully anonymous attribute-based encryption. IEEE Trans Inf Forens Secur (2015)
  • J. Lai et al. Attribute-based encryption with verifiable outsourced decryption. IEEE Trans Inf Forens Secur (2013)
  • A. Lewko et al. Decentralizing attribute-based encryption

Cited by (18)

  • Specification and adaptive verification of access control policy for cyber-physical-social spaces. Computers and Security (2022)

    Citation excerpt: The contextual information of these models focuses on the social group and the social relationships. For the access control models of the internet of things, Baseri et al. (2018) propose a location-based access control scheme. This scheme uses dynamic location of mobile users as contextual information about those users, employs location range constraints as a policy in attribute-based encryption and authorizes users with dynamic locations satisfying access policies.

  • Scaling & fuzzing: Personal image privacy from automated attacks in mobile cloud computing. Journal of Information Security and Applications (2021)

    Citation excerpt: For instance, a recent model [1] of data streaming has shown that the offloading model allows for more storage and energy efficient operation of smart phones. However, achieving user data privacy [2–5] is a major roadblock for the adoption of mobile cloud computing for general purpose applications. A user's personal images [6,7] reveal many details about his/her personal interests, which may be sought after by advertising agencies, and/or sensitive personal information that can be abused by attackers.

  • Context-Aware Attribute Based Access Control for Cloud-based SCADA Systems. IIoT-NETs 2023 - Proceedings of the 2023 Enhanced Network Techniques and Technologies for the Industrial IoT to Cloud Continuum (2023)

  • A Proposal for Dynamic and Secure Authentication in IoT Architectures Based on SDN. Journal of Telecommunications and the Digital Economy (2022)


Yaser Baseri received his B.S. degree from Shahid Beheshti University, Tehran, Iran, in 2005 and his MS degree in Computer Science from Sharif University of Technology, Tehran, Iran, in 2007. He was also a research assistant at the Institute of Electronics Research, Sharif University of Technology, Tehran, Iran. Currently, he is pursuing the Ph.D. degree in Computer Science at the Network Research Lab (NRL), Department of Computer Science and Operations Research, Universite de Montreal, Montreal, QC, Canada. He is also a Research Fellow at CIRRELT. His research interests include cloud computing, cryptography and network security.

Abdelhakim Hafid was a Senior Research Scientist at Telcordia Technologies, NJ, USA, for several years, focused on major research projects on the management of next generation networks. He was also a Visiting Professor at the University of Evry, France, an Assistant Professor at Western University, Canada, a Research Director at the Advance Communication Engineering Center (a venture established by WU, Bell Canada, and Bay Networks), Canada, a Researcher at CRIM, Canada, and a Visiting Scientist at GMD-Fokus, Berlin, Germany. He is a Full Professor at the University of Montreal, where he founded the Network Research Laboratory in 2005. He is also a Research Fellow at CIRRELT. He has extensive academic and industrial research experience in the management and design of next generation networks.

Soumaya Cherkaoui is a Full Professor in the Electrical and Computer Engineering Dept. at Universite Sherbrooke, Canada, where she is the Director of INTERLAB. In the past, she worked for several years in industry leading major projects targeted at the aerospace industry. She has held invited visiting positions at several universities and research centers, including U. Toronto, Monash University, Bell Laboratories, UC Berkeley, and U. Montreal. She has over 200 publications in reputable journals and conferences, has served as General Chair and TPC chair of numerous conferences and workshops, and as Associate or Guest Editor of several reputable journals.