Encryption policies for regulating access to outsourced data

Published: 03 May 2010

Abstract

Current access control models typically assume that resources are under the strict custody of a trusted party which monitors each access request to verify if it is compliant with the specified access control policy. There are many scenarios where this approach is becoming no longer adequate. Many clear trends in Web technology are creating a need for owners of sensitive information to manage access to it by legitimate users using the services of honest but curious third parties, that is, parties trusted with providing the required service but not authorized to read the actual data content. In this scenario, the data owner encrypts the data before outsourcing and stores them at the server. Only the data owner and users with knowledge of the key will be able to decrypt the data. Possible access authorizations are to be enforced by the owner. In this article, we address the problem of enforcing selective access on outsourced data without need of involving the owner in the access control process. The solution puts forward a novel approach that combines cryptography with authorizations, thus enforcing access control via selective encryption. The article presents a formal model for access control management and illustrates how an authorization policy can be translated into an equivalent encryption policy while minimizing the amount of keys and cryptographic tokens to be managed. The article also introduces a two-layer encryption approach that allows the data owner to outsource, besides the data, the complete management of the authorization policy itself, thus providing efficiency and scalability in dealing with policy updates. We also discuss experimental results showing that our approach is able to efficiently manage complex scenarios.

Supplementary Material

Vimercati Appendix (a12-vimercati-apndx.pdf)
Online appendix to encryption policies for regulating access to outsourced data on article 12.

Published In

ACM Transactions on Database Systems, Volume 35, Issue 2
April 2010
336 pages
ISSN:0362-5915
EISSN:1557-4644
DOI:10.1145/1735886
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 May 2010
Accepted: 01 November 2009
Revised: 01 September 2009
Received: 01 November 2008
Published in TODS Volume 35, Issue 2

Author Tags

  1. Data outsourcing
  2. encryption policy
  3. privacy

Qualifiers

  • Research-article
  • Research
  • Refereed
