01whole.pdf (3.11 MB)
Download file

Cryptographic role-based access control for secure data storage in cloud systems

Download (3.11 MB)
thesis
posted on 28.03.2022, 20:36 by Lan Zhou
With the rapid increase in the amount of digital information that needs to be stored, there has been a growing trend in recent times to store data in the cloud because ofthe benefits it provides such as on-demand access and scalability. Cloud data storage raises the important security issue of how to control and prevent unauthorised access to data stored in the cloud. Access control is required to specify who can create the access policies as well as to determine the access mechanisms needed to control access to the stored data. One well-known access control model is the role-based access control (RBAC) model, which provides flexible controls and security management by having two mappings, users to roles and roles to privileges on data objects. We propose role-based encryption (RBE) schemes, which integrate cryptographic techniques with RBAC models, to enforce RBAC policies for data stored in the cloud. Using RBE schemes, the owners of data can encrypt it in such a way that only users with appropriate roles as specified by the access policy can decrypt and view the content of the data. We then describe the design of a secure RBE-based hybrid cloud storage architecture as well as a practical implementation of the proposed RBE-based architecture and its performance results. In large-scale RBAC systems, decentralising the administration tasks is an important issue as it is usually impractical to centralise the task of managing these users and permissions, and their relationships with roles. We propose a cryptographic administrative model AdC-RBAC to manage and enforce role-based access policies for the RBE schemes in large-scale cloud systems. The AdC-RBAC model uses cryptographic techniques to ensure that administrative tasks such as user, permission, and role management are performed only by authorised administrative roles. We have also demonstrated the suitability of the proposed RBE schemes and the developed architecture in two practical applications, one involving secure data storage in the cloud for a banking organisation and the other concerned with secure storage of patient-centric health records in the cloud. The issue of trust is critical in cloud storage systems and it is necessary to address explicitly trust issues in the enforcement of access policies in cloud data storage as often implicit assumptions are made that the various system entities behave properly. We have developed trust models that can help to reason about the behaviour of users, data owners and role managers, taking into account role hierarchy and permission inheritance. We then describe the design of trust-enhanced secure cloud data storage systems integrating trust models and RBE schemes, which reduce risk and improve the quality of cloud storage services.

History

Table of Contents

1. Introduction -- 2. Background -- 3. Generic role-based encryption frameworks -- 4. A concrete role-based encryption construction -- 5. A secure cloud storage system based on role-based encryption -- 6. Administrative model for role-based encryption -- 7. Applications of role-based encryption -- 8. Owner's trust model for role-based encryption -- 9. User's trust model for role-based encryption -- 10. Conclusions and future work.

Notes

A thesis submitted to Macquarie University for the degree of Doctor of Philosophy, Department of Computing" "July 2014" Bibliography: pages 243-260 "Typeset in LaTeX2e

Awarding Institution

Macquarie University

Degree Type

Thesis PhD

Degree

PhD, Macquarie University, Faculty of Science and Engineering, Department of Computing

Department, Centre or School

Department of Computing

Year of Award

2014

Principal Supervisor

Vijay Varadharajan

Additional Supervisor 1

Michael Hitchens

Rights

Copyright Lan Zhou 2014. Copyright disclaimer: http://mq.edu.au/library/copyright

Language

English

Extent

1 online resource (xx, 260 pages) illustrations

Former Identifiers

mq:54437 http://hdl.handle.net/1959.14/1142415