TY - JOUR
T1 - Crypt-DAC: Cryptographically Enforced Dynamic Access Control in the Cloud
AU - Qi, Saiyu
AU - Zheng, Yuanqing
N1 - Funding Information:
We acknowledge the support from National Natural Science Foundation of China (No 61602363, No. 61702437, No 61572382), China Postdoctoral Science Foundation (No 2016M590927), Hong Kong ECS under Grant PolyU 252053/15E, Key Project of Natural Science Basic Research Plan in Shaanxi Province of China (No. 2016JZ021), The State Key Laboratory of Cryptology, PO Box 5159, Beijing 100878, China, Doctoral Fund of Ministry of Education of China (No. 20130203110004), China 111 Project (No. B16037), and the Fundamental Research Funds for the Central Universities (No XJS16001, No JB161509).
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2021/3/1
Y1 - 2021/3/1
N2 - Enabling cryptographically enforced access controls for data hosted in untrusted cloud is attractive for many users and organizations. However, designing efficient cryptographically enforced dynamic access control system in the cloud is still challenging. In this paper, we propose Crypt-DAC, a system that provides practical cryptographic enforcement of dynamic access control. Crypt-DAC revokes access permissions by delegating the cloud to update encrypted data. In Crypt-DAC, a file is encrypted by a symmetric key list which records a file key and a sequence of revocation keys. In each revocation, a dedicated administrator uploads a new revocation key to the cloud and requests it to encrypt the file with a new layer of encryption and update the encrypted key list accordingly. Crypt-DAC proposes three key techniques to constrain the size of key list and encryption layers. As a result, Crypt-DAC enforces dynamic access control that provides efficiency, as it does not require expensive decryption/re-encryption and uploading/re-uploading of large data at the administrator side, and security, as it immediately revokes access permissions. We use formalization framework and system implementation to demonstrate the security and efficiency of our construction.
AB - Enabling cryptographically enforced access controls for data hosted in untrusted cloud is attractive for many users and organizations. However, designing efficient cryptographically enforced dynamic access control system in the cloud is still challenging. In this paper, we propose Crypt-DAC, a system that provides practical cryptographic enforcement of dynamic access control. Crypt-DAC revokes access permissions by delegating the cloud to update encrypted data. In Crypt-DAC, a file is encrypted by a symmetric key list which records a file key and a sequence of revocation keys. In each revocation, a dedicated administrator uploads a new revocation key to the cloud and requests it to encrypt the file with a new layer of encryption and update the encrypted key list accordingly. Crypt-DAC proposes three key techniques to constrain the size of key list and encryption layers. As a result, Crypt-DAC enforces dynamic access control that provides efficiency, as it does not require expensive decryption/re-encryption and uploading/re-uploading of large data at the administrator side, and security, as it immediately revokes access permissions. We use formalization framework and system implementation to demonstrate the security and efficiency of our construction.
KW - Access control
KW - cloud
KW - revocation
UR - http://www.scopus.com/inward/record.url?scp=85102718242&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2908164
DO - 10.1109/TDSC.2019.2908164
M3 - Journal article
AN - SCOPUS:85102718242
SN - 1545-5971
VL - 18
SP - 765
EP - 779
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 2
M1 - 8676350
ER -