Enforcing RBAC Policies over Data Stored on Untrusted Server (Extended Version)



Department of Computer Engineering, Sharif University of Technology, Tehran, Iran


One of the security issues in data outsourcing is the enforcement of the data owner’s access control policies, which raises several challenges. The first is preserving the confidentiality of data and policies. One existing solution is to encrypt data before outsourcing, which brings new challenges: the number of keys required to access authorized resources, efficient policy updating, write access control enforcement, and the overhead of accessing and processing data at the user/owner side. Most existing solutions address only some of these challenges while imposing high overhead on both the owner and the users. Although policy management in the Role-Based Access Control (RBAC) model is easier and more efficient owing to the role hierarchy and role inheritance, most existing solutions only enforce policies expressed as an access control matrix. In this paper, we propose an approach to enforce RBAC policies on encrypted data outsourced to a service provider. We use the Chinese Remainder Theorem for key management and role/permission assignment. The advantages of the proposed solution include efficient user revocation, efficient updating of the role hierarchy, availability of authorized resources to users of new roles, and enforcement of write access control policies as well as static separation of duties.

