LNCS 10066
9th International Conference, SpaCCS 2016
Zhangjiajie, China, November 16–18, 2016
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Jose M Alcaraz Calero • Sabu M Thampi (Eds.)
Security, Privacy, and Anonymity in Computation, Communication, and Storage
9th International Conference, SpaCCS 2016
Proceedings
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-49147-9 ISBN 978-3-319-49148-6 (eBook)
DOI 10.1007/978-3-319-49148-6
Library of Congress Control Number: 2016957376
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer International Publishing AG 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
The 9th International Conference on Security, Privacy, and Anonymity in Computation, Communication and Storage (SpaCCS 2016) was held in Zhangjiajie, China, during November 16–18, 2016, and was jointly organized by Central South University, Guangzhou University, and Jishou University.

The SpaCCS conference series provides a forum for world-class researchers to gather and share their research achievements, emerging ideas, and trends in information security fields. Previous SpaCCS conferences were held in Helsinki, Finland (2015), Beijing, China (2014), Melbourne, Australia (2013), Liverpool, UK (2012), and Changsha, China (2011).

This year the conference received 110 submissions. All submissions received at least three reviews during a high-quality review process. According to the review results, 40 papers were selected for oral presentation at the conference and inclusion in this Springer volume, giving an acceptance rate of 36.4 %. Besides the regular paper presentations, the program included three interesting and insightful keynotes by Prof Yang Xiao, the University of Alabama, USA, Prof Indrakshi Ray, Colorado State University, USA, and Dr Shui Yu, Deakin University, Australia. We are very grateful to the keynote speakers.

SpaCCS 2016 was made possible by the joint effort of numerous people and organizations worldwide. There is a long list of people who volunteered their time and energy to put together the conference and who deserve special thanks. First and foremost, we would like to offer our gratitude to Prof Guojun Wang from Guangzhou University, China, and Prof Gregorio Martinez from University of Murcia, Spain, the Steering Committee chairs, for guiding the whole process of the conference. We are also deeply grateful to all the Program Committee members for their great effort in reading, commenting, debating, and finally selecting the papers. We also wish to thank all the external reviewers for assisting the Program Committee in their particular areas of expertise.

We would like to offer our gratitude to the general chairs, Jianbin Li, Prof Felix Gomez Marmol, and Prof Juan E Tapiador, for their great support and good suggestions contributing to the success of the conference. Thanks also go to the workshop chairs, Dr Raymond Choo, Dr Mianxiong Dong, and Dr Jin Li; publicity chairs, Prof Carlos Becker Westphall, Dr Scott Fowler, and Dr Xiaofei Xing; publication chair, Shuhong Chen; organization chairs, Prof Fang Qi, Dr Xiaofei Xing and Prof Qingping Zhou; registration chair, Ms Pin Liu; conference secretariat, Dr Sancheng Peng; and Webmaster, Mr Binji Mo.

We would like to thank all the authors, participants, and session chairs for their valuable efforts, many of whom travelled long distances to attend this conference and make their valuable contributions.

Jose M Alcaraz Calero
Sabu M Thampi
General Chairs
Felix Gomez Marmol NEC Laboratories Europe, Germany
Juan E Tapiador The University Carlos III of Madrid, Spain
Program Chairs
Indrakshi Ray Colorado State University, USA
Jose M Alcaraz Calero University of the West of Scotland, UK
Sabu M Thampi Indian Institute of Information Technology and Management, India
Program Vice Chairs
Security Track
Javier Lopez University of Malaga, Spain
Privacy Track
Anonymity Track
Mario Freire The University of Beira Interior, Portugal
Md Zakirul Alam Bhuiyan Temple University, USA
Program Committee
Afrand Agah West Chester University of Pennsylvania, USA
Habtamu Abie Norwegian Computing Center/Norsk Regnesentral, Norway
Hamid Ali Abed Al-asadi Basra University, Iraq
Ricardo Marco Alaez University of the West of Scotland, UK
Bruhadeshwar Bezawada International Institute of Information Technology, India
Cataldo Basile Politecnico di Torino, Italy
Simona Bernardi Centro Universitario de la Defensa, Spain
Jorge Bernal Bernabe University of Murcia, Spain
Saad Bani-Mohammad Dean of IT College, Al al-Bayt University, Jordan
Salima Benbernou Université Paris Descartes, France
Miguel Pupo Correia University of Lisbon, Portugal
Alfredo Cuzzocrea University of Trieste and ICAR-CNR, Italy
Aniello Castiglione University of Salerno, Italy
Anupam Chattopadhyay Nanyang Technological University, Singapore
Christian Callegari The University of Pisa, Italy
Lien-Wu Chen Feng Chia University, Taiwan
Mauro Conti University of Padua, Italy
Naveen Chilamkurti La Trobe University, Australia
Sudip Chakraborty Valdosta State University, USA
Josep Domingo-Ferrer Universitat Rovira i Virgili, Catalonia
Sabrina De Capitani di Vimercati Università degli Studi di Milano, Italy
Oscar Esparza Universitat Politècnica de Catalunya, Spain
Dieter Gollmann Hamburg University of Technology, Germany
Dimitris Geneiatakis Aristotle University of Thessaloniki, Greece
Saurabh Kumar Garg University of Tasmania, Australia
Ching-Hsien Hsu Chung Hua University, Taiwan
Mohammad Mehedi Hassans King Saud University, KSA
Ragib Hasan University of Alabama, Birmingham, UK
Xiaojun Hei School of Electronic Information and Communications, Huazhong University of Science and Technology, China
Xinyi Huang Fujian Normal University, China
Pedro Inácio University of Beira Interior, Portugal
Murtuza Jadliwala Wichita State University, USA
Young-Sik Jeong Dongguk University, Korea
Vana Kalogeraki Athens University of Economics, Greece
Giovanni Livraga Università degli Studi di Milano, Italy
Haitao Lang University of Physics & Electronics, China
Jose Andre Morales Carnegie Mellon University-CERT, USA
Aleksandra Mileva University Goce Delcev, Republic of Macedonia
Juan Pedro Munoz-Gea Universidad Politécnica de Cartagena, Spain
Mirco Marchetti University of Modena and Reggio Emilia, Italy
Renita Murimi Oklahoma Baptist University, USA
Sheikh M Habib TU Darmstadt Germany, Germany
Subhomoy Maitra ISI Calcutta, India
David Naccache École normale supérieure, France
Rolf Oppliger eSECURITY Technologies, Switzerland
Al-Sakib Khan Pathan UAP and SEU, Bangladesh/Islamic University in Madinah, KSA
Carlos Perez-Conde Universidad de Valencia, Spain
Günther Pernul University of Regensburg, Germany
Risat Mahmud Pathan Chalmers University of Technology, Sweden
Roberto Di Pietro Nokia Bell Labs, France
Sancheng Peng Guangdong University of Foreign Studies, China
Miguel Pardal University of Lisbon, Portugal
Vincenzo Piuri Università degli Studi di Milano, Italy
Zeeshan Pervez University of the West of Scotland, UK
Bimal Roy Indian Statistical Institute, India
Imed Romdhani Edinburgh Napier University, UK
Indrajit Ray Colorado State University, USA
Md Abdur Razzaque University of Dhaka, Bangladesh
Mubashir Husain Rehmani COMSATS Institute of Information Technology, Pakistan
Altair Santin Pontifical Catholic University of Parana, Brazil
Chang-ai Sun University of Science and Technology Beijing, China
Chao Song University of Electronic Science and Technology of China, China
Chunhua Su School of Information Science, Japan
Dimitris E Simos SBA Research, Austria
Hossain Shahriar Kennesaw State University, USA
Hung-Min Sun National Tsing Hua University, Taiwan
Junggab Son North Carolina Central University, USA
Ramakrishna Thurimella University of Denver, USA
Traian Marius Truta Northern Kentucky University, USA
Eugene Y Vasserman Kansas State University, USA
Luis Javier Garcia Villalba The Complutense University, Spain
Mingzhong Wang University of the Sunshine Coast, Australia
Yongdong Wu Institute for Infocomm Research, Singapore
Yunsheng Wang Kettering University, USA
Xiaolong Xu Nanjing University of Posts and Telecommunications, China
Chau Yuen Singapore University of Technology and Design, Singapore
Ilsun You Soonchunhyang University, Republic of Korea
Muneer Masadeh Bani Yassein Jordan University of Science and Technology, Jordan
Shucheng Yu University of Arkansas at Little Rock, USA
Xuanxia Yao University of Science and Technology Beijing, China
David Zheng Frostburg State University, USA
Mingwu Zhang Hubei University of Technology, China
Qingchen Zhang St Francis Xavier University, Canada
Sherali Zeadally University of Kentucky, USA
Youwen Zhu Nanjing University of Aeronautics and Astronautics, China
Yun-Wei Zhao Tilburg University, The Netherlands
Steering Committee Chairs
Gregorio Martinez University of Murcia, Spain
Steering Committee
Jemal H Abawajy Deakin University, Australia
Jose M Alcaraz Calero University of the West of Scotland, UK
Jiannong Cao Hong Kong Polytechnic University, Hong Kong, SAR China
Weijia Jia Shanghai Jiao Tong University, China
Georgios Kambourakis University of the Aegean, Greece
Constantinos Kolias George Mason University, USA
Felix Gomez Marmol NEC Laboratories Europe, Germany
Peter Mueller IBM Zurich Research Laboratory, Switzerland
Indrakshi Ray Colorado State University, USA
Kouichi Sakurai Kyushu University, Japan
Juan E Tapiador The University Carlos III of Madrid, Spain
Sabu M Thampi Indian Institute of Information Technology and Management, India
Laurence T Yang St Francis Xavier University, Canada
Wanlei Zhou Deakin University, Australia
Publicity Chairs
Carlos Becker Westphall Federal University of Santa Catarina, Brazil
Scott Fowler Linkoping University, Sweden
Publication Chair
Shuhong Chen Hunan Institute of Engineering, China
Registration Chair
Local Chairs
Qingping Zhou Jishou University, China
Contents
A Security Proxy Scheme Based on Attribute Node Mapping for Cloud Storage 14
Huakang Li, Zhenyu Wang, Yitao Yang, and Guozi Sun
Privacy Preserving Scheme for Location and Content Protection in Location-Based Services 26
Tao Peng, Qin Liu, Guojun Wang, and Yang Xiang
An Improved Asymmetric Searchable Encryption Scheme 39
Qi Wu
Recommendation Systems in Real Applications: Algorithm and Parallel Architecture 45
Mengxian Li, Wenjun Jiang, and Kenli Li
Big Data Security Analytic for Smart Grid with Fog Nodes 59
Wenlin Han and Yang Xiao
A Reduction Method of Analyzing Data-Liveness and Data-Boundedness for a Class of E-commerce Business Process Nets 70
Wangyang Yu, Guanjun Liu, and Leifeng He
Computation of Secure Consistency for Real Systems 84
Mimi Wang, Guanjun Liu, Changjun Jiang, and Chungang Yan
Study on Personalized Location Privacy Protection Algorithms for Continuous Queries in LBS 98
Jiayi Gan, Hongyun Xu, Mengzhen Xu, Kai Tian, Yaohui Zheng, and Yong Zhang
A Novel Signature Generation Approach in Noisy Environments for Detecting Polymorphic Worm 109
Jie Wang and Jie Wu
A User Authentication Scheme Based on Trusted Platform for Cloud Computing 122
Jiaqing Mo, Zhongwang Hu, and Yuhua Lin
ROP-Hunt: Detecting Return-Oriented Programming Attacks in Applications 131
Lu Si, Jie Yu, Lei Luo, Jun Ma, Qingbo Wu, and Shasha Li
On the Security of a Threshold Anonymous Authentication Protocol for VANETs 145
Jianhong Zhang, Zhibin Sun, Shuai Liu, and Pengyan Liu
The Encryption Scheme with Data Compression Based on QC-LDPC 156
Yiliang Han
Location Privacy Preserving Scheme Based on Attribute Encryption 164
Xi Lin, Yiliang Han, Yan Ke, and Xiaoyuan Yang
Attribute-Based Traceable Anonymous Proxy Signature Strategy for Mobile Healthcare 178
Dacheng Meng, Wenbo Wang, Entao Luo, and Guojun Wang
A Privacy Preserving Friend Discovery Strategy Using Proxy Re-encryption in Mobile Social Networks 190
Entao Luo, Wenbo Wang, Dacheng Meng, and Guojun Wang
Defect Analysis and Risk Assessment of Mainstream File Access Control Policies 204
Li Luo, Hongjun He, and Jiao Zhu
A Comprehensive Survey of Privacy-Preserving in Smart Grid 213
Guanlin Si, Zhitao Guan, Jing Li, Peng Liu, and Hong Yao
Ghost Train for Anonymous Communication 224
Przemysław Błaśkiewicz, Mirosław Kutyłowski, Jakub Lemiesz, and Małgorzata Sulkowska
Efficient Detection Method for Data Integrity Attacks in Smart Grid 240
Peixiu An and Zhitao Guan
Fully Secure Unbounded Revocable Key-Policy Attribute-Based Encryption Scheme 251
Changji Wang, Jian Fang, and Jianguo Xie
A Privacy-Preserving Hybrid Cooperative Searching Scheme over Outsourced Cloud Data 265
Qiang Zhang, Qin Liu, and Guojun Wang
Modeling and Propagation Analysis on Social Influence Using Social Big Data 279
Sancheng Peng, Shengyi Jiang, and Pengfei Yin
Building Root of Trust for Report with Virtual AIK and Virtual PCR Usage for Cloud 333
Qiang Huang, Dehua Zhang, Le Chang, and Jinhua Zhao
On the Impact of Location Errors on Localization Attacks in Location-Based Social Network Services 343
Hanni Cheng, Shiling Mao, Minhui Xue, and Xiaojun Hei
Service-Oriented Workflow Executability from a Security Perspective 358
Sardar Hussain, Richard O Sinnott, and Ron Poet
Distributed Multi-authority Attribute-Based Encryption for Secure Friend Discovery and Data Sharing in Mobile Social Networks 374
Fang Qi, Wenbo Wang, and Zhe Tang
Modeling Attack Process of Advanced Persistent Threat 383
Weina Niu, Xiaosong Zhan, Kenli Li, Guowu Yang, and Ruidong Chen
A New Image Encryption Scheme Using a Hyperchaotic System 392
Chong Fu, Ming Tie, Jian-lin Wang, Shao-ting Chen, and Hui-yan Jiang
Architectural Patterns for Security-Oriented Workflows in Collaborative Environments 406
Sardar Hussain, Richard O Sinnott, and Ron Poet
Modeling and Vulnerable Points Analysis for E-commerce Transaction System with a Known Attack 422
Mimi Wang, Guanjun Liu, Chungang Yan, and Changjun Jiang
Authentication and Transaction Verification Using QR Codes with a Mobile Device 437
Yang-Wai Chow, Willy Susilo, Guomin Yang, Man Ho Au, and Cong Wang
Secure and Efficient Mobile Payment Using QR Code in an Environment with Dishonest Authority 452
Xiaoling Zhu, Zhengfeng Hou, Donghui Hu, and Jing Zhang
User Preference-Based Spamming Detection with Coupled Behavioral Analysis 466
Frank Jiang, Mingdong Tang, and Quang Anh Tran
Analysis of SIFT Method Based on Swarm Intelligent Algorithms for Copy-Move Forgery Detection 478
Fei Zhao, Wenchang Shi, Bo Qin, and Bin Liang
Encryption Scheme Based on Hyperelliptic Curve Cryptography 491
Asha Liza John and Sabu M Thampi
Author Index 507
Abstract. RFID tags only have limited computing and memory resources. This makes it difficult to solve their security and privacy problems. Authentication is considered an effective approach to protect the security and privacy of RFID systems. Based on a Hash function and the randomization of the tag's identifier, a lightweight authentication protocol is proposed. The protocol uses a Hash function to ensure the anonymity and confidentiality of the RFID system. It uses a randomization function to randomize the tag's identifier, which makes it harder to reveal the secrets of the RFID system. A time stamp and a pseudorandom number generator are combined to prevent replay attacks. It also completes the strong authentication of the backend server to the tag by authenticating twice. The analysis shows that this protocol provides forward security and that it can prevent eavesdropping, tracing, replay and de-synchronization attacks. The protocol only uses a Hash function and a pseudorandom number generator. It is very suitable for low-cost RFID systems.

Keywords: RFID · Authentication protocol · Hash function · Security · Privacy
1 Introduction
With the development and application of the Internet of Things, Radio Frequency Identification (RFID) technology has received wide attention from various fields. RFID is a pervasive technology deployed to identify and trace objects automatically. It uses radio waves to communicate, without line of sight or physical contact. It is considered a supplementary or replacement technology for traditional barcodes. Today, RFID systems have been successfully applied to manufacturing, supply chain, agriculture, transportation, health, e-payment, food safety tracing, and other fields [1]. But the tags of RFID systems only have limited computing and memory resources, and they communicate over an open wireless channel. It is easy for an adversary to eavesdrop on the session information of an RFID system. Attackers can attack an RFID system by tracing, forging, spoofing, impersonating, tampering and de-synchronizing. So the privacy and security of RFID systems has become one of the main factors hindering their wide application. Although some physical methods have been proposed to solve the security and privacy problems of RFID systems, the research results show that software encryption and authentication techniques are the most flexible and effective method. The popular tags are low-cost passive tags. They have very limited
© Springer International Publishing AG 2016
G Wang et al (Eds.): SpaCCS 2016, LNCS 10066, pp 1–13, 2016.
DOI: 10.1007/978-3-319-49148-6_1
computing and memory resources. They may be limited to hundreds of bits of storage, roughly between 5000 and 10000 logic gates. Within these logic gates, only 250 to 3000 gates can be devoted to security purposes [2]. It is very difficult to implement public key cryptography, or even symmetric encryption algorithms, on low-cost passive RFID tags. So some lightweight cryptographic authentication protocols were proposed to satisfy the special requirements of RFID systems. But they usually use complicated encryption algorithms and they are not suitable for low-cost RFID tags. Some protocols use a Hash function to complete the authentication for RFID systems, but they have flaws, so that they cannot entirely solve the security and privacy of RFID systems [3, 4]. So it is very necessary to design simple and feasible lightweight authentication protocols for RFID systems, especially for low-cost RFID systems.
The contribution of this paper is that we use a Hash function and a pseudorandom number generator to construct a novel lightweight authentication protocol for low-cost RFID systems. In addition, we propose another special function, which is called the randomizing selecting bit function. This function randomly selects some bits of the tag's identifier to generate each session between tag and reader. Hence, each session only includes partial information about the tag's identifier, which makes it harder to reveal the secrets of RFID systems. The protocol provides forward security. It also completes the strong authentication of the backend server to the tag by authenticating twice. It can prevent the leakage of the secret information and it implements anonymous and confidential communication between tag and backend server/reader.

The paper is organized as follows. In Sect. 2, an RFID system's components and its security and privacy are introduced briefly. In Sect. 3, some typical Hash-based lightweight authentication protocols are analyzed and their flaws are pointed out. In Sect. 4, a Hash function, a pseudorandom number generator and a randomizing selecting bit function are combined to construct a mutual authentication protocol for low-cost RFID systems. In Sect. 5, the proposed protocol is analyzed and its security and privacy are proved. The security performance of the protocol is compared with other similar authentication protocols. In Sect. 6, conclusions are given and the advantages of the proposed protocol are pointed out.
2 The RFID System, Its Security and Privacy
An RFID system consists of three components: Radio Frequency (RF) tag, RF reader and backend server, as shown in Fig. 1. A tag is a silicon chip with an antenna and a small storage. There are two types of tags: active tags and passive tags. Active tags include batteries. Passive tags do not have any battery; they are activated by the RF signal from the reader, so they only have limited electric energy and transmit signals over a shorter distance. This kind of tag is very cheap and they are usually called low-cost tags.
A reader is a device capable of sending and receiving data in the form of radio frequency signals. This device communicates with the tag and reads its identifier. It has enough electric power to transmit signals over a longer distance. So the communication channels
[Fig. 1 not reproduced; surviving labels from the image: backend, backward channel]
Fig. 1. The components of an RFID system
A backend server is used to store the detailed information about the tagged objects, and it cooperates with the reader to authenticate the tag. It searches the information about the tagged objects according to the tag's identifier and sends the information to the reader.
As an important component of the low-cost RFID system, the tag usually has very limited computing and memory resources and it uses the open wireless channel to communicate. It is difficult for a tag to implement complicated cryptographic algorithms. So the channel between tag and reader is insecure. Most security problems of RFID systems result from the insecure wireless channel. But the backend server and the reader have abundant computing and storage resources. They can implement conventional cryptographic protocols. So the channel between backend server and reader is secure. They can be thought of as one part of the RFID system, which is called the backend server/reader.
As a typical resource-constrained system, the low-cost RFID system is very vulnerable to security threats. An adversary can eavesdrop, intercept, tamper with, block and replay each session between tag and backend server/reader. It can impersonate a legitimate tag to cheat the backend server/reader. It can start a de-synchronization attack by intercepting and blocking the sessions between tag and backend server/reader. So a secure RFID system must resist eavesdropping, tracing, replay and de-synchronization attacks. Moreover, it must satisfy forward security and anonymity.
3 Some Typical RFID Authentication Protocols
Cryptographic authentication protocols are considered an important approach to ensure the privacy and security of RFID systems. They are divided into three categories: general authentication protocols, lightweight authentication protocols and ultra-lightweight authentication protocols. General authentication protocols are suitable for situations with abundant computing and memory resources. They can use symmetric encryption algorithms, even public key cryptography. Lightweight authentication protocols use Hash functions, CRC functions, pseudorandom number generating functions and bitwise operations. Ultra-lightweight authentication protocols only use pseudorandom number generating functions and bitwise operations. The research results show that the encryption strength of ultra-lightweight authentication protocols is very limited and they cannot protect the security and privacy of RFID systems. General authentication protocols need abundant computing and storage resources and they are not suitable for the low-cost RFID system. Therefore lightweight authentication protocols become the unique approach to solve the security and privacy of the low-cost RFID system.
Many research works have been done on RFID lightweight authentication in recent years. Some authentication protocols use the one-way property of Hash functions to solve the security and privacy problems of RFID systems. But most of them have serious security problems or they are not suitable for the low-cost RFID system. These typical Hash-based authentication protocols are the Hash-Lock protocol, the Randomized Hash-Lock protocol, the Hash-chain protocol, and so on.
Based on the difficulty of inverting a one-way Hash function, S.A Weis et al. [5] first proposed the Hash-Lock protocol, which attempts to provide mutual authentication between tag and reader. The protocol uses a pseudonym of the tag, MetaID, in place of the actual tag ID to ensure its privacy. During the authentication process the plaintext of the tag's ID is transferred between tag and reader, and MetaID is fixed. So an adversary easily compromises mutual authentication by simply eavesdropping and replaying the exchanged sessions between tag and reader. Moreover, an adversary easily traces the tag's holder by the fixed MetaID.
In order to overcome the flaws of the Hash-Lock protocol, S.A Weis and S.E Sarma et al. proposed the randomized Hash-Lock protocol [5]. This protocol uses a pseudorandom number generator (PRNG) to randomize the transferred sessions between tag and reader. Tags respond to the reader's queries by generating a random number r, hashing their ID, concatenating the result with r, and sending them to the reader. A legitimate reader identifies one of its tags by performing a brute-force search of its known IDs. Then the reader sends the identified tag's ID to the tag in plaintext. It is easy for an adversary to eavesdrop and obtain the identity information of the tag. Hence, it is vulnerable to spoofing and replay attacks. Moreover, the tag's holder is easily traced and this protocol cannot satisfy forward security.
M Ohkubo et al. first proposed the Hash-chain protocol [6, 7]. The aim of their protocol is to provide better protection of the user's privacy by refreshing the identifier of the tag for each authentication. Different from the Hash-Lock protocol, the Hash-chain protocol uses two different Hash functions, H() and G(). This protocol only provides one-way authentication, namely, the reader authenticates the tag while the tag does not authenticate the reader. To achieve forward security, this protocol uses the Hash chain technique to renew the secret information stored in the tag. But this protocol does not use a random number generator and it is vulnerable to spoofing and replay attacks. Ohkubo et al.'s scheme has a complexity in terms of Hash computations of m × n, where m is the given maximum limit on the Hash chain length and n is the total number of tags. Thus, when the number of tags n or the chain length m is large, the computation becomes infeasible for the low-cost RFID system. Another similar scheme was provided by Sang-Soo Yeo et al. [8]. The scheme gave a conceptually simple but elegant solution to
MetaID, to replace the tag's ID like the Hash-Lock protocol. It provides mutual authentication and forward security. It can protect RFID systems from many attacks, such as tracing, cloning and denial of service. However, it is vulnerable to replay attack: the adversary can simply eavesdrop and reuse MetaID to be authenticated successfully.
Later, Su Mi Lee et al. used the challenge-response mechanism and proposed a low-cost RFID authentication protocol (LCAP) [10]. The aim of their effort is to solve the de-synchronization problem by maintaining a previous identifier in the backend server. This protocol provides mutual authentication and guarantees the location privacy of the tag's holder. It also provides untraceability by changing the tag's identification dynamically. Nevertheless, it does not provide forward security, namely, an adversary can infer previous sessions of the tags after it reveals the present secret information of the tags. Jung-Sik Cho et al. [11, 12] proposed a new Hash-based authentication protocol to solve the security and privacy problems of the RFID system. However, Hyunsung Kim [13] demonstrated that this protocol is vulnerable to DoS attack. He pointed out that Jung-Sik Cho et al.'s protocol is vulnerable to traffic analysis and tag/reader impersonation attacks. More precisely, an adversary can impersonate a valid tag or reader with probability 1/4. Finally, an adversary can obtain some information about the secret values of the tag in the next session with probability 3/4. Therefore Hyunsung Kim proposed an improved protocol to offer protection against the attacks described above. But this enhanced version is as insecure as its predecessor. Walid I Khedr [14] pointed out that an adversary can perform a de-synchronization attack by intercepting and tampering with the transferred message. Further, Walid I Khedr showed that Jung-Sik Cho et al.'s protocol cannot ensure forward security. Masoumeh Safkhani and Pedro Peris-Lopez et al. [15] also constructed three different attacks to demonstrate that Jung-Sik Cho et al.'s protocol is vulnerable to de-synchronization attack and tag/reader impersonation attacks. Masoumeh Safkhani and Pedro Peris-Lopez et al. showed that the de-synchronization attack succeeds with probability 1 and the complexity of the attack is only one run of the protocol.
J.H Ha and S.J Moon et al. [16] proposed an RFID security protocol using Hash-based functions and proved that their protocol can provide forward privacy. However, Da-Zhi Sun and Ji-Dong Zhong [17] pointed out that an attacker can track a target tag by observing previous unsuccessful sessions of the tag. Da-Zhi Sun et al. showed that J.H Ha et al.'s protocol fails to provide forward privacy as claimed and then they proposed other Hash-based authentication functions to overcome the weaknesses of J.H Ha et al.'s protocol. But all these protocols use two different Hash functions and they are not suitable for the low-cost RFID system.
Liu Yang, Peng Yu et al. proposed an RFID secure authenticated protocol based on a Hash function [18]. Their protocol ensures the privacy of the tag's secret information and realizes three-party mutual authentication among tag, reader and backend server. But, for each authentication process of the protocol, the tag and the reader each call the Hash function more than five times. So their proposed protocol is so complicated that it is not suitable for the low-cost RFID system.
From the analysis above, it can be concluded that recently proposed RFID authentication protocols with Hash functions have failed to solve the security and privacy of low-cost RFID systems. In particular, many Hash-based authentication protocols cannot ensure forward security, or they use two different Hash functions, which hinders their application to the low-cost RFID system.
4 A Secure Hash-Based Authentication Protocol with Randomized Identifier for the Low-Cost RFID System
Some low-cost tags, such as those following the EPC Global Class1 Gen2 standard, can provide a Hash function, a pseudorandom number generator and simple bitwise operations [19, 20]. Now, we use these on-chip functions and bitwise operations to complete the mutual authentication between tag and backend server/reader. Moreover, we construct a function to randomly select part of the tag's identifier so that each session only includes part of the secret of a tag.
Suppose ID is the identifier of a tag and it uniquely identifies the tag. pID is the pseudonym of a tag and pID = PRNG(ID), where PRNG() is a pseudorandom number generator. The length of ID and pID is L bits and L ∈ {64, 96, 128}. ID and pID are stored in the tag. curID, curpID, oldID and oldpID are other parameters, which are stored in the backend server. curID and curpID are the identifier and pseudonym of a tag used in the current authentication process. oldID and oldpID are the values of ID and pID used in the last successful authentication process. The purpose of storing oldID and oldpID is to resist the de-synchronization attack. At the beginning of the authentication, the initial values of curID and oldID are set to the identifier of the tag, namely curID = oldID = ID and curpID = oldpID = PRNG(ID). The tag and the backend server share the Hash function Hash(), the pseudorandom number generator PRNG() and a random bit-selecting function f(x, m, n). These three functions are defined as follows:
Hash(): {0, 1}^* → {0, 1}^L
PRNG(): {0, 1}^* → {0, 1}^L
f(x, m, n) = x_m x_{m+1} … x_n
where x is the tag’s identifier, x = x_0 x_1 … x_{L−1}, and m and n are two random numbers generated by the pseudorandom number generator with 0 ≤ m ≤ L − 1 and 0 ≤ n ≤ L − 1.
The function f(x, m, n) randomly selects a part of the tag’s identifier and uses it to generate each session between tag and backend server/reader. Hence, each session only includes one part of the tag’s identifier, and this increases the difficulty of revealing the tag’s secrecy. The one-way property of the Hash function Hash() is used to ensure the integrity
Fig 2. The authentication process of the proposed protocol
Table 1. The symbols used in the proposed authentication protocol
Notation | Description
ID, pID | The tag’s identifier and its pseudonym
curID and curpID | The tag’s identifier and its pseudonym used for the current authentication process
oldID and oldpID | The tag’s identifier and its pseudonym used for the prior successful authentication process
L | The length of the tag’s identifier
Hash() | A secure cryptographic Hash function
PRNG() | A pseudorandom number generator
f(x, m, n) | A random bit-selecting function whose value is the m-th to n-th bits of x
r, s | Two random numbers generated by backend server/reader and tag
t | The time stamp of the backend server
DATA_k | The information of tag k stored in the backend server
⊕ | Bitwise exclusive-OR operation
The authentication process of the protocol is described as follows:
Step 1: the backend server/reader to the tag
The backend server calls the pseudorandom number generator PRNG() to generate a pseudorandom number r. Then it combines its time stamp t with r by the exclusive-OR operation to construct the message r ⊕ t || challenge. It transfers this message to the tag through the reader. Hence, a new authentication process begins.
Step 2: the tag to the backend server/reader
The tag receives the message r ⊕ t and it calls PRNG() to generate another pseudorandom number s. Then it calls Hash(), PRNG() and f(x, m, n) to generate the messages
Step 3: the backend server/reader to the tag
After the backend server receives the message m1 || n2 || p, it searches its backend database to get each record about the tags, (curID, curpID, oldID, oldpID). Firstly, it uses curpID of the current record to compute p ⊕ PRNG(curpID ⊕ r ⊕ t) and thereby extract s
equal n2 for all records, the authentication of the tag fails and the protocol exits. If there exists one record which satisfies that m1′ equals m1 and n2′ equals n2, the first authentication of the backend server to the tag succeeds. Then the backend server sends the message m2′ to the tag through the reader. The backend server begins to update its secret keys as follows.
If (curID, curpID) was used for the above successful authentication, the backend server updates its secret keys as follows:
If (oldID, oldpID) was used for the above successful authentication, the backend server keeps its current oldID and oldpID. It only updates its partial secret keys as follows:
Step 4: the tag to the backend server/reader
After the tag receives the message m2′, it compares m2′ with m2. If they are not equal, the authentication of the backend server/reader fails and the protocol exits. Otherwise the authentication of the backend server/reader succeeds. Then the tag begins to update its secret keys as follows:
The tag sends n1 to the backend server through the reader.
Step 5: the backend server to the reader
The backend server receives the message n1 from the tag and compares n1 with n1′. If they are not equal, the authentication fails and the protocol exits. Otherwise the second authentication of the tag is completed successfully.
Then the backend server gets the detailed information about the tag, DATA_k, from its database and sends the information to the reader. After the reader receives DATA_k, it displays DATA_k on its screen.
The procedure described above completes the mutual authentication between backend server/reader and tag. Meanwhile, it also completes the strong authentication of the backend server to the tag by authenticating the tag twice.
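The following Python model is an added example and is not code from the paper. It implements only what the text above fixes: pID = PRNG(ID), the bit-selecting function f(x, m, n), the challenge r ⊕ t, the recovery of s from p as p ⊕ PRNG(curpID ⊕ r ⊕ t), and the backend’s handling of the (curID, curpID) and (oldID, oldpID) pairs in Steps 3 and 4. The formulas for m1, m2′ and the key update, and the way m and n are derived, are not on the page, so the code uses clearly marked stand-ins (hashes over the page’s own quantities). What it demonstrates is the de-synchronization behaviour: when the tag never receives m2′, the backend has already rolled its keys, yet the next run still succeeds through the old record and both sides end up synchronized again.

```python
import hashlib
import secrets
import time

L = 96                        # identifier length in bits; the page allows L in {64, 96, 128}
MASK = (1 << L) - 1


def Hash(*parts):
    """Hash(): {0,1}* -> {0,1}^L, modelled as SHA-256 truncated to L bits."""
    data = b"".join(int(p).to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & MASK


def PRNG(x):
    """PRNG(): {0,1}* -> {0,1}^L, modelled as a domain-separated hash (stand-in)."""
    return Hash(0x5052, x)


def f(x, m, n):
    """f(x, m, n) = x_m x_{m+1} ... x_n: bits m..n of x, where x_0 is the leftmost bit."""
    if m > n:
        m, n = n, m
    return (x >> (L - 1 - n)) & ((1 << (n - m + 1)) - 1)


def select_window(s):
    """Derive m and n from the tag nonce s (ASSUMPTION: the page only says the PRNG
    produces them; deriving them from s lets the server recompute them)."""
    return PRNG(s) % L, PRNG(s + 1) % L


class Tag:
    def __init__(self, ID):
        self.ID, self.pID = ID, PRNG(ID)          # pID = PRNG(ID) as in the text
        self._s = None

    def respond(self, rt):
        """Step 2: answer the challenge r XOR t with (m1, p)."""
        s = secrets.randbits(L)
        p = s ^ PRNG(self.pID ^ rt)               # server recovers s as p XOR PRNG(curpID XOR r XOR t)
        m, n = select_window(s)
        m1 = Hash(f(self.ID, m, n), rt, s)        # STAND-IN: the page omits the real m1 formula
        self._s = s
        return m1, p

    def finish(self, m2):
        """Step 4: check m2' and only then roll the secrets forward."""
        if m2 != Hash(self.pID, self._s):         # STAND-IN for the page's omitted m2 formula
            return False
        self.ID = Hash(self.ID, self._s)          # STAND-IN update: one-way and nonce-dependent
        self.pID = PRNG(self.ID)
        return True


class Server:
    def __init__(self):
        self.records = {}                         # k -> [curID, curpID, oldID, oldpID]

    def enrol(self, k, ID):
        self.records[k] = [ID, PRNG(ID), ID, PRNG(ID)]   # curID = oldID = ID initially

    def challenge(self):
        """Step 1: r XOR t, with r fresh and t the server's time stamp."""
        return secrets.randbits(L) ^ (int(time.time()) & MASK)

    def verify(self, rt, m1, p):
        """Step 3: try (curID, curpID) first, then (oldID, oldpID), for every record."""
        for k, rec in self.records.items():
            for use_cur in (True, False):
                ID, pID = rec[0:2] if use_cur else rec[2:4]
                s = p ^ PRNG(pID ^ rt)            # extract s from p
                m, n = select_window(s)
                if Hash(f(ID, m, n), rt, s) != m1:
                    continue
                newID = Hash(ID, s)
                if use_cur:
                    rec[2:4] = rec[0:2]           # old <- cur (normal case)
                # if the old pair matched, old is kept as is and only cur is refreshed
                rec[0:2] = [newID, PRNG(newID)]
                return k, Hash(pID, s)            # m2' for the tag (STAND-IN formula)
        return None, None


def run_round(server, tag, deliver_m2=True):
    """One authentication run; deliver_m2=False models the tag never receiving m2'."""
    rt = server.challenge()
    m1, p = tag.respond(rt)
    k, m2 = server.verify(rt, m1, p)
    if k is not None and deliver_m2:
        tag.finish(m2)
    return k
```

The important ordering is inside Server.verify: a record is rewritten only after a match, the old pair is overwritten only when the current pair matched, and the tag updates only after verifying m2′, so a message lost between Step 3 and Step 4 can cost at most one run before the old pair catches the session.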
5 The Analysis to the Privacy and Security of the Proposed Protocol
The authentication process described above shows that the protocol uses the random bit-selecting function to make the sessions unpredictable, and this increases the difficulty of revealing the secret information of the tag. The one-way property of the Hash function ensures the integrity of the sessions and the confidential transfer of the secret information of the RFID system. A pseudorandom number generator randomizes the messages sent by the tag so that it is difficult for the adversary to trace and identify a tag. Meanwhile, the time stamp is used to resist the replay attack. The protocol provides forward security and it can also resist the de-synchronization attack.
• Forward security. After each authentication is completed, the protocol updates the secrecy of the tag. Therefore the protocol uses different secret keys to encrypt and generate the sessions of each authentication. There is no relationship between the previous sessions and the current secret keys. Even if an adversary reveals the current secrecy of the tag, he cannot decrypt the previous session messages.
• De-synchronization attack. The protocol stores curID, curpID, oldID and oldpID in the backend server. oldID and oldpID are the values of curID and curpID for the last successful authentication. If the tag cannot synchronously update its secrecy with the backend server, they can use oldID and oldpID to complete the later authentication, so as to resist the de-synchronization attack.
• Eavesdropping. During the whole authentication process of the protocol, all session messages are processed by the Hash function or the pseudorandom number generator. Although an adversary can eavesdrop on all messages transferred between tag and backend server/reader, he cannot reveal these messages. So the protocol can effectively resist the leakage of the secret information and it ensures confidential and anonymous communication between backend server/reader and tag.
• Tracing attack. If a tag repeatedly sends the same message to the backend server/reader many times, an adversary can easily trace and identify the tag. In order to resist the tracing attack, the tag generates a new pseudorandom number for each authentication, and the pseudorandom number is used to randomize the session messages. Therefore the freshness of the session messages is ensured. For any different challenge from the backend server/reader the tag will give a different response. An adversary cannot judge which tag sent the session messages he eavesdropped on, and he cannot distinguish two different tags. Therefore the protocol can resist the tracing attack.
• Replay attack. This attack means that an adversary re-sends the session messages intercepted by him so as to get authenticated by the RFID system. All session messages transferred between backend server/reader and tag are processed with the time stamp of the backend server. An adversary can intercept the session messages and re-send them later, but these messages are out of date and they are
cannot get the plaintext of these sessions. So the protocol ensures the anonymity of the RFID system.
Compared with other similar protocols, our proposed protocol has many advantages, which are shown in Table 2.
Table 2. The comparison among the different authentication protocols
Protocols | Eavesdropping | Tracing attack | Replay attack | De-synchronized attack | Spoofing attack | Forward security
It uses the Hash function and the random bit-selecting function to process the session messages so as to increase the difficulty of revealing the secret information of the tag. Meanwhile, authenticating the tag twice also increases the security strength of the protocol. The analysis of the proposed protocol proves that the protocol can provide forward security and that it can resist eavesdropping, tracing, replay and de-synchronization attacks. It completes the mutual authentication between tag and backend server/reader. The protocol only uses a Hash function, a pseudorandom number generator and some simple bitwise operations. So the protocol is very suitable for resource-constrained environments like low-cost RFID systems.
Acknowledgments. We are grateful to the anonymous reviewers for their constructive suggestions on this paper. The work related to this paper is supported by the National Natural Science Foundation of China (No. 61272097).
References
1 Chen, M., Luo, W., Mo, Z., Chen, S., Fang, Y.: An efficient tag search protocol in large-scale RFID systems with noisy channel. IEEE/ACM Trans. Netw. 24(2), 703–716 (2016)
2 Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: RFID systems: a survey on security threats and proposed solutions. In: Cuenca, P., Orozco-Barbosa, L. (eds.) PWC 2006. LNCS, vol. 4217, pp. 159–170. Springer, Heidelberg (2006). doi:10.1007/11872153_14
3 Chikouche, N., Cherif, F., Cayrel, P.-L.: Weaknesses in two RFID authentication weaknesses. In: El Hajji, S., et al. (eds.) C2SI 2015. LNCS, vol. 9084, pp. 162–172. Springer, Heidelberg (2015)
4 Deng, R.H., Li, Y., Yung, M., Zhao, Y.: A new framework for RFID privacy. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 1–18. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15497-3_1
5 Weis, S.A., Sarma, S.E., Rivest, R.L., Engels, D.W.: Security and privacy aspects of low-cost radio frequency identification systems. In: Proceedings of the 1st International Conference on Security in Pervasive Computing, Boppard, Germany, pp. 201–212 (2003)
6 Ohkubo, M., Suzuki, K., Kinoshita, S.: Cryptographic approach to “Privacy-Friendly” tags. In: RFID Privacy Workshop. MIT Press, Cambridge (2003)
7 Ohkubo, M., Suzuki, K., Kinoshita, S.: Hash-chain based forward secure privacy protection scheme for low-cost RFID. In: Proceedings of the 2004 Symposium on Cryptography and Information Security, Sendai, Japan, pp. 719–724 (2004)
8 Yeo, S.-S., Kim, S.K.: Scalable and flexible privacy protection scheme for RFID systems. In: Molva, R., Tsudik, G., Westhoff, D. (eds.) ESAS 2005. LNCS, vol. 3813, pp. 153–163. Springer, Heidelberg (2005). doi:10.1007/11601494_13
9 Lee, Y.K., Verbauwhede, I.: Secure and low-cost RFID authentication protocols. In: Proceedings of the 2nd IEEE Workshop on Adaptive Wireless Networks, St. Louis, USA, pp. 1–5 (2005)
10 Lee, S.M., Hwang, Y.J., Lee, D.H., Lim, J.I.: Efficient authentication for low-cost RFID systems. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganà, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3480, pp. 619–627. Springer, Heidelberg (2005). doi:10.1007/11424758_65
11 Cho, J.-S., Yeo, S.S., Kim, S.K.: Securing against brute-force attack: a hash-based RFID mutual authentication protocol using a secret value. Comput. Commun. 34(3), 391–397 (2011)
12 Cho, J.-S., Jeong, Y.-S., Sang, O.-P.: Consideration on the brute-force attack cost and retrieval cost: a hash-based radio-frequency identification (RFID) tag mutual authentication protocol. Comput. Math. Appl. 3, 1–8 (2012)
13 Kim, H.: Desynchronization attack on hash-based RFID mutual authentication protocol. J. Secur. Eng. 9(4), 357–365 (2012)
14 Khedr, W.I.: SRFID: a hash-based secure scheme for low cost RFID systems. Egypt. Inf. J. 14, 89–98 (2013)
15 Safkhani, M., Peris-Lopez, P., Hernandez-Castro, J.C., Bagheri, N.: Cryptanalysis of the Cho et al. protocol: a hash-based RFID tag mutual authentication protocol. J. Comput. Appl. Math. 259, 571–577 (2014)
lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_21
20 Gao, S., Wang, H.: Forward private RFID authentication protocol based on universal hash function. J. Inf. Comput. Sci. 10(11), 3477–3488 (2013)
Node Mapping for Cloud Storage
Huakang Li, Zhenyu Wang, Yitao Yang, and Guozi Sun(B)
School of Computer Science and Technology, School of Software, Institute of Computer Technology, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
{huakanglee,sun}@njupt.edu.cn
Abstract. Cloud storage provides convenient storage services but carries a data leaking risk while the encryption and decryption keys are supported by the cloud service. However, the traditional CP-ABE scheme cannot solve the problem of the integrity of the cloud service provider according to single-attribute rules. In this paper, we design a prototype system for secure cloud storage which separates storage services and security services using attribute node mapping based on the CP-ABE scheme. The prototype system consists of four parts: a client, a key generation center, a security proxy and a storage system. We propose an innovative convergent encryption method and a shared access mechanism to improve the encryption against guessing attack. Hierarchical redundancy elimination and parallel data access technologies are also proposed to improve the data transmission efficiency.
Keywords: Cloud storage · Access control · Attribute-based Encryption · CP-ABE · Node mapping
1 Introduction
With the development of the Internet and distributed computing in recent years, Cloud Computing has become an important technology for sharing software and hardware resources. Cloud storage service is the most common and popular service (e.g. Google Drive, Dropbox, Huawei Cloud) for typical users. The bottleneck of limited storage space has become more and more significant, especially for mobile users who take lots of pictures and videos.
Different from supercomputing systems, inexpensive commodity hardware is commonly used in cloud systems due to the consideration of scalability [6]. The reliability issue of these systems is of particular relevance. To ensure data reliability, a redundancy scheme is a basic solution and has been extensively deployed [8]. With this scheme, the intuitive idea is to store copies of data objects over a set of network nodes for successful recovery. At the same time, the cloud service provider could remove the extra redundant data copies from data storage.
We also bear the risks of cloud storage, such as efficacy and security [7, 11], while we enjoy the convenience of cloud storage. One problem of cloud service
© Springer International Publishing AG 2016
G. Wang et al. (Eds.): SpaCCS 2016, LNCS 10066, pp. 14–25, 2016.
important verifier, implies the data owner allowing others to verify the owned data.
According to the basic requirements of security and performance, the existing schemes of security evaluation can be classified as follows:
– Blockless Verification: User can modify the data blocks to avoid retrieving all audited data blocks in cloud storage.
– Batch Auditing: User can verify the data from different clients at the same time with a special token.
– Dynamic Data: The data can be continuously modified by competent users.
– Privacy Preserving: User can’t access the delegated data in the cloud storage service.
In this paper, we propose a scheme for cloud storage that combines a security proxy and a stochastic storage strategy to separate the storage service from the security service. The prototype system contains four parts: a client, a key generation center, a security proxy and a storage system. In the uploading process, the client cuts the file into blocks of fixed size, calculates their hash fingerprints and sends them to the security proxy. The security proxy compares the hash fingerprints to establish whether the data are redundant. Secret keys and random storage tables, generated from the hash value and a partial quantity value, are sent back to the client. The client uses the secret key to encrypt the data and uploads them to cloud storage according to the random storage table. In the downloading process, users need to pass the verification of the access structure tree to obtain the secret key for decoding and the random storage table when they are required to access the data. After the legitimate authentication, the client accesses the storage nodes according to the random storage table to decode the data blocks and reconstruct the data. The method proposed in this paper solves the contradiction between data encryption and data redundancy. At the same time, it can also prevent illegal use and protect data privacy from cloud storage service providers.
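As an added example (not code from the paper), the upload and download paths just described, written in Python. Everything the page leaves unspecified is an assumption of this example: a SHA-256 counter-mode keystream stands in for the block cipher, the per-block key is HMAC(proxy secret, fingerprint) as a stand-in for the paper’s key derived from the hash value and the partial quantity value, the storage node is chosen from the fingerprint, and the node names and sample data are constructed. The security-relevant point it makes visible is why the key must not be computable from the block alone: a key that is purely a function of the content (classic convergent encryption) lets whoever holds the ciphertext confirm a guessed plaintext by re-encrypting it, whereas mixing in a value held only by the proxy keeps deduplication (equal blocks still get equal keys and equal ciphertexts) while denying that check to the storage provider.

```python
import hashlib
import hmac
import secrets

BLOCK = 16                                      # fixed block size in bytes (small for the demo)
NODES = ["node-a", "node-b", "node-c"]           # constructed storage node names


def keystream_xor(key, data):
    """Symmetric stand-in: SHA-256 in counter mode XORed over data (use AES-GCM in practice).
    Each key is used for exactly one block content, so the keystream is never reused."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr * 32:(ctr + 1) * 32], ks))
    return bytes(out)


class SecurityProxy:
    """Holds the fingerprint database and hands out per-block keys and node placements."""

    def __init__(self):
        # Proxy-held value mixed into every key; stands in for the paper's 'partial
        # quantity value' (ASSUMPTION about its role). The cloud never sees it.
        self.secret = secrets.token_bytes(32)
        self.fingerprints = {}                   # fingerprint -> (key, node)
        self.dedup_hits = 0

    def register(self, fp):
        if fp in self.fingerprints:              # redundant block: reuse key and placement
            self.dedup_hits += 1
            return self.fingerprints[fp]
        # Key depends on the content hash (equal blocks -> equal keys -> dedup works)
        # and on the proxy secret (a guessed plaintext alone cannot be verified).
        key = hmac.new(self.secret, fp, hashlib.sha256).digest()
        node = NODES[int.from_bytes(fp[:2], "big") % len(NODES)]   # storage table entry
        self.fingerprints[fp] = (key, node)
        return key, node


class CloudStorage:
    def __init__(self):
        self.nodes = {n: {} for n in NODES}

    def put(self, node, fp, ct):
        self.nodes[node][fp] = ct

    def get(self, node, fp):
        return self.nodes[node][fp]

    def stored_blocks(self):
        return sum(len(blocks) for blocks in self.nodes.values())


def upload(data, proxy, cloud):
    """Client side: fixed-size split, fingerprint, ask the proxy, encrypt, place by table."""
    table = []
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        fp = hashlib.sha256(block).digest()
        key, node = proxy.register(fp)
        cloud.put(node, fp, keystream_xor(key, block))
        table.append((fp, node, key))           # the client's random storage table
    return table


def download(table, cloud):
    """Client side after the access-tree check: fetch by table, decrypt, reassemble."""
    return b"".join(keystream_xor(key, cloud.get(node, fp)) for fp, node, key in table)
```

Running upload on data with a repeated block shows one proxy dedup hit and one fewer stored ciphertext than there are blocks, and download returns the original bytes.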
The article consists of the following parts: Sect. 2 introduces the related work on data encryption and data redundancy. The system design and improved ABE scheme are introduced in Sect. 3. Section 4 shows the access control scheme design. The experimental results of system performance are illustrated in Sect. 5. Section 6 concludes the main work and future work.
Cloud storage service providers utilize data redundancy to ensure the reliability of data, while they hope to reduce the repeated data copies to save storage costs. Whole File Detection (WFD) technologies [9] use the hash value of the whole file as the comparison fingerprint to detect data repetition. Fixed-sized partition (FSP) [3] cuts the files into data blocks of fixed size to calculate the hash fingerprint. The content-defined chunking method [17] uses a dynamic sliding window to calculate the Rabin fingerprint value. The sliding block method [12] uses the Rsync checksum function and a fixed-size sliding window to calculate the checksum of data blocks across the file. Comparable data detection technology contrasts data one by one to eliminate duplicate data in the system. However, these methods suffer from the problem of high computational complexity.
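The difference between FSP and content-defined chunking that the paragraph above alludes to is easiest to see on an insertion. The following Python is an added example, not code from the paper or from the cited methods: the rolling hash is a simplified polynomial hash standing in for the Rabin fingerprint, and the window size, boundary mask, chunk limits and sample data are constructed. Inserting one byte at the front shifts every fixed-size boundary, so nearly no FSP block fingerprint survives, while the content-defined boundaries resynchronize after the first chunk and most fingerprints still match.

```python
import hashlib

WINDOW = 8                       # rolling window length in bytes
BASE, MOD = 257, (1 << 31) - 1   # polynomial base and Mersenne-prime modulus (constructed)
BOUNDARY_MASK = 0x0F             # cut when the low 4 bits are zero: ~16-byte chunks on average
MIN_CHUNK, MAX_CHUNK = 4, 64


def fixed_size_chunks(data, size=16):
    """FSP: cut every `size` bytes regardless of content."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def content_defined_chunks(data):
    """CDC with a simplified Rabin-style rolling hash (educational stand-in for the real
    Rabin fingerprint): a boundary is placed wherever the window hash hits the mask, subject
    to minimum and maximum chunk lengths."""
    chunks, start, h = [], 0, 0
    drop = pow(BASE, WINDOW, MOD)                 # weight of the byte leaving the window
    for i, byte in enumerate(data):
        h = (h * BASE + byte) % MOD
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * drop) % MOD   # now covers data[i-WINDOW+1 .. i]
        length = i + 1 - start
        hit = i >= WINDOW - 1 and (h & BOUNDARY_MASK) == 0 and length >= MIN_CHUNK
        if hit or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def shared_chunk_ratio(chunker, old, new):
    """Fraction of `new`'s chunks whose fingerprint already exists for `old` (dedup hit rate)."""
    seen = {hashlib.sha256(c).digest() for c in chunker(old)}
    new_chunks = chunker(new)
    return sum(hashlib.sha256(c).digest() in seen for c in new_chunks) / len(new_chunks)


# Constructed sample: 1 KiB of pseudo-random content, then the same content with one byte
# inserted at the front, which shifts every fixed-size block boundary by one.
ORIGINAL = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
MODIFIED = b"X" + ORIGINAL
```

shared_chunk_ratio(fixed_size_chunks, ORIGINAL, MODIFIED) is essentially zero, while the same call with content_defined_chunks stays high; the cost, as the paragraph notes, is a hash computed at every byte position rather than once per block.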
2.2 Data Encryption
Wang et al. [20] proposed a scheme to support public verification and fully dynamic data instead of modifying or deleting data files. The definition of public auditability implies that public verification is delegated to a trusted third party auditor (TPA). Li et al. [10] proposed a public auditability scheme for resource-constrained devices using a third party auditor for data uploading and audit delegation. After that, Wang et al. [19] proposed a privacy protection scheme which considers the user’s data privacy in public auditability.
Attribute-based Encryption (ABE), which is one of the public key encryption systems, was first proposed by Sahai [15]. This method is based on fuzzy identity-based encryption and can achieve fine-grained access control. ABE binds the user access policies, the set of user attributes and the data together. The system enables users to access data only if the users’ attribute structures match the access control policy. It is ideal for cloud storage where data are shared among users. In the cloud area, many researchers [18, 24, 25] have applied ABE to achieve more fine-grained access control and data sharing goals.
In recent years, researchers have proposed a number of ABE schemes. Waters [22] and Daza [4] proposed ABE schemes independently, whose ciphertext lengths are n + (1) and 2(n − t) + (1), using a threshold-based access control policy. However, these ABE schemes perform very poorly for mobile agents. A fixed-length ciphertext ABE encryption scheme [5] was proposed, but the user’s private key attributes must be fully consistent. This significant limitation means that the established ciphertext-policy attributes cannot be widely promoted.
3 Design of Cloud CP-ABE Scheme
3.1 Design of System Model
When the CP-ABE scheme is used in a secure cloud storage environment, one problem is that the fundamental structure of the CP-ABE scheme only supports attribute sets constructed from single properties in accordance with a certain number of rules. And it does not support the attributes of a third party, such as an authorization center. Therefore we designed a new CP-ABE scheme (Fig. 1) for cloud storage with a Key Generation Center and a Security Proxy.
Fig 1 System structure of cloud CP-ABE scheme.
– Key Generation Center (KGC): KGC is mainly responsible for generating the system’s public and private keys. KGC is also responsible for distributing the corresponding property components to different users with different access rights. In our work, KGC is deemed to be semi-credible (honest but curious), i.e. the KGC will analyze users’ private information besides providing the default services.
– Security proxy (SP): SP is designed to separate the users’ security services from the cloud storage. It is responsible for storing the fingerprint database and distributing the secret attributes. SP is also semi-credible.
– Cloud storage provider (CSP): CSP provides storage services for users and controls data access according to the authentication of the private key structure from users. CSP is also semi-credible.
– Data owner (DO): In order to reduce storage costs, data owners use the storage service from CSP and upload their private data. DOs are responsible for defining the access control policy and encrypting data before uploading to prevent illegal use by the CSP.
– User: Users can get the data from CSP. If a user satisfies the access control policy with his attribute structure, he can access the shared resources.
3.2 Sharing Degree-Based Authentication
We suppose that one file F is divided into N shared pieces stored on the cloud server. The server reduces the redundant blocks according to the data repetition and builds an Access Structure Tree (AST) (Fig. 2) based on the historic access frequency. Therefore, we have the following definitions:
Definition 1: Sharing Degree (SD): If each piece of data is shared by several documents, the SD can be estimated with the depth of the AST. The SD of leaf nodes on the bottom layer is [1, 10], and the root node has the largest SD, such as (1000, ∞);
Definition 2: Children Relationship (CR): CR presents the relationship between child node data blocks. Therefore, the CR of a leaf node amounts to
Fig 2 A simple structure of sharing degree-based access tree.
structure λ which matches the access tree T generated by the security proxy. In order to meet T(λ) = 1, we should satisfy the condition that T_x(λ) = 1 (x = 1, …, m), where T_x is a sub-tree of the AST.
In order to import the CP for key management, we add a Secret Attribute (SA) into the set of attribute keys (Fig. 3). Each user includes this property, and the values are very different for different data. The root of the access structure tree must be an AND gate, and the child node of the root must be a mapping node which includes expiration and secret attributes. The operations (such as attribute addition and deletion) on attribute sets do not touch these two attributes. So an adversary cannot obtain all the users’ private keys when the key is updated, regardless of whether the update happens in the cloud server or in the third-party security proxy.
For the mapping node, a mapping function e : {SA, E} → {ρ_λ} is defined over Expiration (E) and Secret Attribute (SA), where λ is the SA set submitted by the user. And the new key structure S_new = {ρ_λ, ρ_i, ρ_j, ρ_k, …}, ρ_λ ∈ U − S, is generated synchronously by the key generation center.
Fig 3 A simple structure of access structure tree with SA.
Table 1. The symbol descriptions of Cloud CP-ABE
For the cloud service, if x is a leaf node and the key attribute set |x| ∈ S_new, T_x(λ) returns the value 1. If x is a non-leaf node, the value of T_x(λ) is calculated from its child nodes {y}. If x is a mapping node and the attribute of x satisfies S_x = φ, S_x is transformed to ρ_λ by the mapping function e. The mapping node then becomes a leaf node and performs the leaf node matching operation.
4 Access Control Design
To accommodate de-duplication technology in cloud storage and reduce the computation pressure of re-encryption on security agents, we first use file division to cut files into a number of blocks of fixed size. The hash value and the convergent encryption of each block are computed. The key generation center (KGC) assigns the attribute keys to n. The security proxy (SP) is responsible for allocating the confidential attributes (SA) and expiration attributes (E). The main symbols for Cloud CP-ABE are presented in Table 1.
4.1 System Initialization
Assuming that q is the initial prime number for the encryption algorithm and Z_p^* is a finite field. For any i ∈ Z_p^* and a ∈ Z_p^* (a is in set S), the definition of the Lagrange parameter Δ_{i,S} is as below:
Δ_{i,S}(x) = Π_{j∈S, j≠i} (x − j)/(i − j) (1)
The bilinear group {G_x} is generated by security parameters with generator g. We can define the bilinear mapping function e : G_1 × G_1 → G_2, while the pseudorandom function can be defined as:
Υ(x) = g^{x^{2n}} Π_{i=1}^{n+1} t_i^{Δ_{i,S}} (2)
T_1 = g^{t_1}, …, T_{|u|} = g^{t_{|u|}}, Y = e(g, g)^y (3)
Here, the main system secret key MK is {s_i : t_1, …, t_{|u|}, y}.
4.2 Encryption Algorithm
The encryption algorithm proceeds from the root node r of the access tree T. We choose a polynomial P_x for each node x from root to leaf. For the root node, P_r(0) = s where s ∈ Z^* is randomly selected. For the non-leaf node, P_x(0) = P_parent(x)(index(x)). The final ciphertext (CT) can be written as:
CT = {M · e(g, g)^{αs}, C = h^s, ∀y ∈ L: C_y = H(|y|)^{P_y(0)}} (4)
where M is the input data, α is the source unit in Z^*, and L is the set of all leaf nodes of the AST.
4.3 Authentication
When a user accesses file F, the security proxy will extract d (d ≤ f) data blocks randomly to generate the access control tree Π. Here the original file F is divided into f blocks. The user must provide the full attribute set Π, otherwise it is an illegal access by the current user.
4.4 Private Key Generation
For the PKG, the user’s private key SK is generated from the attribute set U, the primary key MK and the public parameters PK.
SK = (D = g^{(α + γ)/β}, ∀j ∈ S : D_j = g^γ · H(j), D′_j = g^{γ_j}) (5)
Here α, β, γ ∈ Z^* and j ∈ S are selected randomly.
4.5 Decryption of Cipher Text
If and only if the attribute set meets the access tree can the ciphertext be decrypted to plaintext. For a leaf node x, we use i = |x| with i ∈ S to calculate as follows,
If i ∉ S, Decrypt(CT, SK, x) = ⊥. For a non-leaf node x, we use the return value F_λ from its child node λ, then recursively calculate F_x by polynomial interpolation:
C^* / (e(C, D) / A) = C^* / (e(h^s, g^{(α+γ)/β}) / e(g, g)^{γs})
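The following Python is an added example, not the paper’s implementation: it carries out the top-down polynomial sharing of Sect. 4.2 and the bottom-up interpolation of Sect. 4.5 over a plain prime field rather than in the exponent of a pairing group (so there is no e(g, g), h or H here), together with the mapping-node rule described in Sect. 3: the child of the root that holds the secret attribute and the expiration acts as a matched leaf only while both are satisfied. Eq. (1) is implemented as lagrange_coeff. The policy tree, attribute names, SA value, expiry and the field prime are all constructed for the example. It shows what the scheme relies on: the root share P_r(0) = s is recovered exactly when the attribute set, the SA and the time satisfy T(λ) = 1, and an unsatisfied subtree yields ⊥ rather than a partial value.

```python
import secrets

P = (1 << 127) - 1   # prime field for the demo shares; stands in for the scheme's Z_p^*


def lagrange_coeff(i, S, x=0):
    """Δ_{i,S}(x) = Π_{j∈S, j≠i} (x − j)/(i − j) mod P, as in Eq. (1)."""
    num = den = 1
    for j in S:
        if j != i:
            num = num * (x - j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P


class Node:
    """kind: 'leaf' (attribute), 'gate' (k-of-n threshold; AND is k=n, OR is k=1),
    or 'map' (the mapping node holding the secret attribute SA and the expiration E)."""

    def __init__(self, kind, attr=None, k=None, children=(), expires=None):
        self.kind, self.attr, self.k = kind, attr, k
        self.children, self.expires = list(children), expires
        self.share = None


def share_secret(node, value):
    """Top-down (Sect. 4.2): P_r(0) = s at the root; each child x of a gate receives
    P_parent(x)(index(x)) from a random polynomial of degree k−1 whose constant term is
    the gate's own share."""
    node.share = value
    if node.kind != "gate":
        return
    coeffs = [value] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for idx, child in enumerate(node.children, start=1):
        share_secret(child, sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P)


def reconstruct(node, attrs, now, sa):
    """Bottom-up (Sect. 4.5): return P_x(0) if the user's attributes satisfy subtree x,
    otherwise None (the ⊥ of the text). A gate interpolates its first k satisfied children."""
    if node.kind == "leaf":
        return node.share if node.attr in attrs else None
    if node.kind == "map":
        # e: {SA, E} -> ρλ: once SA matches and E has not passed, the node behaves as a leaf
        return node.share if sa == node.attr and now < node.expires else None
    found = [(idx, reconstruct(c, attrs, now, sa)) for idx, c in enumerate(node.children, start=1)]
    found = [(idx, v) for idx, v in found if v is not None][:node.k]
    if len(found) < node.k:
        return None
    S = [idx for idx, _ in found]
    return sum(v * lagrange_coeff(i, S) for i, v in found) % P


def build_tree():
    """Constructed policy: a root AND gate whose first child is the mapping node (as the
    text requires), then (department:finance OR role:auditor) AND clearance:high."""
    return Node("gate", k=3, children=[
        Node("map", attr="SA-demo-7f3a", expires=2000),     # constructed SA value and expiry
        Node("gate", k=1, children=[Node("leaf", attr="department:finance"),
                                    Node("leaf", attr="role:auditor")]),
        Node("leaf", attr="clearance:high"),
    ])
```

Because the mapping node sits directly under the root AND gate, an expired E or a wrong SA removes one of the three shares the root needs, and no choice of ordinary attributes can substitute for it; that is the property the paper uses to revoke access without touching the rest of the attribute set.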
5 System Performance
The confidentiality of the access structure and of the data in this paper can be evidenced by the security of the ciphertext of the encryption key under a symmetric key encryption algorithm (such as DES, AES, etc.). Therefore, in this section we just discuss the time cost for system performance. Table 2 shows that we used a computer with a 2.5 GHz CPU and 4 GB memory. The system is Ubuntu 12.04 with JDK 1.7. We used the standard library PBC-0.5.14 from Stanford University. The encrypted data are generated randomly with [20, 50] child nodes. The number of user attributes is uniformly 10. We calculated the attribute set using the KEK function. The finite field was set at 512 bits, and 160-bit elliptic curve functions (y^2 = x^3 + x) for decryption were used from the PBC library.
Table 2. System parameters for experiments
System environment | Experiment parameters
System: Ubuntu 12.04 | SK: Eq. 5, KEK
Lib: PBC-0.5.14 | Decrypt: Eq. 6, {y^2 = x^3 + x}
Figures 4 and 5 show the encryption and decryption times of CP-ABE and of our Cloud CP-ABE algorithm. The encryption times of the two schemes have a clearly linear relationship with the number of leaf nodes. The average time of our scheme
Fig 4 Encryption time results for CP-ABE and our approach.
Fig 5 Decryption time results for CP-ABE and our approach.
is 0.36 s more than the basic CP-ABE. The average decryption time of the basic CP-ABE program is 0.126 s, and the average time for our scheme is 0.376 s. Compared with the basic CP-ABE scheme, the added time consumption is within the acceptable range.
6 Conclusion
In this paper, we proposed an attribute-based access control model for the encryption scheme. The prototype system consists of four parts: a client, a key generation center, a security proxy and a storage system. Based on the traditional CP-ABE scheme, a de-duplication function, which makes the access control tree of the CP-ABE scheme more expressive, was added to solve the defect that the user attribute sets must come from the user. The experimental results illustrated that hierarchical redundancy elimination and parallel data access technologies were in a position to improve the data transmission efficiency. However, all of our work is based on the assumption that cloud storage providers and security agents are separated. In the future, we could consider mutual authentication mechanisms among user, agent and cloud service provider to make cloud storage more secure.
Acknowledgments. This work was supported by the Foundation of Nanjing University of Posts and Telecommunications (Grant No. NY213085 and No. NY214069), the NSFC (No. 61502247, 11501302, 61502243), and the Natural Science Foundation of Jiangsu Province (BK20140895, BK20130417).
References
1 Ateniese, G., Di Pietro, R., Mancini, L.V., Tsudik, G.: Scalable and efficient provable data possession. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, p. 9. ACM (2008)
2 Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, SP 2007, pp. 321–334. IEEE (2007)
3 Bobbarjung, D.R., Jagannathan, S., Dubnicki, C.: Improving duplicate elimination in storage systems. ACM Trans. Storage (TOS) 2(4), 424–448 (2006)
4 Daza, V., Herranz, J., Morillo, P., Ràfols, C.: Extensions of access structures and their cryptographic applications. Appl. Algebra Eng. Commun. Comput. 21(4), 257–284 (2010)
5 Emura, K., Miyaji, A., Nomura, A., Omote, K., Soshi, M.: A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. In: Bao, F., Li, H., Wang, G. (eds.) ISPEC 2009. LNCS, vol. 5451, pp. 13–23. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00843-6_2
6 Ford, D., Labelle, F., Popovici, F.I., Stokely, M., Truong, V.A., Barroso, L., Grimes, C., Quinlan, S.: Availability in globally distributed storage systems. In: OSDI, pp. 61–74 (2010)
7 Hashem, I.A.T., Yaqoob, I., Anuar, N.B., Mokhtar, S., Gani, A., Khan, S.U.: The rise of big data on cloud computing: review and open research issues. Inf. Syst. 47,