Article

CryptCloud+: Secure and Expressive Data Access Control for Cloud Storage

Journal

IEEE TRANSACTIONS ON SERVICES COMPUTING
Volume 14, Issue 1, Pages 111-124

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TSC.2018.2791538

Keywords

Secure cloud storage; ciphertext-policy attribute-based encryption; access credentials misuse; traceability and revocation; auditing

Funding

  1. National Research Foundation, Prime Minister's Office, Singapore, under its Corporate Laboratory@University Scheme, National University of Singapore
  2. Singapore Telecommunications Ltd.
  3. National Natural Science Foundation of China [61632012, 61672239, 61402282]
  4. Shanghai high technology field project [16511101400]
  5. NSFC-Zhejiang Joint Fund for the Integration of Industrialization and Informatization [U1509219]
  6. Shanghai Youth Talent Development Program [14YF1410400]
  7. Shanghai Ocean University Science and Technology Development Program
  8. EPSRC [EP/R006938/1] Funding Source: UKRI


Secure cloud storage is a new cloud service designed to protect the confidentiality of outsourced data and provide flexible data access to cloud users. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is considered a promising technique for securing the service, but it may lead to security breaches due to the misuse of access credentials. This paper investigates cases of access credential misuse and proposes a novel cloud storage system, CryptCloud+, to mitigate such issues. Additionally, security analysis and experiments are presented to demonstrate the system's utility.
Secure cloud storage, which is an emerging cloud service, is designed not only to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of their physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach, known as the misuse of access credentials (i.e., decryption rights), due to the intrinsic all-or-nothing decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of the cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud+. We also present the security analysis and further demonstrate the utility of our system via experiments.
