You are looking at a specific version 20170210:150913 of this paper.

Paper 2017/090

Crypt-DAC: Cryptographically Enforced Dynamic Access Control in the Cloud

Saiyu Qi and Yichen Li and Yuanqing Zheng and Yong Qi

Abstract

Enabling access controls for data hosted on an untrusted cloud is attractive for many users and organizations. Recently, many works have proposed using advanced cryptographic primitives such as identity-based encryption, attribute-based encryption, and predicate encryption to enforce data access control on the potentially untrusted cloud. However, designing an efficient cryptographically enforced dynamic access control system in the cloud is still a challenging issue. In this paper, we propose Crypt-DAC, a system that provides practical cryptographic enforcement of dynamic access control. Crypt-DAC uses delegation-aware encryption and symmetric onion encryption, which enable access revocation to be executed at the cloud side in a secure manner. Crypt-DAC further uses lazy de-onion encryption to facilitate file access without incurring obvious overhead. As a result, Crypt-DAC enforces dynamic access control that provides efficiency, as it does not require expensive decryption/re-encryption and uploading/re-uploading of large data at the customer side, and security, as it immediately revokes access permissions, while operating under a threat model similar to that of previous comparable systems. We use a formalization framework and a system implementation to demonstrate the security and efficiency of our construction.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
access control, cloud
Contact author(s)
syqi @ connect ust hk
History
2019-03-26: last of 3 revisions
2017-02-10: received
Short URL
https://ia.cr/2017/090
License
Creative Commons Attribution
CC BY