Sage Journals: Discover world-class research

Abstract

Body sensor network has emerged as one of the most promising technologies for e-healthcare, which makes remote health monitoring and treatment to patients possible. With the support of mobile cloud computing, large number of health-related data collected from various body sensor networks can be managed efficiently. However, how to keep data security and data privacy in cloud-integrated body sensor network (C-BSN) is an important and challenging issue since the patients’ health-related data are quite sensitive. In this paper, we present a novel secure access control mechanism MC-ABE (Mask-Certificate Attribute-Based Encryption) for cloud-integrated body sensor networks. A specific signature is designed to mask the plaintext, and then the masked data can be securely outsourced to cloud severs. An authorization certificate composed of the signature and related privilege items is constructed which is used to grant privileges to data receivers. To ensure security, a unique value is chosen to mask the certificate for each data receiver. Thus, the certificate is unique for each user and user revocation can be easily completed by removing the mask value. The analysis shows that proposed scheme can meet the security requirement of C-BSN, and it also has less computation cost and storage cost compared with other popular models.

1. Introduction

Body sensor network (BSN) emerges recently with rapid development of wearable sensors, implantable sensors, and short range wireless communication, which make pervasive healthcare monitoring and management become increasingly popular [1, 2]. By the body sensor network, health-related data of the patient can be collected and transferred to the healthcare staff in real time, so the patient's state of health can be under monitoring and precautions can be taken if something bad happened.

In order to enhance the scalability of the body sensor network, some work focuses on combining cloud computing and body sensor network together. As shown in Figure 1, with the support of mobile cloud computing, cloud-integrated body sensor network (C-BSN) can be constructed [3]. In C-BSN, massive local body sensor networks are integrated together and mass data are collected and stored in cloud servers; healthcare staffs will continually monitor their patients’ status and exchange views when it is difficult to make diagnosis; researchers can make data analysis to get some useful results such as regularity of disease development; government agencies also can take measures on disease prevention and control based on data analysis.

Figure 1

Conceptual architecture of cloud-integrated body sensor network.

However, there are still several problems and challenges in C-BSN [3, 4]. For example, data security and data privacy must be concerned since patient-related data is private and sensitive. In this paper, we propose a secure data access control scheme named MC-ABE, which can efficiently ensure data security and data privacy. For data security, data can be securely transferred from data owners to the cloud servers and securely stored; for data privacy, data can be only accessed by authorized users with fine-grained policies.

For example, Bob (data owner) is a patient, and Alice (data requester) is his healthcare doctor. By C-BSN, Bob's health-related data can be collected and sent to cloud server in real time; and Alice gets Bob's information from cloud server to monitor his health status. Besides the authorized person, Bob does not want anyone else to know about his health data. However, his information may be leaked in many ways: the cloud operator/administrator may access his data; malicious user may intrude into the cloud server to steal user data; unauthorized DR may exceed to access others’ data. In summary, there are three key problems which need to be solved to ensure the users’ data security and data privacy in C-BSN. Firstly, the cloud is semitrusted; that is, although we outsource the data to the cloud, we still need to prevent cloud operators from accessing the data content; secondly, we must take measures to keep malicious users out of C-BSN system; lastly, it is also important to study how to avoid the unauthorized access of other users.

In this paper, we propose a novel secure access control mechanism MC-ABE to tackle the aforementioned problems. And main contributions of this paper can be summarized as follows: (i)

We construct one specific signature to CP-ABE to mask the plaintext and then realize securely encryption/decryption outsourcing.

(ii)

We construct the unique authentication certificate for each visitor, which makes the system achieve more effective control on malicious visitors; in particular, it also leads to a low cost for user revocation.

(iii)

We introduce the third-party trust authority to manage above-mentioned signatures and certificates, which can guarantee data security even if the cloud server is semitrusted.

(iv)

In C-BSN, processing data in time is quite necessary. Our proposed scheme can meet such requirement. From the section of performance evaluation, our scheme takes less time than other compared methods to do data collecting, data transmission, and data acquisition.

The rest of this paper is organized as follows. Section 2 introduces the related work. Then, in Section 3, some preliminaries are given. Our scheme is stated in Section 4. In Section 5, security analysis is given. In Section 6, the performance of our scheme is evaluated. The paper is concluded in Section 7.

2. Related Work

Recently, various techniques have been proposed to address the problems of data security and data privacy in C-BSN. In [5], Sahai and Waters proposed the Attribute-Based Encryption (ABE) to realize access control on encrypted data. In ABE, the ciphertext's encryption policy is associated with a set of attributes, and the data owner can be offline after data is encrypted. One year later, Goyal et al. proposed a new type of ABE, Key-Policy Attribute-Based Encryption (KP-ABE) [6]. In KP-ABE, the ciphertext's encryption policy is also associated with a set of attributes, but the attributes are organized into a tree structure (named access tree). The benefit of this approach is that more flexible access control strategy can be got and fine-grained access control can be realized. However, data owner was short of entire control over the encryption policy; that is, he cannot decide who can access the data and who cannot. To solve this problem, Bethencourt et al. proposed CP-ABE (Ciphertext-Policy Attribute-Based Encryption) [7], in which data owner constructed the access tree together with visitors’ identity information. The user can decrypt the ciphertext if and only if attributes in his private key match the access tree. So, in CP-ABE, data owner can configure more flexible access policy. In [8], Yu et al. tried to achieve secure, scalable, and fine-grained access control in cloud environment. Their proposed scheme is based on KP-ABE and combines with the other two techniques, proxy reencryption and lazy reencryption. It is proved that the proposed scheme can meet the security requirement in cloud quite well. Similarly, Wang et al. proposed an access control scheme based on CP-ABE, which is also secure and efficient in cloud environment [9].

In [10], Ahmad et al. proposed a multitoken authorization strategy to remedy the weaknesses of the authorization architecture in mobile cloud. It reduces the probability of unauthorized access to the cloud data and service when malicious activity happened; for example, IdM (Identity Management Systems) are compromised, network links are eavesdropped, or even communication tokens are stolen. In [11], Yadav and Dave presented an access model based on CP-ABE which could provide the remote integrity check by the way of augmenting secure data storage operations. To reduce computation overhead and achieve secure encryption/decryption outsourcing, the access tree is divided into two parts: one part is encrypted by the data owner and the other part is encrypted by the cloud sever. So a portion of computation overhead was transferred from data owner to cloud sever. The similar method is also adopted in the work of Zhou and Huang [12]. In addition to the access tree division, Zhou and Huang also propose an efficient data management model to balance communication and storage overhead to reduce the cost of data management operations. In [13], Li et al. presented a low complexity multiauthority attribute-based encryption scheme for mobile cloud computing which uses masked shared-decryption-keys to ensure the security of decryption outsourcing and adopts multiauthorities for authorization to enhance security assurance. The above schemes are based on CP-ABE, in which complex bilinear map calculation is performed. In [14], Yao el al. proposed a novel access control mechanism, in which data operation privileges are granted based on authorization certificates. The advantage of such mechanism is that the computation cost can be decreased remarkably, since there is no bilinear map calculation. And the disadvantage is that lots of operations need to be handled by data owner, such as privilege designation, and then it demands that the data owner must know all information about the visitors. In [15], the authors considered the problem of patient self-controlled access privilege to highly sensitive Personal Health Information. They proposed a Secure Patient-Centric Access Control scheme which allows data requesters to have different access privileges based on their roles and then assigns different attribute sets to them. However, they took the cloud server as trusted, and their scheme does not work well for user revocation. In [16], the authors proposed a novel CP-ABE scheme with constant-size decryption keys independent of the number of attributes. Their scheme is suitable for applications based on lightweight mobile devices but is not suitable for large scale C-BSN.

3. Preliminaries

3.1. Notations

The notations used in MC-ABE are listed as follows.

Notations in MC-ABE. Consider the following:

DO: data owner,

DR: data requester/receiver,

ESP: encryption service provider,

DSP: decryption service provider,

SSP: storage service provider,

TA: trust authority,

SetS: setup server,

PK: public key,

MK: master key,

SK: secret key,

M: plaintext,

CT: ciphertext,

T: access tree,

MM: masked plaintext,

Cert: authorization certificate,

MValue: mask value,

MCert: masked certificate.

DO and DR are cloud users. ESP is cloud server that can help DO do data encryption. SSP is cloud storage server. DSP is the server that is responsible for data decryption. TA is the third-party trust authority. SetS is the setup server whose responsibility is to generate PK and MK.

PK and MK are parameters that are used for data encryption/decryption. SK is held by DR which is used to decrypt ciphertext, which is generated using PK and MK. The data is plaintext before encryption, denoted as M, and CT is the ciphertext of M. T is the access policy (access tree). MM is the masked plaintext; in MC-ABE, the plaintext will be masked to MM by a signature before being encrypted to achieve “double protection.” Cert is the authorization certificate (see Section 4.2.1 for details). Mask value is used to mask Cert to generate MCert (see Section 4.2.2 for details).

3.2. Basics

3.2.1. Bilinear Pairing

Let $G_{1}$ and $G_{2}$ be two multiplicative cyclic groups of prime order p. Let g be a generator of $G_{1}$ and let e be a bilinear map, e: $G_{1} \times G_{1} \to G_{2}$ . For $a, b \in Z_{p}$ , the bilinear map e has the following properties [3, 10]: (1)

Bilinearity: for all $u, v \in G_{1}$ , we have $e (u^{a}, v^{b}) = e (u, v)^{a b}$ .

(2)

Nondegeneracy: $e (g, g) \neq 1$ .

(3)

Being symmetric: $e (g^{a}, g^{b}) = e (g, g)^{a b} = e (g^{b}, g^{a})$ .

3.2.2. Discrete Logarithm (DL) Problem

Definition 1 (discrete logarithm (DL) problem).

Let G be a multiplicative cyclic group of prime order p and let g be its generator, for all $α \in Z_{p}$ , given $g, g^{α}$ as input, output α.

The DL assumption holds in G if it is computationally infeasible to solve the DL problem in G [17].

3.3. Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

3.3.1. Access Structure

Let $P = \{P_{1}, P_{2}, \dots P_{n}\}$ be the universal set [18]. Each element in P is an attribute, that is, the descriptive identification information of a visitor [19]. An access structure is a collection (resp., monotone collection) T of nonempty subsets of P. For example, P = {Beijing, Shanghai, No. 1 Middle School, No. 2 Middle School, student, teacher, administrator}. Visitor 1 has the attributes set A = {Beijing, No. 1 Middle School, student} [20].

The access structure in CP-ABE is the tree structure, which is named access tree [2]. For the access tree T, the leaf nodes are associated with descriptive attributes; each interior node is a relation function, such as AND (n of n), OR (1 of n), and n of m ( $m > n$ ).

Each DR has a set of attributes, which are associated with DR's SK. If DR's attributes set satisfies the access tree, the encrypted data can be decrypted by DR's SK.

3.3.2. Working Process

In CP-ABE, the plaintext is encrypted with a symmetric key, and then the key is shared in the access tree. In the process of decryption, if DR's SK satisfies the access tree, then DR gets the shared secret and the data can be recovered.

3.4. Assumptions

In this work, we make the following assumptions.

Assumption 1 (service providers (ESP, DSP, and SSP) are semitrusted).

That is, they will follow our proposed protocol in general but try to find out as much secret information as possible. And the information may be accessed illegally by internal malicious employees or external attackers. In particular, although ESP and DSP undertake most of the computing cost, they do not have enough information to deduce the plaintext.

Assumption 2 (SetS and TA are trusted).

On no conditions will they leak information about data and related keys.

In order to deduce more information about encrypted data, service providers might combine their information to perform collusion attack. In our scheme, collusions between service providers are taken into consideration.

4. MC-ABE

4.1. Overview

Our proposed scheme MC-ABE is shown in Figure 2. Seven algorithms are included in MC-ABE: Setup, ${E n c r y p t}_{D O}$ , ${E n c r y p t}_{E S P}$ , KeyGen, CerGen, ${D e c r y p t}_{D S P}$ , and ${D e c r y p t}_{D R}$ .

Figure 2

System model.

For data outsourcing, DO encrypts M with algorithm ${E n c r y p t}_{D O}$ , in which signature is used to mask M. Then ESP encrypts T with algorithm ${E n c r y p t}_{E S P}$ to finish the encryption. The encrypted data is stored in SSP.

For data access, when DR requests data from SSP, the request is sent to TA after verification. TA chooses a unique value to the mask certificate for DR. Then, using the attributes set of DR, TA computes SK with algorithm KeyGen. After that, SK is sent to DSP and the certificate is sent to DR. At the same time, SSP sends the CT to DSP. With SK and CT, DSP can do decryption and get M that is masked by signature. Once DR receives the certificate, he decrypts the masked certificate with his unique value (TA sends the unique value to this DR when the first authorized request occurred. It will be used in the following requests until this DR is revoked) to get the certificate. Using the certificate, DR can decrypt the masked M with signatures in the certificate.

In addition, if a DR is revoked, TA will mark the DR as “revoked” and this DR's unique mask value will be invalid. No certificate will be granted to this DR any more.

4.2. Two Important Notions

4.2.1. Authorization Certificate (Cert)

The authorization certificate is introduced in MC-ABE to grant data privileges for DR. As shown in Structure of Authorization Certificate, it includes five items that are privilege related information. DO provides the certificate related information to TA, and then TA constructs the unique authorization certificate for each authorized DR.

Structure of Authorization Certificate

File ID list ( $f_{1}$ , $f_{2} \dots$ )

Valid Period (From the start time to the end time)

Signature ( ${{s i g n}_{f 1}}$ , ${{s i g n}_{f 2}} \dots$ )

Privilege ( ${p_{f 1}}$ , $\{p_{f 2}\} \dots$ )

PK, MK

File ID is ID list of the authorized files. Valid Period denotes the valid period of the signature from the start time to the end time. Signature is used by DO to mask the plaintext in data encryption; it is used by DR to get the plaintext in data decryption. Privilege is the privilege denoted by the signature such as read, modify, or delete. PK, MK are two keys noted in Notations in MC-ABE.

4.2.2. Mask Value (MValue)

To achieve fine-grained access control over DR, the mask value is introduced in MC-ABE. The mask value is maintained by TA. For each DR, TA sets a unique mask value for him. The mask value is used to blind the authorization certificate before the certificate is sent to DR. Thus, each DR receives its own unique blinded certificate since the mask value is unique. In the following, the process is described in detail.

After TA receives a data access request, it checks DRID firstly. If the requester is a new user, TA generates a random number $t_{D R I D} \in Z_{p}$ and inserts it into the mask value table.

Otherwise, if this DRID already exists in mask value table and the item of revocation is “N” (initial value of this item is “N.” Only at the time when the DRID is revoked will this item be set as “Y”), TA invokes algorithm CerGen to compute the masked certificate (see Table 1).

Table 1

Mask value table (maintained by TA).

DRID	Mask value	Revocation
DR1	MValue_DR1	N
DR2	MValue_DR2	Y
DR3	MValue_DR3	N

DRID: ID of DR.

Mask value: unique mask value for each DR.

Revocation: revocation mark. “Y” means this DR is revoked. “N” means this DR is authorized.

Algorithm (CerGen( $t_{D R I D}$ , PK)→MCert). Construct a certificate Cert as Structure of Authorization Certificate shows. MCert is the masked Cert.

Then, compute as follows:

\begin{matrix} M V a l u e = g^{t_{D R I D}} \\ M C e r t = C e r t \cdot e (g^{θ}, g^{t_{D R I D}}) = C e r t \cdot e {(g, g)}^{θ t_{D R I D}} . \end{matrix}

(1)

If DR is a new user, MValue and MCert will be sent to him. Otherwise, send MCert to the DR.

4.3. Scheme Description

The whole process of MC-ABE is shown in Figure 3. In this section, we describe each step in detail.

Figure 3

Algorithms’ implementation in MC-ABE.

4.3.1. Data Outsourcing

In C-BSN, DO usually uses mobile devices that lack computing power and storage space. To reduce the encryption overhead of DO, the encryption process is divided into two parts: ${E n c r y p t}_{D O}$ and ${E n c r y p t}_{E S P}$ . ${E n c r y p t}_{D O}$ is the encryption algorithm implemented by DO and ${E n c r y p t}_{E S P}$ is carried out by ESP. Since ESP is semitrusted, we introduce the signature in ${E n c r y p t}_{D O}$ to mask M. In general, there are three steps for data outsourcing.

Firstly, SetS generates PK and MK.

Algorithm 2 (Setup→PK, MK).

SetS performs the algorithm. Let $G_{0}$ be a multiplicative cyclic group of prime order p and let g be its generator, and four random numbers $α, β, ε, θ \in Z_{p}$ (further details in [7]). Consider

\begin{matrix} P K = (G_{0}, g, h = g^{β}, e {(g, g)}^{α}, g^{ε}, g^{θ}) \\ M K = (β, g^{α}) . \end{matrix}

(2)

Secondly, DO performs the first step of data encryption.

Algorithm 3 ( ${E n c r y p t}_{D O}$ (PK, M, K)→MM).

DO implements the algorithm. PK is got from SetS; M is DO's plaintext; MM is masked M; K is the set of operation privileges, and k is one of the elements in K.

For $k \subset K$ , we choose a random number $v_{k} \subset Z_{p}$ and then compute the signature:

\begin{matrix} {s i g n a t u r e}_{k} = e (g^{ε}, g^{v_{k}}) = e {(g, g)}^{ε v_{k}} . \end{matrix}

(3)

For simplicity, let v denote the set of $v_{k} : v = {v_{k} | k \in K}$ ; signature denotes the set of ${s i g n a t u r e}_{k} : s i g n a t u r e = {{s i g n a t u r e}_{k} | k \in K}$ .

Choose a random number $s \in Z_{p}$ ; then

\begin{array}{l} M M & = \tilde{C} = M \cdot e {(g, g)}^{a s} s i g n a t u r e \\ = M \cdot e {(g, g)}^{a s} \cdot e {(g, g)}^{ε v} . \end{array}

(4)

Lastly, ESP performs the last step of data encryption.

Algorithm 4 ( ${E n c r y p t}_{E S P}$ (PK, s, T, $M M$ ) [7, 11]→CT).

ESP implements the algorithm. The access tree T is encrypted from the root node R to leaf nodes. For each node x in T, choose a polynomial $q_{x}$ .

For node x, consider the following:

$k_{x}$ : it denotes the threshold value of x.

$d_{x}$ : it denotes the degree of $q_{x}$ ; $d_{x} = k_{x} - 1$ .

$p a r e n t (x)$ : a function returns the parent node of x.

${n u m}_{x}$ : it is the number of child nodes of x. For a child node y, y is uniquely identified by an index number $i n d e x (y)$ , and $1 ⩽ i n d e x (y) ⩽ {n u m}_{x}$ . Consider

\begin{matrix} q_{x} (0) = q_{p a r e n t (x)} (i n d e x (x)) . \end{matrix}

(5)

For root node R, $q_{R} (0) = s$ . Choose $d_{R}$ other points randomly to completely define $q_{R}$ . For any other node x in T, let $q_{x} (0) = q_{p a e r e n t (x)} (i n d e x (x))$ , and choose $d_{x}$ other points randomly to completely define $q_{x}$ .

Y is the set of leaf nodes in T. Compute as follows:

\begin{matrix} C = h^{s} \forall y \in Y : C_{y} = g^{q_{y} (0)}, C_{y}^{'} = H {(a t t (y))}^{q_{y} (0)} . \end{matrix}

(6)

Then,

\begin{array}{l} C T & = {T, \tilde{C} = M \cdot e {(g, g)}^{a s} \cdot e {(g, g)}^{ε v}, C = h^{s}, \forall y \\ \in Y : C_{y} = g^{q_{y} (0)}, C_{y}^{'} = H {(a t t (y))}^{q_{y} (0)}} . \end{array}

(7)

CT is stored in SSP. Detailed communication information is shown in Figure 4.

Figure 4

Communication information in data outsourcing.

4.3.2. Data Request

When a DR requests data from SSP, TA generates SK and a certificate for DR. Most of decryption cost is taken by DSP but DSP cannot get M. Based on the effort of DSP, DR finishes the last step of decryption and gets M. Similar to data outsourcing, there are also three steps for data outsourcing.

Firstly, TA generates SK for DR.

Algorithm 5 (KeyGen(MK, S)→SK).

S is the attributes set of DR.

We generate a random number $r \in Z_{p}$ and then generate the random number $r_{j} \in Z_{p}$ for each $j \in S$ . Compute as follows:

\begin{array}{l} S K & = (D = g^{(α + r) / β}, \forall j \in S : D_{j} = g^{r} \cdot H {(j)}^{r_{j}}, D_{j}^{'} \\ = g^{r_{j}}) . \end{array}

(8)

Then, TA sends SK to DSP.

Secondly, DSP performs the first step of data decryption: decrypt the access tree in CT to get MM.

Algorithm 6 ( ${D e c r y p t}_{D S P}$ (SK, CT)→MM).

When x is a leaf node, let $i = a t t (x)$ . Function $a t t (x)$ denotes the attribute associated with the leaf node x in the tree.

If $i \in S$ ,

\begin{array}{l} D e c r y p t N o d e L (C T, S K, x) = \frac{e (D_{i}, C_{x})}{e (D_{i}^{'}, C_{x}^{'})} \\ = \frac{e (g^{r} \cdot H {(i)}^{q_{x} (0)}, g^{q_{x} (0)})}{e (g^{r_{i}}, H {(i)}^{q_{x} (0)})} = e {(g, g)}^{r \cdot q_{x} (0)} . \end{array}

(9)

Otherwise,

\begin{matrix} i \notin S, D e c r y p t N o d e L (C T, S K, x) = ⊥ . \end{matrix}

(10)

When x is an interior node, call the algorithm DecryptNodeNL $(C T, S K, x)$ .

For all of the children z of node x, call DecryptNodeL $(C T, S K, z)$ , and the output is $F_{z}$ . Let $S_{x}$ be $k_{x}$ (the threshold value of interior node) random set and let $F_{z} \neq ⊥$ . If no such set exists, the function cannot be satisfied, so return ⊥.

Otherwise, compute as follows and return the result:

\begin{array}{l} F_{x} & = \prod_{z \in S_{x}} F_{z}^{Δ_{i}, {S_{x}^{'}}^{(0)}}, \\ w h e r e i = i n d e x (z), S_{x}^{'} = \{i n d e x (z) : z \in S_{x}\} \\ = \prod_{z \in S_{x}} {(e {(g, g)}^{r . q_{z} (0)})}^{Δ_{i, {S_{x}^{'}}^{(0)}}} \\ = \prod_{z \in S_{x}} {(e {(g, g)}^{r \cdot q_{p a r e n t (z)} (i n d e x (z))})}^{Δ_{i, {S_{x}^{'}}^{(0)}}} \\ = \prod_{z \in S_{x}} {(e {(g, g)}^{r \cdot q_{x} (i)})}^{Δ_{i, {S_{x}^{'}}^{(0)}}} \\ = e {(g, g)}^{r \cdot q_{x} (0)} . \end{array}

(11)

In particular, for root node R,

\begin{matrix} A = e {(g, g)}^{r q_{T} (0)} = e {(g, g)}^{r \cdot s} . \end{matrix}

(12)

Finally,

\begin{array}{l} \frac{{\tilde{C}}_{k}}{(e (C, D) / A)} & = \frac{\tilde{C}}{(e (h^{s}, g^{(α + r) / β}) / e {(g, g)}^{r \cdot s})} \\ = M \cdot s i g n a t u r e . \end{array}

(13)

Then, $M \cdot s i g n a t u r e$ is sent to DR.

Receiving $M \cdot s i g n a t u r e$ and MCert, DR implements algorithm ${D e c r y p t}_{D R}$ to finish data decryption.

Lastly, DR performs the last step of data decryption: remove the masked value in MM to get M.

Algorithm 7 ( ${D e c r y p t}_{D R}$ ( $M \cdot s i g n a t u r e$ , MCert)→M).

DR retrieves Cert to get related signatures:

\begin{matrix} \frac{M C e r t}{e (g^{θ}, g^{t_{D R I D}})} = C e r t \cdot \frac{e {(g, g)}^{θ t_{D R I D}}}{e {(g, g)}^{θ t_{D R I D}}} = C e r t . \end{matrix}

(14)

Then, DR gets M with the signature:

\begin{matrix} M \cdot \frac{s i g n a t u r e}{s i g n a t u r e} = M . \end{matrix}

(15)

4.3.3. User Revocation

An invalid DR is a DR who is thought to be malicious or whose certificate is expired. The invalid DR should be revoked from the authorized access list. In MC-ABE, we can remove the MValue record in Table 1 to revoke DR. Firstly, TA modifies the revoked DR's “Revocation” item from “N” to “Y” in mask value table. Secondly, current signature must be updated to a new one (signature updating is shown in Figure 5). After these two steps, the invalid DR is revoked. When he requests new data, he will be taken as new comer (the signature is updated, and he does not have the new one), and TA will refuse his request since he is marked as revoked. For valid DR, they will get the new signature and access the system as usual.

Figure 5

Signature updating.

5. Security Analysis

5.1. Encryption and Decryption Outsource

In CP-ABE, both data encryption and data decryption are only done by the cloud users. Meanwhile, in MC-ABE, data encryption is done by DO and the cloud server collaboratively, and data decryption is undertaken by DR and the cloud server together. M is masked by DO before it is sent to ESP. DO and authorized DR can get M. ESP and DSP can get MM (Masked M), but they cannot deduce M from MM.

Theorem 8.

The security in encryption and decryption in MC-ABE is not weaker than that of CP-ABE.

Proof.

In algorithm ${E n c r y p t}_{E S P}$ , ESP encrypts the access tree T with the parameters s, T, and MM. Consider

\begin{array}{l} \tilde{C} & = M \cdot e {(g, g)}^{a s} \cdot s i g n a t u r e \\ = M \cdot e {(g, g)}^{a s} \cdot e {(g, g)}^{ε v} . \end{array}

(16)

Using PK and s, ESP can get

e (g, g)^{a s}

; what ESP got is

M \cdot e (g, g)^{ε v}

The encrypted data in CP-ABE is $\tilde{C} = M \cdot e (g, g)^{a s}$ ; both of α and s are random; let $z = α \cdot s$ ; z is also random; then $\tilde{C} = M e (g, g)^{z}$ is equal to $M e (g, g)^{ε v_{k}}$ . According to security proof in [7], the structure of $\tilde{C} = M \cdot e (g, g)^{a s}$ is secure to prevent the adversary from deducing M. Thus, $M e (g, g)^{ε v_{k}}$ in our scheme is secure. That is to say, ESP cannot deduce M with $M e (g, g)^{ε v_{k}}$ , and encryption outsourcing is secure in MC-ABE.

For DSP, it can decrypt CT using SK and get the masked $M = M \cdot s i g n a t u r e$ . The information DSP gets is the same as ESP. So, in MC-ABE, data decryption outsourcing is also secure since it is similar to data encryption outsourcing.

5.2. Certificate

From the above statement, the signature is vitally important to the security of our scheme. Since the signature is an item of the certificate, the security of the signature relies on the certificate. Each DR has his unique masked certificate; DR can retrieve his certificate only by his own MValue. In the following, we prove that malicious DR cannot get MCert without the right MValue.

Theorem 9.

MCert cannot be decrypted without the right MValue.

DR1 has $M C e r t$ 1 = $C e r t$ 1 ·MValue1 = $C e r t$ 1 $e (g, g)^{θ t_{D R 1}}$ ; $D R$ 2 wanted to retrieve $C e r t$ 1 without $e (g, g)^{θ t_{D R 1}}$ .

Proof.

DR1 forged $M V a l u e 1^{'} = e {(g, g)}^{θ t_{D R 1}^{'}},$ to get Cert1:

\begin{array}{l} C e r t 1 & = \frac{M C e r t 1}{{M V a l u e 1}^{'}} = C e r t 1 \cdot \frac{M V a l u e 1}{{M V a l u e 1}^{'}} \\ = C e r t 1 \cdot e {(g, g)}^{θ (t_{D R 1} - t_{D R 1}^{'})} . \end{array}

(17)

In other words, if the forged ${M V a l u e 2}^{'}$ is right, we must have $t_{D R 1} = t_{D R 1}^{'}$ to solve the DL problem. The DL problem is computationally infeasible; thus, MValue is difficult to be forged and MCert cannot be decrypted without the right MValue.

5.3. Collusion

Service providers might collude with each other to combine their information to deduce M. In the above statement, ESP and DSP hold similar information to retrieve M. If ESP colluded with DSP, the most information they could get is $M \cdot s i g n a t u r e$ . We have given the security proof of $M \cdot s i g n a t u r e$ in Theorem 8. Thus, MC-ABE is quite qualified for anticollusion.

SSP is a semitrusted server, which stores CT. If SSP colluded with ESP and DSP, it provides no useful information to deduce M. So, MC-ABE can defend against collusion among SSP, ESP, and DSP.

5.4. Revocation

If a DR is revealed to be malicious, he will be revoked from the authorized user list. We update the signature encrypted in CT; after that, as shown in the following, the revoked DR cannot get authorized data any more:

Revoked signature held by DR: $s i g n a t u r e = e {(g, g)}^{ε v_{k}}$ .

Updated signature: ${s i g n a t u r e}^{'} = e {(g, g)}^{ε v_{k}^{'}}$ .

Masked $M^{'} = M \cdot {s i g n a t u r e}^{'} = M e (g, g)^{v_{k}^{'}}$ .

Masked $M^{'} / s i g n a t u r e$ = $M e (g, g)^{ε v_{k}^{'}} / e (g, g)^{ε v_{k}}$ = $M e (g, g)^{ε v_{k}^{'}} / e (g, g)^{ε v_{k}}$ = $M e (g, g)^{ε (v_{k}^{'} - v_{k})}$ .

It is the same with the proof of Theorem 9. MC-ABE is secure in revocation.

6. Performance Evaluation

In this section, we numerically analyze the communication and computation cost of MC-ABE. We also give the simulation results in detail.

6.1. Numerical Analysis

6.1.1. Computation Cost

Setup. The setup procedure includes defining multiplicative cyclic group and generating PK and MK that will be used in encryption and key generation. There are four exponentiation operations and one pairing operation in setup procedure. Time complexity of the procedure is $O (1)$ . The computation cost has nothing to do with the number of attributes.

${E n c r y p t}_{D O}$ . In this procedure, DO is responsible for generating signature and masking M. Two operations are included in signature computation, which are random number generation and bilinear map computation. And operations performed in mask computation include random number generation and three multiplication operations. Thus, it needs to do two exponentiation operations, two multiplication operations, and one pairing operation for each file. But if more privileges are permitted at the same time, more signatures will be computed. For each privilege, computation cost is fixed, so the total cost is proportional to the number of privileges.

${E n c r y p t}_{E S P}$ . ESP encrypts the access tree in this procedure. The computation cost is proportional to the number of attributes in the tree. If the universal attributes set in T is I ( $|I|$ denotes the total number of attributes in set I), for each element in I, it needs two exponentiation operations; totally, the computation complexity is $O (|I|)$ .

KeyGen. This procedure is carried out to generate SK for DR. Computation cost is proportional to the number of attributes in SK. For each attribute, two pairing operations and one multiplication operation are needed. If the universal attributes set is S ( $|S|$ is the total number of attributes in set, $|S| \leq |I|$ ), the time complexity of SK computation is $O (|S|)$ .

CerGen. In this procedure, we construct the certificate and mask it. Items in certificate are denoted by DO. TA needs to do one exponentiation operation, one multiplication operation, and one pairing operation. Computation cost is fixed; the computation complexity is $O (1)$ .

${D e c r y p t}_{D S P}$ . In this procedure, DSP decrypts the ciphertext. The main overhead is incurred at the decryption of every attribute. The cost is proportional to the number of attributes in the access tree. Thus, the complexity is $O (|I|)$ .

${D e c r y p t}_{D R}$ . In this procedure, DR gets M from the masked M by a divide operation. Thus, the complexity is $O (1)$ .

6.1.2. Storage Cost

Compared to CP-ABE, more storage cost is incurred in MC-ABE because the certificate and the unique value are introduced. As shown in Table 2, the items in certificates are related to data access privileges, so the storage space of the certificate is proportional to the number of the documents (data). For each DR, one record is kept in mask value table (Table 1). Thus, the storage space for mask value table is proportional to the number of DR. Since the items in mask value table are quite simple, the total storage cost is not heavy.

Table 2

Impact factor of storage cost.

	Number of docs	Number of DR
Certificate storage space	Related	No
Mask value storage space	No	Related

6.2. Simulation Results

To evaluate the performance of MC-ABE, we develop simulation codes based on CP-ABE toolkit [21]. We make a comparison between MC-ABE and other two popular models (CP-ABE and PP-CP-ABE [11]) in four aspects: computation cost for data encryption, computation cost for key generation, computation cost for data decryption, and computation cost for user revocation.

(1) Computation Cost for Data Encryption. Most of the computation cost in encryption is incurred for the encryption of the access tree, which is proportional to the number of the leaf nodes. In CP-ABE, data encryption is done by DO. In PP-CP-ABE, data encryption/decryption is outsourced to service providers; the access tree was divided into two parts: one part is encrypted by DO and the other part is encrypted by ESP. In MC-ABE, the access tree is encrypted by ESP. In Figure 6(a), the computation cost of three different schemes is compared. x-axis indicates the number of leaf nodes in T (the access tree), and y-axis indicates time to encrypt M (computation cost). For x, ten values are selected evenly (10, 20, …, 100). For each x value, we run simulation codes 10 times and take the average value of the results as the final result. It is shown that MC-ABE has better performance than the other two ones. In PP-CP-ABE, the number of leaf nodes in DO's subtree will change with different tree division. So, for simplicity, we set the number of DO's subtrees to be half of the number of the whole leaves. As shown in Figure 6(b), we also show confidence interval to assess the results in Figure 6(a) (only results about DO's computation cost in MC-ABE are given, since the results in PP-CP-ABE and CP ABE are consistent with MC-ABE). In Figure 6(b), it is shown that all average results lie in the confidence interval.

Figure 6

(a) DO's computation cost for data encryption in CP-ABE, PP-CP-ABE, and MC-ABE. In PP-CP-ABE, part of encryption computation is transferred to cloud sever to reduce DO's cost. In MC-ABE, more efforts are made to reduce computation cost undertaken by DO. (b) Computation cost of DO (the 95% confidence interval assuming random data with normal distribution is shown). (c) Computation cost of key generation (the 95% confidence interval assuming random data with normal distribution is shown). (d) Computation cost of DR in CP-ABE and MC-ABE. Similar to ESP in MC-ABE, DSP also undertakes most of the computation in decryption. The cost is proportional to attributes number in private key. (e) Computation cost for user revocation. With the authorization certificate in MC-ABE, revocation cost can be reduced obviously.

(2) Computation Cost for Key Generation. Same with simulation about data encryption, we also take the average value of key generation cost as the final result. As shown in Figure 6(c), the average value is very close to lower bound and upper bound of the confidence interval, so we also list source data of the simulation results in Table 3. It shows that all average results lie in the confidence interval, so the simulation result is confident. From the results, we can get that the computation cost will grow with the number of attributes in private key. The algorithm KeyGen is implemented by TA, so there is no cost for DO.

Table 3

Computation cost of key generation (source data of Figure 6(c); the 95% confidence interval assuming random data with normal distribution is shown). Att_num indicates the number of DR's attributes, CI indicates confidence interval, and Ave indicates the average value.

Att_num	CI	Ave
5	[5.291941, 5.30779403]	5.2998678
10	[11.90953, 11.9336295]	11.9215787
15	[18.54277, 18.5893065]	18.5660398
20	[25.12693, 25.1588600]	25.1428953
25	[31.65159, 31.7310845]	31.6913405
30	[38.26554, 38.3662469]	38.3158938
35	[44.86881, 44.9555189]	44.9121638
40	[51.45481, 51.6333506]	51.5440794
45	[58.04029, 58.1582152]	58.0992549
50	[64.54168, 64.6776467]	64.6096648

(3) Computation Cost for Data Decryption. In MC-ABE, most of the computation cost has been shifted to DSP, so the computation cost of DR is constant. The comparison results are shown in Figure 6(d).

(4) Computation Cost for User Revocation. In MC-ABE, user revocation simplified for the signature is introduced. When user revocation happens, the revoked DR's “Revocation” item in mask value table is set as “Y”; his new data request will not be responded to; his former signature encrypted in ciphertext will be also changed. It needs one multiplication operation and one exponentiation operation for the above operations. The simulation results are as shown in Figure 6(e).

7. Conclusion

The C-BSN is one promising technology that can change people's healthcare experiences greatly. However, how to keep data security and data privacy in C-BSN is an important and challenging issue since the patients’ health-related data are quite sensitive. In this paper, we propose a novel encryption outsourcing scheme MC-ABE that meets the requirements of data security and data privacy in C-BSN. In MC-ABE, one specific signature is constructed to mask the plaintext; the unique authentication certificate for each visitor is constructed; the third-party trust authority to manage above-mentioned signatures and certificates is also introduced. By security analysis, we prove that MC-ABE can meet the security requirement of C-BSN. And, by performance evaluation, it shows that MC-ABE has less computation cost and storage cost compared with other popular models. In future work, we plan to explore the possibility of improving the scalability of MC-ABE.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is partially supported by Natural Science Foundation of China under Grant no. 61402171, Central Government University Foundation under Grant no. JB2014075, and US Army Research Office under Grant no. WF911NF-14-1-0518.

References

Wan

Zou

Ullah

Lai

C.-F.

Zhou

Wang

Cloud-enabled wireless body area networks for pervasive healthcare

IEEE Network 2013 27 5 56 61

10.1109/mnet.2013.6616116

2-s2.0-84885589116

Bao

S.-D.

Efficient fuzzy vault application in node recognition for securing body sensor networks

Proceedings of the IEEE International Conference on Communications (ICC ′14)

June 2014

Sydney, Australia

IEEE

3648 3651

10.1109/icc.2014.6883888

2-s2.0-84906996493

Hassan

M. M.

Song

Huh

E.-N.

A framework of sensor-cloud integration opportunities and challenges

Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication (ICUIMC ′09)

January 2009

Suwon, The Republic of Korea

ACM

618 626

10.1145/1516241.1516350

2-s2.0-70349238955

Lou

Ren

Data security and privacy in wireless body area networks

IEEE Wireless Communications 2010 17 1 51 58

10.1109/MWC.2010.5416350

2-s2.0-77649094379

Sahai

Waters

Fuzzy identity-based encryption

Advances in Cryptology—EUROCRYPT 2005 2005 3494

Berlin, Germany

Springer

457 473 Lecture Notes in Computer Science

10.1007/11426639_27

Goyal

Pandey

Sahai

Waters

Attribute-based encryption for fine-grained access control of encrypted data

Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS ′06)

November 2006

89 98

10.1145/1180405.1180418

2-s2.0-34547273527

Bethencourt

Sahai

Waters

Ciphertext-policy attribute-based encryption

Proceedings of the IEEE Symposium on Security and Privacy (S&P ′07)

2007

321 334

Wang

Ren

Lou

Achieving secure, scalable, and fine-grained data access control in cloud computing

Proceedings of the IEEE INFOCOM

March 2010

1 9

10.1109/infcom.2010.5462174

2-s2.0-77953310709

Wang

Liu

Hierarchical attribute-based encryption for fine-grained access control in cloud storage services

Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS ′10)

October 2010

735 737

10.1145/1866307.1866414

2-s2.0-78649998200

10.

Ahmad

Hassan

M. M.

Aziz

A multi-token authorization strategy for secure mobile cloud computing

Proceedings of the 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud ′14)

April 2014

136 141

10.1109/mobilecloud.2014.21

2-s2.0-84903842653

11.

Yadav

Dave

Secure data storage operations with verifiable outsourced decryption for mobile cloud computing

Proceedings of the International Conference on Recent Advances and Innovations in Engineering (ICRAIE ′14)

May 2014

Jaipur, India

IEEE

1 5

10.1109/icraie.2014.6909236

2-s2.0-84908635244

12.

Zhou

Huang

Efficient and secure data storage operations for mobile cloud computing

Proceedings of the 8th International Conference on Network and Service Management (CNSM ′12)

October 2012

37 45

2-s2.0-84872074603

13.

Rahulamathavan

Rajarajan

Phan

R. C.-W.

Low complexity multi-authority attribute based encryption scheme for mobile cloud computing

Proceedings of the IEEE 7th International Symposium on Service-Oriented System Engineering (SOSE ′13)

March 2013

IEEE

573 577

10.1109/sose.2013.12

2-s2.0-84880914747

14.

Yao

Han

A lightweight access control mechanism for mobile cloud computing

Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS ′14)

May 2014

380 385

10.1109/infcomw.2014.6849262

2-s2.0-84904513885

15.

Barua

Liang

Shen

ESPAC: enabling security and patient-centric access control for ehealth in cloud computing

International Journal of Security & Networks 2011 6 2-3 67 76

10.1504/ijsn.2011.043666

2-s2.0-84857178198

16.

Guo

Susilo

Wong

D. S.

Varadharajan

CP-ABE with constant-size keys for lightweight devices

IEEE Transactions on Information Forensics and Security 2014 9 5 763 771

10.1109/tifs.2014.2309858

2-s2.0-84898823624

17.

Wang

Public auditing for shared data with efficient user revocation in the cloud

Proceedings of the 32nd IEEE Conference on Computer Communications (INFOCOM ′13)

April 2013

Turin, Italy

IEEE

2904 2912

10.1109/infcom.2013.6567101

2-s2.0-84883057189

18.

Beimel

Secure schemes for secret sharing and key distribution [Ph.D. thesis] 1996

Haifa, Israel

Technion—Israel Institute of Technology

19.

Boneh

Franklin

K. M.

Identity-based encryption from the Weil pairing

Advances in Cryptology—CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001 Proceedings 2001 2139

Berlin, Germany

Springer

213 229 Lecture Notes in Computer Science

10.1007/3-540-44647-8_13

20.

Cheng

Zhang

Feng

AB-ACCS: a cryptographic access control scheme for cloud storage

Journal of Computer Research and Development 2010 47 z1 259 265

21.

Bethencourt

Sahai

Waters

CP-ABE toolkit

2006, http://acsc.cs.utexas.edu/cpabe/

Achieving Secure and Efficient Data Access Control for Cloud-Integrated Body Sensor Networks

Abstract

1. Introduction

2. Related Work

3. Preliminaries

3.1. Notations

3.2. Basics

3.2.1. Bilinear Pairing

3.2.2. Discrete Logarithm (DL) Problem

Definition 1 (discrete logarithm (DL) problem).

3.3. Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

3.3.1. Access Structure

3.3.2. Working Process

3.4. Assumptions

Assumption 1 (service providers (ESP, DSP, and SSP) are semitrusted).

Assumption 2 (SetS and TA are trusted).

4. MC-ABE

4.1. Overview

4.2. Two Important Notions

4.2.1. Authorization Certificate (Cert)

4.2.2. Mask Value (MValue)

4.3. Scheme Description

4.3.1. Data Outsourcing

Algorithm 2 (Setup→PK, MK).

Algorithm 3 ( E n c r y p t D O (PK, M, K)→MM).

Algorithm 4 ( E n c r y p t E S P (PK, s, T, M M ) [7, 11]→CT).

4.3.2. Data Request

Algorithm 5 (KeyGen(MK, S)→SK).

Algorithm 6 ( D e c r y p t D S P (SK, CT)→MM).

Algorithm 7 ( D e c r y p t D R ( M · s i g n a t u r e , MCert)→M).

4.3.3. User Revocation

5. Security Analysis

5.1. Encryption and Decryption Outsource

Theorem 8.

Proof.

5.2. Certificate

Theorem 9.

Proof.

5.3. Collusion

5.4. Revocation

6. Performance Evaluation

6.1. Numerical Analysis

6.1.1. Computation Cost

6.1.2. Storage Cost

6.2. Simulation Results

7. Conclusion

Footnotes

Conflict of Interests

Acknowledgments

References

Algorithm 3 ( ${E n c r y p t}_{D O}$ (PK, M, K)→MM).

Algorithm 4 ( ${E n c r y p t}_{E S P}$ (PK, s, T, $M M$ ) [7, 11]→CT).

Algorithm 6 ( ${D e c r y p t}_{D S P}$ (SK, CT)→MM).

Algorithm 7 ( ${D e c r y p t}_{D R}$ ( $M \cdot s i g n a t u r e$ , MCert)→M).