DocumentCode
2843503
Title
Access Control as a Service for Public Cloud Storage
Author
Zhang, Yang ; Chen, Jun-liang
Author_Institution
State Key Lab. of Networking & Switching Technol., Beijing Univ. of Posts & Telecommun., Beijing, China
fYear
2012
fDate
18-21 June 2012
Firstpage
526
Lastpage
536
Abstract
With the rapid application of service-oriented technologies, service and data outsourcing has become a practical and useful computing paradigm. Combined use of access control and cryptography was proposed by many researchers to protect sensitive information in this outsourcing scenario. However, the rigid combination in existing approaches has difficulty in satisfying the flexibility requirement of access control for diverse applications. In this paper, we propose an access control service for public cloud storage, where authorization is controlled by the data owner, and the PDP (Policy Decision Point) and PEP (Policy Enforcement Point) can be securely delegated. In order to implement the service, an attribute-full proxy re-encryption scheme is presented as its cornerstone. The other features of our service are as follows: simple key management without the need of key derivation for users to decrypt cipher texts, composing attributes for accessing resources with subject attributes' having inner structures, and authorization relatively separating from encryption. We also give some proofs and analysis of our implementation.
Keywords
authorisation; cloud computing; cryptography; digital storage; outsourcing; PDP; PEP; Policy Decision Point; Policy Enforcement Point; access control; attribute-full proxy re-encryption scheme; cryptography; data outsourcing; data owner; flexibility requirement; public cloud storage; sensitive information protection; service outsourcing; service-oriented technologies; simple key management; Authorization; Cloud computing; Encryption; Public key; Access Control; Attribute-based Encryption Scheme; Outsourced Data Service; Proxy Re-encryption Scheme;
fLanguage
English
Publisher
ieee
Conference_Titel
Distributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on
Conference_Location
Macau
ISSN
1545-0678
Print_ISBN
978-1-4673-1423-7
Type
conf
DOI
10.1109/ICDCSW.2012.65
Filename
6258201