The Attack on Mona: Secure Multi-owner Data Sharing for Dynamic Groups in the Cloud

With the characters of low maintenance and little management cost, cloud computing offers an effective and economical approach for data sharing in the cloud among group members. However, since the cloud is untrustworthy, the security guarantees for the sharing data become our concerns. Unfortunately, because of the frequent change of the membership, sharing data while providing privacy-preserving is still a challenging issue. Recently, Liu et al presented a secure multi-owner data sharing scheme, named Mona, which was claimed that any group member could anonymously share data with others by exploiting group signature technique. Meanwhile, the scheme could address fine-grained access control, which means that not only the group members could use the sharing data resource at any time, but also the new users were able to use the sharing data immediately after their revocations and the revoked users will not be allowed to use the sharing data again after they are removed from the group. However, through our security analysis, the Mona scheme still has some security vulnerabilities. It will easily suffer from the collusion attack, which can lead to the revoked users getting the sharing data and disclosing other legitimate members´ secrets. In addition, there is another security shortage in the user registration phase, which is how to protect the private key when distributing it in the unsecure communication channels. This kind of attack can also lead to disclosing the user´s secret data.