CloudHKA: A cryptographic approach for hierarchical access control in cloud computing

Yi Ruei Chen, Cheng Kang Chu, Wen-Guey Tzeng, Jianying Zhou

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

21 Scopus citations


Cloud services are blooming recently. They provide a convenient way for data accessing, sharing, and processing. A key ingredient for successful cloud services is to control data access while considering the specific features of cloud services. The specific features include great quantity of outsourced data, large number of users, honest-but-curious cloud servers, frequently changed user set, dynamic access control policies, and data accessing for light-weight mobile devices. This paper addresses a cryptographic key assignment problem for enforcing a hierarchical access control policy over cloud data. We propose a new hierarchical key assignment scheme CloudHKA that observes the Bell-LaPadula security model and efficiently deals with the user revocation issue practically. We use CloudHKA to encrypt outsourced data so that the data are secure against honest-but-curious cloud servers. CloudHKA possesses almost all advantages of the related schemes, e.g., each user only needs to store one secret key, supporting dynamic user set and access hierarchy, and provably-secure against collusive attacks. In particular, CloudHKA provides the following distinct features that make it more suitable for controlling access of cloud data. (1) A user only needs a constant computation time for each data accessing. (2) The encrypted data are securely updatable so that the user revocation can prevent a revoked user from decrypting newly and previously encrypted data. Notably, the updates can be outsourced by using public information only. (3) CloudHKA is secure against the legal access attack. The attack is launched by an authorized, but malicious, user who pre-downloads the needed information for decrypting data ciphertexts in his authorization period. The user uses the pre-downloaded information for future decryption even after he is revoked. Note that the pre-downloaded information are often a small portion of encrypted data only, e.g. the header-cipher in a hybrid encrypted data ciphertext. (4) Each user can be flexibly authorized the access rights of Write or Read, or both.

Original languageEnglish
Title of host publicationApplied Cryptography and Network Security - 11th International Conference, ACNS 2013, Proceedings
Number of pages16
StatePublished - 12 Jul 2013
Event11th International Conference on Applied Cryptography and Network Security, ACNS 2013 - Banff, AB, Canada
Duration: 25 Jun 201328 Jun 2013

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7954 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference11th International Conference on Applied Cryptography and Network Security, ACNS 2013
CityBanff, AB


  • Access control
  • Bell-LaPadula security model
  • cloud computing
  • hierarchical key assignment
  • key management
  • outsourced data
  • proxy re-encryption

Fingerprint Dive into the research topics of 'CloudHKA: A cryptographic approach for hierarchical access control in cloud computing'. Together they form a unique fingerprint.

Cite this