Design of access control framework for big data as a service platform

ABSTRACT


INTRODUCTION
In this digital era, data has become crucial asset for each and every organization as most of the decisions are based on these data.These data are generated from various sources like data from sensor-based devices, social media data, data of educational organizations, and government data [1].Security is one of the major concern for these data once they are collected to some repository [2].Blockchain technology was first developed for the exchange of digital currencies, but it has various applications for securing and protecting data, including internet of things (IoTs) [3].These various sorts of data may be completely unstructured, partially structured, or both.Big data as a service (BDaaS) is a technique that combines the facility of storing data with computing capabilities of cloud computing environment wrapped with the processing capability of big data.This model is useful for delivering the data, analyzing the data and database, and also a platform for processing, along with other service models like platform as a service (PaaS), software as a service (SaaS), and infrastructure as a service (IaaS).BDaaS is known as cloud-based framework which provides end-to-end solutions related to big data on the basis of user demand.It can also be understood as system with joint capabilities of data as a service, Hadoop as a service and data analytics as a service.Various service models can be chosen to fulfill the specific demands of users.Although there are ample benefits for using BDaaS platform but feature of security as well as privacy of the data kept in this environment becomes very critical issue.Researchers have developed various methods, frameworks, and architectures that can cater the issues related to the security and privacy of the data but still, there is a scope to address the issues of security and privacy such as access control, exposure of data, data breaches, and malicious adversary by cloud users [4].Thus, we come to know that level of protection that is needed for big data security and privacy are not assured by the cloud providers.
It has been observed that, blockchain technology has become one of the good solutions for providing secure and decentralized environment for data [5].Blockchain technology is useful in other areas of application which provide privacy and security to the data of smart home [6], smart city, education sector, and health sector.Bitcoin is one of the most well-known utilizations of the blockchain tasks.Technically, blockchain can be termed as distributed and decentralized blocks or ledgers that holds entire exchanges gathered in blocks that has finished at any point in the N/W.Blockchain is also popular distributed ledger technology (DLT).Working of blockchain technology is based on point to point (P2P) network in which every node is required to maintain a copy of the blockchain ledger.Blockchain databases are not governed by any central regulatory authority in this system.This technology also ensures that blockchain database is secured and protected from the various types of cyber-attacks.The objective of using blockchain technology in BDaaS kept on cloud storage architecture is to provide a more protected and secured environment for the users.Here we are not focusing on any specific resources in a single server, instead the blockchain network distributes all of them among nodes [7], [8].We are the approach of decentralization concept of blockchain for security purposes.This is the area where a lot of work is to be done using the fusion of different techniques and methods.
A method called ciphertext policy-attribute based encryption (CP-ABE) is used to retrieve the data for given set of attributes and prohibits individuals with different attributes from accessing data.This technique creates a secret key for users that is based on set of attributes.In this situation, decryption of the ciphertext is possible only when the attribute of the user's secret key matches with decryption policy CP-ABE technique is used to control access that is proposed in IoT environment, and furthermore, it employs a hashing algorithm to conceal the access policy and implements a signature verification scheme to safeguard against insider attacks [9], [10].CP-ABE-based access control and revocation of services mechanism has been proposed on blockchain-based cloud storage system [11].Maesa et al. [12] presents the encryption of data stored in the blockchain network using a combination of CP-ABE and symmetric key algorithms.All possible aspects of using blockchain concept on cloud has been discussed by Gong and Navimipour, [13].Use of block chain in different fields has been explored and case study of healthcare system has been presented [14].This technique dynamically switches between full encryption and partial encryption based on a prudent decision strategy using a machine learning (ML) algorithm.This scheme addresses various aspects, including authorization, authorization revocation, access control, and real-time data auditing [15].According to Saini et al. [16], a novel approach for creating an access control framework using smart contracts on a blockchain has been suggested.Authors has performed review of application of blockchain technology for securing cloud storage [17].
A strong cryptographic technique for access control and granular sharing on encrypted data is attribute based encryption (ABE).This functionality of ABE leads the adoption of ABE in encrypted cloud storage for flexible data sharing [18], [19].Blockchain-based anonymous authentication with selective revocation for smart industrial applications (BASS) offers support for attribute privacy, selective revocation, and credential soundness, aiming to enhance security and privacy within smart industrial environments [20].The basic architecture of BDaaS has been presented in [21] which is considered for this research paper.Random oracle model is used to handle security requirements such as mutual authentication and user anonymity and it also resists various malicious attacks [22].Secure cloud storage framework with access control that combines the Ethereum blockchain and CP-ABE, has been proposed for secured access control [23], [24] presents the review, opportunities and challenges of transforming big data using cloud computing resources.CP-ABE can enhance the security of access control on shared data with efficient authority verification [25].Homomorphic encryption, order-preserving encryption schemes, and ABE are also in trend as a good technique to provide data confidentiality and integrity.Thus, we can see that blockchain technology ABE are the technologies which are being used for various security aspects.Many authors have used different combination of technologies and concepts to handle different set of problems.
It has been observed that the combination of these two technologies can produce more better results.We have identified the following problems after the literature survey, which are as: i) owner of the data/software/services available at BDaaS environment, are not able to decide about the people who can access the data at run-time; ii) it is difficult to decide attributes for which access can be made possible for the users at the time of request; and iii) dependency of access control architecture on semi-trusted authority.
We have proposed an access control framework and designed algorithm for secure access control of data kept on BDaaS in cloud platform.The proposed framework uses CP-ABE algorithm to provide secured data access.Access information is stored in the blockchain in the form of smart contracts which are designed Int J Reconfigurable & Embedded Syst ISSN: 2089-4864  in the form of algorithm.Contributions of the research paper are as: i) access control framework for BDaaS has been proposed using decentralized and secure blockchain technology.Sequence of entire process is also presented in the paper through diagram; ii) the proposed framework contains all the access policies in the smart contracts of blockchain network using customized form of CP-ABE algorithm which is among very popular algorithms for access control.It also uses the digital signature for the authentication of data; and iii) algorithm for user key generation, attribute authority key generation, user key generation, encryption, and decryption has been designed in this research paper.

PROPOSED METHOD
We need to understand the relation between big data, IoT, and BDaaS.Sensors are installed to collect the data that is very huge in amount and sometimes complex also.This data is termed as big data.Now users want to access data from this big data with the help of cloud provider to help organizations to management and analysis.Among these all-existing techniques of data access, we are using attribute-based access control techniques.In this technique, the qualities of users, systems, and environmental factors are used to evaluate a set of rules, regulations, and relationships in order to allow or deny access to data and services.CP-ABE technique is used for secured access control on blockchain environment.Fusion of these two technologies are making more secured access control environment in the proposed work.

Ciphertext policy-attribute based encryption algorithm
The highly popular access control mechanism known as ABE depends on characteristics to create the secret key of user and the ciphertext.ABE comes under symmetric-key encryption and has two types, which are key-policy attribute-based encryption (KP-ABE) and CP-ABE.In this research paper, our access control algorithm is derived from the CP-ABE algorithm which is implemented on the blockchain platform.Access control is a way to limit the access of any system or resources physically or virtually.We may also describe it as a security method that limits who can view or access information.
Basic steps of CP-ABE algorithm are as: i) generate public key (PK) and master key (MK), ii) encrypt the message along with the access structure of all attributes, then final output will be the ciphertext, iii) generate private key (SK) using MK and the attributes used, iv) decrypt the message using PK and SK, and v) if required, we can perform delegate step that will take the secret key and return the secret key for given set of attributes.

Workflow of proposed blockchain based access framework using CP-ABE
In this section, we have shown the workflow of the proposed model.The workflow is based on working of three major technologies in which the BDaaS available on cloud is secured for access control using CP-ABE algorithm and blockchain technology.Figure 1 presents the framework of proposed access control using blockchain and CP-ABE algorithm.

Workflow of given framework
Data owners and attribute authorities transmit requests for the production of public and MK, as well as global parameters, in order to register in the suggested architecture.This framework is initiated by attribute authority.Entire workflow of proposed framework is as: Step 1. Attribute authorities send request to blockchain network for key generation requests.
Step 2. Blockchain network generates public key [PK(AA)] and master keys [MSK(AA)] for registration in the proposed architecture and sends to attribute authorities.Step 3. Service owner send request to blockchain network for key generation.Step 12. Service owner shares the cipher text with attribute authority.
Step 13.Cipher text generated in Step-11 is outsourced to BDaaS platform on cloud.
Step 14. Whenever the user sends the request for access to data owner, then data owner takes it from BDaaS platform on cloud and shares with the user.
Step 15.The user performs decryption process on cipher text and verify the digital signature.User can do it only if they are authenticated user.

Designing of smart contract algorithms for proposed framework
All the parameters of access control are handled by using smart contract which are simple programs and stored at blockchain.These programs execute when predefined condition given in smart contract are met.In the proposed model, entire access control is managed using different algorithms which will be written in CP-ABE.CP-ABE algorithm is based on four fundamental concepts, which are setup, encrypt, generation_of_key (KeyGen) and decrypt.Setup algorithm takes implicit security parameters and provides public parameters PK and MK.Encrypt algorithm takes parameters as PK, message (M) and access structure (A) which is represented as encrypt (PK, M, A) and after encryption it provides cipher text (CT) which can be decrypted by only those users who possess attributes defined in access structure.Key generation algorithm takes two parameters as MK and set of attributes (S) as an input which is represented as KeyGen (MK, S) and produces SK.After this the decrypt algorithm comes in the picture and takes PK, CT with access policy and SK with set of attributes as an input and represented as decrypt (PK, CT, SK) that produces message M after decryption if set of attributes satisfies the access structure.
All smart contracts functions will be designed using CP-ABE algorithm and data owner and attribute authorities are involved to provide all required services to the users.By analyzing the workflow of proposed framework, we are identifying all smart contract algorithm used for access control, which are as: i) PK and MK generation for registration process, ii) user key generation algorithm, iii) algorithm for encryption, iv) algorithm for re-encryption, and v) algorithm for decryption.

Algorithm for setting security parameters
This is section, we set up security parameters for the proposed model.It is represented by setup (GP, U) that takes the general security parameters and universal attribute set and generates the SK and MK for the owner and attribute authority.KeyGen (DO) (GP) and KeyGen (AA) (GP,c,d) are the two algorithms that are the parts of this setup.

Key generation algorithm for data owner
In this proposed framework data owner generates the keys using key generation algorithm.This algorithm takes general security parameters as an input and generates SK and MK for the data owner.Propose algorithm for key generation of data owner is shown in the Algorithm 1.

Key generation algorithm for attribute authority
Attribute authority of proposed framework generate keys using Algorithm 2. This algorithm accepts general security parameters and two random numbers from group under multiplication modulo of p. SK and MK of attribute authority are output of this algorithm.

Key generation algorithm for users
Attribute authority and data owners receive the attributes of user and generate access keys with the help of Algorithm 3.These access keys are used to generate a secret key for the user.We can use some such protocol by which they can generate a secret key without telling their own keys.Two party computation function can be used to generate such key.From implementation point of view, we are creating different classes in java programming language for creation, storing, and validation of blocks and then this blockchain network is deployed with CP-ABE algorithm.Core functionalities such as generation of user keys and data owner keys, encryption, and decryption are provided by cloud storage services.Now according to the responses of user and data owner smart contract functions triggers automatically.Cloud storage service are also deployed by using the CloudSim tool.Performance of proposed system is analysed in terms of key generation time, encryption time, and decryption process.Here keys are generated for user and owner.It is the time required to generate keys either for user or owner after giving registration details.Encryption time is that is required to convert the plaintext to ciphertext.Decryption time is defined as the time that is required to get the plaintext from the ciphertext.We are using the data set that contains 6 access policies in the form of smart contracts, 25 attributes.Starting from 10 attributes, we are increasing the number of attributes and calculation the key generation time, encryption time, and decryption time of proposed system using org.cloudbus.CloudSim package of CloudSim simulator.Results obtained from this setup are calculated and the comparison between the existing model and proposed model is compared.In Figure 2, we have shown the results of various calculation performed to calculate the performance of proposed system.Figures 2(a) to (c) clearly show that key generation time, encryption time, and decryption time of proposed system is less as compare to the existing model though the complexity of system is increasing due to involvement of blockchain.

CONCLUSION
As we know, the privacy and security of data kept on the BDaaS platform are challenging issues.In the proposed framework, we have designed the framework for secured data access in the BDaaS platform using blockchain technology in combination with the CP-ABE algorithm.The algorithm for secured access control has been designed according to the blockchain environment.The setup phase generates two algorithms which are for SK and MK generation of both data owner and attribute authority.Once the user registers on the blockchain network, the data owner, and attribute authority generate a secret key for that user.Both secret keys are passed through a two-party computation function to generate one common key for the user.Now the data encryption is performed and the digital signature of data is generated.The user decrypts the data using its secret key and also verifies the data.The existing model considered in this research was implemented without the involvement of blockchain technology.After implementing it with blockchain technology and compared the results on three parameters that are key generation time, encryption time, and decryption time.By analyzing the results, it is very clear that the performance of the proposed system has improved after putting one more layer of blockchain in the existing model of access control that is only with the CP-ABE algorithm.In the future, we are planning to try some modified versions of the CP-ABE algorithm and also the KP-ABE algorithm.Then we will compare the result with our proposed model and analyze the result.

Figure 1 .
Figure 1.Proposed architecture for blockchain based access control in BDaaS

Step 4 .
Blockchain network generates public key [PK(DO)] and master keys [MSK(DO] for registration in the proposed architecture and sends to service owner.Step 5. User sends the request for registration to the blockchain network.Step 6. Blockchain network sends the details [U(AT)] (attributes such as ID, Name, Contact No, Email ID) of user to the service owner and attribute authority.Step 7. The service owner and the attribute authority save the details of user and generates an access key using CP-ABE algorithm corresponding to the user's list of attributes and shares with attribute authority.Step 8. Service owners shares the generated access key [SK (DO, User)] with the user.Step 9. Attribute authority shares the access key [SK (AA, User)] with the user and also generate access key for attribute group key [SK* (AA, User)].Step 10.Now user generates secret key [SK(USER)] by executing key generation algorithm by using the keys generated by service owner and attribute authority.Step 11.Service owner encrypts the plain text into ciphertext and digital signature.

155 Algorithm 1 . 2 -
Int J Reconfigurable & Embedded Syst ISSN: 2089-4864  Design of access control framework for big data as a service platform (Santosh Kumar Sharma) Key generation for data owner Input: General Security Parameter (GP) Output: Private Key of Owner [PK (DO)], Master Key of Data Owner [MSK (DO)] Algorithm: This algorithm will be denoted as KeyGen (DO) (GP) →{PK(DO), MSK(DO)} Step 1-Start Step Choose a random number 'a' from the finite field over prime number p. a ϵ Zp Step 3-Choose a generator 'g' which fulfill the criteria: b ← ga Here b is also from the finite field over prime number p. i.e. b ϵ Zp Step 4-PK(DO) ← b Step 5-MSK(DO) ← a Step 6-Stop

Algorithm 3 .
Key generation for users Input: Master Key MSK (DO) and MSK (AA), User Attribute U (AT) Output: User Secret Key [SK (USER)] Algorithm: This algorithm will be denoted as UserKeyGen (MSK(DO), MSK(AA), U(AT)) → SK(USER) Step 1-Start Step 2-Attribute Authority and Data Owner authenticate the User Step 3-Data Owner selects random exponent which is unique and secret to user i.e. m ϵ Z*P Step 4-Attribute authority selects random exponent i.e. n ϵ Z*p Step 5-Define two party computation function as F = 2PC(DO(m,a), AA(c)) = (c + m) a Step 6-Data Owner computes the parameter M M = g (F/n) = g (c + m) a / n Step 7-Attribute Authority compute the parameter N N = M (1/a2) = g (c + m) / n a Step 8-Data Owner sent parament M to Attribute authority and attribute authority sent the parameter N to data owner using 2PC for computation of secret key.i.Attribute Authority generate secret key SK (AA, User) = N n = g (c + m) / a ii.Data Owner generates secret key SK (DO, User) = (Di= gn.H(i)Ri, Di = gRi) For all i ϵ Tree and Ri ϵ Z*P iii.Attribute authority generates another secret key for attribute group key SK* (AA, User) = H (User)C Step 9-Secret keys of data owner and attribute authority is used to generate SK(USER) = {SK (AA, User), SK (DO, User)} Step 10-Stop ISSN: 2089-4864  Design of access control framework for big data as a service platform (Santosh Kumar Sharma) 157

Figure 2 .
Figure 2. Comparison of (a) user key generation time, (b) encryption time, and (c) decryption time