Christian Neuhaus, Martin von Löwis, Andreas Polze


Cloud-based exchange of sensitive data demands the enforcement of fine-grained and flexible access rights, that can be time-bounded and revoked at any time. In a setting that does not rely on trusted computing bases on the client side, these access control features require a trusted authorization service that mediates access control decisions. Using threshold cryptography, we present an implementation scheme for a distributed authorization service which improves reliability over a single service instance and limits the power and responsibility of single authorization service nodes.


  1. Abghour, N., Deswarte, Y., Nicomette, V., and Powell, D. (1999). Specification of authorisation services. Maftia project ist, 11583.
  2. Akinyele, J., Lehmann, C., Green, M., Pagano, M., Peterson, Z., and Rubin, A. (2010). Self-protecting electronic medical records using attribute-based encryption. Technical report, Cryptology ePrint Archive, Report 2010/565, 2010. http://eprint. iacr. org/2010/565.
  3. Anderson, J. (1972). Computer security technology planning study. volume 2. Technical report, DTIC Document.
  4. Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., et al. (2009). Above the clouds: A berkeley view of cloud computing. EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS2009-28.
  5. Bessani, A., Correia, M., Quaresma, B., André, F., and Sousa, P. (2011). Depsky: Dependable and secure storage in a cloud-of-clouds. In Proceedings of the sixth conference on Computer systems, pages 31-46. ACM.
  6. Bethencourt, J., Sahai, A., and Waters, B. (2007). Ciphertext-policy attribute-based encryption. In Security and Privacy, 2007. SP'07. IEEE Symposium on, pages 321-334. IEEE.
  7. Bowers, K., Juels, A., and Oprea, A. (2009). HAIL: A high-availability and integrity layer for cloud storage. In Proceedings of the 16th ACM conference on Computer and communications security, pages 187-198. ACM.
  8. Diffie, W. and Hellman, M. (1976). New directions in cryptography. Information Theory, IEEE Transactions on, 22(6):644-654.
  9. Fabre, J., Deswarte, Y., and Randell, B. (1994). Designing secure and reliable applications using fragmentationredundancy-scattering: an object-oriented approach. Dependable Computing-EDCC-1, pages 21-38.
  10. Gantz, J. and Reinsel, D. (2011). Extracting value from chaos. IDC research report IDC research report, Framingham, MA, June. Retrieved September, 19:2011.
  11. Ibraimi, L., Petkovic, M., Nikova, S., Hartel, P., and Jonker, W. (2009). Mediated Ciphertext-Policy AttributeBased Encryption and Its Application. Information Security Applications, pages 309-323.
  12. Kamara, S. and Lauter, K. (2010). Cryptographic cloud storage. Financial Cryptography and Data Security, pages 136-149.
  13. Kamara, S., Papamanthou, C., and Roeder, T. (2011). Cs2: A semantic cryptographic cloud storage system. Technical report, Technical Report MSR-TR2011-58, Microsoft Research, 2011. http://research. microsoft. com/apps/pubs.
  14. Katt, B., Breu, R., Hafner, M., Schabetsberger, T., Mair, R., and Wozak, F. (2009). Privacy and access control for ihe-based systems. Electronic Healthcare, pages 145-153.
  15. Kohl, J. and Neuman, C. (1993). The kerberos network authentication service (v5).
  16. Krawczyk, H., Bellare, M., and Canetti, R. (1997). HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational). Updated by RFC 6151.
  17. Kubiatowicz, J., Bindel, D., Chen, Y., Czerwinski, S., Eaton, P., Geels, D., Gummadi, R., Rhea, S., Weatherspoon, H., Wells, C., et al. (2000). Oceanstore: An architecture for global-scale persistent storage. ACM SIGARCH Computer Architecture News, 28(5):190- 201.
  18. Laprie, J. (1985). Dependable computing and faulttolerance. Digest of Papers FTCS-15, pages 2-11.
  19. McLean, J., Schell, R., and Brinkley, D. (1994). Security models. Encyclopedia of Software Engineering.
  20. Neuhaus, C., Wierschke, R., von L öwis, M., and Polze, A. (2011). Secure cloud-based medical data exchange. Lecture Notes in Informatics (LNI) - Proceedings, P192.
  21. Rabin, M. (1989). Efficient dispersal of information for security, load balancing, and fault tolerance. Journal of the ACM (JACM), 36(2):335-348.
  22. Rivest, R., Shamir, A., and Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120- 126.
  23. Sahai, A. and Waters, B. (2005). Fuzzy identity-based encryption. Advances in Cryptology-EUROCRYPT 2005, pages 457-473.
  24. Schnjakin, M., Alnemr, R., and Meinel, C. (2011). A security and high-availability layer for cloud storage. In Web Information Systems Engineering-WISE 2010 Workshops, pages 449-462. Springer.
  25. Shamir, A. (1979). How to share a secret. Communications of the ACM, 22(11):612-613.
  26. Tang, Y., Lee, P., Lui, J., and Perlman, R. (2010). Fade: Secure overlay cloud storage with file assured deletion. Security and Privacy in Communication Networks, pages 380-397.
  27. Zych, A., Petkovic, M., and Jonker, W. (2006). Key management method for cryptographically enforced access control. In Proc. of the 1st Benelux Workshop on Information and System Security, Antwerpen, Belgium.

Paper Citation

in Harvard Style

Neuhaus C., von Löwis M. and Polze A. (2012). A DEPENDABLE AND SECURE AUTHORISATION SERVICE IN THE CLOUD . In Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-8565-05-1, pages 568-573. DOI: 10.5220/0003925505680573

in Bibtex Style

author={Christian Neuhaus and Martin von Löwis and Andreas Polze},
booktitle={Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},

in EndNote Style

JO - Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
SN - 978-989-8565-05-1
AU - Neuhaus C.
AU - von Löwis M.
AU - Polze A.
PY - 2012
SP - 568
EP - 573
DO - 10.5220/0003925505680573