An efficient attribute-based access control system with break-glass capability for cloud-assisted industrial control system

1.   Introduction

In order to seek more intelligent and flexible industrial solutions, enterprises resort to cloud-assisted industrial control system (ICS), which integrates cloud computing, fog computing, Internet of Things (IoT) and Supervisory Control and Data Acquisition (SCADA) systems to perceive the changing state in the real world and acquire enormous amounts of data and achieve optimization control ^[1,2,3].

However, this compelling paradigm is confronted with various security and privacy risk, such as unauthorized access and information disclosure ^[4,5,6]. Encryption plays a crucial role in protecting the data confidentiality. Using encryption methods, a secure communication channel in the cloud-assisted ICS framework can be established ^[7,8,9,10]. While in the cloud environment where multiple users share the data, the data owner would have to share the data according to some access control policy. Therefore, fine-grained access control has been increasingly recognized as a critical issue.

Attribute-based encryption (ABE) ^[11] is a promising cryptographic technology that is capable of achieving confidentiality protection and fine-grained access control simultaneously. ABE schemes are classified into two categories, key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE) ^[12]. In the KP-ABE scheme, a ciphertext is associated with a set of attributes and a user's decryption key is associated with a tree access structure. Only if the attributes associated with the ciphertext satisfy the tree access structure can be decrypted by the user. In the CP-ABE scheme, the ciphertext is encrypted according to an access policy selected by the data owner, while the decryption key is generated with respect to a set of attributes. As long as the set of attributes satisfies the access policy, the decryption key can be used to decrypt the ciphertext. Using the CP-ABE scheme, the data owner can easily determine who can access the data by setting policies in the ciphertext, which is conceptually closer to traditional access control models such as role-based access control. Therefore, the CP-ABE has been adopted in the cloud computing system to implement the fine-grained attribute-based access control (ABAC) model.

The cloud-assisted ICS requires much faster response than other regular cloud computing systems do. Therefore, users can not simply use some ABE schemes for the ICS environment. One of the main drawbacks of ABE is that decryption involves expensive pairing operations and the size of the ciphertext and the duration of decryption grows with the complexity of the access policy. It would be a challenge for a production operator to complete the decryption on their resource-constrained devices, such as PDA, and it hinders the effort to migrate ABE to the ICS.

How to enable the data owner to update the access policy quickly in the CP-ABE scheme without privacy leakage becomes another research hotspot. In the CP-ABE scheme, the access policy is embedded in the encrypted data. To update the access policy, the data should be re-encrypted under the new access policy. As a result, the data owner undertakes the re-encryption caused by the policy update but the re-encryption causes a large computational overhead.

In addition, most of the ABE schemes are described in symmetric pairings. These constructions are considered rather inefficient, and have security vulnerabilities ^[13]. Therefore, the faster asymmetric pairings (Type-3) have been the recommended choice by experts ^[14].

Although several ABE schemes have been modified to support specific requirements, they are not applicable in emergency situations. When an accident occurs, for example, a chemical tank is on fire, the fire-fighters need to obtain the detailed information such as the type and quantity of materials, material condition of adjacent tanks, temperature of relevant storage tanks, concentration of combustible and toxic gases in the environment, the status of inlet and outlet valves and so on. At this point, the ICS administrator or its data owner may be unavailable. Thus, it's necessary to construct a break-glass access mechanism ^[15] that allows the emergency situation handlers (ESH) or rescuers who don't have access privileges can override the access policy and access the plaintext data quickly. Besides, to keep the emergency access from being abused, each break-glass access should be documented for later audits.

This paper proposes a new asymmetric pairing-based CP-ABE, namely CP-ABE with break-glass, and makes it more efficient and suitable for the cloud-assisted ICS. The scheme protects data confidentiality and effectively controls user access to resources with two modes. The paper has the following contributions.

1) This paper proposes an outsourced CP-ABE scheme with policy updating. The scheme outsources most of the decryption and the policy updating to the semi-trusted fog and cloud, thus reducing the computation on the user side.

2) Most of the ABE mechanisms are constructed by symmetric prime-order (Type-1) pairings, however, the pairings have been considered inefficient and insecure. Therefore, this paper describes CP-ABE scheme in terms of an asymmetric Type-3 pairings. Although researchers have rephrased some traditional CP-ABE schemes in asymmetric pairings ^[16], this is the first time (to authors' knowledge) that an outsourced CP-ABE with policy updating under the asymmetric setting is proposed.

3) We propose an improved CP-ABE with integrated break-glass access capability. In emergency, the ESH can utilize a password pre-shared by the data owner to break the glass and obtain the plaintext data.

The rest of the paper is organized as follows: Section 2 presents an overview of related works. Section 3 introduces the preliminaries and Section 4 provides the system architecture and workflow. Section 5 provides detailed construction method. In Section 6, the paper analyses the security of the proposed scheme, evaluates the performance, and presents the quantitative evaluation of the scheme, followed by a conclusion in Section 7.

2.   Related works

Attribute-based Encryption (ABE) was proposed by Sahai and Waters ^[17] to meet the requirement of confidentiality and access control demand of an open network environment such as cloud computing. In 2007, Bethencourt et al. ^[18] proposed the first CP-ABE construction. The scheme adopts threshold gate to build access policy and is proven to be secure in the generic group model. However the expression is not flexible enough. It is only suitable for applications with simple access policy requirements. Waters ^[19] proposed an expressive CP-ABE scheme that can support and/or and threshold operations. The access structure of this scheme is based on the LSSS matrix, and the scheme is proven secure in the standard model. Then Rouselakis et al. ^[20] constructed a large universe CP-ABE on prime order bilinear pairings.

Considering a revoked employee may attempt to access the files using his old key, Sahai et al. ^[21] discussed the access policy updating problem in CP-ABE, however, their scheme only allows a ciphertext to be re-encrypted to a more restrictive policy. Lai et al. ^[22] proposed an adapt CP-ABE which can update the access policy in a ciphertext to a new policy without retrieving and decrypting the encrypted data. Yang et al. ^[23] developed a dynamic policy updating method for LSSS structure. With an update key, the proxy can update the ciphertext from the previous access policy to the new policy.

Because the ABE schemes ^{[17,18,19,20,21,22,23]} require additional pairing operations in decryption and the ciphertext size and the cost of decryption grow with the size of the access policy, the CP-ABE brings in a large computation cost compared to standard public key cryptography. To overcome this problem, Green et al. ^[24] presented a method for outsourcing the decryption of CP-ABE ciphertext. Applying Green's idea, Tu et al. ^[25] presented a multimedia data forwarding scheme based on the CP-ABE and outsourced most of the computation to the cloud.

Pairing-based cryptography (PBC) is an important ingredient in the construction of ABE. Most of the current ABE schemes ^{[17,18,19,20,21,22,23,24,25]} are described in the context of the symmetric Type-1 pairings, which are implemented on super singular elliptic curves, with maximum embedding degrees of 2, 4 and 6 respectively. Whereas the asymmetric Type-3 pairings support embedding degrees greater than 6 (on elliptic curves). To achieve the same security level, the Type-3 pairings are more efficient than Type-1 pairings. Besides, the symmetric pairings have been faced with many security threats, such as attacks by Kim and Barbulescu ^[13]. The attack can reduce the complexity of solving the discrete logarithm problem (DLP). Therefore, Scott ^[16] described a CP-ABE scheme in the context of the asymmetric Type-3 pairings due to Waters ^[19]. Morales-Sandoval et al. ^[26] rephrased the large universe ABE ^[27] using the asymmetric Type-3 pairings, and the experiment showed that the asymmetric type F curve (BN-curve) can lead to a better performance.

Considering the emergency access to data without the credentials, Scafuro ^[28] introduced the concept of break-glass encryption for cloud storage that people can break the encrypted data at most one time in a traceable way. Then, to make ABE suitable for emergency situations, Brucker et al. ^[29] first integrated ABE with the break-glass encryption. They use a hierarchy of emergency attributes as override attributes to access the resource. Schefer-Wenzl et al. ^[30] proposed a generic model to integrate the break-glass policy into RBAC. Aski et al. ^[31] put forward an idea of integrating ABE with break-glass capabilities. They used a pre-shared password as an attribute to extract the break-glass key, but lacking of the concrete algorithm implementation. Oliveira et al. ^[32] proposed a break-glass protocol based on CP-ABE. They constructed an emergency policy in the ciphertext, and the ESH can utilize emergency attributes to access the resource. Zhang et al. ^[33] also proposed a break-glass access control scheme for emergency situation, but it could not realize fine-grained access control. Recently, Yang et al. ^[34] proposed a concrete access control system, which simultaneously supports break-glass access control and ABAC. However, they didn't show how to identify the malicious users who abuse the key. In break-glass encryption, the encrypted data should be broken in a traceable way.

3.   Preliminaries

3.1.   Bilinear maps

Definition 1 (bilinear maps) Let ${G}_{1}$, ${G}_{2}$ and ${G}_{T}$ be groups of prime order $p$. A bilinear map is a function $\mathrm{e}:{G}_{1}\times {G}_{2}\to {G}_{T}$ with the following properties:

1) Bilinear: For all ${g}_{1}\in {G}_{1}$ and ${g}_{2}\in {G}_{2}$, $a, b\in {Z}_{p}$, there is $e\left({{g}_{1}}^{a}, {{g}_{2}}^{b}\right) = e{\left({g}_{1}, {g}_{2}\right)}^{ab}$.

2) Non-degeneracy: $e\left({g}_{1}, {g}_{2}\right)$ generates ${G}_{T}$.

3) Efficiency: There exists an efficient algorithm to output the bilinear group $\left(p, {G}_{1}, {G}_{2}, {G}_{T}, e, {g}_{1}, {g}_{2}\right)$ and compute $e\left({g}_{1}, {g}_{2}\right)$ for $\forall {g}_{1}\in {G}_{1}, {g}_{2}\in {G}_{2}$.

Galbraith et al. ^[14] distinguish three types of pairings:

Type-1: ${G}_{1} = {G}_{2}$.

Type-2: ${G}_{1}\ne {G}_{2}$ and there exists an efficient homomorphism $\psi :{G}_{2}\to {G}_{1}$.

Type-3: ${G}_{1}\ne {G}_{2}$ there are no efficiently computable homomorphisms between ${G}_{1}$ and ${G}_{2}$.

Type 3 is the only choice which offers good performance and flexibility for high security parameters, and yet this choice does not permit a homomorphism from ${G}_{2}$ to ${G}_{1}$. Hence, this paper designs the CP-ABE scheme using asymmetric Type-3 pairings.

3.2.   Access structure

Definition 2 (access structure ^[19]) Let $\left\{{P}_{1}, {P}_{2}, \dots, {P}_{n}\right\}$ be a set of parties. A collection $\mathbb{A}\subseteq {2}^{\left\{{P}_{1}, {P}_{2}, \dots, {P}_{n}\right\}}$ is monotone if $\vee B, C:\mathrm{i}\mathrm{f}\;B\in \mathbb{A}\;\mathrm{a}\mathrm{n}\mathrm{d}\;B\subseteq C\;\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{n}\;C\in A$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\left\{{P}_{1}, {P}_{2}, \dots, {P}_{n}\right\}$, ie $\mathbb{A}\subseteq {2}^{\left\{{P}_{1}, {P}_{2}, \dots, {P}_{n}\right\}}\backslash \left\{\mathrm{\varnothing }\right\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

3.3.   Linear secret sharing schemes (LSSS)

Definition 3 (linear secret-sharing schemes (LSSS) ^[19]) A secret-sharing scheme $\mathrm{\Pi }$ over a set of parties $\mathcal{P}$ is called linear (over ${Z}_{p}$) if

1) The shares for each party form a vector over ${Z}_{p}$.

2) There exists a matrix $\mathrm{{\rm A}}$ with $l$ rows and $n$ columns called the share-generating matrix for $\mathrm{\Pi }$. For all $i = 1, \dots, l$, the ${i}^{th}$ row of $\mathrm{{\rm A}}$ is labeled by a party ${\rho }_{\left(i\right)}$ ($\rho$ is a function from $\{1, \dots, l\}$ to $\mathcal{P}$).

When considering the column vector $= (s, {r}_{1}, {r}_{2}, \dots, {r}_{n})$, where ${s\in Z}_{p}$ is the secret to be shared, and ${r}_{2}, \dots, {r}_{n}\in {Z}_{p}$ are randomly chosen, then $\mathrm{{\rm A}}v$ is the vector of $l$ shares of the secret $s$ according to $\mathrm{\Pi }$. The share ${\left(\mathrm{{\rm A}}v\right)}_{i}$ belongs to party ${\rho }_{\left(i\right)}$.

Suppose that $\mathrm{\Pi }$ is an LSSS for the access structure $\mathbb{A}$. Let $S\in \mathbb{A}$ be any authorized set, and let $I\subset \{1, \dots, l\}$ be defined as $I = \{i:{\rho }_{\left(i\right)}\in S\}$. Then, there exist constants ${\left\{{\omega }_{i}{\in Z}_{p}\right\}}_{i\in I}$ such that, if ${\{\lambda }_{i}\}$ are valid shares of any secret s according to $\mathrm{\Pi }$, then ${\sum }_{\mathrm{i}\in \mathrm{I}}{\omega }_{i}{\lambda }_{i} = s\mathrm{ }$.

Let ${A}_{i}$ denotes the ${i}^{th}$ row of $\mathrm{{\rm A}}$, then ${\sum }_{\mathrm{i}\in \mathrm{I}}{\omega }_{i}{A}_{i} = (\mathrm{1, 0}, \dots, 0)\mathrm{ }$. Furthermore, these constants $\left\{{\omega }_{i}\right\}$ can be found in time polynomial in the size of the share-generating matrix $\mathrm{{\rm A}}$. For unauthorized sets, no such constants $\left\{{\omega }_{i}\right\}$ exist.

4.   System architecture and workflow

4.1.   System architecture

The system consists of five entities: central authority (CA), cloud server, fog nodes, data owner (DO), data consumer (DC) and emergency situation handlers (ESH), as shown in Figure 1. The following subsections will summarize the major functions of each entity.

1) Central authority

The CA is a fully trusted agency that is designated to generate the master key and public key. It also generates the attribute key associated with the user's attributes and distributes the public key to the DO for data encryption then transmits the attribute key to the DC for decryption. In order to prevent the break-glass key from being abused, the CA is responsible for tracing the break-glass key.

2) Cloud server

The cloud server offers a data storage service for the DO. It is considered to be semi-trusted that it will manage the uploaded data honestly but curious about the data. It may read the content and compromise user privacy. In the proposed scheme, the cloud is also in charge of helping the DO to update the access policy and re-encrypt the ciphertext.

3) Fog nodes

The fog nodes are also semi-trusted, and are responsible for keeping the DC's transform key. Using the transform key, the fog partially decrypt the ciphertext requested by the DC from the cloud, thus reducing the DC's decryption cost.

4) Data owner

The DO refers to the ICS or its data owner, which is used for industrial process control and have a great amount of data to be shared. Normally, the DO encrypts its data using the CP-ABE to realize the confidentiality and flexible access control. In response to some emergency case, the DO pre-shares a password with the ESH, and the ESH can utilize the password to recover the break-glass key to bypass the access policy and decrypt the encrypted data.

5) Data consumer

The DC refers to the party who is attached to the fog and would like to gain access to the ciphertext stored in cloud. A data consumer needs to contact the CA to obtain the attribute key corresponding to the attributes he claims to have. Once the DC's attributes satisfy the access policy, he can obtain a partially decrypted ciphertext from the fog and decrypt the encrypted data using his secret keys.

6) Emergency situation handlers

The ESH refers to the rescuers, fire fighters, polices or other disaster specialists. Once an emergency occurs, the ESH should start the disaster recovery plan and access the original data freely for safety and legal reasons. Using his identity and the password from the DO, the ESH interacts with the cloud to obtain the break-glass key. Then the ESH can access the original data freely under a controlled environment, because the break-glass key is traceable.

4.2.   System workflow

This subsection introduces the system workflow of attribute-based access control, break-glass access control and the access policy updating process.

In the ABAC, the CA runs the system setup algorithm and outputs the public key, then the DO encrypts its data and uploads the ciphertext to the cloud. It first encrypts the data with a random key ${K}_{a}$ by applying a symmetric encryption algorithm (e.g., AES), then encrypts the key ${K}_{a}$ by applying the CP-ABE algorithm under an access policy. The DC obtains his secret key SK and transform key TK associated with his attributes from the CA and stores the TK on the fog. When the DC requests the ciphertext, the cloud sends it to the fog for ciphertext transformation. Using the TK, the fog partially decrypts the ciphertext to reduce the decryption cost on the DC. Last the DC receives the partially decrypted ciphertext from the fog and recovers the plaintext by his secret key SK.

In the Break-Glass Access Control, the DO pre-shares a password $pw$ with the ESH. Then the DO calculates the ciphertext of the password and uploads it to the cloud. When an emergency occurs, the ESH and the cloud engage in a two party computation to extract the break-glass key $BK$. The ESH first calculates his identity elements and sends them to the cloud. Using the identity elements, the cloud computes a ciphertext ${BK}^{'}$ for the ESH. Then the ESH can compute the break-glass key $BK$ by the ${BK}^{'}$. Using the break-glass key $BK$, the ESH recovers the plaintext.

The ciphertext of the proposed scheme consists of two parts, one is the ciphertext of the symmetric key ${K}_{a}$, and the other is the ciphertext of the password $pw$, which are denoted as ${CT}_{m}$ and ${CT}_{pw}$ respectively. To update the access policy, the DO should update the ${CT}_{m}$ and ${CT}_{pw}$. Firstly, the DO selects the new vector ${A}_{i}^{'}$ corresponding to the i-th row of the ${l}^{'}\times {n}^{'}$ matrix ${A}^{'}$ and sends it to the cloud to update the ciphertext of the key ${K}_{a}$. Then, he generates and transmits the elements of the password $pw$ to the cloud to update the ciphertext of the password. Finally, the cloud runs the policy updating algorithm to generate the new ciphertext $C{T}_{m}^{'}$ and $C{T}_{pw}^{'}$.

5.   Algorithm descriptions

To achieve the efficient fine-grained access control with break-glass capability, this paper modifies the algorithm in ^[22] to outsource the computation overhead and utilize asymmetric Type-3 pairings. This paper also applies the idea of the password-controlled encryption shown in ^[33] to the proposed scheme to realize the break-glass access control. Next, this paper presents the construction of the CP-ABE with break-glass for the cloud-assisted ICS.

1) System Setup: $Setup\left({1}^{\lambda }\right)\to (PK, MK$)

The CA runs the setup algorithm to conduct an initial operation and setup important parameters. Take as input the security parameter $\mathrm{\lambda }$, the CA selects an asymmetric bilinear map: $e:{G}_{1}\times {G}_{2}\to {G}_{T}$, where ${G}_{1}$, ${G}_{2}$ and ${G}_{T}$ are groups of prime order $p$. Let $U$ be the size of system's universe attribute set. Then, the CA chooses generators ${g}_{1}\in {G}_{1}$, ${g}_{2}\in {G}_{2}$ and random group elements ${h}_{1}, \dots, {h}_{U}\in {G}_{1}$, ${g}_{3}\in {G}_{2}$. In addition, it randomly chooses $\mathrm{\alpha }, \beta \in {Z}_{p}$.

Finally, the CA generates the public key $PK$ and master key $MK$ as

2) Data Encryption: $Encrypt\left(PK, {K}_{a}, \left(A, \rho \right), pw\right)\to ({CT}_{m}, {CT}_{pw}$)

First, a symmetric key ${K}_{a}$ is used to encrypt the data $D$ to be shared, then the DO encrypts the key ${K}_{a}$ with the encrypt algorithm. The encrypt algorithm takes as input the public parameter $PK$, an LSSS access structure $(A, \rho)$, and the key ${K}_{a}$, then the DO selects a random vector $v = \left(s, {v}_{2}, \dots, {v}_{n}\right)\in {Z}_{p}^{n}$, and for $i = 1, \dots, l$, it computes ${\lambda }_{i} = {A}_{i}v$, where ${A}_{i}$ is the vector corresponding to the i-th row of the $l\times n$ matrix $A$, and the function $\rho$associates rows of $A$ to the attributes. Then it creates the ciphertext of the key ${K}_{a}$

Moreover, the DO generates the auxiliary ciphertext of the password pw. He randomly chooses a password $pw\in {Z}_{p}$ and calculates the ciphertext of the password pw:

Here, the $\gamma \in {Z}_{p}$ is the private key of the cloud and the ${g}_{\gamma } = {\left({g}_{1}^{\alpha }\right)}^{-\gamma }$ is its public key.

Last, the DO sends the ciphertext $CT = < {CT}_{m}, {CT}_{pw}>$ and the encrypted data $F = SE({K}_{a}, D)$ to the cloud.

3) Key Generation for user: $KeyGen\left(MK, S\right)\to (TK, SK$)

The method takes as input the master key MK and a set of attributes S, the CA randomly selects $t, z{\in Z}_{p}$ and generates the attribute keys $AK = < TK, SK>$ for the attribute set $S$ as

Here, the $TK$ is the transform key and the SK is the user's secret key. The $TK$ can be stored on the fog and the SK must be secretly maintained by the user. Since the $TK$ is associated with the user's attributes, the fog can partially decrypt the ciphertext for the user.

4) Break-Glass Key Extraction: $BKExt\left(pw\right)\to (BK$)

Considering the emergency situations, the DO pre-shares a password $pw$ with the ESH with an $ID\in {Z}_{p}$. When the ESH wants to decrypt the ciphertext in emergency, he interacts with the cloud to obtain the break-glass key $BK$ using the password $pw$.

The ESH randomly selects $\tau, \mu \in {Z}_{p}$ and calculates $R = {g}_{2}^{\tau }$, ${\tau }_{pw}^{'} = \tau \cdot ID$. Then the identity elements $< R, {\tau }_{pw}^{'}, \mu, pw>$ are sent to the cloud. Then the cloud computes $\mathrm{\delta } = \mu (\gamma -pw)$, ${g}_{pw}^{'} = {(R\cdot {g}_{3}^{{-\tau }_{pw}^{'}})}^{1/\mathrm{\delta }}$ and sends the ${BK}^{'} = < {\tau }_{pw}^{'}, {g}_{pw}^{'}>$ to the ESH.

Finally, the ESH calculates the break-glass key as

and verifies whether or not ${\tau }_{pw} = ID$. If the equation holds, the key $BK$ is valid. Otherwise, the cloud behaves dishonestly.

5) Trace: $Trace\left(BK\right)\to \left(ID\right)$

Given the break-glass key $BK = < {\tau }_{pw}, {g}_{pw}>$, the CA runs the algorithm to check the $ID$ of the $BK$ by verifying whether or not

If the equation holds, it means that the $BK$ is valid. Then the algorithm outputs the ${\tau }_{pw} = ID$.

6) Policy Update: $PolicyUp\left(PK, CT, ({A}^{'}, {\rho }^{'})\right)\to (C{T}^{'}$)

Take as input the public key PK, the ciphertext CT and a new access policy $({A}^{'}, {\rho }^{'})$, the cloud runs the policy update algorithm to update the access policy $(A, \rho)$ and generate the new ciphertext ${CT}^{'}$.

The DO randomly selects ${A}_{i}^{'} = {(a}_{i1}, {a}_{i2}, \dots, {a}_{i{n}^{'}})$, which is the vector corresponding to the i-th row of the ${l}^{'}\times {n}^{'}$ matrix ${A}^{'}$. Then the cloud randomly selects ${r}_{i}^{'}\in {Z}_{p}$ and a vector $\tilde {v} = \left(\tilde {s}, {\tilde {v}}_{2}, \dots, {\tilde {v}}_{{n}^{'}}\right)\in {Z}_{p}^{{n}^{'}}$. Assume ${s}^{'} = \tilde {s}+s$, the cloud can output a vector ${v}^{'} = \left({s}^{'}, {\tilde {v}}_{2}, \dots, {\tilde {v}}_{{n}^{'}}\right)$.

According to the Eq (3), the cloud generates the new ciphertext $C{T}_{m}^{'}$ as

It computes the new components as

According to the Eq (4), the cloud also generates the new ciphertext ${CT}_{pw}^{'}$

It receives the component ${{(g}_{1}^{\alpha })}^{pw}$ from the DO and computes the new components as

Although the cloud doesn't know the secret s, it can also compute the ciphertext ${CT}_{m}^{'}$ and ${CT}_{pw}^{'}$.

7) Ciphertext Transform: $Transform\left(TK, {CT}_{m}\right)\to ({CT}_{T}$)

With the input DC's transform key $TK$ and the requested ciphertext ${CT}_{m}$, the fog runs the transform algorithm to generates the ${CT}_{T}$ as

If the DC's attributes match the access policy of the encrypted data, the above equation holds. Otherwise, the algorithm outputs $\perp$, the fog deliveries nothing to the DC.

8) Decryption with Secret Key: ${Decrypt}_{ABE}\left(SK, {CT}_{T}\right)\to ({K}_{a}$)

If the DC has a valid set of attributes, he will receive the transformed ciphertext ${CT}_{T}$ from the fog. Take as input the secret key SK and the ciphertext ${CT}_{T}$, the DC runs the ${Decrypt}_{ABE}$ algorithm and recover the key ${K}_{a}$ as

9) Decryption with Break-Glass Key: ${Decrypt}_{BG}\left(BK, CT\right)\to ({K}_{a}$)

In emergency, the ESH executes the ${Decrypt}_{BG}$ algorithm to recover the key ${K}_{a}$. Take as input the break-glass key $BK$ and the ciphertext $CT$, the algorithm outputs

6.   Analysis and performance

6.1.   Security analysis

6.1.1.   Confidentiality

In the proposed scheme, the confidentiality of the plaintext data depends on the security of the symmetric key ${K}_{a}$. It would be difficult for the attacker to obtain the ${K}_{a}$, which is hidden in the ${K}_{a}e{\left({g}_{1}, {g}_{2}\right)}^{\alpha s}$.

There are two ways to obtain the ${K}_{a}$. One is using the key related to the user attributes to decrypt the ciphertext according to the CP-ABE. The other is to utilize the password $pw$ pre-shared by the data owner to break the glass.

Scott ^[16] has outlined the definition of Waters CP-ABE ^[19] in the asymmetric Type-3 pairings, and this paper improves it by outsourcing the decryption and re-encryption caused by the policy updating. Since its structure has not been changed, the modified version is secure. Normally, in order to obtain the ${K}_{a}$, the user has to recover the secret $s$, which is hidden using the LSSS matrix for the access structure. Only if the user attributes satisfy the access policy embedded in the ciphertext, the fog can correctly transform the ciphertext by using the transform key $TK$ which is associated with the user attributes. Otherwise, the transformation will be failed and the fog will deliver nothing to the user. In the transform process, the fog cannot obtain the plaintext. Therefore, this paper realizes the attribute-based access control and protects the confidentiality of the shared data.

When emergency occurs, the ESH utilizes the password $pw$ pre-shared by the DO to break the glass and access the plaintext data. The underlying scheme adopts Zhang's mechanism ^[33] and has been proved to be IND-ID-CPA secure. In the secure two party computation, the ESH and the semi-trusted cloud jointly compute the break-glass key $BK$. In this progress, the cloud cannot compute the key $BK$ by ${BK}^{'}$ because the $\tau$ is randomly selected by the ESH and hidden in the ${g}_{2}^{\tau }$. Finding the $\tau$ from ${g}_{2}^{\tau }$ is hard due to the discrete logarithm problem.

Therefore, the proposed solution protects the data confidentiality.

6.1.2.   Collusion attack resistance

In order to recover the key ${K}_{a}$ from ${K}_{a}e{\left({g}_{1}, {g}_{2}\right)}^{\alpha s}$, the malicious users need to get the secret $s$, which is stored on the DO privately. In the CP-ABE scheme, the DO utilizes the LSSS to share the secret $s$. Only if the user's attributes satisfy the access policy, his transform key $TK$ can be combined with the ciphertext components ${C}_{i}, {D}_{i}$ to complete the bilinear pairing operation and recover the secret $s$. In the key $TK$, its components $K$, $L$ and ${K}_{x}$ are all randomized by the parameter $t$, so each user has a different transform key $TK$. Therefore, users cannot collude with others to combine an available key $TK$ with their key components $K$, $L$ and ${K}_{x}$.

6.2.   Performance analysis

This subsection analyses and compares the performance of the proposed solution with existing schemes. Since this paper rephrases the Lai's scheme ^[22] in terms of the asymmetric Type-3 pairings and supports break-glass access function, the analysis in this subsection compares the proposed scheme with Lai's scheme ^[22] and the ABAC Schemes with break-glass access^[32,34].

6.2.1.   Capability analysis

A detailed comparison of CP-ABE is given in Table 1. The proposed scheme is defined in the asymmetric Type-3 pairings setting and supports the access policy updating, therefore a more efficient and fine-grained user access control can be achieved. To maintain the efficiency of data processing on resource-constrained devices, the policy updating and most of the decryption are outsourced to the cloud and fog. This paper also integrates the password-based break-glass encryption with the CP-ABE to enable timely access when emergency occurs, and the break-glass key is traceable.

6.2.2.   Storage overhead on the data consumer

Table 2 lists schemes to be compared with the proposed algorithm in terms of storage overhead. In these schemes, the storage overhead of the data consumer mainly comes from the $SK$, $BK$, ${CT}_{m}$ and ${CT}_{pw}$. Then, the comparison from the theoretical aspect is given in Table 2. Let $\left|{G}_{1}\right|$, $\left|{G}_{2}\right|$, $\left|{G}_{T}\right|$ and $\left|{Z}_{p}\right|$ denote the length of each element in ${G}_{1}$, ${G}_{2}$, ${G}_{T}$ and ${Z}_{p}$ respectively. Let $\left|S\right|$ denote the number of attributes in user's key, and $\left|l\right|$ denote the number of attributes in an access structure. Because the scheme in ^[32] lacks specific implementation algorithm, this paper applies the algorithm in the scheme ^[22] to the scheme ^[32].

In terms of the storage overhead of the DC, the proposed scheme has obvious advantages. Especially when the access structure is complex, the size of the ciphertext stored on the DC is kept small and constant in the proposed scheme. Moreover, other schemes are limited to the symmetric pairings, whereas the proposed method is described in the asymmetric Type-3 pairings. The proposed scheme will be more efficient in the actual implementation and the results will be reflected in subsection 6.2.4.

6.2.3.   Computation cost

Let $\left|I\right|$ for number of user's attributes utilized for satisfying the policy. Let ${exp}_{1}$, ${exp}_{2}$, ${exp}_{T}$ denote exponentiation in ${G}_{1}$, ${G}_{2}$, ${G}_{T}$ and $e$ denote bilinear pairing. This paper compares the computation cost of the proposed scheme with the schemes shown in Table 3.

The proposed scheme only has a higher computation overhead in the file access with break-glass key on the ESH. It is because this paper decomposes the break-glass key into two parts and design the trace algorithm. Utilizing the break-glass key, the trace algorithm can find out the ESH's ID in case that the ESH abuses the key.

6.2.4.   Quantitative evaluation

This subsection focuses on the quantitative performance of the proposed scheme based on the Java Pairing-Based Cryptography Library (JPBC) ^[34] libraries. It is a Port of the Pairing-Based Cryptography Library (PBC), and the library is developed to perform the mathematical operations underlying pairing-based cryptosystems directly in Java. All the implementations are executed on an Intel® Core ® CPU i5-3470 2.6 GHz with 8.00 GB of RAM running the Linux system and Eclipse. This paper evaluates the storage overhead and the encryption/decryption time of the related schemes ^[32,34] under different security levels (80 bit, 112 bit, 128 bit, 192 bit, 256 bit). The PBC library contains a series of elliptic curves to generate the bilinear pairs. The embedding degree of the Type-A curve is 2, which is often used to realize the symmetric bilinear pairings, but the security level is low. The embedding degree of the Type-F curve is 12, which is often used to realize the asymmetric bilinear pairings. Since the schemes in ^[32,34] are constructed based on the symmetric bilinear pairings, this paper will adopt the Type-A curve; while the proposed scheme is constructed based on the asymmetric bilinear pairings, so this paper will adopt the Type-F curve. In this subsection, these two kinds of curves are used to construct the two bilinear pairs $e:{G}_{1}\times {G}_{1}\to {G}_{T}$ and $e:{G}_{1}\times {G}_{2}\to {G}_{T}$, respectively. According to the recommended parameters in the literature ^[26], which is also recommended by the National Institute for Standards and Technology (NIST) and the European Union (ENISIA agency), we evaluate the relevant schemes. The parameters of each curve are set and shown in Table 4.

Due to the lack of specific implementation algorithm in the scheme ^[32], this paper applies the algorithm in the scheme ^[22] to the scheme ^[32]. Let $\left|S\right| = \left|l\right| = 10$. This paper first evaluate the storage overhead in the proposed scheme and the schemes ^[32,34] at different security levels.

Figure 5 (a) describes the ciphertext stored on the DC at different security levels. In the scheme ^[32], the ciphertext size on the DC is 2856, 5688, 8512, 21260 and 42368 bytes in different security levels. In the scheme ^[34], the ciphertext size is 128,256,384,962 and 1920 bytes in different security levels. In the proposed scheme, the ciphertext size is 240,336,384,960 and 1920 bytes in different security levels.

It is obvious that the storage space required by the data consumers in the scheme ^[32] is the largest. It is because the proposed scheme and the scheme ^[34] both outsource the decryption to the fog/cloud, the DC only needs to receive the transformed ciphertext, which is small. Although in the table 3, the storage consumptions on the DC of the proposed scheme and the scheme ^[34] are both $\left|{G}_{T}\right|$, the proposed scheme requires a higher security level in the real implementation. Because the proposed scheme is the only one implemented in the Type-F curve.

Figure 5(b) describes the secret key stored on the data consumer at different security levels. In the scheme ^[32], the secret key size on the DC is 1536, 3072, 4608, 11544 and 23040 bytes in different security levels. In the scheme ^[34], the secret key size is 1468, 2900, 4320 10726 and 21312 bytes in different security levels. In the proposed scheme, the secret key size is 20, 28, 32, 80 and 160 bytes in different security levels. It is obvious that the proposed scheme achieves the best performance. The storage consumption is small and constant, which even can be ignored.

This paper also evaluates the computation cost in the proposed scheme and the scheme ^[32] at different security levels.

Figure 5(c) describes the encryption time at different security levels. In the scheme ^[32], the encryption time on the DO is 0.225s, 0.75s, 2.3s, 10.5s, and 45s in different security levels. In the proposed scheme, the encryption time on the DO is 0.09s, 0.15s, 0.22s, 1.5s, and 8.2s in different security levels. Since the proposed scheme adopts the Type-F curve, it reduces the encryption cost. When the security level reaches 128-bit, the encryption cost of the scheme ^[32] begins to increase significantly. And the higher the security level, the more computation cost. When the security level reaches 256-bit, the encryption time of the scheme ^[32] is 5 times as much as that of the proposed scheme.

Figure 5(d) describes the decryption time at different security levels. In the scheme ^[32], the decryption time on the DC is 0.08s, 0.28s, 0.5s, 4s, and 16s in different security levels. Since the proposed scheme outsources the most of the decryption to the fog, the decryption cost of the DC is small and constant, even less than 0.005s. Moreover, this paper compares the decryption time in the scheme ^[32] with the ciphertext outsourced decryption (ciphertext transform on the fog) in the proposed scheme. The decryption time on the DC of the proposed scheme is 0.18s, 0.28s, 0.32s, 2s, and 10s. It can be seen that the decryption time on the DC of the scheme ^[32] is lower than that of the proposed scheme at the security level 80-bit and 112-bit only. However, at the security level 128-bit, 192-bit and 256-bit, the advantage of the Type-F curve selected in the proposed scheme has been obviously reflected. The proposed scheme achieves the lower decryption time than the scheme ^[32].

7.   Conclusions

This paper proposes an efficient access control scheme for the cloud-assisted ICS, which allows the attribute-based access control in normal state and the break-glass access control in emergency. The proposed scheme securely outsources the decryption and access policy updating to the fog and cloud, thus achieves small and constant local storage on the user, and especially suits the resource-constrained environment. Furthermore, this paper implements the CP-ABE scheme using the asymmetric Type-3 pairings, which are more efficient for an implementation than the symmetric Type-1 pairings. Finally, this paper analyses the security properties, compares it with other schemes and presents the qualitative and quantitative analysis.

Acknowledgments

This work was supported by the Nanjing Tech University [grant number 39809110], the National Natural Science Foundation of China [grant numbers 61572263, 61272084], The Natural Science Foundation of the Jiangsu Higher Education Institutions of China [grant number 11KJA520002].

Conflict of interest

The authors declare no conflicts of interest regarding the publication of this paper.