DocumentCode :
111941
Title :
From RBAC to ABAC: Constructing Flexible Data Access Control for Cloud Storage Services
Author :
Yan Zhu ; Dijiang Huang ; Chang-Jyun Hu ; Xin Wang
Author_Institution :
Sch. of Comput. & Commun. Eng., Univ. of Sci. & Technol. Beijing, Beijing, China
Volume :
8
Issue :
4
fYear :
2015
fDate :
July-Aug. 1 2015
Firstpage :
601
Lastpage :
616
Abstract :
This paper addresses how to construct an RBAC-compatible secure cloud storage service with a user-friendly and easy-to-manage attribute-based access control (ABAC) mechanism. Similar to role hierarchies in RBAC, attribute hierarchies (considered as partial ordering relations) are introduced into attribute-based encryption (ABE) in order to define a seniority relation among all values of an attribute, whereby a user holding senior attribute values acquires the permissions of his/her juniors. Based on these notions, we present a new ABE scheme called attribute-based encryption with attribute hierarchies (ABE-AH), which provides an efficient approach to implementing comparison operations between attribute values on a poset derived from an attribute lattice. Using bilinear groups of composite order, we present a practical construction of ABE-AH based on forward and backward derivation functions. Compared with prior solutions, our scheme offers a compact policy representation that can significantly reduce the size of private keys and ciphertexts. To demonstrate how to use the presented solution, we illustrate how to provide richer, more expressive access policies that facilitate flexible access control for data access services in clouds.
Keywords :
authorisation; cloud computing; cryptography; ABAC; ABE scheme; ABE-AH; RBAC-compatible secure cloud storage service; access policies; attribute hierarchies; attribute lattice; attribute-based encryption; backward derivation functions; bilinear composite order groups; ciphertext size reduction; flexible data access control construction; forward derivation functions; partial-ordering relations; policy representation approach; private-key size reduction; senior attribute values; seniority relation; user-friendly-easy-to-manage attribute-based access control mechanism; Access control; Cloud computing; Educational institutions; Encryption; Lattices; Security; attribute-based encryption; data migration; role-based access control; secure cloud storage;
fLanguage :
English
Journal_Title :
Services Computing, IEEE Transactions on
Publisher :
ieee
ISSN :
1939-1374
Type :
jour
DOI :
10.1109/TSC.2014.2363474
Filename :
6926824