Achieving Secure and Efficient Data Access Control for Cloud-Integrated Body Sensor Networks

Body sensor networks have emerged as one of the most promising technologies for e-healthcare, making remote health monitoring and treatment of patients possible. With the support of mobile cloud computing, a large amount of health-related data collected from various body sensor networks can be managed efficiently. However, keeping data secure and private in a cloud-integrated body sensor network (C-BSN) is an important and challenging issue, since patients' health-related data are quite sensitive. In this paper, we present a novel secure access control mechanism, MC-ABE (Mask-Certificate Attribute-Based Encryption), for cloud-integrated body sensor networks. A specific signature is designed to mask the plaintext, and the masked data can then be securely outsourced to cloud servers. An authorization certificate composed of the signature and related privilege items is constructed and used to grant privileges to data receivers. To ensure security, a unique value is chosen to mask the certificate for each data receiver. Thus, the certificate is unique for each user, and user revocation can be completed easily by removing the mask value. The analysis shows that the proposed scheme meets the security requirements of C-BSN and has lower computation and storage cost than other popular models.


Introduction
The body sensor network (BSN) has emerged recently with the rapid development of wearable sensors, implantable sensors, and short-range wireless communication, which have made pervasive healthcare monitoring and management increasingly popular [1,2]. Through the body sensor network, a patient's health-related data can be collected and transferred to healthcare staff in real time, so the patient's state of health can be monitored and precautions can be taken if something goes wrong.
To enhance the scalability of the body sensor network, some work focuses on combining cloud computing with the body sensor network. As shown in Figure 1, with the support of mobile cloud computing, a cloud-integrated body sensor network (C-BSN) can be constructed [3]. In C-BSN, many local body sensor networks are integrated and mass data are collected and stored in cloud servers; healthcare staff continually monitor their patients' status and exchange views when a diagnosis is difficult to make; researchers can analyze the data to obtain useful results such as the regularity of disease development; government agencies can also take measures on disease prevention and control based on data analysis.
However, there are still several problems and challenges in C-BSN [3,4]. For example, data security and data privacy must be addressed, since patient-related data is private and sensitive. In this paper, we propose a secure data access control scheme named MC-ABE, which can efficiently ensure data security and data privacy. For data security, data can be securely transferred from data owners to the cloud servers and securely stored; for data privacy, data can be accessed only by authorized users under fine-grained policies.
For example, Bob (data owner) is a patient, and Alice (data requester) is his healthcare doctor. Through C-BSN, Bob's health-related data can be collected and sent to the cloud server in real time, and Alice gets Bob's information from the cloud server to monitor his health status. Apart from the authorized person, Bob does not want anyone else to know about his health data. However, his information may be leaked in many ways: the cloud operator/administrator may access his data; a malicious user may intrude into the cloud server to steal user data; an unauthorized DR may exceed his privileges to access others' data. In summary, there are three key problems that need to be solved to ensure users' data security and data privacy in C-BSN. Firstly, the cloud is semitrusted; that is, although we outsource the data to the cloud, we still need to prevent cloud operators from accessing the data content. Secondly, we must take measures to keep malicious users out of the C-BSN system. Lastly, it is also important to study how to prevent unauthorized access by other users. In this paper, we propose a novel secure access control mechanism, MC-ABE, to tackle these problems. The main contributions of this paper can be summarized as follows:
(i) We construct one specific signature for CP-ABE to mask the plaintext and thereby realize secure encryption/decryption outsourcing.
(ii) We construct a unique authentication certificate for each visitor, which gives the system more effective control over malicious visitors; in particular, it also leads to a low cost for user revocation.
(iii) We introduce a third-party trust authority to manage the above-mentioned signatures and certificates, which can guarantee data security even if the cloud server is semitrusted.
(iv) In C-BSN, processing data in time is quite necessary. Our proposed scheme can meet this requirement. According to the performance evaluation section, our scheme takes less time than the other compared methods for data collecting, data transmission, and data acquisition.
The rest of this paper is organized as follows. Section 2 introduces the related work. Then, in Section 3, some preliminaries are given. Our scheme is stated in Section 4. In Section 5, security analysis is given. In Section 6, the performance of our scheme is evaluated. The paper is concluded in Section 7.

Related Work
Recently, various techniques have been proposed to address the problems of data security and data privacy in C-BSN. In [5], Sahai and Waters proposed Attribute-Based Encryption (ABE) to realize access control on encrypted data. In ABE, the ciphertext's encryption policy is associated with a set of attributes, and the data owner can be offline after the data is encrypted. One year later, Goyal et al. proposed a new type of ABE, Key-Policy Attribute-Based Encryption (KP-ABE) [6]. In KP-ABE, the ciphertext's encryption policy is also associated with a set of attributes, but the attributes are organized into a tree structure (named the access tree). The benefit of this approach is that a more flexible access control strategy can be obtained and fine-grained access control can be realized. However, the data owner lacks full control over the encryption policy; that is, he cannot decide who can access the data and who cannot. To solve this problem, Bethencourt et al. proposed CP-ABE (Ciphertext-Policy Attribute-Based Encryption) [7], in which the data owner constructs the access tree together with visitors' identity information. The user can decrypt the ciphertext if and only if the attributes in his private key match the access tree. So, in CP-ABE, the data owner can configure a more flexible access policy. In [8], Yu et al. tried to achieve secure, scalable, and fine-grained access control in the cloud environment. Their proposed scheme is based on KP-ABE and combines it with two other techniques, proxy reencryption and lazy reencryption. It is proved that the proposed scheme can meet the security requirements in the cloud quite well. Similarly, Wang et al. proposed an access control scheme based on CP-ABE, which is also secure and efficient in the cloud environment [9].
In [10], Ahmad et al. proposed a multitoken authorization strategy to remedy the weaknesses of the authorization architecture in the mobile cloud. It reduces the probability of unauthorized access to cloud data and services when malicious activity happens; for example, IdM (Identity Management Systems) are compromised, network links are eavesdropped, or even communication tokens are stolen. In [11], Yadav and Dave presented an access model based on CP-ABE which could provide a remote integrity check by augmenting secure data storage operations. To reduce computation overhead and achieve secure encryption/decryption outsourcing, the access tree is divided into two parts: one part is encrypted by the data owner and the other part is encrypted by the cloud server. So a portion of the computation overhead is transferred from the data owner to the cloud server. A similar method is adopted in the work of Zhou and Huang [12]. In addition to the access tree division, Zhou and Huang also propose an efficient data management model that balances communication and storage overhead to reduce the cost of data management operations. In [13], Li et al. presented a low-complexity multiauthority attribute-based encryption scheme for mobile cloud computing, which uses masked shared-decryption-keys to ensure the security of decryption outsourcing and adopts multiple authorities for authorization to enhance security assurance. The above schemes are based on CP-ABE, in which complex bilinear map calculation is performed. In [14], Yao et al. proposed a novel access control mechanism in which data operation privileges are granted based on authorization certificates. The advantage of this mechanism is that the computation cost can be decreased remarkably, since there is no bilinear map calculation. The disadvantage is that many operations, such as privilege designation, need to be handled by the data owner, which demands that the data owner know all information about the visitors. In [15], the authors considered the problem of patient self-controlled access privilege to highly sensitive Personal Health Information. They proposed a Secure Patient-Centric Access Control scheme which allows data requesters to have different access privileges based on their roles and then assigns different attribute sets to them. However, they took the cloud server as trusted, and their scheme does not work well for user revocation. In [16], the authors proposed a novel CP-ABE scheme with constant-size decryption keys independent of the number of attributes. Their scheme is suitable for applications based on lightweight mobile devices but is not suitable for large-scale C-BSN.

Preliminaries
DO and DR are cloud users. ESP is the cloud server that can help DO do data encryption. SSP is the cloud storage server. DSP is the server that is responsible for data decryption. TA is the third-party trust authority. SetS is the setup server, whose responsibility is to generate PK and MK.
PK and MK are parameters that are used for data encryption/decryption. SK is held by DR which is used to decrypt ciphertext, which is generated using PK and MK. The data is plaintext before encryption, denoted as , and CT is the ciphertext of . is the access policy (access tree). MM is the masked plaintext; in MC-ABE, the plaintext will be masked to MM by a signature before being encrypted to achieve "double protection." Cert is the authorization certificate (see Section 4.2.1 for details). Mask value is used to mask Cert to generate MCert (see Section 4.2.2 for details).

Discrete Logarithm (DL) Problem
Definition 1 (discrete logarithm (DL) problem). Let be a multiplicative cyclic group of prime order and let be its generator, for all ∈ , given , as input, output .
The DL assumption holds in if it is computationally infeasible to solve the DL problem in [17].
The access structure in CP-ABE is the tree structure, which is named access tree [2]. For the access tree , the leaf nodes are associated with descriptive attributes; each interior node is a relation function, such as AND ( of ), OR (1 of ), and of ( > ).
Each DR has a set of attributes, which are associated with DR's SK. If DR's attributes set satisfies the access tree, the encrypted data can be decrypted by DR's SK.

Working Process.
In CP-ABE, the plaintext is encrypted with a symmetric key, and then the key is shared in the access tree. In the process of decryption, if DR's SK satisfies the access tree, then DR gets the shared secret and the data can be recovered.

Assumptions.
In this work, we make the following assumptions.
Assumption 1 (service providers (ESP, DSP, and SSP) are semitrusted). That is, they will follow our proposed protocol in general but try to find out as much secret information as possible. And the information may be accessed illegally by internal malicious employees or external attackers. In particular, although ESP and DSP undertake most of the computing cost, they do not have enough information to deduce the plaintext.
Assumption 2 (SetS and TA are trusted). On no conditions will they leak information about data and related keys.
In order to deduce more information about encrypted data, service providers might combine their information to perform a collusion attack. In our scheme, collusions between service providers are taken into consideration.

Overview. Our proposed scheme MC-ABE is shown in Figure 2. Seven algorithms are included in MC-ABE: Setup, Encrypt DO, Encrypt ESP, KeyGen, CerGen, Decrypt DSP, and Decrypt DR.
For data outsourcing, DO encrypts with algorithm Encrypt DO, in which signature is used to mask . Then ESP encrypts with algorithm Encrypt ESP to finish the encryption. The encrypted data is stored in SSP.
For data access, when DR requests data from SSP, the request is sent to TA after verification. TA chooses a unique value to mask the certificate for DR. Then, using the attribute set of DR, TA computes SK with algorithm KeyGen. After that, SK is sent to DSP and the certificate is sent to DR. Once DR receives the certificate, he decrypts the masked certificate with his unique value to get the certificate (TA sends the unique value to this DR when the first authorized request occurs; it is used in the following requests until this DR is revoked). Using the certificate, DR can decrypt the masked with signatures in the certificate.
In addition, if a DR is revoked, TA will mark the DR as "revoked" and this DR's unique mask value will be invalid. No certificate will be granted to this DR any more.

Authorization Certificate (Cert).
The authorization certificate is introduced in MC-ABE to grant data privileges to DR. As shown in "Structure of Authorization Certificate", it includes five items of privilege-related information. DO provides the certificate-related information to TA, and then TA constructs the unique authorization certificate for each authorized DR. File ID is the ID list of the authorized files. Valid Period denotes the valid period of the signature from the start time to the end time. Signature is used by DO to mask the plaintext in data encryption; it is used by DR to get the plaintext in data decryption. Privilege is the privilege denoted by the signature, such as read, modify, or delete. PK, MK are the two keys noted in "Notations in MC-ABE".

Mask Value (MValue).
To achieve fine-grained access control over DR, the mask value is introduced in MC-ABE. The mask value is maintained by TA. For each DR, TA sets a unique mask value for him. The mask value is used to blind the authorization certificate before the certificate is sent to DR. Thus, each DR receives its own unique blinded certificate since the mask value is unique. In the following, the process is described in detail.
After TA receives a data access request, it checks DRID firstly. If the requester is a new user, TA generates a random number DRID ∈ and inserts it into the mask value table. Otherwise, if this DRID already exists in mask value table and the item of revocation is "N" (initial value of this item is "N." Only at the time when the DRID is revoked will this item be set as "Y"), TA invokes algorithm CerGen to compute the masked certificate (see Table 1).
Then, compute as follows: If DR is a new user, MValue and MCert will be sent to him. Otherwise, send MCert to the DR.

Scheme Description.
The whole process of MC-ABE is shown in Figure 3. In this section, we describe each step in detail.

Data Outsourcing. In C-BSN, DO usually uses mobile devices that lack computing power and storage space. To reduce the encryption overhead of DO, the encryption process is divided into two parts: Encrypt DO and Encrypt ESP. Encrypt DO is the encryption algorithm implemented by DO, and Encrypt ESP is carried out by ESP. Since ESP is semitrusted, we introduce the signature in Encrypt DO to mask . In general, there are three steps for data outsourcing. Firstly, SetS generates PK and MK.

(2)
Secondly, DO performs the first step of data encryption.
International Journal of Distributed Sensor Networks
Algorithm 3 (Encrypt DO (PK, , ) → MM). DO implements the algorithm. PK is got from SetS; is DO's plaintext; MM is masked ; is the set of operation privileges, and is one of the elements in .
For ⊂ , we choose a random number V ⊂ and then compute the signature: For simplicity, let V denote the set of V : V = {V | ∈ }; signature denotes the set of signature : signature = {signature | ∈ }.
Choose a random number ∈ ; then
Lastly, ESP performs the last step of data encryption.
Algorithm 4 (Encrypt ESP (PK, , , MM) [7,11] → CT). ESP implements the algorithm. The access tree is encrypted from the root node to leaf nodes. For each node in , choose a polynomial . For node , consider the following: : it denotes the threshold value of .
For root node , (0) = . Choose other points randomly to completely define . For any other node in , let (0) = parent( ) (index( )), and choose other points randomly to completely define .
is the set of leaf nodes in . Compute as follows: = ℎ ∀ ∈ : Then, CT is stored in SSP. Detailed communication information is shown in Figure 4.
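The top-down sharing of the secret over the access tree, and the bottom-up recovery it permits, shown as an added example (not the paper's code). It follows the CP-ABE construction of [7], where each node's polynomial has degree one less than its threshold; as assumptions, shares live in a toy prime field rather than in the exponent of a pairing group, and the helper names and attribute names are constructed for illustration.

```python
import secrets

P = 2**127 - 1  # toy prime field (assumption; a real scheme uses the pairing group order)

def leaf(attr):
    return {"attr": attr}

def gate(k, *children):
    """Interior node with threshold k: AND is n-of-n, OR is 1-of-n."""
    return {"k": k, "children": list(children)}

def share(node, value):
    """Top-down: q_x(0) = value, degree k_x - 1; child gets q_x(index(child))."""
    if "attr" in node:
        node["share"] = value  # stands in for the per-leaf ciphertext component
        return
    coeffs = [value] + [secrets.randbelow(P) for _ in range(node["k"] - 1)]
    for index, child in enumerate(node["children"], start=1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of q_x(index)
            y = (y * index + c) % P
        share(child, y)

def recover(node, attrs):
    """Bottom-up: return q_x(0) if attrs satisfy the subtree, else None."""
    if "attr" in node:
        # In the real scheme a leaf is usable only with the matching SK component.
        return node["share"] if node["attr"] in attrs else None
    points = []
    for index, child in enumerate(node["children"], start=1):
        y = recover(child, attrs)
        if y is not None:
            points.append((index, y))
    if len(points) < node["k"]:
        return None  # threshold not met: the node cannot be satisfied
    points = points[:node["k"]]
    total = 0
    for xj, yj in points:  # Lagrange interpolation at x = 0
        num, den = 1, 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def demo():
    """Constructed policy: (doctor AND cardiology) OR 2-of-(nurse, ward7, night_shift)."""
    policy = gate(1,
                  gate(2, leaf("doctor"), leaf("cardiology")),
                  gate(2, leaf("nurse"), leaf("ward7"), leaf("night_shift")))
    s = secrets.randbelow(P)
    share(policy, s)
    return s, policy

if __name__ == "__main__":
    s, policy = demo()
    for attrs in ({"doctor", "cardiology"}, {"nurse", "night_shift"}, {"doctor", "nurse"}):
        print(sorted(attrs), recover(policy, attrs) == s)
```

An attribute set that meets no branch's threshold yields no value at the root, which is why a DR holding only one attribute from each branch learns nothing about the shared secret.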

Data Request. When a DR requests data from SSP, TA generates SK and a certificate for DR. Most of the decryption cost is taken by DSP, but DSP cannot get . Based on the effort of DSP, DR finishes the last step of decryption and gets . Similar to data outsourcing, there are also three steps for data request. Firstly, TA generates SK for DR.
We generate a random number ∈ and then generate the random number ∈ for each ∈ . Compute as follows: Then, TA sends SK to DSP.
Secondly, DSP performs the first step of data decryption: decrypt the access tree in CT to get MM. Otherwise, when is an interior node, call the algorithm DecryptNodeNL(CT, SK, ).
For all of the children of node , call DecryptNodeL(CT, SK, ), and the output is . Let be (the threshold value of interior node) random set and let ≠ ⊥. If no such set exists, the function cannot be satisfied, so return ⊥. Otherwise, compute as follows and return the result: , In particular, for root node , Finally,( Then, ⋅ signature is sent to DR. Receiving ⋅ signature and MCert, DR implements algorithm Decrypt DR to finish data decryption.
[Figure 5: signature updating.]
Lastly, DR performs the last step of data decryption: remove the masked value in MM to get .
Then, DR gets with the signature:

User Revocation. An invalid DR is a DR who is thought to be malicious or whose certificate is expired. The invalid DR should be revoked from the authorized access list. In MC-ABE, we can remove the MValue record in Table 1 to revoke DR. Firstly, TA modifies the revoked DR's "Revocation" item from "N" to "Y" in the mask value table. Secondly, the current signature must be updated to a new one (signature updating is shown in Figure 5). After these two steps, the invalid DR is revoked. When he requests new data, he will be treated as a newcomer (the signature is updated, and he does not have the new one), and TA will refuse his request since he is marked as revoked. Valid DRs will get the new signature and access the system as usual.
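The mask value table, the per-DR blinding of the certificate, and the two revocation steps described above, as an added sketch that is not the paper's implementation. It assumes multiplicative blinding in a toy group of integers modulo a prime in place of the pairing group, reduces Cert to its signature item, and models the signature update as re-masking the stored data by the ratio of the new to the old signature; TrustAuthority, request, revoke, mask_plaintext and dr_open are hypothetical names, and the sensor reading is constructed.

```python
import secrets

P = 2**127 - 1  # toy prime modulus standing in for the pairing group (assumption)

def rand_elem():
    """Uniform non-zero element modulo P."""
    return secrets.randbelow(P - 1) + 1

def inv(x):
    return pow(x, -1, P)

class TrustAuthority:
    """Hypothetical TA: holds the current signature and the mask value table."""

    def __init__(self, signature):
        self.signature = signature
        self.table = {}  # DRID -> {"mvalue": int, "revoked": "N" or "Y"}

    def request(self, drid):
        """Return the masked certificate, or None if the DR is marked revoked."""
        row = self.table.get(drid)
        is_new = row is None
        if is_new:  # new user: draw a unique mask value and record it
            row = self.table[drid] = {"mvalue": rand_elem(), "revoked": "N"}
        if row["revoked"] == "Y":
            return None
        mcert = self.signature * row["mvalue"] % P  # blinded certificate
        # MValue is delivered only with the first authorized request.
        return {"mcert": mcert, "mvalue": row["mvalue"] if is_new else None}

    def revoke(self, drid, stored_mm):
        """Step 1: mark the DR revoked. Step 2: replace the signature in the data."""
        self.table[drid]["revoked"] = "Y"
        new_signature = rand_elem()
        remasked = stored_mm * new_signature * inv(self.signature) % P
        self.signature = new_signature
        return remasked

def mask_plaintext(m, signature):
    """DO side: MM = M * signature."""
    return m * signature % P

def dr_open(mcert, mvalue, mm):
    """DR side: unblind the certificate, then divide the mask out of MM."""
    signature = mcert * inv(mvalue) % P
    return mm * inv(signature) % P

def scenario():
    m = int.from_bytes(b"HR=72;SpO2=98", "big")  # constructed sensor reading
    ta = TrustAuthority(rand_elem())
    mm = mask_plaintext(m, ta.signature)
    alice, mallory = ta.request("alice"), ta.request("mallory")
    before = dr_open(mallory["mcert"], mallory["mvalue"], mm) == m
    mm = ta.revoke("mallory", mm)
    stale = dr_open(mallory["mcert"], mallory["mvalue"], mm) == m  # old certificate
    refused = ta.request("mallory") is None
    fresh = ta.request("alice")  # valid DR receives a certificate for the new signature
    alice_ok = dr_open(fresh["mcert"], alice["mvalue"], mm) == m
    return {"before": before, "stale": stale, "refused": refused,
            "alice_ok": alice_ok, "mvalue_resent": fresh["mvalue"] is not None}

if __name__ == "__main__":
    print(scenario())
```

The revoked DR's old certificate still unblinds to the old signature, so both steps matter: the table flag stops new certificates being issued, and the signature update makes the certificate he already holds useless against the stored data.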

Encryption and Decryption Outsource. In CP-ABE, both data encryption and data decryption are only done by the cloud users. Meanwhile, in MC-ABE, data encryption is done by DO and the cloud server collaboratively, and data decryption is undertaken by DR and the cloud server together. is masked by DO before it is sent to ESP. DO and authorized DR can get . ESP and DSP can get MM (Masked ), but they cannot deduce from MM.


Theorem 8. The security in encryption and decryption in MC-ABE is not weaker than that of CP-ABE.
Proof. In algorithm Encrypt ESP , ESP encrypts the access tree with the parameters , , and MM. Consider Using PK and s, ESP can get ( , ) ; what ESP got is The encrypted data in CP-ABE is̃= ⋅ ( , ) ; both of and are random; let = ⋅ ; is also random; theñ = ( , ) is equal to ( , ) V . According to security proof in [7], the structure of̃= ⋅ ( , ) is secure to prevent the adversary from deducing . Thus, ( , ) V in our scheme is secure. That is to say, ESP cannot deduce with ( , ) V , and encryption outsourcing is secure in MC-ABE.
For DSP, it can decrypt CT using SK and get the masked = ⋅ signature. The information DSP gets is the same as ESP. So, in MC-ABE, data decryption outsourcing is also secure since it is similar to data encryption outsourcing.

Certificate.
From the above statement, the signature is vitally important to the security of our scheme. Since the signature is an item of the certificate, the security of the signature relies on the certificate. Each DR has his unique masked certificate; DR can retrieve his certificate only by his own MValue. In the following, we prove that malicious DR cannot get MCert without the right MValue. Proof. DR1 forged MValue1 = ( , ) DR1 , to get Cert1: In other words, if the forged MValue2 is right, we must have DR1 = DR1 to solve the DL problem. The DL problem is computationally infeasible; thus, MValue is difficult to be forged and MCert cannot be decrypted without the right MValue.

Collusion.
Service providers might collude with each other to combine their information to deduce . In the above statement, ESP and DSP hold similar information to retrieve . If ESP colluded with DSP, the most information they could get is ⋅ signature. We have given the security proof of ⋅ signature in Theorem 8. Thus, MC-ABE is quite qualified for anticollusion.
SSP is a semitrusted server, which stores CT. If SSP colluded with ESP and DSP, it provides no useful information to deduce . So, MC-ABE can defend against collusion among SSP, ESP, and DSP.

Revocation.
If a DR is revealed to be malicious, he will be revoked from the authorized user list. We update the signature encrypted in CT; after that, as shown in the following, the revoked DR cannot get authorized data any more: Revoked signature held by DR: signature = ( , ) V .
It is the same with the proof of Theorem 9. MC-ABE is secure in revocation.

Performance Evaluation
In this section, we numerically analyze the communication and computation cost of MC-ABE. We also give the simulation results in detail.

Computation Cost
Setup. The setup procedure includes defining the multiplicative cyclic group and generating PK and MK, which will be used in encryption and key generation. There are four exponentiation operations and one pairing operation in the setup procedure. The time complexity of the procedure is O(1). The computation cost has nothing to do with the number of attributes.
Encrypt DO. In this procedure, DO is responsible for generating the signature and masking . Two operations are included in signature computation, which are random number generation and bilinear map computation. The operations performed in mask computation include random number generation and three multiplication operations. Thus, it needs to do two exponentiation operations, two multiplication operations, and one pairing operation for each file. But if more privileges are permitted at the same time, more signatures will be computed. For each privilege, the computation cost is fixed, so the total cost is proportional to the number of privileges.
Encrypt ESP. ESP encrypts the access tree in this procedure. The computation cost is proportional to the number of attributes in the tree. If the universal attributes set in is (| | denotes the total number of attributes in set ), for each element in , it needs two exponentiation operations; in total, the computation complexity is O(| |).
KeyGen. This procedure is carried out to generate SK for DR. The computation cost is proportional to the number of attributes in SK. For each attribute, two pairing operations and one multiplication operation are needed. If the universal attributes set is (| | is the total number of attributes in set, | | ≤ | |), the time complexity of SK computation is O(| |).
CerGen. In this procedure, we construct the certificate and mask it. Items in the certificate are denoted by DO. TA needs to do one exponentiation operation, one multiplication operation, and one pairing operation. The computation cost is fixed; the computation complexity is O(1).
Decrypt DSP. In this procedure, DSP decrypts the ciphertext. The main overhead is incurred at the decryption of every attribute. The cost is proportional to the number of attributes in the access tree. Thus, the complexity is O(| |).
Decrypt DR. In this procedure, DR gets from the masked by a divide operation. Thus, the complexity is O(1).

Storage Cost. Compared to CP-ABE, more storage cost is incurred in MC-ABE because the certificate and the unique value are introduced. As shown in Table 2, the items in certificates are related to data access privileges, so the storage space of the certificate is proportional to the number of the documents (data). For each DR, one record is kept in the mask value table (Table 1). Thus, the storage space for the mask value table is proportional to the number of DRs. Since the items in the mask value table are quite simple, the total storage cost is not heavy.

Simulation Results.
To evaluate the performance of MC-ABE, we develop simulation codes based on CP-ABE toolkit [21]. We make a comparison between MC-ABE and other two popular models (CP-ABE and PP-CP-ABE [11]) in four aspects: computation cost for data encryption, computation cost for key generation, computation cost for data decryption, and computation cost for user revocation.
(1) Computation Cost for Data Encryption. Most of the computation cost in encryption is incurred for the encryption of the access tree, which is proportional to the number of the leaf nodes. In CP-ABE, data encryption is done by DO. In PP-CP-ABE, data encryption/decryption is outsourced to service providers; the access tree was divided into two parts: one part is encrypted by DO and the other part is encrypted by ESP. In MC-ABE, the access tree is encrypted by ESP. In Figure 6(a), the computation cost of three different schemes is compared.
-axis indicates the number of leaf nodes in (the access tree), and -axis indicates time to encrypt (computation cost). For , ten values are selected evenly (10, 20, ..., 100). For each value, we run simulation codes 10 times and take the average value of the results as the final result. It is shown that MC-ABE has better performance than the other two. In PP-CP-ABE, the number of leaf nodes in DO's subtree will change with different tree division. So, for simplicity, we set the number of DO's subtrees to be half of the number of the whole leaves. As shown in Figure 6(b), we also show the confidence interval to assess the results in Figure 6. In Figure 6(b), it is shown that all average results lie in the confidence interval.
Table 3: Computation cost of key generation (source data of Figure 6(c); the 95% confidence interval assuming random data with normal distribution is shown with MC-ABE).
(2) Computation Cost for Key Generation. Same with simulation about data encryption, we also take the average value of key generation cost as the final result. As shown in Figure 6(c), the average value is very close to lower bound and upper bound of the confidence interval, so we also list source data of the simulation results in Table 3. It shows that all average results lie in the confidence interval, so the simulation result is confident. From the results, we can get that the computation cost will grow with the number of attributes in private key. The algorithm KeyGen is implemented by TA, so there is no cost for DO.
(3) Computation Cost for Data Decryption. In MC-ABE, most of the computation cost has been shifted to DSP, so the computation cost of DR is constant. The comparison results are shown in Figure 6(d).
(4) Computation Cost for User Revocation. In MC-ABE, user revocation is simplified because the signature is introduced. When user revocation happens, the revoked DR's "Revocation" item in the mask value table is set to "Y"; his new data requests will not be responded to; his former signature encrypted in the ciphertext will also be changed. These operations need one multiplication operation and one exponentiation operation. The simulation results are shown in Figure 6(e).

Conclusion
The C-BSN is one promising technology that can change people's healthcare experiences greatly. However, how to keep data security and data privacy in C-BSN is an important and challenging issue since the patients' health-related data are quite sensitive. In this paper, we propose a novel encryption outsourcing scheme MC-ABE that meets the requirements of data security and data privacy in C-BSN. In MC-ABE, one specific signature is constructed to mask the plaintext; the unique authentication certificate for each visitor is constructed; the third-party trust authority to manage the above-mentioned signatures and certificates is also introduced. By security analysis, we prove that MC-ABE can meet the security requirement of C-BSN. And, by performance evaluation, it shows that MC-ABE has less computation cost and storage cost compared with other popular models. In future work, we plan to explore the possibility of improving the scalability of MC-ABE.
Figure 6: (a) DO's computation cost for data encryption in CP-ABE, PP-CP-ABE, and MC-ABE. In PP-CP-ABE, part of encryption computation is transferred to cloud server to reduce DO's cost. In MC-ABE, more efforts are made to reduce computation cost undertaken by DO. (b) Computation cost of DO (the 95% confidence interval assuming random data with normal distribution is shown). (c) Computation cost of key generation (the 95% confidence interval assuming random data with normal distribution is shown). (d) Computation cost of DR in CP-ABE and MC-ABE. Similar to ESP in MC-ABE, DSP also undertakes most of the computation in decryption. The cost is proportional to attributes number in private key. (e) Computation cost for user revocation. With the authorization certificate in MC-ABE, revocation cost can be reduced obviously.