Secure data sharing by restricting user to one-time access
Is Version Of
The rapid adaptation to mobile devices and data sharing has changed our life style significantly. Despite the fact that this provides great comfort and proficiency, it also imposes greater challenges in ensuring a secure transfer of sensitive information through these devices. This information could be highly confidential that the owner wants to provide access privileges only to authorized individuals. Many cryptographic algorithms together with potent data protection mechanisms available today are robust enough to ensure the Confidentiality, Integrity and Availability of information. One significant use-case in this regard is when the data owner wants to only share the data securely with the authorized user just once, and making it extremely difficult for user to store or make a copy of the data or to share it with others. In this scenario, it is practically impossible for the data owner to be available and spy on the user all the time to ensure these security requirements are met.
In order to address this concern, this thesis work tried to provide a secure mechanism to share information that would authorize end users to access data only once and endeavors to prevent the user from duplicating the data and sharing it with unauthorized users. A part of this work proposes a variant of Proxy Re-encryption algorithm, a relatively new cryptographic primitive, which offers the data owner a way to securely share his/her data via a proxy server, without the need to be available all the time. The proxy server takes care of data re-encryption and data distribution to the registered users, without letting any unauthorized user to decrypt the information and also the proxy itself cannot decrypt the information. With this scheme, the proxy encrypts an already encrypted information in such a way that another secret key can decrypt it. The re-encryption key is unique for each registered user and is generated by the data owner by combining the registered user’s public key and his/her own private key. Here, the novelty of this thesis and the most challenging part is to allow only one-time access to data and to attempt to prevent the user from storing the decrypted data or making a copy of it. To meet these security requirements, in this research work, the proxy re-encryption algorithm is finely tweaked and along with it, a novel way of leveraging the security features of the recipient’s device (iOS) is proposed: by having the proxy re-encrypt the data with re-encryption key and send it to the user block by block. The proxy sends a subsequent block only after making sure that the previous block of decrypted data has been discarded from the user’s device. Each block gets stored at the same location in device memory, replacing a previous block. This block-by-block functionality has been implemented in order to ensure two things (i) To enable one-time access to user by making sure that previous block of data in the device memory has been modified by replacing it with the next block of data (ii) To provide additional security by sending only one block of data each time and waiting for the hashed-decrypted block from the user (for verification), thus assuring that the data is being read by the authorized user each time. The data owner provides a copy of the hashed decrypted data to the proxy beforehand. This unique variant of proxy re-encryption that exploits the security features of an iOS device to make an attempt to restrict the receiver from storing or duplicating the sensitive information transferred, is the core essence of this thesis work.
From the experimental evaluation and results it is observed that the proposed scheme can be effectively used to share sensitive data with authorized users while trying to prevent the users from sharing with unauthorized users. The results also show that the proposed scheme only contributes to a negligible computational and storage overhead at the proxy server and, at the data owner end it doesn’t add any significant overhead in terms of computation, storage and communication. This proves that the proposed scheme is practical, without adding any notable overhead to the original proxy re-encryption algorithm.