DualAcE: fine‐grained dual access control enforcement with multi‐privacy guarantee in DaaS

Database as a service (DaaS), a new paradigm of software as a service based on cloud computing, is attracting more and more enterprises (data owners) to delegate their database management to a professional third party (database service provider) such as Amazon Web Services and Rackspace. Data owners in DaaS lose control of their sensitive data, which are stored in the delegated database and managed by the untrusted database service provider. Therefore, many encryption‐based approaches including attribute‐based encryption were proposed to implement fine‐grained access control in DaaS scenarios. However, most of the proposed access control enforcement approaches only support one or two of the following privacy guarantees: data privacy, policy privacy and key privacy. In this paper, we first propose a novel concept of DualAcE: a flexible fine‐grained dual access control enforcement mechanism in DaaS by efficiently combining the ciphertext‐policy attribute‐set‐based encryption with database service provider re‐encryption into a DaaS paradigm. The proposed mechanism has implemented dual access control enforcement with multi‐privacy guarantee: data privacy in delegated database, policy privacy in delegated authorization table and key privacy in key distribution process.We describe the security and efficiency analysis through cryptography theory and experimental results. Copyright © 2014 John Wiley & Sons, Ltd.