
Procuring Clever Architecture For Secure, Scalable & Fine-Grained Data Access Control In Agglutinated IoT & Cloud Arena

[1] SHAIK SALMA BEGUM, ASST. PROF (AITS-R), Email: salma.aryan@gmail.com
[2] R RANA PRATHAP, ASST. PROF (AITS-R), Email: ranaprathap819@gmail.com
[3] C SUGUNA DEVI, ASST. PROF (AITS-R), Email: suguna.cse583@gmail.com

Abstract— The Internet of Things (IoT) and Cloud Computing paradigm is the next wave in the era of computing and it has been identified as one of the emerging technologies in the field of Computer Science and Information Technology. It has been understood from the review reports that the integration of IoT and Cloud Computing is in its infantile phase and it has not been extended to all application domains due to its inadequate security architecture. Hence, this paper builds an integrated, secured and intelligent architecture for the IoT and Cloud Computing that is envisaged to offer secure smart services and applications anywhere, anytime, any firm, any device and any network independent of any underlying technologies with one IoT enabled Acute Smart Card (ASC). ASC eases the secure access of diversified applications and services distributed in a cloud environment with one Special Identification (SID) number per citizen through the intelligent systems. The paper also utilizes and uniquely combines KP-ABE (Key Policy Attribute-Based Encryption) and lazy re-encryption to achieve scalable, fine-grained access control on outsourced data in the cloud.

Keywords— IoT, Acute Smart Card (ASC), Special Identification (SID), KP-ABE (Key Policy Attribute-Based Encryption)

I. INTRODUCTION

Internet of Things (IoT) and Cloud Computing play a vital role in the field of Information Technology [1]. The Internet of Things is not a single technology; it is the concept in which many new things are getting networked and connected anytime, anyplace, with anything and anyone, ideally using any path or network and any service in a heterogeneous environment [2]. In contrast, Cloud Computing is characterized by a virtual world with unlimited capability in terms of storage and processing power. According to the National Institute of Standard and Technology (NIST), “Cloud Computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or cloud provider interaction”. Though IoT and Cloud Computing have emerged as independent technologies, merging the two has brought a renaissance in the field of future networks. The Internet of Things is enhanced by the unlimited capabilities and resources of the cloud to compensate for its technological constraints such as storage and processing. On the other hand, the cloud has extended its scope to the real world through IoT in a more dynamic and distributed way to deliver new applications and services in a real time scenario at large scale. Consequently, the integration of IoT and Cloud, the complementary technologies, enhances the smart environment to reach the heights of availing any services and applications anywhere, anytime, any firm and any device irrespective of any underlying technology [7]. Since the integration of IoT and Cloud is in its developmental stage, it has not been implemented in all the fields. The review of literature articulates the state of the art in this field with its diversified application domains in creating the smart environment and the challenges in deploying this new scenario to all the fields [8]. The significant challenges to be resolved with the existing smart applications are interoperability, security, QoS, load balancing, mobility, IPv6 deployment, data management solution and acceptability of IoT and Cloud applications by users and citizens [9]. Several research works have been carried out to address these issues faced in creating the smart environment and to extend the same for all application domains, but so far no proposed work seems to be integrated and secured. Hence, in this paper a secured and clever architecture for integrating Internet of Things and Cloud Computing is proposed.

Furthermore, we observe that there are also cases in which cloud users themselves are content providers. They publish data on cloud servers for sharing and need fine-grained data access control in terms of which user (data consumer) has the access privilege to which types of data. In the healthcare case, for example, a medical center would be the data owner who stores millions of healthcare records in the cloud. It would allow data consumers such as doctors, patients, researchers, etc., to access various types of healthcare records under policies admitted by HIPAA. To enforce these access policies, the data owners on one hand would like to take advantage of the abundant resources that the cloud provides for efficiency and economy; on the other hand, they may want to keep the data contents confidential against cloud servers. As a significant research area for system protection, data access control has been evolving in the past thirty years and various techniques [6]–[9] have been developed to effectively implement fine-grained access control, which allows flexibility in specifying differential access rights of individual users. Traditional access control architectures usually assume the data owner and the servers storing the data are in the same trusted domain, where the servers are fully

978-1-5386-4304-4/18/$31.00 ©2018 IEEE.


entrusted as an omniscient reference monitor [10] responsible for defining and enforcing access control policies. This assumption however no longer holds in cloud computing since the data owner and cloud servers are very likely to be in two different domains. On one hand, cloud servers are not entitled to access the outsourced data content for data confidentiality; on the other hand, the data resources are not physically under the full control of the owner. For the purpose of helping the data owner enjoy fine-grained access control of data stored on untrusted cloud servers, a feasible solution would be encrypting data through certain cryptographic primitive(s), and disclosing decryption keys only to authorized users. Unauthorized users, including cloud servers, are not able to decrypt since they do not have the data decryption keys. This general method actually has been widely adopted by existing works which aim at securing data storage on untrusted servers. One critical issue with this branch of approaches is how to achieve the desired security goals without introducing a high complexity on key management and data encryption.

II. RELATED WORK

Cubo et al. have presented a novel cloud based IoT platform ‘DEEP’ (DPWS (Devices Profile for Web Services) enabled devices platform) to manage the integration and behavior aware orchestration of heterogeneous devices as services, stored and accessed via the cloud. The DEEP platform is illustrated with the example of Ambient Assisted Living (AAL) by deploying it on the Google App Engine Cloud platform. Zhou et al. have proposed a Cloud-based Internet of Things platform for smart home applications where the sensors read the home temperature and luminosity from Arduino-enabled IoT things and cloud applications store and visualize the data. To store IoT data in the cloud and to provide access to the resources anywhere at any time, Benazzouz et al. have adopted the Cloud Data Management Interface (CDMI) in a Cloud IoT platform. A sensor-centric framework called IoTCloud has been developed by Fox et al. to support an extensible set of sensor-types and a large number of geographically distributed smart objects to communicate with one another. The rapidly increasing number of connected devices and smart objects generates a larger volume of unnecessary data. To filter the unnecessary communication of data, Aazam et al. have proposed Smart Gateway based communication for Cloud of Things (CoT). Though the integration phenomena create more technical advantages and business opportunities, there are equally larger threats from attackers. This is because the information is not ciphered, the privacy of the information is not ensured, and the senders and the receivers are not authenticated via secure connections. Apart from the security and privacy challenges, there are also some other key issues such as protocol support, energy efficiency, resource allocation, identity management, service discovery, quality of service provisioning, IPv6 deployment and data storage location. In spite of these technical constraints, this integration is considered to be a viable approach to facilitate ‘things’ application development that can be extended to many more application domains with the specific emphasis on secure data transmission.

In this paper, we address this open issue and propose a secure and scalable fine-grained data access control scheme for cloud computing. Our proposed scheme is partially based on our observation that, in practical application scenarios, each data file can be associated with a set of attributes which are meaningful in the context of interest. The access structure of each user can thus be defined as a unique logical expression over these attributes to reflect the scope of data files that the user is allowed to access. As the logical expression can represent any desired data file set, fine-grainedness of data access control is achieved. To enforce these access structures, we define a public key component for each attribute. Data files are encrypted using public key components corresponding to their attributes. User secret keys are defined to reflect their access structures so that a user is able to decrypt a ciphertext if and only if the data file attributes satisfy his access structure. Such a design also brings about an efficiency benefit, as compared to previous works, in that 1) the complexity of encryption is just related to the number of attributes associated with the data file, and is independent of the number of users in the system; and 2) data file creation/deletion and new user grant operations just affect the current file/user without involving system-wide data file update or re-keying. One extremely challenging issue with this design is the implementation of user revocation, which would inevitably require re-encryption of data files accessible to the leaving user, and may need update of secret keys for all the remaining users. If all these tasks are performed by the data owner himself/herself, it would introduce a heavy computation overhead on him/her and may also require the data owner to be always online. To resolve this challenging issue, our proposed scheme enables the data owner to delegate tasks of data file re-encryption and user secret key update to cloud servers without disclosing data contents or user access privilege information. We achieve our design goals by exploiting a novel cryptographic primitive, namely key policy attribute based encryption (KP-ABE), and uniquely combine it with the technique of lazy re-encryption.

III. PROPOSED ARCHITECTURE

The proposed secured and clever architecture for the Internet of Things and Cloud Computing is envisaged to offer secure smart services and applications anywhere, anytime, any firm, any device and any network independent of any underlying technologies with one IoT enabled Acute Smart Card (ASC). ASC eases the secure access of diversified applications and services distributed in a cloud environment with one Special Identification (SID) number per citizen through the intelligent systems. The intelligent system processes the data at the smart gateway and then uploads the necessary data to the cloud through the IP/MPLS core network. The information on the ASC is widely spread throughout the world at different datacenters to enhance the authentication process and the availability of data anytime, anywhere and any firm since all the sectors are interlinked through an integrated platform to exchange and retrieve information instantly and intelligently. This system adopts elliptic curve cryptography and ECC based digital certificates to ensure authentication, confidentiality, privacy and integrity. The functional components of the proposed architecture are explained below and depicted in Fig. 1. The proposed architecture consists
of four key components, namely intelligent system, security gateway, IP/MPLS core and integrated cloud IoT platform.

A. Intelligent System

The intelligent system comprises an IoT enabled Intelligent Smart Card (ISC), Smart Reader, Near Field Communication (NFC) enabled Mobile Device and Smart Gateway.

1) Acute Smart Card: The proposed Intelligent Smart Card is an IoT enabled active card that conforms to the ISO/IEC standard. The ASC designed for the proposed architecture has RFID tag, biometric template image template and Special Identification Number (SID) as the special features. ISC adopts a System on Card (SoC) process to ensure security and avails services using one SID per citizen.

Figure 1. Integrated Cloud IoT Architecture

a) SID of ISC: SID is a 20 digit alpha numeric number which includes country name, state name, place of birth, date of birth, sex, father’s initial and five digit number. The last defined five digit number will be the PIN number. This facilitates the entire system to be unique and secure in nature. Fig. 2 presents the sample SID number. Fields 1 and 2 indicate country name initial, 3 to 10 specify Date of Birth, 11 indicates father’s initial, 16 to 20 can be used as the last five digits of the PIN. (16,17 - state name, 18 - AZ, 19,20 - sequence number (TNA00 (26x99 = 2574))).

b) Security Features: Storing the template on card helps the card holder to have their biometric information on their hands always. It ensures the protection of the personal data. The MAC ID of the ISC will be encrypted using SID to ensure confidentiality and the encrypted MAC ID will be hashed to ensure integrity. Multiple applications can be installed on the same ISC which will have no connection with each other to ensure the privacy of the user at any context.

Figure 2. Sample SID

B. Smart Gateway

The proposed smart gateway is the heart of the smart environment which has immediate access to the closest data center to retrieve the customers’ information as soon as it receives the SID from the ISC through the intelligent smart reader. This proposed smart gateway is very flexible and configurable to adopt different application requirements and supports multiple protocols. It is responsible for protocol conversion. It is compatible with and adaptable for both IPv4 and IPv6, which makes the user feel comfortable to avail any applications and services from anywhere at any time independent of underlying networks. It collects the data, stores the data temporarily, performs preprocessing, filters the data, reconstructs the data into a more useful form and uploads only the necessary data to the cloud through the IP-MPLS core.

C. Integrated Cloud IoT Platform

The ASC with limited storage and processing power leverages the cloud technology, which has massive storage capacity and effective processing. ASC enables automatic machine to machine communication with its radio frequency interface. The data generated are processed and sent to the cloud. The service providers should register themselves in the proposed system and be authenticated to provide their services. The cloud vendors are connected through the IP/MPLS core. The cloud security broker receives the service request and assigns the cloud services followed by service level authentication. Since the different services of the cloud providers are interconnected, interoperability is achieved easily with no single point of failure.

IV. TECHNIQUE PRELIMINARIES

A. Key Policy Attribute-Based Encryption (KP-ABE)

KP-ABE is a public key cryptography primitive for one-to-many communications. In KP-ABE, data are associated with attributes for each of which a public key component is defined. The encryptor associates the set of attributes to the message by encrypting it with the corresponding public key components. Each user is assigned an access structure which is usually defined as an access tree over data attributes, i.e., interior nodes of the access tree are threshold gates and leaf nodes are associated with attributes. The user secret key is defined to reflect the access structure so that the user is able to decrypt a ciphertext if and only if the data attributes satisfy his access structure. A KP-ABE scheme is composed of four algorithms which can be defined as follows:

Setup. This algorithm takes as input a security parameter $\kappa$ and the attribute universe $U = \{1, 2, \ldots, N\}$ of cardinality $N$. It defines a bilinear group $G_1$ of prime order $p$ with a generator $g$, a bilinear map $e : G_1 \times G_1 \to G_2$ which has the properties of bilinearity, computability, and non-degeneracy.
It returns the public key $PK$ as well as a system master key $MK$ as follows:

$PK = (Y, T_1, T_2, \ldots, T_N)$

$MK = (y, t_1, t_2, \ldots, t_N)$

where $T_i \in G_1$ and $t_i \in \mathbb{Z}_p$ are for attribute $i$, $1 \le i \le N$, and $Y \in G_2$ is another public key component. We have $T_i = g^{t_i}$ and $Y = e(g, g)^y$, $y \in \mathbb{Z}_p$. While $PK$ is publicly known to all the parties in the system, $MK$ is kept as a secret by the authority party.

Encryption. This algorithm takes a message $M$, the public key $PK$, and a set of attributes $I$ as input. It outputs the ciphertext $E$ with the following format:

$E = (I, \tilde{E}, \{E_i\}_{i \in I})$

where $\tilde{E} = M Y^s$, $E_i = T_i^s$, and $s$ is randomly chosen from $\mathbb{Z}_p$.

Decryption. This algorithm takes as input the ciphertext $E$ encrypted under the attribute set $I$, the user’s secret key $SK$ for access tree $T$, and the public key $PK$. It first computes $e(E_i, sk_i) = e(g, g)^{p_i(0) s}$ for leaf nodes. Then, it aggregates these pairing results in the bottom-up manner using the polynomial interpolation technique. Finally, it may recover the blind factor $Y^s = e(g, g)^{ys}$ and output the message $M$ if and only if $I$ satisfies $T$.

Please refer to for more details on KP-ABE algorithms is an enhanced KP-ABE scheme which supports user secret key accountability than its subordinate loops.

In order to achieve secure, scalable and fine-grained access control on outsourced data in the cloud, we utilize and uniquely combine the following advanced cryptographic techniques: KP-ABE and lazy re-encryption. More specifically, we associate each data file with a set of attributes, and assign each user an expressive access structure which is defined over these attributes. To enforce this kind of access control, we utilize KP-ABE to escort data encryption keys of data files. Such a construction enables us to immediately enjoy fine-grainedness of access control. However, this construction, if deployed alone, would introduce heavy computation overhead and cumbersome online burden towards the data owner, as he is in charge of all the operations of data/user management. Specifically, such an issue is mainly caused by the operation of user revocation, which inevitably requires the data owner to re-encrypt all the data files accessible to the leaving user, or even needs the data owner to stay online to update secret keys for users. To resolve this challenging issue and make the construction suitable for cloud computing, we uniquely combine lazy re-encryption with KP-ABE.

For clarity we will present our proposed scheme in two levels: System Level and Algorithm Level. At system level, we describe the implementation of high level operations, i.e., System Setup, New File Creation, New User Grant, User Revocation, File Access, File Deletion, and the interaction between involved parties. At algorithm level, we focus on the implementation of low level algorithms that are invoked by system level operations.
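How the lazy re-encryption that this paper combines with KP-ABE plays out between data owner and cloud server, following its AUpdateAtt and AUpdateAtt4File algorithms; this is an added example, not the authors' code. The toy group, the class and method names, the version counters and the attribute and file names are assumptions, and the parameters are far too small for real use.

```python
import secrets

# Toy Schnorr group, constructed for illustration only (NOT secure):
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
# The paper's prime group order p corresponds to Q here.
P, Q, G = 2039, 1019, 4

def rand_exp():
    """Uniform non-zero exponent in Z_Q (non-zero so it can be inverted)."""
    return secrets.randbelow(Q - 1) + 1

class DataOwner:
    """Holds the master-key components t_i; the only party that knows them."""
    def __init__(self, attributes):
        self.t = {a: rand_exp() for a in attributes}

    def public_component(self, attr):
        return pow(G, self.t[attr], P)                  # T_i = g^{t_i}

    def update_att(self, attr):
        """AUpdateAtt: redefine attribute i, emit T_i' and rk = t_i' / t_i."""
        t_new = rand_exp()
        rk = t_new * pow(self.t[attr], -1, Q) % Q       # division in Z_Q
        self.t[attr] = t_new
        return self.public_component(attr), rk

class CloudServer:
    """Stores ciphertext components plus the attribute history list (AHL).
    It sees only E_i values and re-keys, never t_i or the randomness s."""
    def __init__(self):
        self.ahl = {}      # attr -> [rk for version 0->1, 1->2, ...]
        self.files = {}    # file id -> {attr: (E_i, version it was made under)}

    def put(self, fid, attr, e_i):
        version = len(self.ahl.get(attr, []))
        self.files.setdefault(fid, {})[attr] = (e_i, version)

    def record_rekey(self, attr, rk):
        self.ahl.setdefault(attr, []).append(rk)

    def update_att_for_file(self, fid, attr):
        """AUpdateAtt4File: run lazily, when the file is next accessed."""
        e_i, version = self.files[fid][attr]
        history = self.ahl.get(attr, [])
        if version == len(history):                     # already latest
            return e_i
        rk = 1
        for step in history[version:]:                  # product of re-keys
            rk = rk * step % Q
        e_new = pow(e_i, rk, P)                         # (E_i)^rk = g^{t_i^(n) s}
        self.files[fid][attr] = (e_new, len(history))
        return e_new

def demo(revocations=3):
    """One file, several revocations, a single catch-up on access."""
    owner, server = DataOwner(["cardiology"]), CloudServer()
    s = rand_exp()                                      # encryption randomness
    server.put("record-17", "cardiology",
               pow(owner.public_component("cardiology"), s, P))  # E_i = T_i^s
    for _ in range(revocations):                        # file is not touched here
        _, rk = owner.update_att("cardiology")
        server.record_rekey("cardiology", rk)
    lazy = server.update_att_for_file("record-17", "cardiology")
    fresh = pow(owner.public_component("cardiology"), s, P)
    return {"matches_fresh_encryption": lazy == fresh,
            "version": server.files["record-17"]["cardiology"][1]}
```

The server's single exponentiation gives the same component the owner would have produced by re-encrypting under the newest key, which is why the owner can stay offline between revocations.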
1) System Level Operations: System level operations in our proposed scheme are designed as follows.

System Setup. In this operation, the data owner chooses a security parameter $\kappa$ and calls the algorithm level interface ASetup($\kappa$), which outputs the system public parameter $PK$ and the system master key $MK$. The data owner then signs each component of $PK$ and sends $PK$ along with these signatures to Cloud Servers.

2) Algorithm level operations: Algorithm level operations include eight algorithms: ASetup, AEncrypt, AKeyGen, ADecrypt, AUpdateAtt, AUpdateSK, AUpdateAtt4File, and AMinimalSet. As the first four algorithms are just the same as Setup, Encryption, Key Generation, and Decryption of the standard KP-ABE respectively, we focus on our implementation of the last four algorithms. The following depicts two of the four algorithms.

AUpdateAtt($i$, $MK$)
    randomly pick $t_i' \xleftarrow{R} \mathbb{Z}_p$;
    compute $T_i' \leftarrow g^{t_i'}$, and $rk_{i \leftrightarrow i'} \leftarrow \frac{t_i'}{t_i}$;
    output $t_i'$, $T_i'$ and $rk_{i \leftrightarrow i'}$.

AUpdateAtt4File($i$, $E_i$, $AHL_i$)
    if $i$ has the latest version, exit;
    search $AHL_i$ and locate the old version of $i$;
    // assume the latest definition of $i$ in $MK$ is $t_i^{(n)}$
    $rk_{i \leftrightarrow i^{(n)}} \leftarrow rk_{i \leftrightarrow i'} \cdot rk_{i' \leftrightarrow i''} \cdots rk_{i^{(n-1)} \leftrightarrow i^{(n)}} = \frac{t_i^{(n)}}{t_i}$;
    compute $E_i^{(n)} \leftarrow (E_i)^{rk_{i \leftrightarrow i^{(n)}}} = g^{t_i^{(n)} s}$;
    output $E_i^{(n)}$.

V. EXPERIMENTAL STUDY

The objective of the experimental study is to test the performance of the proposed system with respect to throughput and transaction response time. The results of the experiments are tabulated and graphically presented. The performance test is carried out to measure the system throughput. It represents the amount of work the proposed system does at a given time. To analyze the system throughput, Meter, an open source tool, is used. Sample tests have been done with 10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110 and 120 service requesters, requesting the service through the proposed system. The system throughput increases gradually up to 10 requests and keeps rapidly increasing till 120. At one point, the system has reached the saturation point due to various factors and the throughput declines. However, the proposed system provides responses to the service requests with a reasonable response time. The overall system throughput is depicted in Fig. 2. The screenshots describe the system throughput for different loads on the server with 10 to 120 service requests. The data used to perform the system throughput is illustrated in Fig. 3. The graph generated corresponding to the data is presented below.

Figure 3. Overall System Throughput

VI. CONCLUSION

The proposed secure and clever architecture for integrating Internet of Things and Cloud Computing is a unique one to avail any applications and any services irrespective of any underlying technologies anywhere, anytime with one ASC. Implementing this architecture will help every citizen to have only one ISC for any applications in a smart environment. ISC can connect people and enable automatic machine to machine communication. The message encryption and the multifactor authentication ensure unique authentication, integrity, confidentiality and privacy of the users. This ensures that the users and the service providers can adopt this system with its salient features of ease of use and security. The simulated results prove the performance of the proposed system. Higher level security is achieved by incorporating ECC. Certainly, the proposed architecture eliminates ambiguity and enhances security. Moreover, our proposed scheme can enable the data owner to delegate most of the computation overhead to powerful cloud servers. Confidentiality of user access privilege and user secret key accountability can be achieved. Formal security proofs show that our proposed scheme is secure under standard cryptographic models.

VII. FUTURE SCOPE

Overall simulation of this architecture and real time implementation are in the progress of this research.

References
[1] A. Botta, W. Donato, V. Persico and A. Pescap, “On the Integration of cloud computing and Internet of Things,” Proc. IEEE conf. Future Internet of Things and Cloud (FiCloud), IEEE, Aug. 2014, pp. 23-30, doi: 10.1109/FiCloud.2014.14.
[2] L. Badger, T. Grance, R.P. Corner and J. Voas, “DRAFT Cloud.
[3] Computing Synopsis and Recommendations,” National Institute of Standards and Technology, Washington, DC, May 2011, p.84. Systems, July 2014, vol. 37, pp. 267–281, doi: 10.1016/j.future.2013.07.014.
[4] “Enabling Connected Smart Cities For A Better Tomorrow,” Elitecore Wi-Fi Service Management Platform (SMP), 2015, http://www.elitecore.com/downloads/datasheets/wifioffload/Elitecore-Smart-City-Solution.pdf.
[5] H. Harney, A. Colgrove, and P. D. McDaniel, “Principles of policy in secure groups,” in Proc. of NDSS’01, 2001.
[6] P. D. McDaniel and A. Prakash, “Methods and limitations of security policy reconciliation,” in Proc. of SP’02, 2002.
[7] T. Yu and M. Winslett, “A unified scheme for resource protection in automated trust negotiation,” in Proc. of SP’03, 2003.
[8] J. Li, N. Li, and W. H. Winsborough, “Automated trust negotiation using cryptographic credentials,” in Proc. of CCS’05, 2005. D. Sheridan, “The optimality of a fast CNF conversion and its use with SAT,” in Proc. of SAT’04, 2004.
[9] D. Naor, M. Naor, and J. B. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Proc. of CRYPTO’01, 2001.
[10] M. Atallah, K. Frikken, and M. Blanton, “Dynamic and efficient key management for access hierarchies,” in Proc. of CCS’05, 2005.
