
1 Introduction

First of all, we give a brief introduction to this paper from three aspects: background and related work, our solution, and contributions.

1.1 Background and Related Work

Cloud storage, as a further development of distributed computing, is widely used thanks to its fine-grained pricing and high scalability. It provides users with online storage services available anytime and anywhere, so that users can store local data on the cloud server. Thus, it facilitates people's lives to a large extent. At the same time, it also suffers from problems such as information leaks and illegal access. If medical privacy data is obtained by malicious parties for illegal activities, it may cause great trouble to patients’ lives and even endanger the life of the owner. Therefore, the security of medical privacy data is inseparable from access control.

Attribute-based encryption (ABE) assigns certain attributes to each legitimate participant. According to the attribute sets of the participants, the data owner formulates an access policy and encrypts the data. Only a data visitor whose attributes meet the access policy can decrypt the data. ABE can therefore effectively protect medical privacy data.

Attribute encryption is derived from identity encryption (IBE), which was first proposed by Shamir in 1984 [1]. In 2020, Zheng et al. [2] proposed an attribute-based data sharing scheme that supports efficient revocation of users, allowing users to join, revoke and re-join efficiently. In 2021, Gao et al. [3] combined blockchain, CP-ABE and IPFS to propose a blockchain-based personal data secure sharing and privacy protection solution. In 2021, Hijawi et al. [4] proposed a lightweight KP-ABE scheme. In 2022, Li et al. [5] introduced a white-box traceable CP-ABE scheme that can solve the problems of user and authorization center key abuse.

These attribute-based encryption schemes use ABE encryption and decryption locally. However, data security is not guaranteed during two-terminal communication. These hybrid encryption schemes do not implement access control. Therefore, in order to remedy this defect, we propose a hybrid encryption approach: RSA-ABE. In this scheme, we not only use ABE to implement access control of medical privacy data, but also use RSA to encrypt ABE keys, because this enhances the security of two-terminal communication. The mpk used for encryption has to be transmitted over the two-terminal channel, and encrypting it with RSA ensures the security of the mpk during transmission. This is different from the local use of ABE encryption and decryption.

1.2 Our Solution

The purpose of this paper is to design an access control approach that satisfies two requirements. First, a person can specify his own access policy, namely fine-grained access. Second, users with legal permissions can access the resources they have the right to access, while illegal or malicious users cannot access the protected resources. With medical privacy data access control based on attribute encryption, patients do not need to know in advance which medical staff can view their medical data. To enhance the security of patients’ health privacy, only medical staff related to the patient's condition can access the patient's medical data. That is, in addition to protecting the security of patients’ medical data, one-to-many data sharing and flexible access control are also required. By embedding the access policy in the ciphertext, the data owner can precisely control which data users can decrypt the ciphertext, which gives fine-grained access control. The patient only needs to formulate access policies for encrypted medical data according to the attributes of the authorized users. If the attributes of a user meet the access policies defined by the patient, the corresponding medical data can be obtained by decrypting the ciphertext.

1.3 Contributions

  • CP-ABE is used to control access to medical privacy data, meet the “one-to-many” data sharing and flexible access control, and protect data security.

  • Implement user-driven authorized access, where users can define their own access control policies and follow their own privacy preferences.

  • Compared with traditional medical data access control, attribute-based access control is fine-grained, flexible, adaptable to the cloud environment, and does not require users to manage keys online.

2 Hybrid Encryption System

This paper uses a hybrid encryption system (CP-ABE and RSA) to realize access control and protect data security. The process of hybrid encryption is shown in Fig. 1.

Fig. 1
A flow chart defines how the generated ABE keys, mpk and msk, are encrypted and sent to Bob using two-terminal communication, where Bob encrypts the plaintext to ciphertext and sends it to Alice. Alice decrypts the ciphertext and then verifies that the user is legitimate.

The process of hybrid encryption

Example: As shown in Fig. 1, Alice generates ABE keys (public parameters mpk and master key msk), then uses RSA to encrypt mpk to s_mpk. This ensures the security of mpk during transmission. Then, when Alice and Bob establish a connection using two-terminal communication, Alice sends s_mpk to Bob. After receiving s_mpk, Bob decrypts it. Bob then encrypts the plaintext M to CT and sends CT to Alice. After Alice receives the CT, she decrypts it and can then verify the legitimacy of the user.

2.1 OpenABE

This article uses the attribute encryption and decryption library OpenABE. Its architecture is shown in Fig. 2.

Fig. 2
The architecture of the OpenABE scheme API with 2 stages. Cryptographic Tools are linear secret sharing, crypto box AP, key derivation and pseudorandom functions, keystore, and RNG. Zeutro Math Library includes CCA ABE and PKSIG scheme contexts, RELIC, OpenSSL for EC, and future library.

OpenABE architecture diagram

In this paper, CP-ABE in OpenABE is used. The encryption and decryption process is shown in Fig. 3. After initializing the OpenABE library by constructing the Crypto Box context and generating domain parameters, you can perform key generation by specifying attributes, attribute lists, and access policies, then encrypt messages under a chosen access policy with the public key. Authorized users can then decrypt the ciphertexts and recover the original messages using their private keys.

Fig. 3
A flow chart includes seven steps to initialize OpenABE, construct the crypto box context, OpenABE attributes, attribute lists, and policies, generate parameters, key generation, encrypt a single message, and decrypt a single message.

The encryption and decryption process

2.2 Two-Terminal Communication

As illustrated in Fig. 4, to achieve two-terminal communication between the Server and Client, two dedicated and non-interfering threads, one handling input and the other output, need to be implemented on both sides.

Fig. 4
A flow diagram defines how the client generates the signal, and the server generates the address, forms a waiting queue, accepts a connection request, and connects to the client. Both read and write by the Put On message.

The two-terminal communication process

3 Experiment and Results

This article adopts RSA-ABE, a hybrid encryption approach for medical privacy data with cloud storage. It not only uses ABE to implement access control of medical privacy data, but also uses RSA to encrypt ABE keys, because this enhances the security of two-terminal communication. The mpk used for encryption has to be transmitted over the two-terminal channel, and encrypting it with RSA ensures the security of the mpk during transmission.

We use CP-ABE to realize access control, allowing patients to define the access control structure themselves and to specify who may access their medical privacy data, so that the control is fine-grained and flexible. During public key transmission, the asymmetric algorithm RSA is used for encryption to provide data confidentiality. One end defines the access control structure, and the other end uses attributes to decrypt, which suits the characteristics of cloud storage.

  1. First, generate mpk and msk at the A terminal, as shown in Fig. 5.

  2. Then, use RSA to encrypt mpk at the A terminal.

  3. The connection between the A terminal and the B terminal is established, as shown in Fig. 6.

  4. The encrypted data is sent to the B terminal, as shown in Fig. 7.

  5. After receiving the encrypted mpk, the B terminal decrypts the mpk using RSA, then uses CP-ABE to encrypt data, as shown in Fig. 8.

  6. The encrypted data is sent to the A terminal, as shown in Fig. 9.

  7. The A terminal decrypts and verifies whether the user is legitimate. The result is shown in Fig. 10.

Fig. 5
A screenshot of a set of generated mpk and msk commands at the A terminal.

Mpk

Fig. 6
A screenshot of a set of commands represents the established connection between A terminal and B terminal.

Establish a two-terminal connection

Fig. 7
A screenshot of a set of generated encrypted commands that are sent to the B terminal.

Send to B terminal

Fig. 8
A screenshot of a set of encrypted mpk and msk commands at the A terminal, which are decrypted by the B terminal using the RSA algorithm and encrypted using the CP-ABE algorithm.

Encrypt data at the B terminal

Fig. 9
A screenshot of a set of generated encrypted commands that are sent to the A terminal.

Send to A terminal

Fig. 10
A screenshot of a set of commands which are decrypted by the A terminal.

Verify identity

In this experiment, the public and private keys of CP-ABE are first randomly generated, and then a socket is used to establish the two-ended communication. After the public key is encrypted using RSA, it is sent to the patient over the two-ended communication. The patient defines the access structure himself (id4254111988342 and man and age30 and day444 and chronicrespiratoryinfections). A user must hold all of the above attributes to satisfy the access structure. Then, the patient encrypts the data using the access structure and the transmitted key. The encrypted data is transmitted to the end where users need access to patients’ medical data. When a user accesses the patient's medical data, he submits his own attributes (| id4254111988342 | man | age30 | day444 | chronicrespiratoryinfections). This set of attributes satisfies the access structure defined by the patient, so the ciphertext can be decrypted and the authentication passes (User qualification!).
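The check that CP-ABE decryption enforces in this experiment can be reproduced as plain policy logic. The following Python code is an added example, not code from the paper or from OpenABE: it evaluates the access structure above against the submitted attribute list, with no cryptography involved. Support for `or` and parentheses goes beyond the pure conjunction used in the experiment, and the precedence of `and` over `or` is an assumption of this example.

```python
import re

# Policy and attribute list taken from the experiment described above.
POLICY = "id4254111988342 and man and age30 and day444 and chronicrespiratoryinfections"
USER_ATTRS = "|id4254111988342|man|age30|day444|chronicrespiratoryinfections"

def parse_attr_list(text):
    """Split a '|a|b|c' attribute list into a set, ignoring padding spaces."""
    return {a.strip() for a in text.split("|") if a.strip()}

def tokenize(policy):
    tokens = re.findall(r"[()]|[A-Za-z0-9_]+", policy)
    if "".join(tokens) != re.sub(r"\s+", "", policy):
        raise ValueError("unexpected character in policy")
    return tokens

def satisfies(policy, attrs):
    """True if the attribute set satisfies an and/or/parenthesised policy."""
    toks = tokenize(policy) + [None]      # None marks end of input
    pos = 0
    def atom():
        nonlocal pos
        tok = toks[pos]
        if tok in (None, ")", "and", "or"):
            raise ValueError("attribute expected")
        pos += 1
        if tok != "(":
            return tok in attrs           # leaf: does the user hold it?
        val = either()
        if toks[pos] != ")":
            raise ValueError("missing ')'")
        pos += 1
        return val
    def both():                           # assumption: 'and' binds tighter
        nonlocal pos
        val = atom()
        while toks[pos] == "and":
            pos += 1
            val = atom() and val          # parse right operand first
        return val
    def either():
        nonlocal pos
        val = both()
        while toks[pos] == "or":
            pos += 1
            val = both() or val
        return val
    result = either()
    if toks[pos] is not None:
        raise ValueError("trailing tokens in policy")
    return result
```

Running such a check before encryption catches malformed policies and attribute lists that can never satisfy them; the actual enforcement remains the CP-ABE decryption itself.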

Our hybrid encryption scheme can achieve the following goals:

First, patients can define their own access structure, and only the persons designated by the patient can access the patient's medical data, enhancing the security of the patient's medical privacy.

Second, a patient's medical data can be accessed by multiple users, satisfying the “one-to-many” data sharing and flexible access control.

Finally, RSA is used to encrypt data during transmission to protect data security.

4 Conclusion

In this paper, to protect the privacy of medical data, we propose RSA-ABE, a hybrid encryption approach for medical privacy data with cloud storage. In our construction we employ two-terminal communication and CP-ABE. The user can customize the access structure on one end. At the other end, identity authentication can be performed using the transmitted data and the attributes entered by a user for an access request. RSA encryption is used during data transmission to protect data security. In the cloud storage environment, one end defines the access control structure, and the other end uses attributes to decrypt, meeting the characteristics of cloud storage. Therefore, this solution is feasible. In the future, this scheme can be applied to various industries, such as transportation, education, and power, and CP-ABE can also be improved to realize hierarchical control and to encrypt transmitted data with other encryption algorithms.