FAST: Fast Accessing Scheme for data Transmission in cloud computing

Abstract

With the rapid advancement of emerging technologies, a huge amount of data is created and processed in daily life. Nowadays, Cloud Computing (CC) technology is one of the frequently adopted technologies to access and store data over the internet. CC mainly provides on-demand and pay-per-use services to users. However, access control and security are two major issues that users face in a cloud environment. During data access from a cloud server, the searching time of a Data Owner (DO) and the data accessing time are high. Therefore, users utilize more cloud services and pay more. High system overhead is another issue of a cloud environment. In this paper, a novel access control model has been proposed to overcome all these concerns. Here, the Cloud Service Provider (CSP) maintains a temporary table based on the data type and popularity value of the DO for fast and efficient data accessing. The cloud service provider can easily search the data owner by using the table and the data accessing time is remarkably reduced. Experimental results and theoretical analysis of the proposed scheme prove its efficiency over the existing schemes.

1 Introduction

Cloud computing is a radical paradigm for providing computational services and unlimited storage to the users on a pay-per-use basis. In a CC environment, numerous computers are combined by different technologies, namely utility computing, network system and many more [1]. CC is an advanced field in Information Technology (IT) industries because of its attractive features. There are mainly four types of cloud deployment models: (i) public cloud (ii) private cloud (iii) hybrid cloud, and (iv) community cloud. By definition, a cloud operated only by a single organization or by a third party is a “private cloud”. The CSP in a “public cloud” provides resources to the users. Anyone can join in the public cloud. In a “community cloud”, the cloud infrastructure is shared by a community of numerous organizations. All these organizations must have a common goal. A combination of community, private and pubic cloud is a “hybrid cloud”. There are mainly three types of entities in a CC environment: (i) cloud service provider (ii) data owner, and (iii) user. The CSP plays the role of the central authority by controlling all the activities of a cloud environment. DOs are responsible for storing their data on the cloud server, and users access data or any service from the cloud server [2,3,4]. CC has several benefits, such as pay-per-use, on-demand service, unlimited storage capacity, flexibility and many more. However, it also has many limitations, such as access control, security, limited control, downtime and many more. Among all these limitations or issues, access control is the most critical one. Access control can be defined as a process of allowing only authorized parties to access any resource or data from a server or organization. There are three primitives of an access control model: (i) subject (ii) object, and (iii) operation. An entity that initiates an access request is considered as a subject and an object is an entity for which an access request is being initiated. An operation decides the actions that must apply to the object. Implementing an efficient access control model mainly based on three concepts: (i) policy (ii) model, and (iii) mechanism. All the cloud environments use their own access control models for earning revenue. However, all of them face some common issues, such as high time to search a DO, high time to provide any data, high CPU utilization and high system overhead. In the cloud environment, there is no systematic process to save the details of the DOs. Due to this problem, when the user initiates a data access request to the CSP, the service provider may need to check the entire database to find the owner of the requested data. After finding the details of the DO, the CSP provides the Public Key of the DO (PCKDO) to the user, who initiates the request. Therefore, the CSP experiences high searching time of PCKDO, and as result, the user must wait for a long time to send the request to the respective DO for the secret key and Access Certificate (AC) of the requested data. The user is only allowed to send the request to the DO by using the corresponding PCKDO. Thus, the data accessing time is also increased. When the CSP takes more time to search the PCKDO from the cloud database, the users automatically utilize more cloud services and they need to pay more. High system overhead is another issue in the existing scheme [5] because the DO has to be always online during the complete data communication process.

Many access control models are already developed to solve these aforementioned problems [6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]. Ferraiolo and Kuhn [27] have used the role of a job to propose the Role Based Access Control (RBAC) model. Job roles are used in RBAC to control data accessing of the users. However, this scheme consumes time to provide data to the users. Attributes of a ciphertext are utilized in Key Policy based Attribute-Based Encryption (KPABE)  [28]. In KPABE, the DOs must depend on a key generator and they are not allowed to control the access policies. In [29], authors have designed a model that supports accessing any resource based on the user’s attributes. There are many complex operations in their proposed model. In a particular organization, the AC of any user in the activity based access control model [30] for any data can be assigned by using the designation of the user. But, the system overhead of this model is high because of the presence of several components in its working architecture. Another model was introduced based on the substring index generation process [31]. Here, the searching time of a DO is high. Thus, the system overhead is automatically increased. In 2017, Zigzag Morse Code based Access Control Model (ZMCACM) was proposed by Murugan and Thilagavathy [32] for the CC environment. In ZMCACM, Morse code is used to support efficient data accessing. However, the CPU utilization is more in this scheme. A novel technique for a multitenant CC environment has been proposed by Almutairi et al. [33]. However, this scheme does not support fast data accessing. So, users must pay more for using the cloud services. All these existing schemes experience the high searching time of DO, high data accessing time and high system overhead. In addition, CPU utilizations are more in these existing schemes. These issues motivate to develop an efficient and fast access control model for the CC environment.

A novel Access Control Model (ACM) has been proposed in this paper, namely Fast Accessing Scheme for data Transmission (FAST) in the CC environment to overcome the problems of the existing schemes. In FAST, the CSP manages a temporary table based on the data type of the DO and the popularity value of the DO. Here, the CSP maintains a popularity value for every DO in the Table. A popularity value of any DO can be defined as the number of times that the DO provides data to the users. Whenever a user requests for a resource or data from the cloud server, the CSP initiates a query in the table based on the requested data type and the popularity value of the DO. Therefore, the CSP does not search the whole database to find one DO, and after finding the DO from the temporary table, the CSP easily can provide the PCKDO to the user in less time. Thus, the searching time of PCKDO can be decreased. The accessing time of data can be continually reduced in the proposed scheme since the searching of PCKDO is minimized. Therefore, the CPU utilization can also be less in FAST and the users can pay less for using the cloud service. The main contributions of the proposed work are mentioned below:

1. 1

   A novel data access control model has been proposed in this paper. In the proposed FAST, the CSP maintains a table based on the data type of the DO and the popularity value of the DO for fast and efficient data accessing.

2. 2

   The proposed scheme minimizes the searching time of PCKDO, data accessing time and CPU utilization. Moreover, the proposed ACM also reduces the system overhead.

3. 3

   Theoretical analysis and experimental results of FAST have been presented for proving its efficiency.

The rest of the paper consists of several parts. Section 2 discusses the literature reviews. Problem statements are presented in section 3. Section 4 and section 5 deal with the detailed discussion of the proposed scheme and complexity analysis of the proposed algorithms, respectively. Section 6 presents results and discussions of the proposed access control model. At last, section 7 concludes the entire paper.

2 Literature reviews

Many ACMs are already proposed for efficient data accessing from the cloud server.

In RBAC [27] , every user or customer gets a separate role during data access. Here, the role is used for assigning access rights, and users cannot give access right to other users. In RBAC, users have to satisfy a few rules: (i) rule authorization (iii) rule assignment, and (iii) transaction authorization to access any data. Transaction authorization guarantees that only the valid users are able to execute a transaction by confirming both the rule assignment and rule authorization. RBAC takes much time to provide a resource or data to the users.

Yu et al. [29] have proposed an Attribute Based Access Control (ABAC) model in which access is granted based on the user’s attributes. Here, the user must confirm the attributes at the time of accessing the data. In ABAC, to assign a set of attributes, the CSP faces problems due to the large number of users, especially, when the user wants to access data from outside his/her domain. ABAC provides fine-grained data accessing, and it does not reveal the original content of data. In ABAC, setting a group or set of attributes is quite difficult. In addition, it takes much time to provide data to the users, so users have to pay more.

In  [34], authors have extended the proposed concept of Attribute Set Based Encryption (ASBE) with a hierarchical structure and proposed Hierarchical Attribute Set Based Encryption (HASBE) scheme . In this scheme, users’ access rights are expired after a predefined time. This scheme increases overhead because the workload of the higher-level trusted authority is transferred to the lower-level domain authority.

Mutual Trust Based Access Control Model (MTBACM) [35] has been proposed to achieve mutual trust among different entities of a cloud environment. This scheme uses the credibility of the CSP and user. Here, the relationship of trust is achieved between the CSP and users by using mutual trust technique. There are five entities in the system model of MTBACM: (i) authentication and authorization centre (ii) CSP (iii) users (iv) CSP’s trust database, and (v) user’s behaviour trust database. However, MTBACM takes much time to search a DO from the cloud database, and it also increases the system overhead.

In 2017, Alam et al. [36] have proposed a scheme, namely Cross Tenant Access Control (CTAC) scheme, where the cloud service provider plays the activity of the trusted third party and supports the sharing of resources between two different tenants. There are four algorithms in this scheme for delegation mechanism and permission activation between tenants: (i) activation (ii) forward revocation (iii) delegation, and (iv) backward revocation. This scheme does not support fast data access.

In a CC environment, data leakage issue is increasing because of sharing resources. To solve this issue, a novel mechanism was proposed by Almutairi et al. [33] for the multitenant cloud environment, namely Notion Based ACM (NBACM). NBACM introduces the notion of sensitivity at the data centre’s end. NBACM is based on RBAC, and it is designed to minimize the risk of assigning the Virtual Machine (VM) for each task. However, this scheme does not support to minimize the searching time of DO.

Modified Hierarchical Attribute-Based Encryption (MHABE) model has been proposed in [37] for focusing data processing, data accessing and data storing in the multi-user cloud environment. Nevertheless, the searching time of DO is high in MHABE and the CPU utilization is more in this scheme. Therefore, users need to pay more for using the cloud services.

3 Problem statements

This section presents the system model and design goals of the proposed scheme.

3.1 System model

The proposed FAST is composed of three entities:

1. 1

   Cloud service provider: CSP is the central authority of any cloud environment. It has the overall power, and uses numerous servers to provide various kinds of services to the users and DOs [38].

2. 2

   Data owners: DOs are the entities, who store their data on the CC environment in the encrypted form. However, they are completely dependent on the CSP to manage or control their data.

3. 3

   User: Users are basically the end customers, who access resources or data or services from a CSP. Only the authorized users are allowed to access data or service from the cloud server and they depend on the CSP for infrastructure.

3.2 Design goals

The main design goals of FAST are:

1. 1

   Achieving a fast and effective ACM for the cloud environment by reducing three aspects: (i) searching time of the DO to provide the corresponding PCKDO (ii) data accessing time, and (iii) CPU utilization.

2. 2

   To provide different data access rights or certificates for different users for the same data. It improves data security in the cloud environment.

3. 3

   To minimize the system overhead of the cloud environment by not keeping the DO always connected during the entire data communication process.

4 Proposed model

In the proposed FAST, the CSP maintains a temporary CSP Table (CSP-TAB). In the CSP-TAB, there are six attributes: (i) Group Identity (ID) (GP_ID) (ii) Data Type (DT) (iii) Popularity Value (PV) (iv) Data Owner’s ID (DO_ID) (v) DO’s Time & Date (DO_T&D), and (vi) Group’s Time & Date (GP_T&D). The identities of all the groups are maintained in the GP_ID. DT keeps the data types of the DOs. PV maintains the popularity value of each and every DO. When a DO provides data to the user, the PV of that DO is increased by 1. In FAST, threshold popularity value is considered as 10 i.e. the PV of any DO can be between 1 and 10. The data type and threshold PV of the DO are decided by the CSP as per convenience. There may be many DOs, who share the same type of data. So, they are kept in the same DO_ID. Respective date and time of the DO are kept in the DO_T&D i.e. when s/he has shared the requested data. GP_T&D holds the formation details of the groups. Whenever the DO shares data on the cloud server, the CSP adds the DO in the table based on the data type. At the time of data access, the CSP searches the DO from the CSP-TAB based on the user’s requested data type and PV. Then, the CSP increases the PV of the DO by 1, if the DO already exists in the table and the PV of the particular DO has not reached to the threshold value. Otherwise, a new GP_ID is created with the details of the DO. Then, the CSP gives the PCKDO to the user. So, the DO having the threshold PV of a particular data type is placed at the top of the DO_ID, and the CSP doesn’t need to look the entire database for providing the PCKDO. The user can send a request in lees time to the DO in order to get the credentials by using the PCKDO. Thus, the CSP-TAB can help to reduce the searching time of a DO as well as the data access time.

The proposed scheme consists of mainly five phases: (i) system setup (ii) registration (iii) login (iv) processes on the CSP-TAB, and (v) data access. The entire workflow of FAST has been shown in Fig. 1.

Fig. 1

Workflow of the proposed FAST

4.1 System  setup phase

In this phase, the CSP chooses a big prime number (p) to calculate a multiplicative group \( {Z}_p^{\ast } \). This multiplicative group is used to choose the Public-Private Key Pair (PPKP) of the CSP. The CSP also chooses PPKP for the DO and user from the \( {Z}_p^{\ast } \) that are sent to them during their registration. In FAST, the Public Key of the User (PCKUSR) is accessible to all the registered entities of the cloud server, and only the registered user knows the respective PCKDO after sending a data access request. All the registered users and DOs know the Public Key of the CSP (PCKCSP), and the private key of the CSP and other entities are always kept secret.

4.2 Registration phase

Every user must be registered in the cloud server by sending a registration request to the CSP. Then, the CSP uses some confidential information of the user, namely date of birth, address, full name and first school name to generate a personal profile of the user. Then, the Secure Socket Layer (SSL) is developed to provide the PPKP of the user. The DOs are also registered in the cloud server by the same process.

4.3 Login phase

When the users complete the registration phase, the CSP allows them to login to the cloud server. To login to the cloud server, the user must send a request to the CSP. The CSP verifies, if the user is authorized or not. If the user is authorized, the CSP accepts the login request and sends a reply to the user. Then, the user can send a data access request to the CSP.

4.4 Processes on the CSP-TAB phase

In the CSP-TAB, DOs’ IDs are placed based on the popularity values. The DO, who has the threshold PV is kept at the top position of the respective DO_ID. Then, in the next position, the DO is placed, who has the next PV and so on. There are 3 main operations on the CSP-TAB: (i) insertion (ii) deletion, and (iii) searching a PCKDO. Let us assume that GP_ID is defined by S = {GID₁, GID₂, GID₃, …, GID_P} and DO_ID is defined by S^′ = {DID₁, DID₂, DID₃, …, DID_Q}. In the CSP-TAB, P and Q denote the maximum number of GP_ID and the maximum number of DOs’ IDs per DO_ID, respectively. Here, GID_x represents x^th GP_ID and DID_x represents x^th DO’s ID. Table 1 demonstrates an example of a CSP-TAB.

Table 1 CSP-TAB

4.4.1 Insertion algorithm

The insertion algorithm is used to insert the ID of a DO in the CSP-TAB. At first, the DO must be registered in the cloud server. Then, the DO needs to login to the cloud server to share any data. When the DO shares data, to inset the DO in the CSP-TAB, at first, the CSP checks whether the data type of the DO exists in the CSP-TAB or not. If the type of data is already existed in the CSP-TAB, the CSP checks whether the respective DO_ID field is full or not. If it is not full, the CSP adds the DO in the corresponding position of the CSP-TAB. Otherwise, a new group is added to the CSP-TAB with the details of the DO, if the CSP-TAB is not full. When DO_ID and CSP-TAB is full, the CSP deletes a DO’s ID from DO_ID and a group from CSP-TAB, respectively based on the condition to add the details of the DO. After adding the DO in the corresponding position, the CSP sets the PV of the DO as 1. Table 2 presents the notations and their descriptions, which are used throughout this paper.

Table 2 Notations and their descriptions

4.4.2 Deletion

The deletion operation is controlled by the CSP based on the requirement. An entire GP_ID or a particular DO’s ID can be deleted from the DO_ID to manage the entries of the CSP-TAB. Here, both the deletions are actually parts of the aforementioned insertion algorithm. Therefore, an authorized DO’s ID is the input of both the deletion algorithms.

1. 1

   DO’s ID deletion algorithm (DEL _ DO _ ID (GP _ ID)): The CSP can delete the ID of a DO from the DO_ID after traversing GP_ID and the respective DO_ID. After finding the DO having the lowest PV, the DO’s ID is assigned to an array m[ ], and finally, DO’s ID is deleted from DO_ID. If the CSP finds that there are two or more DOs, who have the same lowest PV, the CSP follows the Least Recently Used (LRU) principle to delete the DO’s ID from DO_ID. The CSP gets the information of LRU from DO_T&D. Then, the CSP updates the CSP-TAB.

2. 2

   Entire GP_ID deletion algorithm (DEL _ GP _ ID()): The CSP also uses the LRU principle to delete a long time unused GP_ID from the CSP-TAB. At first, the details of the LRU GP_ID have been searched from GP_T&D, then, the CSP deletes the entire entries of GID_x and updates the table.

4.4.3 Searching the public key of a DO

After login to the cloud server, when a user requests to access any resource or data, the first task of the CSP is to search the PCKDO from the cloud server and send it to the user. In the proposed FAST, to search a PCKDO, the CSP matches the U_DT against the \( {GID}_{x_{DT}} \). Then, again the CSP searches each entry of the corresponding DO_ID. As the DOs’ IDs are systematically organized by using the popularity value, the CSP can simply find the PCKDO from the corresponding position of the CSP-TAB. Then, the DO provides it to the user in less time. Otherwise, the CSP shows an invalid data type.

4.5 Data access phase

There are the following steps to access any resource or data from the cloud server:

• Step 1: A registration request is sent from the user to the CSP.

• Step 2: The CSP uses the user’s information to generate a corresponding profile. Then, the CSP sends a registration reply along with PPKP.

• Step 3: The user can login after a successful registration process i.e. after getting the registration reply.

• Step 4: In the fourth step, if the user is authorized to login, the CSP sends an acknowledgment.

• Step 5: The user sends a data access request to the CSP in the encrypted form by using the Private Key of the User (PRKUSR) and PCKCSP.

• Step 6: The CSP uses the CSP-TAB to search the corresponding PCKDO in the sixth step.

• Step 7: The CSP provides the PCKDO to the requested user after encrypting by the Private Key of the CSP (PRKCSP) and PCKUSR. The user decrypts the message by using the PRKUSR and PCKCSP.

$$ PCKDO\to {EK}_{PRKCSP}(PCKDO)\to {EK}_{PCKUSR}\left\{{EK}_{PRKCSP}(PCKDO)\right\}\to User $$

$$ PCKDO\leftarrow {DK}_{PCKCSP}\left\{{EK}_{PRKCSP}(PCKDO)\right\}\leftarrow {DK}_{PRKUSR}\left[{EK}_{PCKUSR}\left\{{EK}_{PRKCSP}(PCKDO)\right\}\right] $$

• Step 8: In this step, the user sends a request to the corresponding DO by using the PCKDO. The request is sent in the encrypted form by the PRKUSR and PCKDO to provide the Secret Key of the Data (SKD) and corresponding AC of the data.

• Step 9: The DO checks the authorization of the user from the cloud server’s end.

• Step 10: The CSP confirms the user’s authorization in the tenth step.

• Step 11: In this step, the DO sends the SKD along with its corresponding AC to the user as an encrypted message by the Private Key of the DO (PRKDO) and PCKUSR. Here, the DO generates different ACs for different users for the same data to improve data security. Thus, two ACs cannot be the same in any condition. The user uses the PRKUSR and PCKDO to get the SKD and AC.

$$ SKD\ and\ AC\to {EK}_{PRKDO}\left( SKD\ and\ AC\right)\to {EK}_{PCKUSR}\left\{{EK}_{PRKDO}\left( SKD\ and\ AC\right)\right\}\to User $$

$$ SKD\ and\ AC\leftarrow {DK}_{PCKDO}\left\{{EK}_{PRKDO}\left( SKD\ and\ AC\right)\right\}\leftarrow {DK}_{PRKUSR}\left[{EK}_{PCKUSR}\left\{{EK}_{PRKDO}\left( SKD\ and\ AC\right)\right\}\right] $$

• Step 12: Here, the DO encrypts the requested resource or data as a message by the SKD. The DO then uses the PRKDO and PCKCSP to encrypt the message and the AC of the corresponding data before storing it on the cloud database. The CSP is only able to moderately decrypt the encrypted message by the PRKCSP and PCKDO.

$$ Data\to {EK}_{SKD}\left( Data\ \right)\to {EK}_{PRKDO}\left\{{EK}_{SKD}(Data)\ and\ AC\right\}\to {EK}_{PCKCSP}\left[{EK}_{PRKDO}\left\{{EK}_{SKD}(Data)\ and\ AC\right\}\right]\to CSP $$

$$ {EK}_{SKD}(Data)\ and\ AC\leftarrow {DK}_{PCKDO}\left[{EK}_{PRKDO}\left\{{EK}_{SKD}(Data)\ and\ AC\right\}\right]\leftarrow {DK}_{PRKCSP}\left[{EK}_{PCKCSP}\left[{EK}_{PRKDO}\left\{{EK}_{SKD}(Data)\ and\ AC\right\}\right]\right] $$

• Step 13: In the thirteenth step, the user sends the AC to the CSP by using the PRKUSR and PCKCSP. The CSP decrypts the encrypted message by the PRKCSP and PCKUSR.

$$ AC\to {EK}_{PRKUSR}(AC)\to {EK}_{PCKCSP}\left\{{EK}_{PRKUSR}(AC)\right\}\to CSP $$

$$ AC\leftarrow {DK}_{PCKUSR}\left\{{EK}_{PRKUSR}(AC)\right\}\leftarrow {DK}_{PRKCSP}\left[{EK}_{PCKCSP}\left\{{EK}_{PRKUSR}(AC)\right\}\right] $$

• Step 14: In this fourteenth step, the CSP verifies the AC of the user against the AC provided by the DO. If the AC is authentic, the CSP provides the ciphertext of the resource or data in the encrypting form by using the PRKCSP and PCKUSR. Otherwise, the user’s data access request is rejected by the CSP.

• $$ {EK}_{SKD}(Data)\to {EK}_{PRKCSP}\left\{{EK}_{SKD}(Data)\right\}\to {EK}_{PCKUSR}\left[{EK}_{PRKCSP}\left\{{EK}_{SKD}(Data)\right\}\right]\to User $$

The user executes three decryption processes by using the PRKUSR, PCKCSP and SKD to retrieve the original resource or data.

$$ Data\leftarrow {DK}_{SKD}\left\{{EK}_{SKD}(Data)\right\}\leftarrow {DK}_{PCKCSP}\left[{EK}_{PRKCSP}\left\{{EK}_{SKD}(Data)\right\}\right]\leftarrow {DK}_{PRKUSR}\left[{EK}_{PCKUSR}\left[{EK}_{PRKCSP}\left\{{EK}_{SKD}(Data)\right\}\right]\right] $$

5 Complexity analysis

There are mainly three algorithms in the proposed scheme, which are discussed in the previous section. Therefore, complexity has been calculated for these three algorithms:

1. 1

   Insertion: To insert the ID of a DO in DO_ID of the CSP-TAB, the CSP needs to consider two aspects: (i) data type of the DO, and (ii) popularity value of the DO. Here, the CSP matches the data type of the DO against the data type of the CSP-TAB. If the matched data type is not found after searching P number of groups, the CSP adds the DO in a newly created group. Otherwise, in the worst case, the CSP searches all P number of groups, and in the matched GP_ID, the CSP again needs to search Q number of DO IDs to insert a DO’s ID. When the CSP adds the DO in the CSP-TAB, the PV of the DO is set as 1. Thus, the worst-case complexity of insertion algorithm is \( \mathcal{O}(PQ) \).

2. 2

   Deletion: When the CSP deletes a group, it needs to find the LRU GP_ID. In the worst case, the CSP needs to search P number of groups to find the LRU GP_ID. So, the worst-case complexity is \( \mathcal{O}\Big(P \)). To delete a DO’s ID, the CSP needs to search all the Q entries of the DO_ID in the worst case. As the deletion algorithms are actually parts of the insertion algorithm, the CSP may need to delete the DO’s ID of the P^th GP_ID in the worst case. Thus, the worst-case complexity to delete a DO’s ID is \( \mathcal{O}(PQ) \).

3. 3

   Searching the public key of a DO: Searching a PCKDO from the CSP-TAB is the main algorithm of the proposed access control model. To search a PCKDO from the CSP-TAB, the CSP uses the requested data type of the user. If it is matched with the DT of the CSP-TAB, the CSP again requires searching the entries of the corresponding DO_ID. Therefore, the CSP searches P number of groups and its corresponding Q number of DOs’ IDs to find a PCKDO in the worst case. After finding the PCKDO, it is sent to the user. Then, the CSP increases the PV of the DO by 1, if the PV is not reached the threshold value. Thus, the worst-case complexity of searching a PCKDO is \( \mathcal{O}(PQ) \). Complexities of the proposed algorithms in the worst case are shown in Table 3.

Table 3 Complexities of the proposed algorithms in the worst case

6 Results and discussions

Results and discussions of the proposed FAST have been presented in this section in detail.

6.1 Simulation setting

The proposed FAST has been evaluated by using a cloud simulation environment. Here, CloudSim 3.0.3 is used to develop a simulation environment to evaluate efficiency [39]. CloudSim 3.0.3 has been setup on a Dell Optiplex 7050 MT desktop with the following configurations:

1. 1

   Storage capacity: 2 TB

2. 2

   RAM: 16 GB

3. 3

   Operating system: Windows 10

4. 4

   Processor: Corei5

CloudSim is used to configure Apache Commons Math 3.6.1 [40], and Java version 8 [41] is also installed on the above mentioned Dell desktop. Forty data centres have been used to develop a heterogeneous CC environment. The memory capacity of the heterogeneous cloud environment is 4 GB, and there are 4000 physical nodes. Four types of VMs are considered in the simulation with 1 GB/s bandwidth:

1. 1

   1500MIPS, 2.5 GB

2. 2

   2000MIPS, 3 GB

3. 3

   2500MIPS, 3.5 GB

4. 4

   3000MIPS, 4 GB

6.2 Results and discussions

The proposed scheme i.e. FAST is evaluated against three existing schemes: (i) notion based access control model [33] (ii) mutual trust based access control model [35], and (iii) modified hierarchical attribute-based encryption scheme [37]. 200 experiments are performed with different criterion to get the searching time of PCKDO, data accessing time and percentage of CPU utilization. At last, average values are calculated from 200 experiments. CityPulse Dataset Collection [42] is used to collect pollution dataset for the experiments.

The first experiment is for calculating the searching time of the public key of a DO from the cloud database. Figure 2 shows that the proposed FAST gives better results to search the PCKDO than three other existing schemes: MTBACM, NBACM and MHABE. In FAST, when the CSP gets an access request for data, the time is recorded. The CSP searches the DO from the CSP-TAB by using the user’s requested data type and popularity value. The CSP matches the user’s requested data type with the entries of the CSP-TAB i.e. data type of the CSP-TAB. As the CSP organizes the DOs based on their popularity values, the respective DO is searched based on the top-down approach in the particular DO_ID field. Then, the CSP easily gets the corresponding public key of the DO, and after encrypting it by the CSP’s private key and the public key of the user, it is sent to the user in less time. Then, again the time is recorded. Thus, the CSP does not require finding the entire cloud database for a single DO. However, if the number of users increases, the load on the CSP also increases and it consumes a little bit of time to search the PCKDO, which produces a linearly increasing curve for the proposed FAST. In the existing schemes, namely MHABE, MTBACM and NBACM, the CSP stores the details of the DOs in a scattered matter. These schemes do not maintain any technique or CSP-TAB to store the details of the DOs. Sometimes, the CSP searches the entire database to find a DO, and sometimes, the CSP does not require searching the entire database to find a DO, which consumes less time. Thus, zigzag curves are generated for the existing schemes.

Fig. 2

Searching time of the public key of a DO vs. number of users

The next result is to validate the data accessing time. The data accessing time is the time interval between the data request time and the data decryption time. In FAST, the CSP easily searches the PCKDO from the CSP-TAB in less time by using the popularity value of the DO and the requested data type. Here, the users do not wait to get the corresponding PCKDO, and by using the PCKDO, the users initiate requests to the data owners for the respective secret keys and ACs. As the searching time of the PCKDO is less in the proposed access control model, the data accessing time is automatically reduced. Thus, in Fig. 3, a linearly increasing curve is generated for the proposed ACM. In all the existing schemes, the CSP sometimes searches the entire cloud database to find the PCKDO, and as result, the time to search the PCKDO is increased and the users need to wait to send the requests to the corresponding data owners for the secret keys and access certificates. Thus, the data accessing time is much high for MHABE, MTBACM and NBACM.

Fig. 3

Data accessing time vs. number of users

The last experiment validates the efficiency of CPU utilization. The proposed ACM does not take more time to search the PCKDO and to provide the data to the users. Here, the CSP instantly responses to the users without consuming time after receiving the data access requests. As both the searching time of the PCKDO and the data accessing time are minimized in the proposed data access control model, the CPU utilization is also less. As the number of data accessing requests is proportional to the number of users, the data access requests are automatically increased, when there are numerous users in the cloud server. Thus, the CPU utilization is linearly increased in FAST, which can be seen in Fig. 4. Attribute-based encryption and hierarchical identity-based encryption are combined in MHABE to achieve efficient data access control. MHABE consists of many complex operations because of combining both the schemes, which result high CPU utilization. In MTBACM, many communications are required among the five entities to complete a data communication process. In NBACM, the notion of sensitivity is considered for data accessing i.e. degree of data sharing among many tenants that consumes much time. In addition, as all these existing schemes take more time to deliver the requested data to the users, the CPU utilization is automatically high. The CPU utilization has been considered per 5 s, which involves 12 values/min. At last, the average value is calculated from all the values. To calculate the CPU utilization, the following  Eq. (1) has been used:

$$ {U}_n=\frac{\sum_{i=1}^n{U}_i(n)}{n} $$

(1)

where, n is the full utilization of CPU for each experiment. So, n ∈ 1, 2, 3, …

Fig. 4

Percentage of CPU utilization vs. number of users

\( {\sum}_{i=1}^n{U}_i(n) \) is the total CPU usage.

7 Conclusions and future works

In a cloud environment, access control is one of the major problems, where users need to pay more for using cloud services. In this paper, a novel fast and efficient access control model has been introduced. In the proposed access control model, the CSP maintains a temporary table based on the data types of the data owners and the popularity values of the data owners. Here, the DO must be online to provide the secret key and access certificate to the user. Then, the DO needs not to be online and can go offline, which reduces the system overhead. The results of many experiments demonstrate that the proposed access control model is much better than the other existing schemes in the cloud computing environment. The authentication and identity management technique of the cloud environment can be improved in the future for both the data owner and user.