Privacy-Preserving Flexible Access Control for Encrypted Data in Internet of Things

Along with the development of edge computing and the cloud, the Internet of Things (IoT) is affecting and changing people's lives. Data sharing has played an important role in the IoT, but the leakage of private user information poses a new security threat to the users. Thus, flexible fine-grained access control for such shared data is proposed in this article as an effective and secure method of eliminating vulnerabilities. However, the disclosure of access policies will also expose users' private information. Recently, Yang et al. attempted to solve this problem and proposed a framework based on attribute-based encryption for shared data onto IEEE IoT-J(DOI: 10.1109/JIOT.2016.2571718). They hide the access policies by using a bloom filter (BF) and attempt to address privacy preservation in IoT. However, we demonstrate several security weaknesses of their framework and point out its vulnerability to dictionary attacks and access policy guessing attacks. Then, an improved IoT solution is proposed. Under this proposal, the attribute values are stored in BF while the attribute names are embedded in the access policy. The proposed scheme can resist dictionary attacks and access policy guessing attacks. In addition, it simultaneously realizes large attribute sets, an efficient decryption algorithm, and adaptive security. Security analysis and performance evaluations show that the presented scheme achieves higher security and implementation simplicity in the IoT than other currently available schemes.