92 6. ACCESS CONTROL OF AGGREGATED DATA IN SENSOR CLOUDS
component in the user secret key SK and a corresponding component in the public key PK. To
revoke a user, a new master secret $y'$ and the corresponding public component
$Y' = e(P, P)^{y'}$ are generated. The new public component $Y'$ is broadcast to the sensor
nodes, while the differential between the new secret components is broadcast to all users except
the one whose access is to be revoked. The selective broadcasting is done by using
ciphertext-policy attribute-based encryption (CP-ABE) [103].
The scheme presented in this chapter also uses an additional secret key and corresponding
public key component for user revocation. In Section 6.6.3, it was explained how the access tree is
augmented with an ID node and a unique secret key component $t_j$ and public key component $T_j$
is computed for each user $U_j$. The public component $T_j$ is used by the sensors when encrypting
data for the user $U_j$. Each sensor generates $s_i T_j$ for the user $U_j$ during the data aggregation
key generation. $s_i T_j$ is then used in key establishment. This added component hence serves two
purposes. First it binds the key to the user. The data aggregation key would be established only
if the user possesses the corresponding secret key component $t_j$. This can be used to keep track
of individual data usage of the users and is important in commercial systems like sensor clouds.
Second, it helps in easy revocation of users. To revoke a user, the SCA simply has to broadcast $U_j$
in the sensor cloud. Once the sensor nodes receive $U_j$, they simply stop sending $s_i T_j$ in further
data aggregation key generations. This makes sure that the revoked user $U_j$ would not be able
to generate data aggregation keys required to decrypt sensor data.
Our user revocation scheme only incurs one broadcast in the sensor network and the
maintenance of a list of revoked users. On the other hand, the revocation scheme in FDAC [97]
requires one broadcast in the sensor network and one selective broadcast to the users. The
selective broadcast is done using CP-ABE [103] which requires computational overhead at the SCA
and for each user $U_j$ for every revocation. Moreover, the users may be mobile and they may be
online as well as offline. If the selective broadcast fails to reach a user, that user will not be able
to receive data from the sensor network in the future.
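The revocation flow described above, as an added sketch that is not the book's construction: a small constructed multiplicative group stands in for the scheme's own arithmetic, and the form $T_j = G^{t_j}$, the unblinding step, and the names `Sensor`, `on_revoke`, `establish`, `keygen` and `kdf` are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group (assumption): P = 2Q + 1 with P, Q prime; G has order Q.
# Far too small for real use; it only makes the algebra visible.
P, Q, G = 2039, 1019, 4

def kdf(elem):
    return hashlib.sha256(elem.to_bytes(2, "big")).hexdigest()

def keygen():
    """Assumed per-user pair: secret t_j, public T_j = G^t_j."""
    t = secrets.randbelow(Q - 1) + 1
    return t, pow(G, t, P)

class Sensor:
    def __init__(self, user_pub):
        self.user_pub = dict(user_pub)  # U_j -> T_j
        self.revoked = set()            # the only state revocation adds

    def on_revoke(self, uid):           # handler for the SCA's broadcast of U_j
        self.revoked.add(uid)

    def contribute(self, uid):
        """Fresh s_i each round. Returns (G^s_i, s_i T_j); share is None if revoked."""
        s = secrets.randbelow(Q - 1) + 1
        own = pow(G, s, P)
        if uid in self.revoked:
            return own, None
        return own, pow(self.user_pub[uid], s, P)

def establish(sensors, uid, t):
    """One key-generation round. Returns (network_key, user_key or None)."""
    net, shares = 1, []
    for sensor in sensors:
        own, share = sensor.contribute(uid)
        net = net * own % P
        shares.append(share)
    if any(sh is None for sh in shares):
        return kdf(net), None           # nothing for the revoked user to unblind
    t_inv = pow(t, -1, Q)               # only the holder of t_j can strip it off
    user = 1
    for sh in shares:
        user = user * pow(sh, t_inv, P) % P
    return kdf(net), kdf(user)
```

Revoking a user is one call to `on_revoke` on every sensor, and no other user's key material changes.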
6.9 MODIFYING ACCESS AT RUNTIME
Data generated by a sensor network may hold different degrees of importance at different times.
Sensor data, which under normal circumstances is allowed to be accessed by everyone, may
become more important under special circumstances and may require special privileges to be
accessed. Two examples below illustrate the point.
Example 1: A network owner has deployed a WSN in a building which keeps track of
the number of people coming in and out of the building. This information is public and may be
accessed by anyone. In case of a planned public performance event in the building, however, the
network owner may escalate the authorization level of this information so that only authorized
personnel may access the information about the event.
Example 2: A network owner has deployed seismic sensors in a wide field. This data is
public and may be accessed to study the seismic activity of the area. In case the sensors, sensing