ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2016, Vol. 53, Issue (4): 904-920. doi: 10.7544/issn1000-1239.2016.20150158


An Access Control Mechanism with Dynamic Privilege for Cloud Storage

Wang Jing, Huang Chuanhe, Wang Jinhai   

  1. (Computer School, Wuhan University, Wuhan 430072)
  • Online: 2016-04-01

Abstract: Cloud storage is a novel data storage architecture, and it raises challenges for data security and manageability. The cloud needs to provide a secure and reliable data access service for users. Because of the variety and volume of data in the cloud, a fine-grained access control mechanism named attribute-based encryption (ABE) has been proposed to ensure data security. In an ABE mechanism, the data owner describes the access privileges of the data by an access policy and encrypts the data under that policy. A user can recover the data if and only if he matches the policy. For various reasons, access privileges are dynamic and changeable, which increases the difficulty of data management and costs a lot of system resources in the cloud. Thus, we construct a cloud storage architecture with a fine-grained ciphertext access control mechanism based on ABE, which supports an efficient, secure and manageable data access service. Firstly, we propose a transformation method among the common types of access policy, so that access policies can be expressed more generally. Secondly, we provide three methods to manage access policies: updating privilege, agency privilege and temporary privilege. All of these methods can reduce much of the computation and communication cost brought by policy updating. Finally, we give an analysis and simulation of our scheme. The results show that our cloud storage architecture is secure, efficient and manageable.

Key words: cloud storage architecture, data security, dynamic privilege, attribute-based encryption (ABE), access control system
