Distributed attribute-based access control system using permissioned blockchain

World Wide Web - Auditing provides essential security control in computer systems by keeping track of all access attempts, including both legitimate and illegal access attempts. This phase can be...     

基于属性加密的云存储隐私保护机制研究

以典型的云存储体系结构为研究对象,从数据拥有者、云服务器、授权机构、用户以及用户撤销机制5个方面对云存储系统的隐私保护机制进行了研究,通过分析比较发现,云存储系统中的隐私保护问题主要可以分为系统参与者的身份隐私问题、敏感属性信息泄露问题、云存储系统敏感内容信息泄露问题。针对上述问题,研究了当前基于属性加密的云存储系统隐私保护机制,并讨论了其中存在的不足、可能的解决方案以及未来可能的研究方向。     

An attribute-based lightweight cloud data access control using hypergraph structure

The Journal of Supercomputing - Cloud file storage systems are the current trend of enterprises and also of individual users. Due to the malicious or unauthorized users, file sharing among the...     

Secure and privacy preserving keyword searching for cloud storage services

Cloud storage services enable users to remotely access data in a cloud anytime and anywhere, using any device, in a pay-as-you-go manner. Moving data into a cloud offers great convenience to users since they do not have to care about the large capital investment in both the deployment and management of the hardware infrastructures. However, allowing a cloud service provider (CSP), whose purpose is mainly for making a profit, to take the custody of sensitive data, raises underlying security and privacy issues. To keep user data confidential against an untrusted CSP, a natural way is to apply cryptographic approaches, by disclosing the data decryption key only to authorized users. However, when a user wants to retrieve files containing certain keywords using a thin client, the adopted encryption system should not only support keyword searching over encrypted data, but also provide high performance. In this paper, we investigate the characteristics of cloud storage services and propose a secure and privacy preserving keyword searching (SPKS) scheme, which allows the CSP to participate in the decipherment, and to return only files containing certain keywords specified by the users, so as to reduce both the computational and communication overhead in decryption for users, on the condition of preserving user data privacy and user querying privacy. Performance analysis shows that the SPKS scheme is applicable to a cloud environment.     

Secure cloud file sharing scheme using blockchain and attribute-based encryption

This paper presents a novel collaboration scheme for secure cloud file sharing using blockchain and attribute-based encryption(ABE). Blockchain enables us to implement access control as a smart contract between data owner and users. Each data owner creates its own smart contract where in a data user can request to access a specific file by registering a transaction. In response transaction, the data owner sends the required credential to the user thereby enabling her/him to decrypt the intended file on the cloud storage. This scheme is decentralized, fault tolerant and secured against DoS attacks. The cipher-key, which is used for file encryption, is embedded into a set of coefficients of a polynomial so-called access polynomial. It is attached to the encrypted file on the cloud storage as a metadata. The data user can restore the cipher-key by means of the credential receiving in response transaction and access polynomial. The data owner uses ABE scheme in response transaction to impose her/him access policy to the file as well as preserving user anonymity. This scheme supports fast revocation of the user access by means of updating the access polynomial coefficients and without any communication overhead to non-revoked users. Through formal verification, we show that the scheme is secure in terms of secrecy of credential information and authentication of participants. Finally, the evaluation results show that our scheme is scalable with acceptable performance up to 20,000 users.     

基于密文策略属性加密的云存储访问控制方案

针对现有方案存在的访问策略公开、密文存储开销较大的问题,提出一种支持策略隐藏且固定长度密文的云存储访问控制方案,并在安全模型下证明方案可抵抗选择明文攻击。方案中用户私钥由多个授权机构共同生成,中央授权机构不参与生成任何主密钥与属性私钥;访问结构隐藏在密文之中,恶意用户无法通过访问结构获取敏感信息。此外,方案实现了固定密文长度,并且加密时的指数运算和解密时的双线性对运算次数均是固定值。最后,理论分析和实验结果表明该方案在密文长度和加解密时间上都明显优于对比方案。     

Access control based privacy preserving secure data sharing with hidden access policies in cloud

Attribute-based encryption is a promising solution to the access control based data sharing in the cloud. In this scheme, access policies are being sent in plaintext form which discloses the user privacy and data privacy. Once the ciphertext has been shared among the set of authorized users they would be able to decrypt the ciphertext. Whenever the authorized users are acting as malicious users, they may alter the data and further encrypt and outsource the modified data. It may adversely affect the data owner. In the existing attribute-based encryption scheme, data owner’s authenticity cannot be verified. In order to resolve these problems, we are proposing a novel idea to anonymize the access policy and a signature scheme to verify the authenticity of data as well as that of the data owner. Anonymized access policy never discloses the privacy. The signature scheme is able to detect the insider attack on attribute-based encryption scheme. The proposed system is secure against indistinguishable chosen-ciphertext attack. It is a provably secure and existentially unforgeable access control based data sharing method in the public cloud.     

Accountable attribute-based authentication with fine-grained access control and its application to crowdsourcing

We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating; (ii) anonymity such that no one can recognize the identity of a user; (iii) public accountability, i.e., as long as a user authenticates two different messages, the corresponding authentications will be easily identified and linked, and anyone can reveal the user’s identity without any help from a trusted third party. Then, we formalize the security requirements in terms of unforgeability, anonymity, linkability and traceability, and give a generic construction to fulfill these requirements. Based on AccABA, we further present the first attribute-based, fair, anonymous and publicly traceable crowdsourcing scheme on blockchain, which is designed to filter qualified workers to participate in tasks, and ensures the fairness of the competition between workers, and finally balances the tension between anonymity and accountability.     

具有隐私保护功能的移动云服务接入控制

针对移动云服务中的安全和隐私保护问题,提出一种匿名使用云存储服务的机制。在匿名身份注册部分,零知识验证和数字签名技术简化了移动云用户的密钥验证步骤,同时第三方使用户与自己的身份证书绑定,防止用户对移动云服务的恶意使用;在数据共享部分,系统通过提取共享者账号参数,用于解决因共享密钥丢失导致数据安全性降低的问题。结合理论分析的方法对所提出的机制进行安全性验证与评价,结果表明身份证书和共享密钥生成算法对用户隐私安全有很好的保护作用。     

AB-DAM: attribute-based data access model in blockchain for healthcare applications

Multimedia Tools and Applications - This research introduces a novel attribute-based data access model in Blockchain (AB-DAM) Framework in Healthcare Systems to enhance the authentication of the...     

A privacy preserving authorisation system for the cloud

In this paper we describe a policy based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users? data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users? privacy policies are stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). The performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.     

SAPDS: self-healing attribute-based privacy aware data sharing in cloud

This paper addresses the issue of data governance in a cloud-based storage system. To achieve fine-grained access control over the outsourced data, we propose Self-Healing Attribute-based Privacy Aware Data Sharing in Cloud (SAPDS). The proposed system delegates the key distribution and management process to a cloud server without seeping out any confidential information. It facilitates data owner to restrain access of the user with whom data has been shared. User revocation is achieved by merely changing one attribute associated with the decryption policy, instead of modifying the entire access control policy. It enables authorized users to update their decryption keys followed by each user revocation, making it self-healing, without ever interacting with the data owner. Computation analysis of the proposed system shows that data owner can revoke n′ users with the complexity of O(n′). Besides this, legitimate users can update their decryption keys with the complexity of O(1).     

Building access control policy model for privacy preserving and testing policy conflicting problems

This paper proposes a purpose-based access control model in distributed computing environment for privacy preserving policies and mechanisms, and describes algorithms for policy conflicting problems. The mechanism enforces access policy to data containing personally identifiable information. The key component is purpose involved access control models for expressing highly complex privacy-related policies with various features. A policy refers to an access right that a subject can have on an object, based on attribute predicates, obligation actions, and system conditions. Policy conflicting problems may arise when new access policies are generated that are possible to be conflicted to existing policies. As a result of the policy conflicts, private information cannot be well protected. The structure of purpose involved access control policy is studied, and efficient conflict-checking algorithms are developed and implemented. Finally a discussion of our work in comparison with other related work such as EPAL is presented.     

扩展的基于属性的访问矩阵模型

针对传统访问矩阵模型的不足,提出了一种扩展的基于属性的访问矩阵模型。该模型以主体属性、客体属性、时间属性为参数,按照一定的授权规则来授权,授权规则是根据用户的需求而制定的。授权模型的提出和授权规则的灵活制定保证了访问矩阵能够灵活多样的赋予主体权限,弥补了传统访问矩阵的不足,并很好的适应当前的复杂情况。通过模型的理论设计,表明了模型的可行性。     

Authentication-enabled attribute-based access control for smart homes

International Journal of Information Security - Smart home technologies constantly bring significant convenience to our daily lives. Unfortunately, increased security risks accompany this...     

基于区块链的细粒度物联网访问控制模型

基于已有的区块链和访问控制相结合相关的研究存在难管理访问权限、低效率、难支持轻量级物联网设备的缺点,提出一种基于属性的物联网访问控制模型.通过引入属性的概念,支持细粒度的访问控制;将访问控制策略以智能合约部署在区块链上,降低物联网设备的计算压力,使该策略可以应用于轻量级设备;引入token概念,通过访问主体提前申请访问...     

大数据环境下基于用户属性的细粒度访问控制

为解决大数据环境下统一授权管理的问题,分析开源组件Apache Ranger的模型与授权方式,综合考虑授权用户数量、策略管理难度等问题,提出基于用户属性的访问控制模型。将CP-ABE算法引入Ranger原生访问控制模型中,通过算法的加、解密为Ranger策略添加访问控制树,实现用户属性级别的授权和基于用户可变属性的动态访问控制。通过开发原型系统,实现权限管理、用户管理、属性管理等功能。在实验部分,通过对不同量级用户进行访问控制,验证模型的有效性。     

基于属性的授权和访问控制研究

因开放环境的分布性、异构性和动态性，对访问控制提出了独特的安全挑战。基于属性的访问控制（ABAC）机制比基于身份的访问控制机制更能解决管理规模和系统灵活性问题，并提供细粒度的控制，已证明了对这种环境的适应性。讨论了ABAC的授权和访问控制机制、实现框架、属性管理等问题，并通过对关键技术的比较分析，提出了将来需要研究的内容，为该领域的进一步研究提供了思路。     

云环境下一种隐私文件分类存储与保护方案*

针对云计算环境下存储的隐私文件会造成隐私泄漏、信息量过载,使用传统加密算法对隐私文件进行加密后再外包给云的方法严重影响了隐私文件的可检索性问题进行研究,提出了一种既能够有效减少云环境中信息存储量过载,同时又能够满足隐私文件的加密保护和检索的方案。该方案首先对隐私文件进行分类,将直接隐私文件存储在数据拥有者本地存储器,非直接隐私文件则加密后上传云环境中存储,实现了隐私文件的分类存储和安全保护。然后基于改进的哈希列表建立了一个包含文件属性描述的文件检索索引、生成了文件检索陷门,实现了使用关键词在密文状态下完成文件检索。最后,通过详细的理论分析和实验对比分析证明了方案的可行性和实用性。     

Secure access privilege delegation using attribute-based encryption

International Journal of Information Security - Attribute-based encryption (ABE) is widely used for a secure and efficient data sharing. The predetermined access policy of ABE shares the data with...