云存储中基于虚拟用户的数据完整性验证

针对验证数据完整性过程中被撤销用户与云服务器存在共谋的问题,提出基于虚拟用户的数据完整性校验方案。在管理群组用户的过程中,管理员让云服务器作为代理,通过重签名方法将被撤销用户的签名转换为虚拟用户签名,以防止攻击者获取群组用户身份隐私信息。另一方面,管理员在本地存储所有用户的身份隐私信息,用户在访问共享数据之前需要通过管理员的验证,这样既能保证校验者可以正确验证共享数据的完整性,又能保护群组用户的隐私和共享数据的安全。分析证明结果表明,所提方案在用户撤销时不仅能够验证共享数据的完整性,还能降低攻击者精确获取用户身份隐私信息和共享数据内容的概率。     

基于GlusterFS的分布式数据完整性验证系统

云存储为用户提供了弹性而可靠的数据存储方案,使得用户可以在任何时刻通过网络访问云服务器存取数据,大大降低了用户自己维护数据的成本,但也引发了一系列安全问题。对于云存储而言,采取审计措施用于检查数据的完整性至关重要,但已有的大多数云数据完整性审计机制只是通过模拟实验证明了方案具有高效性,并未结合具体云存储场景进行分析实验。针对上述问题,文章结合GlusterFS分布式文件系统与BLS短签名机制设计了一种分布式并行数据审计方案。利用GlusterFS的多个存储节点并行计算数据块所对应的标签,通过验证数据块对应标签的完整性来验证数据块的完整性,实现数据的单块审计、多块审计、多用户审计和异步审计,且不会泄露用户的隐私信息。此外,还进行了安全性分析。实验结果表明,文章方案可实现多块数据的高效并行审计,且并发量随节点的增加而线性增长。     

云存储完整性验证密码学技术研究进展

云存储完整性验证技术允许用户将数据存储至云端服务器,并为用户提供可验证的完整性保证。典型的云存储完整性验证方案由两个阶段组成：一是数据处理阶段,用户使用私钥处理数据、生成可验证的元数据存储于云服务器,而本地只需保存与数据相关的一些参数,如密钥和数据标签等;二是数据完整性验证阶段,验证者通过和云服务器交互执行一个挑战/证明协议,能够以极高的概率判断出云端数据当前的完整性。到目前为止,已经涌现了大量的相关密码学方案。本文对可证明安全的可公开验证的云存储完整性验证关键密码学技术研究进展进行简要回顾,主要涵盖代理数据外包技术、代理完整性验证技术、基于身份的数据外包技术以及几种计算和通信效率优化技术等。     

基于盲签名的云共享数据完整性审计方案

云端共享数据完整性审计用来验证一个用户群组共享在云端的数据的完整性。传统方式下,成员用户需要为每一个数据块生成认证器,再将数据块和对应的认证器上传到云服务器中保存。然而用户的计算资源有限且计算能力不高,由用户产生数据块认证器需要消耗用户很大的计算开销。为了节省用户的计算资源,提高认证器生成的效率,提出基于盲签名算法的云共享数据完整性审计方案。用户先对数据块进行盲化再发送到认证器生成中心生成相应的认证器,此外,方案中对第三方审计者TPA进行审计授权,有效地避免了攻击者对于云服务器的DDoS攻击。安全性分析和实验结果表明该方案是安全、高效的。     

基于数据持有性证明的完整性验证技术综述

在云存储环境中,为确保用户数据的完整性和可用性,用户需要对存储在云服务器中的数据进行完整性验证。现有的数据完整性验证机制主要有两种：数据持有性证明（Provable Data Possession,PDP）与可恢复数据证明（Proof of Retrievability,POR）。重点讨论了基于PDP的云存储数据完整性验证机制。结合PDP验证机制特性,对PDP方案进行分类,并总结了各分类使用的关键技术;根据分类阐述了PDP方案的研究现状,并对典型方案在动态验证、批量审计、计算开销等几个方面进行了对比分析;讨论了基于PDP的云存储数据完整性验证机制未来的发展方向。     

多云存储中保护隐私的数据完整性验证方案

随着云存储的应用,越来越多的用户选择将数据分散地存储在多个云服务器上,但是这种远程存储方式给用户数据的完整性带来了挑战。同时,代替用户校验数据完整性的第三方审计（TPA）近来也被指出存在泄露用户数据隐私的风险。针对现有的远程数据安全性、隐私性及高效验证的问题,提出一种多用户多服务器环境下支持隐私保护的批处理数据完整性验证方案。方案在一般群模型和随机谕言机模型下是可证明安全的。性能分析和实验表明,与其他在多用户多服务器环境下拓展并保护隐私的方案相比,该方案具有较低的通信复杂度和计算复杂度。     

一种基于同态标签的动态云存储数据完整性验证方法

在云存储服务中,为使用户可以随时验证存储在云存储服务器上数据的完整性,提出一种基于同态标签的动态数据完整性验证方法。通过引入同态标签和用户随机选择待检测数据块,可以无限次验证数据是否完好无损,并支持数据动态更新;可信第三方的引入解决了云用户与云存储服务供应商因数据完整性问题产生的纠纷,实现数据完整性的公开验证;然后给出该方法的正确性和安全性分析,以及该方法的性能分析;最后通过实验验证了该方法是高效可行的。     

一种基于代数签名的远程数据完整性验证方法

云存储服务中,用户将数据存储在不可信的云储存服务器上,用户数据面临安全考验。针对这种情况,为了让用户可以验证存储在云存储服务器上数据的完整性,提出一种基于代数签名的远程数据完整性验证方法。首先运用代数签名的特性,生成轻型的代数标签进行数据验证,同时引入一种新的数据结构(DT)来实现远程数据的动态更新从而降低数据验证的计算和通信开销。最后给出该方法的正确性和安全性分析,以及性能分析。实验结果表明,在大规模数据验证时,该方法与其他方法相比具有更高的验证效率、较小的计算和通信开销。     

一种面向云存储的数据动态验证方案

云存储是一种新型的数据存储体系结构,云储存中数据的安全性、易管理性等也面临着新的挑战。由于用户在本地不再保留任何数据副本,无法确保云中数据的完整性,因此保护云端数据的完整性是云数据安全性研究的重点方向。数据完整性证明(Provable Data Integrity,PDI)被认为是解决这一问题的重要手段。文中提出了一种面向云存储环境的、基于格的数据完整性验证方案。本方案在已有研究的基础上,基于带权默克尔树(Ranked Merkle Hash Tree,RMHT),实现了云数据的动态验证。方案实现了数据粒度的签名,降低了用户方生成认证标签所需的消耗;引入RMHT对数据进行更改验证,支持数据动态更新;具有较强的隐私保护能力,在验证过程中对用户的原始数据进行盲化,使得第三方无法获取用户的真实数据信息,用户的数据隐私得到了有效的保护。此外,为了防止恶意第三方对云服务器发动拒绝服务攻击,方案中只有授权的第三方才能对用户数据进行完整性验证,这在保护云服务器安全的同时也保障了用户数据的隐私性。安全分析和性能分析表明,该方案不仅具有不可伪造性、隐私保护等特性,其签名计算量也优于同类算法。     

基于MapReduce的云存储数据审计方法研究

云存储是一种新兴的网络存储技术,它是云计算提供的一个重要服务。云存储因其快速、廉价和方便而广受云用户喜爱。然而,它也给云用户的外包数据带来了许多安全问题。其中一个重要问题就是如何确保半可信云服务器上数据的完整性。因此,云用户和云服务器亟需一个稳定、安全、可信的数据审计方法。随着大数据时代的到来,传统数据审计方案批量处理云环境下海量数据的效率不高;并且,随着移动客户端的流行,传统数据审计方案带给用户的在线负担太过繁重。因此,提出一种基于MapReduce编程框架的云数据审计方案,使用代理签名技术将用户对数据签名计算代理出去,并且并行化处理数据签名和批量审计过程。实验结果表明,所提方法明显提高了批量审计的效率,增强了云存储服务的可用性,并且减轻了用户的在线负担。     

NaEPASC: a novel and efficient public auditing scheme for cloud data

Cloud computing is deemed the next-generation information technology （IT） platform, in which a data center is crucial for providing a large amount of computing and storage resources for various service applications with high quality guaranteed. However, cloud users no longer possess their data in a local data storage infrastructure, which would result in auditing for the integrity of outsourced data being a challenging problem, especially for users with constrained computing resources. Therefore, how to help the users complete the verification of the integrity of the outsourced data has become a key issue. Public verification is a critical technique to solve this problem, from which the users can resort to a third-party auditor （TPA） to check the integrity of outsourced data. Moreover, an identity-based （ID-based） public key cryptosystem would be an efficient key management scheme for certificatebased public key setting. In this paper, we combine ID-based aggregate signature and public verification to construct the protocol of provable data integrity. With the proposed mechanism, the TPA not only verifies the integrity of outsourced data on behalf of cloud users, but also alleviates the burden of checking tasks with the help of users＇ identity. Compared to previous research, the proposed scheme greatly reduces the time of auditing a single task on the TPA side. Security analysis and performance evaluation results show the high efficiency and security of the proposed scheme.     

基于模糊身份的动态数据审计方案

云存储服务的快速发展,也带来众多安全挑战.针对云存储数据的完整性,已有的基于模糊身份的审计方案仅仅支持静态数据,因此很多情况并不适用.本文提出了一种基于模糊身份的动态数据完整性审计方案,结合默克哈希树的动态数据结构,实现用户对云端数据的完全动态操作.该方案采用基于模糊身份的密码体制,与基于公钥基础设施的数据完整性审计方案相比,避免了对公钥证书颁发、管理、吊销的过程,降低了通信代价.并且该方案能够支持批量验证,提高认证效率.最后,本文从安全性和功能上对新方案进行分析,能够抵抗伪造攻击,也保护了数据隐私安全,并且在功能上较其他方案也有一定的优势.     

高效可撤销的共享数据云存储审计

共享数据的云存储审计是指对群用户共享的云数据的完整性进行审计. 由于在共享数据云存储审计中, 用户可能因各种原因加入和离开用户群, 因此这种方案通常支持群用户撤销. 在大多数现存的共享数据云审计方案中, 用户撤销的计算开销与用户群要上传的文件块总数成线性关系, 造成很大的计算和通信代价, 如何减少用户撤销产生的计算和通...     

A secure and efficient public auditing scheme using RSA algorithm for cloud storage

Cloud storage is widely used by both individual and organizational users due to the many benefits, such as scalability, ubiquitous access, and low maintenance cost (and generally free for individual users). However, there are known security and privacy issues in migrating data to the cloud. To ensure or verify data integrity, a number of cloud data integrity checking schemes with different properties have been presented in the literature. Most existing schemes were subsequently found to be insecure or have high computation and communication costs. More recently in 2016, Yu et al. (Future Gener Comput Syst 62:85–91, 2016) proposed an identity-based auditing scheme for checking the integrity of cloud data. However, in this paper, we reveal that the scheme is vulnerable to data recovery attack. We also present a new identity-based public auditing scheme and formally prove the security of the scheme under the RSA assumption with large public exponents in the random oracle model. We then evaluate the performance of our proposed scheme and demonstrate that in comparison with Yu et al.’s scheme, our proposal is more practical in real-world applications.     

Cloud data integrity checking with an identity-based auditing mechanism from RSA

Cloud data auditing is extremely essential for securing cloud storage since it enables cloud users to verify the integrity of their outsourced data efficiently. The computation overheads on both the cloud server and the verifier can be significantly reduced by making use of data auditing because there is no necessity to retrieve the entire file but rather just use a spot checking technique. A number of cloud data auditing schemes have been proposed recently, but a majority of the proposals are based on Public Key Infrastructure (PKI). There are some drawbacks in these protocols: (1) It is mandatory to verify the validity of public key certificates before using any public key, which makes the verifier incur expensive computation cost. (2) Complex certificate management makes the whole protocol inefficient. To address the key management issues in cloud data auditing, in this paper, we propose ID-CDIC, an identity-based cloud data integrity checking protocol which can eliminate the complex certificate management in traditional cloud data integrity checking protocols. The proposed concrete construction from RSA signature can support variable-sized file blocks and public auditing. In addition, we provide a formal security model for ID-CDIC and prove the security of our construction under the RSA assumption with large public exponents in the random oracle model. We demonstrate the performance of our proposal by developing a prototype of the protocol. Implementation results show that the proposed ID-CDIC protocol is very practical and adoptable in real life.     

Towards Public Integrity Audition for Cloud-IoT Data Based on Blockchain

With the rapidly developing of Internet of Things (IoT), the volume of data generated by IoT systems is increasing quickly. To release the pressure of data management and storage, more and more enterprises and individuals prefer to integrate cloud service with IoT systems, in which the IoT data can be outsourced to cloud server. Since cloud service provider (CSP) is not fully trusted, a variety of methods have been proposed to deal with the problem of data integrity checking. In traditional data integrity audition schemes, the task of data auditing is usually performed by Third Party Auditor (TPA) which is assumed to be trustful. However, in real-life TPA is not trusted as people thought. Therefore, these schemes suffer from the underlying problem of single-point failure. Moreover, most of the traditional schemes are designed by RSA or bilinear map techniques which consume heavy computation and communication cost. To overcome these shortcomings, we propose a novel data integrity checking scheme for cloud-IoT data based on blockchain technique and homomorphic hash. In our scheme, the tags of all data blocks are computed by a homomorphic hash function and stored in blockchain. Moreover, each step within the process of data integrity checking is signed by the performer, and the signatures are stored in blockchain through smart contracts. As a result, each behavior for data integrity checking in our scheme can be traced and audited which improves the security of the scheme greatly. Furthermore, batch-audition for multiple data challenges is also supported in our scheme. We formalize the system model of our scheme and give the concrete construction. Detailed performance analyses demonstrate that our proposed scheme is efficient and practical without the trust-assumption of TPA.     

A blockchain-based compact audit-enabled deduplication in decentralized storage

Secure deduplication and data auditing are significant in improving the resource utilization and data integrity protection of data outsourcing services. However, existing audit-enabled deduplication schemes cannot implement block-level deduplication over audit tags since they contain file information, and have to bear the consequent storage burden. Also, they suffer from the low coupling problem caused by the difference in optimal data chunking between deduplication and auditing. In this paper, we propose a blockchain-based compact audit-enabled deduplication scheme in decentralized storage. Specifically, we introduce the concept of $N$-ary tag commitment tree (NTCT), which integrates the information of all data blocks into a file authenticator to support integrity verification and enable block-level deduplication over audit tags. On this basis, we propose a blockchain-based compact audit-enabled deduplication protocol, which adopts an aggregatable vector commitment to generate audit tags, thereby overcoming the low coupling problem between deduplication and auditing. Notably, data users can outsource the task of tag generation to storage servers. Meanwhile, the capabilities of duplication detection, proof of ownership (PoW), and integrity verification are integrated into audit tags to reduce tag redundancy. Furthermore, we present an update protocol to allow data users to achieve a lightweight data update without uploading the entire new data. Finally, security analysis and performance evaluation demonstrate that our scheme is practical.     

Comment on “Privacy-preserving public auditing for non-manager group shared data”

Using cloud storage, users can remotely store their data without the burden on complicated local storage management and maintenance. However, users will no longer physically possess the storage of their data after they upload the data to the cloud. It is very natural for users to suspect whether their data stored in the cloud is intact. To help users efficiently check the integrity of the outsourced data, many public auditing schemes have been proposed. Recently, Huang et al. have proposed a privacy-preserving public auditing scheme for non-manager group shared data. In this paper, we find a security flaw in their auditing scheme. Even if the cloud has deleted or polluted the whole outsourced data, it still can pass the verification of the verifier. And then, we overcome this shortcoming by improving their scheme, which prevents the cloud forging a valid proof to pass the integrity auditing. Last, we perform the concrete implementation of our improved scheme and Huang et al. ’s scheme.

     

基于区块链的云数据审计方案

云存储凭借高扩展性、高可靠性、低成本的数据管理优点得到用户青睐。然而,如何确保云数据完整性成为亟待解决的安全挑战。目前的云数据完整性审计方案,绝大部分是基于半可信第三方来提供公共审计服务,它们存在单点失效、性能瓶颈以及泄露用户隐私等问题。针对这些缺点提出了基于区块链的审计模型。该模型采用分布式网络、共识算法建立一个去中心化、易扩展的网络解决单点失效问题和计算力瓶颈,利用区块链技术和共识算法加密用户数据保证数据不可窜改和伪造,确保了用户数据的隐私。实验结果表明,与基于半可信第三方云数据审计方案相比,该模型能够保护用户隐私,显著提高了审计效率,减少通信开销。