基于Paillier加密的数据多副本持有性验证方案

云存储服务中,用户将数据存储在不可信的云储存服务器上,为检查云存储中服务提供商(CSP)是否按协议完整地存储了用户的所有数据副本,提出一种 支持对数据副本进行动态操作 的基于Paillier加密的数据多副本持有性验证方案, 即DMR-PDP方案。该方案为实现多副本检查,将文件块以文件副本形式存储在云服务器上,将各副本编号与文件连接后利用Paillier密码系统生成副本文件以防止CSP各服务器的合谋攻击。利用BLS签名实现对所有副本的批量验证。将文件标志和块位置信息添加到数据块标签中,以保证本方案的安全性,支持对文件的动态更新操作。安全性分析和仿真实验结果表明,该方案在安全性、通信和计算开销方面的性能优于其他文献提出的方案,极大地提高了文件存储和验证的效率,减少了计算开销。     

面向云存储的多副本文件完整性验证方案

文件完整性验证是云存储服务的一项重要安全需求.研究者已经提出多项针对云存储文件完整性验证的机制,例如数据持有性验证(prove of data possession,PDP)或者数据可恢复证明(proof of retrievability,POR)机制.但是,现有方案只能够证明远程云存储持有一份正确的数据,不能检验其是否保存多份冗余存储.在云存储场景中,用户需要验证云存储确实持有一定副本数的正确文件,以防止部分文件意外损坏时无法通过正确的副本进行恢复.提出的多副本文件完整性验证方案,能够帮助用户确定服务器正确持有的文件副本数目,并能够定位出错的文件块位置,从而指导用户进行数据恢复.实验证明,充分利用了多服务器分布式计算的优势,在验证效率上优于单副本验证方案.     

基于编码Hash同态性的数据持有性证明方案

为了保证用户在云存储服务器中数据的完整性,在分析已有数据持有性证明方案的基础上,提出了一种基于编码Hash同态性的数据持有性证明方案。通过将伪随机数与数据块进行“捆绑”作为标签来固定数据块位置,同时引进一种基于编码的Hash,并利用同态性来完成数据持有性验证。该方案的安全性依赖于译码的NP完全问题,可抵抗量子攻击,较传统的基于Hash同态性的数据持有性证明方案更难被攻破,同时通过理论分析,算法时间开销比以往方案更快,更有效。     

EMCA:一种新的多云存储中高效的多副本审计方案

云数据审计是一项允许数据所有者在不下载数据的情况下检查数据是否在远程云服务器上完整存储的技术。目前,云数据审计可分为单副本审计和多副本审计,针对多副本审计方案中计算开销大以及无法审计多云存储数据的不足,提出了一种在多云情景下高效的多副本云数据审计方案。所提方案使用较轻量级的模幂加密技术代替传统上计算成本较高的双线性配对技术,以降低在审计过程中的计算开销,提高了方案的效率。为每个副本数据块生成一个同态验证标签(HVT)作为元数据,当用户发出审计要求,每个云服务提供商生成对应的证据,由云服务器管理者聚合证据,实现了在多云存储中的审计。安全分析表明,所提方案可抵挡恶意云服务提供商的伪造攻击,以及恶意云服务提供商与第三方审计者的合谋攻击。性能分析表明,所提方案在计算开销上低于现有多副本审计方案,实现了高效的多云存储多副本审计。     

一种基于公钥分割的多副本持有性证明方案

在数据外包的云存储环境中,如何验证存储服务方是否忠诚地按照客户需求保存足够数量的副本数据是一个挑战性问题。现有方案只能对各个副本逐一进行验证,存在验证效率低、计算开销大和对数据更新支持弱等缺点。提出一种带 Collector 的多副本云存储模型,在此基础上给出一种基于公钥分割的多副本持有性证明方案（multiple replica possession proving scheme based on public key partition , MRP‐PKP）。该方案将公钥分割为多个份额并分配给对应的副本存储节点;在验证时,能够一次性对所有副本的持有性进行高效验证。此外,该方案可有效防御同谋攻击,能够方便地支持数据块级更新操作。进一步理论分析和模拟实验表明：与传统方案相比,MRP‐PKP 方案具有安全性高、通信开销低、运算代价小等优势。     

客户端密文去重方案的新设计

云存储可以使用户在不扩大自身存储的情况下保存更多数据,而客户端去重技术的引入使用户在本地对重复数据进行有效删除,极大提高云存储利用率,节省通信开销.本文利用文献[10]中基于盲签名随机化收敛密钥的思想,提出了一个新的基于客户端密文去重方案.新方案中重复验证标签和拥有权证明可有效抵抗暴力字典攻击,并利用三方密钥协商方案的思想设计了灵活的加密密钥管理方案.实验结果表明新方案能够有效降低用户存储和计算开销.     

一种基于同态标签的动态云存储数据完整性验证方法

在云存储服务中,为使用户可以随时验证存储在云存储服务器上数据的完整性,提出一种基于同态标签的动态数据完整性验证方法。通过引入同态标签和用户随机选择待检测数据块,可以无限次验证数据是否完好无损,并支持数据动态更新;可信第三方的引入解决了云用户与云存储服务供应商因数据完整性问题产生的纠纷,实现数据完整性的公开验证;然后给出该方法的正确性和安全性分析,以及该方法的性能分析;最后通过实验验证了该方法是高效可行的。     

改进的高效云存储数据去重方案

针对Chen等人提出的云存储数据去重方案BL-MLE的计算开销过大的问题,对其方案进行了改进,提出了一种更高效的数据去重方案。首先对BL-MLE方案进行了分析,指出其在计算效率等方面的不足;随后通过使用hash函数和标签决策树对BL-MLE的块标签生成过程以及块标签比较过程进行改进;最后,实验仿真了改进的方案。结果表明,改进后的方案在块标签比较所需次数更少,且块标签生成上时间开销更低,能更好地适应当前的云存储环境。     

身份加密多云多副本完整性审计协议

为解决现有可证明数据持有(PDP)协议只适用于单云存储服务器且过度依赖公钥基础设施的问题,提出一种新的基于身份的多云多副本PDP协议。该协议采用身份加密来简化证书管理,并设计双层默克尔哈希树作为新的安全数据结构,以维护多副本的新鲜性和一致性。安全性分析和实验结果均验证了该协议具备安全性和高效性,能够在多个云存储服务器上实现多副本完整性审计,并在标签生成、证据生成和证据验证3个阶段的效率上明显优于对比算法。     

轻量级的安全跨域去重方案

云存储为用户提供文件外包存储功能,然而随着数据外包数量的激增,数据去重复变得至关重要.目前数据压缩非常有效也是很常用的一个手段是去重,即识别数据中冗余的数据块,只存储其中的一份.以前的方案可以满足不同的用户将相同的文件加密为相同的密文,这样暴露了文件的一致性,随后的方案提出基于集中式服务器作为去重辅助的方案,随着用户的增加,数据去重效率也随之降低.针对目前云存储的安全性及数据去重效率低等问题,本文提出了跨区域的重复数据删除方案.所提方案为每个数据生成随机标签和固定长度的随机密文,确保多域重复数据消除下的数据机密性及抵抗暴力攻击、保护信息平等信息不被披露.同时,对所提方案的实施情况和功能比较进行了仔细分析,安全性分析表明,所提方案在抵抗蛮力攻击的同时,实现了数据内容、平等信息和数据完整性等隐私保护,性能分析表明,所提方案展示了优于现有方案的重复搜索计算成本及时间复杂度,可实现轻量级特色.     

Towards Public Integrity Audition for Cloud-IoT Data Based on Blockchain

With the rapidly developing of Internet of Things (IoT), the volume of data generated by IoT systems is increasing quickly. To release the pressure of data management and storage, more and more enterprises and individuals prefer to integrate cloud service with IoT systems, in which the IoT data can be outsourced to cloud server. Since cloud service provider (CSP) is not fully trusted, a variety of methods have been proposed to deal with the problem of data integrity checking. In traditional data integrity audition schemes, the task of data auditing is usually performed by Third Party Auditor (TPA) which is assumed to be trustful. However, in real-life TPA is not trusted as people thought. Therefore, these schemes suffer from the underlying problem of single-point failure. Moreover, most of the traditional schemes are designed by RSA or bilinear map techniques which consume heavy computation and communication cost. To overcome these shortcomings, we propose a novel data integrity checking scheme for cloud-IoT data based on blockchain technique and homomorphic hash. In our scheme, the tags of all data blocks are computed by a homomorphic hash function and stored in blockchain. Moreover, each step within the process of data integrity checking is signed by the performer, and the signatures are stored in blockchain through smart contracts. As a result, each behavior for data integrity checking in our scheme can be traced and audited which improves the security of the scheme greatly. Furthermore, batch-audition for multiple data challenges is also supported in our scheme. We formalize the system model of our scheme and give the concrete construction. Detailed performance analyses demonstrate that our proposed scheme is efficient and practical without the trust-assumption of TPA.     

支持动态操作的多副本数据完整性验证方案

针对云存储环境下外包数据面临的安全隐患，并结合现有云数据完整性验证方案的不足，提出了支持动态操作的多副本数据完整性验证方案。方案考虑了多副本应用场景，并在现有云数据完整性验证方案的基础上以较小的代价实现了文件的多副本验证，并通过引入认证的数据结构—基于等级的Merkle哈希树，实现了文件的可验证动态更新。通过对多副本进行关联，可以实现多个副本的同步更新。安全性分析与实验表明了该方案的安全性与有效性，实现了数据的安全存储与更新，并有效保证了数据多副本的隐私安全。     

Data dynamics for remote data possession checking in cloud storage

In cloud storage, storage servers may not be fully trustworthy. Therefore, it is of great importance for users to check whether the data is kept intact. This is the goal of remote data possession checking (RDPC) schemes. In this paper, an RDPC scheme based on homomorphic hashing is proposed. To enable data dynamics, the Merkle hash tree is introduced to record the location for each data operation in the scheme. Data dynamics, including the most general forms of data operations such as block modification, insertion and deletion, are supported. Our scheme provides provable data possession and integrity protection. The security and performance analysis shows that the scheme is practical for real-world use.     

Efficient data integrity auditing for storage security in mobile health cloud

Cloud storage services can enable data owners to eliminate the need for the initial investment of expensive infrastructure setup and also minimize development and maintenance costs. Outsourcing the health data to e-health cloud storage server is very beneficial. Nonetheless, storing the health data on cloud servers also brings serious security challenges. In this paper, we propose a highly efficient data integrity auditing scheme for cloud storage for mobile health applications. The authentication tag for each data block generated by biosensor nodes is minimal in our scheme due to the use of hash operation. Moreover, in data integrity checking phase, message-locked encryption scheme is utilized to encrypt and transport the auditing information of the checked data blocks, which significantly reduces the required amount of calculation and communication resources. Compared with the conventional third party auditing schemes, the presented scheme speeds up the tag generation and tag checking process by more than one thousand times.     

一个网络归档存储中实用的数据持有性检查方案

在网络归档存储中,数据持有性检查(DPC)用来在实际文件访问发生之前实时地检测远端服务器是否仍然完好地持有文件.提出一个实用的DPC方案.在一个挑战-应答协议中,检查者要求服务器计算文件中若干随机指定的数据块的一个Hash值,并和对应的校验块一起返回,以此判断文件的持有性.通过这种随机抽样校验的方法,在保证足够的置信度的同时降低了持有性检查的计算和通信开销.同时提出一个基于校验块循环队列的挑战更新机制,从而允许动态增加检查者可发起的有效挑战的次数.分析表明检查者端的存储开销和检查者和服务器间的通信开销均为常数量级.测试结果表明一次置信度为99.4%的持有性检查的计算开销为1.8ms,和磁盘I/O开销相比可以忽略不计;通过避免使用公钥密码系统,将文件预处理的计算开销降低了3个数量级.     

Multi-Authority-Based File Hierarchy Hidden CP-ABE Scheme for Cloud Security

Cloud technology is emerging as a widely accepted technology in the recent years due to its robust nature. Cloud computation is basically developed on the fact that the resources can be shared between numerous devices to achieve efficient network operation among devices with minimized computation expenses. However, the sharing nature poses a security risk for the devices whose resources are being shared. Almost in all the existing works on cloud security, a single trusted third party (TTP) is used for key issue and authorization. However, using a single TTP may results in single-point failure and security risks. Most of the previous works on cloud security focus on storage security rather than considering the computation security. In order to solve these issues, in this paper, multi-authority-based file hierarchy hidden CP-ABE scheme for cloud security is proposed. In this scheme, the files are arranged in hierarchical order based on their attribute weights. Then when a cloud user needs certain resources, it requests the cloud service provider (CSP). The CSP links with the cloud owner to provide the requested file after encrypting it. The cloud server encrypts and places the encrypted file in CSP, which is later retrieved by cloud user. In this way, all the files that are being used are encrypted along with strict authentication to ensure cloud security.     

Efficient integrity verification of replicated data in cloud using homomorphic encryption

The cloud computing is an emerging model in which computing infrastructure resources are provided as a service over the internet. Data owners can outsource their data by remotely storing them in the cloud and enjoy on-demand high quality services from a shared pool of configurable computing resources. However, since data owners and the cloud servers are not in the same trusted domain, the outsourced data may be at risk as the cloud server may no longer be fully trusted. Therefore, data confidentiality, availability and integrity is of critical importance in such a scenario. The data owner encrypts data before storing it on the cloud to ensure data confidentiality. Cloud should let the owners or a trusted third party to check for the integrity of their data storage without demanding a local copy of the data. Owners often replicate their data on the cloud servers across multiple data centers to provide a higher level of scalability, availability, and durability. When the data owners ask the cloud service provider (CSP) to replicate data, they are charged a higher storage fee by the CSP. Therefore, the data owners need to be strongly convinced that the CSP is storing data copies agreed on in the service level contract, and data-updates have been correctly executed on all the remotely stored copies. To deal with such problems, previous multi copy verification schemes either focused on static files or incurred huge update costs in a dynamic file scenario. In this paper, we propose a dynamic multi-replica provable data possession scheme (DMR-PDP) that while maintaining data confidentiality prevents the CSP from cheating, by maintaining fewer copies than paid for and/or tampering data. In addition, we also extend the scheme to support a basic file versioning system where only the difference between the original file and the updated file is propagated rather than the propagation of operations for privacy reasons. DMR-PDP also supports efficient dynamic operations like block modification, insertion and deletion on replicas over the cloud servers. Through security analysis and experimental results, we demonstrate that the proposed scheme is secure and performs better than some other related ideas published recently.     

Zero knowledge based client side deduplication for encrypted files of secure cloud storage in smart cities

As typical applications in the field of the cloud computing, cloud storage services are popular in the development of smart cities for their low costs and huge storage capacity. Proofs-of-ownership (PoW) is an important cryptographic primitive in cloud storage to ensure that a client holds the whole file rather than part of it in secure client side data deduplication. The previous PoW schemes worked well when the file is in plaintext. However, the privacy of the clients’ data may be vulnerable to honest-but-curious attacks. To deal with this issue, the clients tend to encrypt files before outsourcing them to the cloud, which makes the existing PoW schemes inapplicable any more. In this paper, we first propose a secure zero-knowledge based client side deduplication scheme over encrypted files. We prove that the proposed scheme is sound, complete and zero-knowledge. The scheme can achieve a high detection probability of the clients’ misbehavior. Then we introduced a proxy re-encryption based key distribution scheme. This scheme ensures that the server knows nothing about the encryption key even though it acts as a proxy to help distributing the file encryption key. It also enables the clients who have gained the ownership of a file to share the file with the encryption key generated without establishing secure channels among them. It is proved that the clients’ private key cannot be recovered by the server or clients collusion attacks during the key distribution phase. Our performance evaluation shows that the proposed scheme is much more efficient than the existing client side deduplication schemes.     

多源网络编码同态签名方案*

由于网络编码的系统很容易受到污染攻击,提出了一个适用于多源网络编码应对污染攻击的同态签名方案.该方案使用了同态哈希函数,能够阻止恶意修改的数据分组.被污染的数据分组会被验证者丢弃,从而保证了系统的安全性.该方案是同态的且是为多源网络编码特别设计的,与文件和分组的大小无关,而且方案中的公钥和每个分组的开销是常量.