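Revocation Control Scheme in Ciphertext-Policy Attribute-Based Encryption
Cite this article: YIN Longxiao, WU Zhongdong. Revocation Control Scheme in Ciphertext-Policy Attribute-Based Encryption [J]. Computer Engineering and Applications, 2020, 56(13): 100-105.
Authors: YIN Longxiao (尹龙潇)  WU Zhongdong (伍忠东)
Affiliation: School of Electronics and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070
Funding: Science and Technology Project of the Lanzhou Science and Technology Bureau; Collaborative Innovation Team Project of Gansu Provincial Higher Education Institutions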
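Abstract: When data sharing is used in a cloud environment, the complexity of that environment means the data must be protected and access to it controlled, which requires an encryption mechanism. Ciphertext-policy attribute-based encryption (CP-ABE) is a widely used encryption mechanism that sets access rights according to users' attributes, so that any user with qualifying access rights can access the data. The cloud, however, is a dynamic environment, and sometimes only some of the users who hold access rights may be allowed to access the data, which calls for a mechanism to revoke user rights. In CP-ABE, though, revoking access rights or revoking a user is a lengthy and costly event. The proposed scheme modifies the CP-ABE workflow and embeds a flexibly controllable personal secret of the user in the original ciphertext, so that revoking a user's rights requires neither user revocation data using a new access policy nor re-encryption of the data, greatly reducing the computational cost of revocation. Compared with well-known CP-ABE revocation schemes, the proposed scheme has a lower computational cost and good security.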

Keywords: attribute-based encryption  access control  attribute revocation

Revocation Control Scheme in CP-ABE
YIN Longxiao, WU Zhongdong. Revocation Control Scheme in CP-ABE [J]. Computer Engineering and Applications, 2020, 56(13): 100-105.
Authors: YIN Longxiao  WU Zhongdong
Affiliation: School of Electronics and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070, China
Abstract: When data is shared in a cloud environment, the complexity of that environment means the data must be secured and access to it controlled, which requires an encryption mechanism. Ciphertext-policy attribute-based encryption (CP-ABE) is a widely used encryption mechanism that sets access rights according to the user's attributes, so that any user with qualified access rights can access the data. However, the cloud is a dynamic environment, and sometimes only a subset of the users with access rights may be allowed to access the data, which requires a mechanism for revoking user rights. In CP-ABE, access revocation or user revocation is a lengthy and costly operation. The proposed scheme modifies the CP-ABE process to embed a flexibly controllable personal secret of the user in the original ciphertext, so that revoking a user's permission requires neither user revocation data using a new access policy nor re-encryption of the data, which greatly reduces the computing cost of permission revocation. Compared with well-known CP-ABE revocation schemes, the proposed scheme has lower computational cost and better security.
Keywords: Ciphertext Policy Attributes (CP-ABE)  access control  attribute revocation
This article is indexed in databases including VIP (维普) and Wanfang Data (万方数据).