Multiuser access control searchable privacy‐preserving scheme in cloud storage

Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is a effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given trusted third party to perform for reducing the computation time of the data owner. Second, using CP‐ABE scheme, trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list, the ciphertext can be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy sever before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.     

Attribute-based encryption scheme supporting attribute revocation in cloud storage environment

Attribute-based encryption (ABE) scheme is widely used in the cloud storage due to its fine-grained access control.Each attribute in ABE may be shared by multiple users at the same time.Therefore,how to achieve attribute-level user revocation is currently facing an important challenge.Through research,it has been found that some attribute-level user revocation schemes currently can’t resist the collusion attack between the revoked user and the existing user.To solve this problem,an attribute-based encryption scheme that supported the immediate attribute revocation was proposed.The scheme could achieve attribute-level user revocation and could effectively resist collusion attacks between the revoked users and the existing users.At the same time,this scheme outsourced complex decryption calculations to cloud service providers with powerful computing ability,which reduced the computational burden of the data user.The scheme was proved secure based on computational Diffie-Hellman assumption in the standard model.Finally,the functionality and efficiency of the proposed scheme were analyzed and verified.The experimental results show that the proposed scheme can safely implement attribute-level user revocation and has the ability to quickly decrypt,which greatly improves the system efficiency.     

Searchable ciphertext‐policy attribute‐based encryption with revocation in cloud storage

To protect the sensitive data outsourced to cloud server, outsourcing data in an encrypted way has become popular nowadays. However, it is not easy to find the corresponding ciphertext efficiently, especially the large ciphertext stored on cloud server. Besides, some data owners do not want those users who attempt to decrypt to know the sensitive access structure of the ciphertext because of some business or private reasons. In addition, the user attributes revocation and key updating are important issues, which affect application of ciphertext‐policy attribute‐based encryption (CP‐ABE) in cloud storage systems. To overcome the previous problems in cloud storage, we present a searchable CP‐ABE with attribute revocation, where access structures are partially hidden so that receivers cannot extract sensitive information from the ciphertext. The security of our scheme can be reduced to the decisional bilinear Diffie–Hellman (DBDH) assumption and decisional linear (DL) assumption. Copyright © 2015 John Wiley & Sons, Ltd.     

Research on cloud storage systems supporting secure sharing

A practical scheme for the cloud storage system was proposed to ensure security and efficiency during data sharing.The scheme which combine attribute-based encryption,proxy encryption with symmetric encryption,could integrate access control,efficient search with encryption well together.The scheme archived conjunctive-keyword non-field subset search by using bilinear mapping and polynomial equation.The scheme reduced the cost of decryption by outsourcing most of the decryption operations from the terminal to the cloud.At last,the performance was analyzed and an experiment was made for verification.     

指定测试者的基于身份可搜索加密方案

对指定测试者的基于身份可搜索加密(dIBEKS)方案进行了研究。指出Tseng等人所提dIBEKS方案并不是完全定义在基于身份密码系统架构上,而且方案不能满足dIBEKS密文不可区分性。首次提出了基于身份密码系统下的指定测试者可搜索加密方案的定义和安全需求,并设计了一个高效的dIBEKS新方案。证明了dIBEKS密文不可区分性是抵御离线关键字猜测攻击的充分条件,并证明了新方案在随机预言模型下满足适应性选择消息攻击的dIBEKS密文不可区分性、陷门不可区分性,从而可以有效抵御离线关键字猜测攻击。     

基于区块链且支持验证的属性基搜索加密方案

针对一对多搜索模型下共享解密密钥缺乏细粒度访问控制且搜索结果缺乏正确性验证的问题,提出了一种基于区块链且支持验证的属性基搜索加密方案。通过对共享密钥采用密文策略属性加密机制,实现细粒度访问控制。结合以太坊区块链技术,解决半诚实且好奇的云服务器模型下返回搜索结果不正确的问题,在按需付费的云环境下,实现用户和云服务器之间服务-支付公平,使各方诚实地按照合约规则执行。另外,依据区块链的不可篡改性,保证云服务器得到服务费,用户得到正确的检索结果,而不需要额外验证,减少用户计算开销。安全性分析表明,所提方案满足自适应选择关键词语义安全,能很好地保护用户的隐私以及数据的安全。性能对比及实验结果表明,所提方案在安全索引产生、搜索令牌生成、检索效率以及交易数量方面有一定的优化,更加适用于智慧医疗等一对多搜索场景。     

基于区块链的公钥可搜索加密方案

针对公钥加密方案的陷门安全问题,引入随机数构造陷门与索引,用于抵御来自服务器内部的关键字猜测攻击,避免因服务器好奇行为带来的数据泄露。对第三方的可信问题进行研究,将区块链技术与可搜索加密方案相结合,使用智能合约作为可信第三方进行检索工作,既可以防止服务器内部的关键字猜测攻击,又可以保证检索结果的正确性,从而限制服务器在下发数据时的恶意行为。通过安全性分析,验证了所提方案满足IND-KGA安全性。经过与其他方案进行实验对比,证明了所提方案在时间开销上具有一定的优势。     

Dynamic searchable encryption with privacy protection for cloud computing

The dynamic searchable encryption schemes generate search tokens for the encrypted data on a cloud server periodically or on a demand. With such search tokens, a user can query the encrypted data whiles preserving the data's privacy; ie, the cloud server can retrieve the query results to the user but do not know the content of the encrypted data. A framework DSSE with Forward Privacy (dynamic symmetric searchable encryption [DSSE] with forward privacy), which consists of Internet of Things and Cloud storage, with the attributes of the searchable encryption and the privacy preserving are proposed. Compared with the known DSSE schemes, our approach supports the multiusers query. Furthermore, our approach successfully patched most of the security flaws related to the sensitive information's leakage in the DSSE schemes. Both security analysis and simulations show that our approach outperforms other DSSE schemes with respect to both effectiveness and efficiency.     

FETCH: A cloud-native searchable encryption scheme enabling efficient pattern search on encrypted data within cloud services

Searchable encryption (SE) is considered important as it provides both confidentiality and searchability for the data stored in semi-trusted environments such as cloud. However, it is rarely deployed because most SE schemes are not native to cloud services as they require database modifications. In this paper, we present an SE scheme called Frequency-Eliminated Trapdoor-Character Hopping (FETCH) that, based on novel common-conditioned-subsequence-preserving (CCSP) techniques, is able to work natively with off-the-shelf databases and supports wildcard-based pattern search on encrypted data thereof. In fact, with the CCSP techniques, we transform the problem of wildcard SE searching into a problem of subsequence searching, which is solved fast in most databases and thus fits well with cloud services in general. Although in our security analysis, CCSP removes the possibility of obtaining theoretical indistinguishability between indexed items, we show that FETCH does provide adequate confidentiality protection and fares much better than other existing wildcard SE schemes in terms of query performance, storage overhead, and deployment complexity. In particular, FETCH is able to efficiently handle data sets whose size is multiple orders of magnitude larger than those that existing schemes can comfortably support.     

Electronic medical record data sharing scheme based on searchable encryption via consortium blockchain

Considering that it was difficult to share medical record data among different medical institutions in cloud storage,an electronic medical record data sharing scheme based on searchable encryption on blockchain was proposed.In order to realize the secure storage and sharing of electronic medical records in the scheme,the patient’s electronic medical record ciphertext was stored in the hospital server,the ciphertext hash value was stored in the private blockchain,and the keyword index was stored in the consortium blockchain.Searchable encryption was used to implement secure search of keywords in the consortium blockchain,and proxy re-encryption technology was used to realize the sharing of electronic medical records of patients by other data users.Security analysis shows that the proposed scheme can achieve ciphertext security and keyword security.Moreover,the performance of the scheme was analyzed by function analysis,computational efficiency analysis and numerical simulation.The performance analysis shows that the scheme can achieve high computational efficiency.     

云存储系统中支持用户隐私保护的细粒度访问控制

从云存储实际需求出发,设计了一个云存储环境下支持用户隐私保护和用户属性撤销的多属性权威的属性加密机制,为了保证系统实现的效率和减轻数据持有者的负担,在属性撤销中,复杂的计算任务都委托给可信第三方或云服务器完成。所提方案在DBDH假设下被证明是安全的。     

A secure regenerating code‐based cloud storage with efficient integrity verification

Cloud storage is gaining popularity as it relieves the data owners from the burden of data storage and maintenance cost. However, outsourcing data to third‐party cloud servers raise several concerns such as data availability, confidentiality, and integrity. Recently, regenerating codes have gained popularity because of their low repair bandwidth while ensuring data availability. In this paper, we propose a secure regenerating code‐based cloud storage (SRCCS) scheme, which utilizes the verifiable computation property of homomorphic encryption scheme to check the integrity of outsourced data. In this work, an error‐correcting code (ECC)–based homomorphic encryption scheme (HES) is employed to simultaneously provide data privacy as well as error correction while supporting efficient integrity verification. In SRCCS, server regeneration process is initiated on detection of data corruption events in order to ensure data availability. The ECC‐based HES significantly reduces the probability of server regeneration and minimizes the repair cost. Extensive theoretical analysis and simulation results validate the security, efficiency, and practicability of the proposed scheme.     

Research on data encryption system and technology for cloud storage

To order to address the problem of cloud storage data security,the generic proxy-based data protection system was proposed,which could automatically and transparently secure sensitive data in browser-based cloud storage applications.A novel dynamic program analysis technique was adopted based on JavaScript API function hooking for automatically extending to various cloud applications.And a novel proxy executed searchable encryption solution was presented so that it could achieve data encryption while maintaining the original functions of cloud applications.Experimental results show that the system can support a variety of typical cloud services,effectively protect sensitive data,and bring a relatively low overhead.     

基于属性的安全增强云存储访问控制方案

为了保证云存储中用户数据和隐私的安全,提出了一种基于属性的安全增强云存储访问控制方案。通过共用属性集,将基于属性的加密体制(ABE)与XACML框架有机结合,在XACML框架上实现细粒度的基于属性的访问控制并由ABE保证数据的机密性。考虑到数据量很大时ABE的效率较低,因此,云存储中海量敏感数据的机密性用对称密码体制实现,ABE仅用于保护数据量较小的对称密钥。实验分析表明,该方案不仅能保证用户数据和隐私的机密性,而且性能优于其他同类系统。     

云存储环境下的密文安全共享机制

With the convenient of storing and sharing data in cloud storage environment,the concerns about data security arised as well.To achieve data security on untrusted servers,user usually stored the encrypted data on the cloud storage environment.How to build a cipertext-based access control scheme became a pot issue.For the access control problems of ciphertext in cloud storage environment,a CP-ABE based data sharing scheme was proposed.Novel key generation and distribution strategies were proposed to reduce the reliance on a trusted third party.Personal information was added in decryption key to resistant conclusion attacks at the same time.Moreover,key revocation scheme was proposed to provide the data backward secrecy.The security and implement analysis proves that proposed scheme is suit for the real application environment.     

Efficient revocable ID‐based encryption with cloud revocation server

The capability to efficiently revoke compromised/misbehaving users is important in identity‐based encryption (IBE) applications, as it is not a matter of if but of when that one or more users are compromised. Existing solutions generally require a trusted third party to update the private keys of nonrevoked users periodically, which impact on scalability and result in high computation and communication overheads at the key generation center. Li et al proposed a revocable IBE scheme, which outsources most of the computation and communication overheads to a Key Update Cloud Service Provider (KU‐CSP). However, their scheme is lack of scalability since the KU‐CSP must maintain a secret value for each user. Tseng et al proposed another revocable IBE scheme with a cloud revocation authority, seeking to provide scalability and improve both performance and security level. In this paper, we present a new revocable IBE scheme with a cloud revocation server (CRS). The CRS holds only one secret time update key for all users, which provides the capability to scale our scheme. We demonstrate that our scheme is secure against adaptive‐ID and chosen ciphertext attacks under the k‐CAA assumption and outperforms both schemes mentioned above, in terms of having lower computation and communication overheads.     

SecCloudSharing: Secure data sharing in public cloud using ciphertext‐policy attribute‐based proxy re‐encryption with revocation

An efficient cryptography mechanism should enforce an access control policy over the encrypted data to provide flexible, fine‐grained, and secure data access control for secure sharing of data in cloud storage. To make a secure cloud data sharing solution, we propose a ciphertext‐policy attribute‐based proxy re‐encryption scheme. In the proposed scheme, we design an efficient fine‐grained revocation mechanism, which enables not only efficient attribute‐level revocation but also efficient policy‐level revocation to achieve backward secrecy and forward secrecy. Moreover, we use a multiauthority key attribute center in the key generation phase to overcome the single‐point performance bottleneck problem and the key escrow problem. By formal security analysis, we illustrate that our proposed scheme achieves confidentiality, secure key distribution, multiple collusions resistance, and policy‐ or attribute‐revocation security. By comprehensive performance and implementation analysis, we illustrate that our proposed scheme improves the practical efficiency of storage, computation cost, and communication cost compared to the other related schemes.     

Research on technology of data encryption and search based on access broker

Broker executed searchable encryption (BESE) scheme was proposed for the confidentiality issues of cloud application data.The scheme did not need to modify the cloud application or user habits,thus had strong applicability.Firstly,systematic and quantitative analysis on BESE scheme was conducted in terms of query expressiveness,performance and security.Then,the main challenges of BESE scheme including securely sharing index and encrypted data between brokers were pointed out,and corresponding schemes were proposed to address the above challenges.The experimental results show that the BESE scheme can effectively protect the user data in the cloud,achieve a variety of search functions,and has high efficiency and security.     

Cloud storage scheme based on closed-box encryption

Aiming at protecting the confidentiality of data for cloud storage users,a scheme that encrypt data in cloud service providers was presented.The scheme constructed a closed-box computing environment by virtual machine isolation technique,improved algorithm of RSA to change keys without having to produce large prime numbers,transfer data and keys through SSL and encrypted data in the closed computing environment before storing to the distributed file system.Closed-box computing environment can prevent attacks from cloud administrators and malicious applications in the operating system.It also can guard against data leakage effectively.The result of experiment shows that the confidentiality of data improved and the performance loss is decreased considering to other cloud storage scheme that encrypt data in cloud.     

Differential data update scheme on network-coding-based cloud storage system

In order to solve the problem that the communication overhead of date update was too large on network-coding-based cloud storage system,a new differential data update scheme was proposed.By encoding and compressing the updated part of file,the communication overhead was reduced significantly.A network-coding-based storage prototype system was designed and implemented,and update scheme was deployed in the real network settings.Experimental results show that the proposed scheme has less communication overhead and better scalability than the existing schemes.