一种适于云存储的数据确定性删除方法

 为保护云存储模式下数据的机密性,本文提出了一种适于云存储系统的数据确定性删除方法.该方法通过密钥派生树组织管理密钥,将密钥经秘密共享方案处理后分发到DHT网络中,利用DHT网络的动态特性实现密钥的定期删除,使得在非授权时间内密文数据不能被解密和访问,从而实现云存储系统中数据的确定性删除.实验结果表明,该方法能够有效地删除密钥,且性能开销低,满足云存储系统中过期数据或备份文件的确定性删除要求.     

DACPCC:一种包含访问权限的云计算数据访问控制方案

目前云计算访问控制技术最常用的加密体系是CP-ABE,但传统的CP-ABE加密体系中没有涉及用户的访问权限问题,数据提供者只能让用户去读取数据而不能写数据,访问控制机制不灵活,且效率低.针对这一不足,本文提出了一种包含访问权限的高效云计算访问控制方案DACPCC,该方案在CP-ABE基础上设置了权限控制密钥来加密云中的数据,数据提供者通过对权限控制密钥的选择来控制数据的访问权限.文章对DACPCC进行了详细的设计,并做了安全性证明和实验验证,结果表明DACPCC能够让数据提供者对其数据资源进行权限控制,并且是安全和高效的.     

一种云存储数据确定性删除方案（英文）

In order to provide a practicable solution to data confidentiality in cloud storage service,a data assured deletion scheme,which achieves the fine grained access control,hopping and sniffing attacks resistance,data dynamics and deduplication,is proposed.In our scheme,data blocks are encrypted by a two-level encryption approach,in which the control keys are generated from a key derivation tree,encrypted by an All-OrNothing algorithm and then distributed into DHT network after being partitioned by secret sharing.This guarantees that only authorized users can recover the control keys and then decrypt the outsourced data in an ownerspecified data lifetime.Besides confidentiality,data dynamics and deduplication are also achieved separately by adjustment of key derivation tree and convergent encryption.The analysis and experimental results show that our scheme can satisfy its security goal and perform the assured deletion with low cost.     

基于属性的安全增强云存储访问控制方案

为了保证云存储中用户数据和隐私的安全,提出了一种基于属性的安全增强云存储访问控制方案。通过共用属性集,将基于属性的加密体制(ABE)与XACML框架有机结合,在XACML框架上实现细粒度的基于属性的访问控制并由ABE保证数据的机密性。考虑到数据量很大时ABE的效率较低,因此,云存储中海量敏感数据的机密性用对称密码体制实现,ABE仅用于保护数据量较小的对称密钥。实验分析表明,该方案不仅能保证用户数据和隐私的机密性,而且性能优于其他同类系统。     

Secure Data Access and Sharing Scheme for Cloud Storage

Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

     

A certificateless signcryption with proxy re-encryption for practical access control in cloud-based reliable smart grid

Cloud computing has proven to be applicable in smart grid systems with the help of the cloud-based Internet of things (IoT) technology. In this concept, IoT is deployed as a front-end enabling the acquisition of smart grid-related data and its outsourcing to the cloud for data storage purposes. It is obvious that data storage is a pertinent service in cloud computing. However, its wide adoption is hindered by the concern of having a secure access to data without a breach on confidentiality and authentication. To address this problem, we propose a novel data access control scheme that simultaneously accomplishes confidentiality and authentication for cloud-based smart grid systems. Our scheme can enable the storing of encrypted smart grid-related data in the cloud. When a user prefers to access the data, the data owner issues a delegation command to the cloud for data re-encryption. The cloud is unable to acquire any plaintext information on the data. Only authorized users are capable of decrypting the data. Moreover, the integrity and authentication of data can only be verified by the authorized user. We obtain the data access control scheme by proposing a pairing free certificateless signcryption with proxy re-encryption (CLS-PRE) scheme. We prove that our CLS-PRE scheme has indistinguishability against adaptive chosen ciphertext attack under the gap Diffie–Hellman problem and existential unforgeability against adaptive chosen message attack under elliptic curve discrete logarithm problem in the random oracle model.

     

基于授权的多服务器可搜索密文策略属性基加密方案

针对现有属性基可搜索加密方案缺乏对云服务器授权的服务问题,该文提出一种基于授权的可搜索密文策略属性基加密(CP-ABE)方案。方案通过云过滤服务器、云搜索服务器和云存储服务器协同合作实现搜索服务。用户可将生成的授权信息和陷门信息分别发送给云过滤服务器和云搜索服务器,在不解密密文的情况下,云过滤服务器可对所有密文进行检测。该方案利用多个属性授权机构,在保证数据机密性的前提下能进行高效的细粒度访问,解决数据用户密钥泄露问题,提高数据用户对云端数据的检索效率。通过安全性分析,证明方案在提供数据检索服务的同时无法窃取数据用户的敏感信息,且能够有效地防止数据隐私的泄露。     

Cloud data secure deduplication scheme via role-based symmetric encryption

The rapid development of cloud computing and big data technology brings prople to enter the era of big data,more and more enterprises and individuals outsource their data to the cloud service providers.The explosive growth of data and data replicas as well as the increasing management overhead bring a big challenge to the cloud storage space.Meanwhile,some serious issues such as the privacy disclosure,authorized access,secure deduplication,rekeying and permission revocation should also be taken into account.In order to address these problems,a role-based symmetric encryption algorithm was proposed,which established a mapping relation between roles and role keys.Moreover,a secure deduplication scheme was proposed via role-based symmetric encryption to achieve both the privacy protection and the authorized deduplication under the hierarchical architecture in the cloud computing environment.Furthermore,in the proposed scheme,the group key agreement protocol was utilized to achieve rekeying and permission revocation.Finally,the security analysis shows that the proposed role-based symmetric encryption algorithm is provably secure under the standard model,and the deduplication scheme can meet the security requirements.The performance analysis and experimental results indicate that the proposed scheme is effective and efficient.     

具有隐私保护的云存储访问控制方案

针对传统的访问控制方案无法在云计算环境下保护用户的属性隐私,提出了具有隐私保护的云存储访问控制方案。采用混合加密体制实现了数据的机密性,即利用对称密钥加密明文数据,再利用公钥密码体制对对称密钥进行加密。在新的访问控制方案中,公钥加密采用了匿名的密文策略下基于属性的加密技术。安全性分析表明,新方案在保护用户属性隐私的同时,达到了选择明文安全性,可抵抗恶意用户及云存储服务器的合谋攻击。     

云计算环境中的数据安全评估技术量化研究

分析了现有云计算系统中机密性的几种保护机制,并提出了一种基于数据流分析的机密性风险评估模型。通过LKM部署的监控器截获系统调用获得系统的数据流,交由评估器与服务提供的数据流模式集进行比较分析,来对服务机密性进行综合评估。实验表明该方法能够有效识别云计算环境中破坏服务和数据机密性的行为。     

面向云计算环境下Web数据挖掘技术

在云计算环境下,Web数据挖掘技术得到了快速发展。由于云计算的应用,Web数据挖掘体系已体现出新的特点。分析云计算环境下Web数据挖掘技术的特点,可以明确应用要点,可以实现云计算在数据存储中的突破,实现存储的能力与安全性的提高。从海量数据中高效挖掘有价值的资源,属于信息技术要解决的关键问题。云计算技术支持下的数据挖掘实现了资源的优化配置,体现出实用性、虚拟性的特点,可以保证数据挖掘的高效、精准。因此,有必要构建基于云计算的数据挖掘模式,保证数据挖掘具有更高的精准度,并实现挖掘成本的降低。     

基于异构密码系统的混合群组签密方案

群组签密既能实现群组签名,又能实现群组加密,但是现有的群组签密方案的发送者和接收者基本上在同一个密码系统中,不能满足现实环境的需求,而且基本上采用的是公钥加密技术,公钥加密技术在加密长消息时效率较低。因此该文提出由基于身份的密码体制(IBC)到无证书密码体制(CLC)的异构密码系统的混合群组签密方案。在该方案中,私钥生成器(PKG)和密钥生成中心(KGC)能够分别在IBC密码体制和CLC密码体制中产生自己的系统主密钥;而且群组成员只有协作才能解签密,提高了方案的安全性;同时在无需更换群组公钥和其他成员私钥的情况下,用户可以动态地加入该群组。所提方案采用了混合签密,具有可加密任意长消息的能力。在随机预言模型下,证明了该文方案在计算Diffie-hellman困难问题下具有保密性和不可伪造性。通过理论和数值实验分析表明该方案具有更高的效率和可行性。     

属性加密访问控制方法在云环境下的应用研究

随着云计算技术的普遍应用,云环境下云资源的安全性问题也受到了信息安全技术领域研究人员的普遍关注.传统的访问控制方法不能适应云计算环境下的数据存储和处理的安全需要,属性加密访问控制方法在云计算环境下的应用,可以有效的保证云环境下数据的安全性.本文对云安全进行了简单的分析,对基于属性的访问控制方法进行了研究,结合云计算环境数据处理的实际情况,提出了基于属性加密访问控制方法在云计算环境下应用的方案,并进行了研究.     

面向移动云计算的多要素代理重加密方案

云与移动计算的融合使用户能够更方便快捷地获取数据和服务,但是由于云平台和移动通信网络的开放性,如何在移动云计算环境下实现数据安全的访问和使用成为了亟待解决的问题。设计了一种基于多要素访问控制条件的代理重加密方案,包含系统模型、重加密算法及重加密密钥描述方法。基于该方案,云计算数据中心通过移动用户的访问请求,获取用户的客观访问控制条件,为用户生成相应的重加密密文,用户使用自身私钥即可对授权数据解密。在不增加用户密钥管理量的前提下,实现了移动云计算的多要素代理重加密。     

QMLFD Based RSA Cryptosystem for Enhancing Data Security in Public Cloud Storage System

Nowadays sharing secure data turns out to be a challenging task for the data owner due to its privacy and confidentiality. Several IT companies stores their important information in the cloud since computing has developed immense power in sharing the data. On the other hand, privacy is considered a serious issue in cloud computing as there are numerous privacy concerns namely integrity, authentication as well as confidentiality. Among all those concerns, this paper focuses on enhancing the data integrity in the public cloud environment using Qusai modified levy flight distribution for the RSA cryptosystem (QMLFD-RSA). An effective approach named QMLFD for the RSA cryptosystem is proposed for resolving the problem based on data integrity in public cloud environment. A secured key generation and data encryption are done by employing the RSA cryptosystem thus the data is secured from unauthorized users. The key selection is done by using quasi based modified Levy flight distribution algorithm. Thus the proposed approach provides an effective model to enhance the integrity of data in cloud computing thus checking the data integrity uploaded in the public cloud storage system. In addition to this, ten optimization benchmark functions are calculated to determine the performances and the functioning of the newly developed QMLFD algorithm. The simulation results and comparative performances are carried out and the analysis reveals that the proposed QMLFD for the RSA cryptosystem provides better results when compared with other approaches.

     

基于边缘计算的支持多密钥的加密图像检索

针对现有加密图像检索方案未考虑不同密钥加密图像集的情况,基于局部敏感哈希、安全近邻及代理重加密技术提出了基于边缘计算的支持多密钥的加密图像检索系统(包含基础方案和改进方案)。所提方案不但提高了图像查询效率、精度,而且降低了查询用户的额外计算开销。安全性分析表明,所提基础方案仅可抵抗已知密文攻击,而所提改进方案可抵抗已知背景攻击。基于实际数据集的实验性能测试表明,所提方案在实际应用场景中是可行的。     

Multiuser access control searchable privacy‐preserving scheme in cloud storage

Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is a effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given trusted third party to perform for reducing the computation time of the data owner. Second, using CP‐ABE scheme, trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list, the ciphertext can be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy sever before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.     

A group key exchange and secure data sharing based on privacy protection for federated learning in edge-cloud collaborative computing environment

Federated learning (FL) is widely used in internet of things (IoT) scenarios such as health research, automotive autopilot, and smart home systems. In the process of model training of FL, each round of model training requires rigorous decryption training and encryption uploading steps. The efficiency of FL is seriously affected by frequent encryption and decryption operations. A scheme of key computation and key management with high efficiency is urgently needed. Therefore, we propose a group key agreement technique to keep private information and confidential data from being leaked, which is used to encrypt and decrypt the transmitted data among IoT terminals. The key agreement scheme includes hidden attribute authentication, multipolicy access, and ciphertext storage. Key agreement is designed with edge-cloud collaborative network architecture. Firstly, the terminal generates its own public and private keys through the key algorithm then confirms the authenticity and mapping relationship of its private and public keys to the cloud server. Secondly, IoT terminals can confirm their cryptographic attributes to the cloud and obtain the permissions corresponding to each attribute by encrypting the attributes. The terminal uses these permissions to encrypt the FL model parameters and uploads the secret parameters to the edge server. Through the storage of the edge server, these ciphertext decryption parameters are shared with the other terminal models of FL. Finally, other terminal models are trained by downloading and decrypting the shared model parameters for the purpose of FL. The performance analysis shows that this model has a better performance in computational complexity and computational time compared with the cited literature.     

基于f-mOPE的数据库密文检索方案

在云数据库环境下,为保证云存储数据的安全性,通常将数据加密存储。针对加密存储数据查询开销大,不支持密文排序,查询等缺点,该文提出一种 f-mOPE数据库密文检索方案。该方案基于可变保序编码(mOPE),采用二叉排序树数据结构思想,生成明文一一对应的保序编码;基于AES加密方案将数据明文转化为密文存储;采用改进的部分同态加密算法提升保序加密方案的安全性。通过安全性分析及实验结果表明,该方案在保证数据隐私的基础上,不但能抵御统计型攻击,而且能够有效地降低服务器计算开销,提高数据库处理效率。     

Proxy re-encryption based multi-factor access control scheme in cloud

Cloud computing is one of the space-ground integration information network applications.Users can access data and retrieve service easily and quickly in cloud.The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network.Thus the data in cloud is transferred with encrypted form to protect the information.As an important technology of cloud security,access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection.Based on this,a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed.Firstly,the aims and assumptions of PRE-MFAC were given.Secondly,the system model and algorithm was defined.Finally,the security and properties of PRE-MFAC were analyzed.The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in cloud.Meanwhile,it can make the best possible use of cloud in computing and storing,then reduce the difficulty of personal user in cryptographic computing and key managing.