医疗大数据隐私保护多关键词范围搜索方案

随着医疗信息系统的急速发展,基于医疗云的信息系统将大量电子健康记录（EHRs）存储在医疗云系统中,利用医疗云强大的存储能力和计算能力对EHRs数据进行安全与统一的管理.尽管传统加密机制可以保证医疗数据在半诚实云服务器中的机密性,但对加密后的EHRs数据执行安全、快速、有效的范围搜索,仍是一个有待解决的关键问题.提出一种支持多关键词范围搜索的可搜索加密方案：利用向量积保持加密机制实现复杂查询结构的可搜索加密,可支持连接关键词查询、范围查询以及通配符的查询;通过随机化构建搜索索引和搜索陷门,实现搜索模式隐藏,达到搜索语句的隐私保护;采用矩阵哈达马积缩小所需密钥矩阵的维度.理论分析和实验结果表明：该方案在达到医疗数据隐私保证的同时,对用户的检索策略也进行了有效的隐私性保护,有效提高了检索效率,降低了创建索引及陷门所用时间,实现了多用户多文件下医疗数据的范围搜索能力.     

Proxy re-encryption architect for storing and sharing of cloud contents

Internet-based online cloud services provide enormous volumes of storage space, tailor-made computing resources and eradicate the obligation of native machines for data maintenance as well. Cloud storage service providers claim to offer the ability of secure and elastic data-storage services that can adapt to various storage necessities. Most of the security tools have a finite rate of failure, and intrusion comes with more complex and sophisticated techniques; the security failure rates are skyrocketing. Once we upload our data into the cloud, we lose control of our data, which certainly carries new security hazards toward integrity and privacy of our information. In this paper, we discuss a secure file sharing mechanism for the cloud with proxy re-encryption (PRE). PRE-scheme is implemented with the Disintegration Protocol to secure storage data in storage and in the flight. The paper introduces a new contribution of a seamless file sharing technique among different clouds without sharing an encryption key.     

面向混合云的可并行多关键词Top-k密文检索技术

随着云计算技术的迅猛发展,越来越多的企业和个人青睐使用私有云和公有云相结合的混合云环境,用于外包存储和管理其私有数据。为了保护外包数据的私密性,数据加密是一种常用的隐私保护手段,但这同时也使得针对加密数据的搜索成为一个具有挑战性的问题。文中提出了面向混合云的可并行的多关键词Top-k密文检索方案。该方案通过对文档、关键词分组进行向量化处理,并引入对称加密和同态矩阵加密机制,保护外包数据的私密性,同时支持多关键词密文检索;通过引入MapReduce计算模式,使得公有云和私有云合作完成的密文检索过程能够按照并行化方式执行,从而能够支持针对大规模加密数据的并行化检索。安全分析和实验结果表明,提出的检索方案能够保护外包数据的隐私,且其检索效率优于现有的同类方案。     

Secure and efficient privacy-preserving public auditing scheme for cloud storage

Cloud computing poses many challenges on integrity and privacy of users’ data though it brings an easy, cost-effective and reliable way of data management. Hence, secure and efficient methods are needed to ensure integrity and privacy of data stored at the cloud. Wang et al. proposed a privacy-preserving public auditing protocol in 2010 but it is seriously insecure. Their scheme is vulnerable to attacks from malicious cloud server and outside attackers regarding to storage correctness. So they proposed a scheme in 2011 with an improved security guarantee but it is not efficient. Thus, in this paper, we proposed a scheme which is secure and with better efficiency. It is a public auditing scheme with third party auditor (TPA), who performs data auditing on behalf of user(s). With detail security analysis, our scheme is proved secure in the random oracle model and our performance analysis shows the scheme is efficient.     

Cryptanalysis and improvement of Panda - public auditing for shared data in cloud and internet of things

Cloud computing and internet of things have gained remarkable popularity by a wide spectrum of users recently. Despite of the convenience of cloud storage, security challenges have risen upon the fact that users do not physically possess their data any more. Thus, some auditing schemes are introduced to ensure integrity of the outsourced data. And among them Panda is a public auditing scheme for shared data with efficient and secure user revocation proposed by Wang et al. It argued that it could verify the integrity of shared data with storage correctness and public auditing. In this paper, we analyze this scheme and find some security drawbacks. Firstly, Panda cannot preserve shared data privacy in cloud storage. Furthermore, our analysis shows that Panda is vulnerable to integrity forgery attack, which can be performed by malicious cloud servers to forge a valid auditing proof against any auditing challenge even without correct data storage. Then we pinpoint that the primary cause of the insecurity is the linear combinations of sampled data blocks without random masking properly. Finally, we propose an improvement of Panda together with data privacy preserving and sound public auditing while incurring optimal communication and computation overhead.     

云存储中一种动态模糊多关键字检索方案

随着云计算技术的迅速发展,云存储的数据安全和隐私保护问题受到了人们密切关注。为了保护用户的隐私数据,云端一般是以密文形式存储文件,给检索带来了不便。为了解决云环境中使用关键字查找密文文件的问题,有必要构建支持隐私保护的安全云存储系统。基于MRSE方案并引入了TF-IDF规则,给出了云环境下动态模糊多关键字排行搜索方案。并将第三方审计机制加入到系统当中,进行文件可持有性验证和密钥管理。     

Application-Aware Client-Side Data Reduction and Encryption of Personal Data in Cloud Backup Services

Cloud backup has been an important issue ever since large quantities of valuable data have been stored on the personal computing devices. Data reduction techniques, such as deduplication, delta encoding, and Lempel-Ziv （LZ） compression, performed at the client side before data transfer can help ease cloud backup by saving network bandwidth and reducing cloud storage space. However, client-side data reduction in cloud backup services faces efficiency and privacy challenges. In this paper, we present Pangolin, a secure and efficient cloud backup service for personal data storage by exploiting application awareness. It can speedup backup operations by application-aware client-side data reduction technique, and mitigate data security risks by integrating selective encryption into data reduction for sensitive applications. Our experimental evaluation, based on a prototype implementation, shows that our scheme can improve data reduction efficiency over the state-of-the-art methods by shortening the backup window size to 33%-75%, and its security mechanism for＇ sensitive applications has negligible impact on backup window size.     

Privacy-preserving public auditing for educational multimedia data in cloud computing

Nowadays, as distance learning is being widly used, multimedia data becomes an effective way for delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide a secure and reliable access to the outsourced educational multimedia contents for users. However, it brings challenging security issues in terms of data confidentiality and integrity. The straightforward way for the integrity check is to make the user download the entire data for verifying them. But, it is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against lose attack and temper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.     

VMKDO: Verifiable multi-keyword search over encrypted cloud data for dynamic data-owner

The advantages of cloud computing encourage individuals and enterprises to outsource their local data storage and computation to cloud server, however, data security and privacy concerns seriously hinder the practicability of cloud storage. Although searchable encryption (SE) technique enables cloud server to provide fundamental encrypted data retrieval services for data-owners, equipping with a result verification mechanism is still of prime importance in practice as semi-trusted cloud server may return incorrect search results. Besides, single keyword search inevitably incurs many irrelevant results which result in waste of bandwidth and computation resources. In this paper, we are among the first to tackle the problems of data-owner updating and result verification simultaneously. To this end, we devise an efficient cryptographic primitive called as verifiable multi-keyword search over encrypted cloud data for dynamic data-owner scheme to protect both data confidentiality and integrity. Rigorous security analysis proves that our scheme is secure against keyword guessing attack (KGA) in standard model. As a further contribution, the empirical experiments over real-world dataset show that our scheme is efficient and feasible in practical applications.     

高效且可验证的多授权机构属性基加密方案

移动云计算对于移动应用程序来说是一种革命性的计算模式,其原理是把数据存储及计算能力从移动终端设备转移到资源丰富及计算能力强的云服务器.但是这种转移也引起了一些安全问题,例如,数据的安全存储、细粒度访问控制及用户的匿名性.虽然已有的多授权机构属性基加密云存储数据的访问控制方案,可以实现云存储数据的保密性及细粒度访问控制;但其在加密和解密阶段要花费很大的计算开销,不适合直接应用于电力资源有限的移动设备;另外,虽然可以通过外包解密的方式,减少解密计算的开销,但其通常是把解密外包给不完全可信的第三方,其并不能完全保证解密的正确性.针对以上挑战,本文提出了一种高效的可验证的多授权机构属性基加密方案,该方案不仅可以降低加密解密的计算开销,同时可以验证外包解密的正确性并且保护用户隐私.最后,安全分析和仿真实验表明了方案的安全性和高效性.     

工业互联网中增强安全的云存储数据访问控制方案

在工业互联网应用中,由于异构节点计算和存储能力的差异,通常采用云方案提供数据存储和数据访问服务.云存储中的访问控制如扩展多权限的云存储数据访问控制方案(NEDAC-MACS),是保证云存储中数据的安全和数据隐私的基石.给出了一种攻击方法来证明NEDAC_MACS中,被撤销的用户仍然可以解密NEDAC-MACS中的新密文;并提出了一种增强NEDAC-MACS安全性的方案,该方案可以抵抗云服务器和用户之间的合谋攻击;最后通过形式密码分析和性能分析表明,该方案能够抵抗未授权用户之间以及云服务器与用户之间的合谋攻击,保证前向安全性、后向安全性和数据保密性.     

Privacy preserving security using biometrics in cloud computing

Cloud computing and the efficient storage provide new paradigms and approaches designed at efficiently utilization of resources through computation and many alternatives to guarantee the privacy preservation of individual user. It also ensures the integrity of stored cloud data, and processing of stored data in the various data centers. However, to provide better protection and management of sensitive information (data) are big challenge to maintain the confidentiality and integrity of data in the cloud computation. Thus, there is an urgent need for storing and processing the data in the cloud environment without any information leakage. The sensitive data require the storing and processing mechanism and techniques to assurance the privacy preservation of individual user, to maintain the data integrity, and preserve confidentiality. Face recognition has recently achieved advancements in the unobtrusive recognition of individuals to maintain the privacy-preservation in the cloud computing. This paper emphasizes on cloud security and privacy issues and provides the solution using biometric face recognition. We propose a biometrics face recognition approach for security and privacy preservation of cloud users during their access to cloud resources. The proposed approach has three steps: (1) acquisition of face images (2) preprocessing and extraction of facial feature (3) recognition of individual using encrypted biometric feature. The experimental results establish that our proposed recognition approach can ensure the privacy and security of biometrics data.

     

Secure proof of storage with deduplication for cloud storage systems

Explosion of multimedia content brings forth the needs of efficient resource utilization using the state of the arts cloud computing technologies such as data deduplication. In the cloud computing environments, achieving both data privacy and integrity is the challenging issue for data outsourcing service. Proof of Storage with Deduplication (POSD) is a promising solution that addresses the issue for the cloud storage systems with deduplication enabled. However, the validity of the current POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of this approach under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improved POSD scheme to mitigate our attack.     

可验证的多用户云加密关键字搜索方案

针对云环境下多用户访问和大数据量存储的特点,提出了一种云环境下加密关键字搜索方案。与已有的大多数方案相比,该方案使用签名绑定关键字索引和其关联加密文件,实现了查询结果完备性和完整性的验证,使用重加密技术实现了多用户隐查询,并动态更新用户查询权限。此外,该方案在查询过程中使用哈希查询优化索引结构,实现了对云数据的快速访问。安全性分析表明,该方案是安全的;性能分析及仿真实验结果表明该方案和已有的一些算法相比有了较大的性能提升。     

物联网环境下云数据存储安全及隐私保护策略研究

物联网依托云计算强大的数据处理能力实现信息智能,而目前云计算对数据和服务的管理并不值得用户完全信赖。针对物联网环境下云数据安全性问题,在云计算中为了保证用户数据的准确性和隐私性,提出了一种物联网环境下云数据存储安全及隐私保护策略。实验结果表明该方案有效、灵活,且能抵御Byzantine失效、恶意修改数据甚至是服务器共谋攻击。     

A survey on design and implementation of protected searchable data in the cloud

While cloud computing has exploded in popularity in recent years thanks to the potential efficiency and cost savings of outsourcing the storage and management of data and applications, a number of vulnerabilities that led to multiple attacks have deterred many potential users.As a result, experts in the field argued that new mechanisms are needed in order to create trusted and secure cloud services. Such mechanisms would eradicate the suspicion of users towards cloud computing by providing the necessary security guarantees. Searchable Encryption is among the most promising solutions—one that has the potential to help offer truly secure and privacy-preserving cloud services. We start this paper by surveying the most important searchable encryption schemes and their relevance to cloud computing. In light of this analysis we demonstrate the inefficiencies of the existing schemes and expand our analysis by discussing certain confidentiality and privacy issues. Further, we examine how to integrate such a scheme with a popular cloud platform. Finally, we have chosen – based on the findings of our analysis – an existing scheme and implemented it to review its practical maturity for deployment in real systems. The survey of the field, together with the analysis and with the extensive experimental results provides a comprehensive review of the theoretical and practical aspects of searchable encryption.     

基于云计算的数据查找与加密方案研究

云计算环境下的数据查找与加密技术是目前的研究热点。针对现有方案的不足,提出了一种改进的数据查找与加密方案。在数据查找方面,首先建立了身份管理模型,然后提出了基于权限的身份鉴别算法来实现从系统资源到身份数量之间的最优指派;在数据加密方面,提出了一种可计算加密方案CES,该方案能支持云数据的模糊检索和基本算术运算,有效地对用户的敏感数据进行隐私保护。仿真实验结果表明,方案是有效的,在加、解密性能以及存储与通信开销等方面要优于传统的方法。     

移动医疗系统中的可撤销无证书代理重签名方案

代理重签名在保证委托双方私钥安全的前提下, 通过半可信代理实现了双方签名的转换, 在本文方案中, 通过代理重签名实现了在通信过程中终端用户对于身份的隐私要求。移动医疗服务系统因为其有限的计算和存储能力, 需要借助云服务器来对医疗数据进行计算和存储。然而, 在将医疗数据外包给云服务器后, 数据便脱离了用户的控制, 这给用户隐私带来了极大地安全隐患。现有的无证书代理重签名方案大多都不具有撤销功能, 存在着密钥泄露等安全性问题。为了解决这一问题, 本文提出了一种可撤销的无证书代理重签名方案, 在不相互信任的移动医疗服务系统中, 实现了医疗数据传输过程以及云存储过程中的用户匿名性, 同时, 本文方案具有单向性和非交互性, 更适合在大规模的移动医疗系统中使用。此外, 当用户私钥泄露时, 本文利用 KUNode 算法实现了对用户的高效撤销, 并利用移动边缘计算技术将更新密钥和撤销列表的管理外包给移动边缘计算设备,降低了第三方的计算成本, 使其具有较低的延迟。最后, 在随机谕言机模型下证明了所构造的方案在自适应选择消息攻击下的不可伪造性, 并利用 JPBC 库与其他方案进行计算与通信开销的对比。其结果表明, 本方案在具备更优越的功能的同时, 具有较小的计算成本、通信成本和撤销成本。     

A secure re‐encryption scheme for data services in a cloud computing environment

Cloud computing as a promising technology and paradigm can provide various data services, such as data sharing and distribution, which allows users to derive benefits without the need for deep knowledge about them. However, the popular cloud data services also bring forth many new data security and privacy challenges. Cloud service provider untrusted, outsourced data security, hence collusion attacks from cloud service providers and data users become extremely challenging issues. To resolve these issues, we design the basic parts of secure re‐encryption scheme for data services in a cloud computing environment, and further propose an efficient and secure re‐encryption algorithm based on the EIGamal algorithm, to satisfy basic security requirements. The proposed scheme not only makes full use of the powerful processing ability of cloud computing but also can effectively ensure cloud data security. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security model. Copyright © 2015 John Wiley & Sons, Ltd.     

云存储服务中数据完整性审计方案综述

云存储是由云计算提供的一个重要服务,允许数据拥有者将数据远程存储到云服务器上,同时又能够从云服务器上便捷、高效地获取这些数据,没有本地存储和维护数据的负担。然而,这种新的数据存储模式也引发了众多安全问题,一个重要的问题就是如何确保云服务器中数据拥有者数据的完整性。因此,数据拥有者以及云存储服务提供商亟需一个稳定、安全、可信的完整性审计方案,用于审核云服务器中数据的完整性和可用性。不仅如此,一个好的数据完整性审计方案还需满足如下功能需求：支持数据的动态操作,包括插入、删除、修改;支持多用户、多云服务器的批量审计;确保用户数据的隐私性;注重方案的执行效率,尽量减少数据拥有者和云服务器的计算开销与通信开销。为了促进云存储服务的广泛应用与推广,文章重点对云数据完整性审计方案的研究现状进行综述,描述云存储以及数据完整性审计的相关概念、特点,提出云计算环境下数据完整性审计模型和安全需求,阐述云存储数据完整性审计的研究现状,并重点分析部分经典方案,通过方案对比,指出当前方案存在的优点及缺陷。同时,文章还指出了本领域未来的研究方向。