基于同态hash的数据多副本持有性证明方案

为检查云存储中服务提供商(CSP)是否按协议完整地存储了用户的所有数据副本,在分析并指出一个基于同态hash的数据持有性证明方案安全缺陷的基础上,对其进行了改进和扩展,提出了一个多副本持有性证明方案。为实现多副本检查,将各副本编号与文件连接后利用相同密钥加密以生成副本文件,既有效防止了CSP各服务器的合谋攻击,又简化了用户和文件的授权访问者的密钥管理;为提高检查效率,利用同态hash为数据块生成验证标签,实现了对所有副本的批量检查;为保证方案安全性,将文件标志和块位置信息添加到数据块标签中,有效防止了CSP进行替换和重放攻击。安全性证明和性能分析表明,该方案是正确和完备的,并具有计算、存储和通信负载低,以及支持公开验证等特点,从而为云存储中数据完整性检查提供了一种可行的方法。     

面向云存储的多副本文件完整性验证方案

文件完整性验证是云存储服务的一项重要安全需求.研究者已经提出多项针对云存储文件完整性验证的机制,例如数据持有性验证(prove of data possession,PDP)或者数据可恢复证明(proof of retrievability,POR)机制.但是,现有方案只能够证明远程云存储持有一份正确的数据,不能检验其是否保存多份冗余存储.在云存储场景中,用户需要验证云存储确实持有一定副本数的正确文件,以防止部分文件意外损坏时无法通过正确的副本进行恢复.提出的多副本文件完整性验证方案,能够帮助用户确定服务器正确持有的文件副本数目,并能够定位出错的文件块位置,从而指导用户进行数据恢复.实验证明,充分利用了多服务器分布式计算的优势,在验证效率上优于单副本验证方案.     

一种基于公钥分割的多副本持有性证明方案

在数据外包的云存储环境中,如何验证存储服务方是否忠诚地按照客户需求保存足够数量的副本数据是一个挑战性问题。现有方案只能对各个副本逐一进行验证,存在验证效率低、计算开销大和对数据更新支持弱等缺点。提出一种带 Collector 的多副本云存储模型,在此基础上给出一种基于公钥分割的多副本持有性证明方案（multiple replica possession proving scheme based on public key partition , MRP‐PKP）。该方案将公钥分割为多个份额并分配给对应的副本存储节点;在验证时,能够一次性对所有副本的持有性进行高效验证。此外,该方案可有效防御同谋攻击,能够方便地支持数据块级更新操作。进一步理论分析和模拟实验表明：与传统方案相比,MRP‐PKP 方案具有安全性高、通信开销低、运算代价小等优势。     

EMCA:一种新的多云存储中高效的多副本审计方案

云数据审计是一项允许数据所有者在不下载数据的情况下检查数据是否在远程云服务器上完整存储的技术。目前,云数据审计可分为单副本审计和多副本审计,针对多副本审计方案中计算开销大以及无法审计多云存储数据的不足,提出了一种在多云情景下高效的多副本云数据审计方案。所提方案使用较轻量级的模幂加密技术代替传统上计算成本较高的双线性配对技术,以降低在审计过程中的计算开销,提高了方案的效率。为每个副本数据块生成一个同态验证标签(HVT)作为元数据,当用户发出审计要求,每个云服务提供商生成对应的证据,由云服务器管理者聚合证据,实现了在多云存储中的审计。安全分析表明,所提方案可抵挡恶意云服务提供商的伪造攻击,以及恶意云服务提供商与第三方审计者的合谋攻击。性能分析表明,所提方案在计算开销上低于现有多副本审计方案,实现了高效的多云存储多副本审计。     

支持动态操作的多副本数据完整性验证方案

针对云存储环境下外包数据面临的安全隐患，并结合现有云数据完整性验证方案的不足，提出了支持动态操作的多副本数据完整性验证方案。方案考虑了多副本应用场景，并在现有云数据完整性验证方案的基础上以较小的代价实现了文件的多副本验证，并通过引入认证的数据结构—基于等级的Merkle哈希树，实现了文件的可验证动态更新。通过对多副本进行关联，可以实现多个副本的同步更新。安全性分析与实验表明了该方案的安全性与有效性，实现了数据的安全存储与更新，并有效保证了数据多副本的隐私安全。     

云存储中基于MHT的动态数据完整性验证与恢复方案

针对云服务器上存储数据完整性验证过程中的高通信开销和动态数据验证问题,提出一种基于Merkle哈希树(MHT)的动态数据完整性验证与恢复方案。首先,基于MHT构建了一种新型分层认证数据结构,将数据块的每个副本块组织成副本子树,以此大幅降低多副本更新验证的通信开销。然后,在数据验证中,融入了对服务器安全索引信息的认证,以此避免服务器攻击。最后,当发现数据损坏时,通过二分查找和Shamir秘密共享机制来恢复数据。实验结果表明,该方案在验证过程中能有效降低计算和通讯开销,并能够很好地支持数据的动态操作。     

用户可动态撤销及数据可实时更新的云审计方案

随着云存储的出现,越来越多的用户选择将大量数据存储在远程云服务器上,以节约本地存储资源.如何验证用户远程存储在云端数据的完整性,成为近年来学术界的一个研究热点.虽然现已提出了很多云审计方案,但大多数方案都假设个人和企业在使用云存储系统的整个过程中,用户及其公私钥始终不变,且不能高效地对数据进行实时动态更新.为此,提出一种轻量级的支持用户可动态撤销及存储数据可动态更新的云审计方案.首先,该方案允许用户可高效地动态撤销（包括更换公私钥）,在用户撤销阶段,采用了多重单向代理重签名技术,新用户只需计算重签名密钥,而无需从云端下载数据再重新签名后上传到云端;其次,该方案能够保证数据可实时动态更新（插入、删除、修改）,通过在数据块的身份识别码中引入虚拟索引,数据动态更新时,只有被更新数据块的身份识别码发生变化,其余数据块的身份识别码保持不变;最后,在重签名阶段,云服务器代替新用户进行签名,在审计阶段,第三方审计者代表当前用户对存储在远程云服务器上的数据进行完整性验证,减轻了终端用户的计算开销及系统的通信开销（轻量级）.安全性分析和性能分析进一步说明,该方案是安全的和高效的.     

一种基于HDFS的远程文件备份系统的设计和实现

针对传统远程文件备份系统,备份数据存储在单节点服务器存在的存储空间受限、多用户情况下的读写性能以及备份数据单副本问题,提出了一种基于HDFS的远程文件备份系统的设计方案。将用户的备份数据分布式存储于多台不同的数据存储服务器,元数据存储在单独的控制服务器。该存储架构可以有效解决单存储服务器存储空间受限的问题,改善面对多用户并发读性能问题,提供了文件多副本存储策略,并且该系统增强了备份文件存储的安全性。     

基于SBT全结点存储的云数据完整性

云存储可以为用户提供高质量、按需分配的数据存储服务,使用户用低廉的价格就能享受到海量的存储能力,但是对于用户而言,云存储服务器并不是完全可信,因此会担心存储在云端的数据出现安全性问题,同时为了满足云中的应用,需要完整性验证机制支持全动态操作以及第三方公开认证。因此,提出一种基于全结点存储的云数据完整性方案。引入平衡二叉搜索树结构--结点大小平衡树(SizeBalancedTree,SBT),该结构使得树中所有的结点都可以用来存储实际的数据,相比叶子结点存储的树,无疑减少了服务器上的空间开销,同时降低了树的高度,从而也降低了进行数据插入删除等基本操作的时间复杂度。该方案在支持动态操作上具有更好的效率,能够很好地支持云存储环境下数据完整性验证。     

基于可审计多副本的云存储差错副本恢复机制

针对具备可审计特性的多副本云存储系统的差错副本恢复问题，在多副本云存储完整性审计方案的基础上，从总体流程、影响因素、恢复策略、故障定位和计算模型5个方面阐述差错副本恢复机制，将差错副本恢复策略归纳为全副本下载上传、全副本差值上传、故障块上传和故障段上传4种，并对影响恢复效率的因素进行了量化，提出通信开销、计算开销和总开销的计算模型。针对一个具体的多副本云存储完整性审计方案，对不同策略和参数下纠正一个数据块随机差错的开销进行量化分析。实验结果表明，当带宽分别为1 Mb/s、10 Mb/s、100 Mb/s和1 Gb/s时，实验中最优策略的耗时分别只有全副本差值上传策略的0.34%、2.44%、15.27%和46.93%。可见所提模型可用于为可审计多副本云存储系统选择合适的策略与参数，以提高差错副本恢复效率，尤其适用于网络带宽受限的情况。     

A highly secured and streamlined cloud collaborative editing scheme along with an efficient user revocation in cloud computing

These days with the expanded fame of cloud computing, the interest for cloud-based collaborative editing service is rising. The encryption method is utilized to ensure and secure the data, during the collaborative editing process. In the encryption process, the cloud requires more time to work the collaborative editing. This paper proposes an efficient scheme for reducing the encryption burden over the cooperative users, as the possibilities of cooperative users read and write data by means of any gadget. In the proposed scheme, the encrypted file sent by the data owner is split into smaller segments and stored in the cloud by the cloud service provider (CSP) along with specific tags. Once the cooperative user receives and decrypts the file from the CSP, it modifies and encrypts only the modified segment and resends to the CSP. The CSP after verifying the signature replace the original file segment in the cloud with the modified segment based on the tag information. The scheme that is put forward is performed based on the modified ciphertext-policy hierarchical attribute–based encryption, and the security process is done based on the attribute-based signature schemes. This work employs a proficient attribute updating method to accomplish the dynamic change of users' attributes, consisting granting new attributes, revoking previous attributes, and regranting formerly revoked attributes. A writer's attributes and keys have been revoked, and the stale information cannot be written.     

Improved Cloud Storage Encryption Using Block Cipher-Based DNA Anti-Codify Model

When it comes to data storage, cloud computing and cloud storage providers play a critical role. The cloud data can be accessed from any location with an internet connection. Additionally, the risk of losing privacy when data is stored in a cloud environment is also increased. A variety of security techniques are employed in the cloud to enhance security. In this paper, we aim at maintaining the privacy of stored data in cloud environment by implementing block-based modelling to boost the privacy level with Anti-Codify Technique (ACoT) and block cipher-based algorithms. Initially, the cipher text is generated using Deoxyribo Nucleic Acid (DNA) model. Block-cipher-based encryption is used by ACoT, but the original encrypted file and its extension are broken up into separate blocks. When the original file is broken up into two separate blocks, it raises the security level and makes it more difficult for outsiders to cloud data access. ACoT improves the security and privacy of cloud storage data. Finally, the fuzzy-based classification is used that stores various access types in servers. The simulation results shows that the ACoT-DNA method achieves higher entropy against various block size with reduced computational cost than existing methods.     

云存储威胁模型的伪随机双线性映射完整性检查

在云存储应用中,用户文件不在本地存储,因此文件安全性、数据机密性和鲁棒性是关键问题。首先,针对现有文献提出的多个密钥服务器的安全擦除码存储系统未考虑数据鲁棒性导致数据恢复存在缺陷的问题,利用伪随机双线性映射构建云存储完整性检查策略威胁模型;其次,编制接口文件块结构,并参照相关文献算法进行完整性检查方案设计,实现多密钥服务器安全擦除码存储系统算法功能补充,并给出算法计算复杂度分析;最后,实验结果显示,所提出的完整性检查方案可实现较大的数据成功检索概率。     

云加密数据安全重复删除方法

在云环境存储模式中,采用用户端数据加密虽然能够有效降低数据的存储安全风险,但同时会使云服务商丧失重复数据鉴别能力,导致存储开销随数据量增大而不断攀升.加密数据重复删除技术是解决该问题的方法之一,现有方案通常基于可信第三方设计,安全性假设过强,执行效率较低.基于椭圆曲线与密文策略属性加密两种高安全密码学原语,构造了重复加密数据识别与离线密钥共享两种安全算法,进而实现一种无需初始数据上传用户与可信第三方实时在线的加密数据重复删除方法.详细的安全性与仿真实验分析,证明该方法不仅实现数据的语义安全,同时能够保证系统的高效率运行.     

一种面向隐私保护的密文检索算法

针对移动云计算环境下数据外包所带来的安全问题,为了保证数据的安全性和密文检索的效率,通过改进传统的密文检索结构,增加私有云索引服务器以实现索引文件与密文文件的存储分离,并在此基础上提出了一种面向隐私保护的密文检索算法。考虑到移动设备的弱计算能力,算法采用对称可搜索加密的方式以减少计算开销,并以Trie树作为索引结构以提高检索效率,同时支持对检索结果排序。理论分析与实验结果表明,该算法能够实现对用户的隐私保护,并具有较好的存储空间和检索时间的性能。     

Efficient integrity verification of replicated data in cloud using homomorphic encryption

The cloud computing is an emerging model in which computing infrastructure resources are provided as a service over the internet. Data owners can outsource their data by remotely storing them in the cloud and enjoy on-demand high quality services from a shared pool of configurable computing resources. However, since data owners and the cloud servers are not in the same trusted domain, the outsourced data may be at risk as the cloud server may no longer be fully trusted. Therefore, data confidentiality, availability and integrity is of critical importance in such a scenario. The data owner encrypts data before storing it on the cloud to ensure data confidentiality. Cloud should let the owners or a trusted third party to check for the integrity of their data storage without demanding a local copy of the data. Owners often replicate their data on the cloud servers across multiple data centers to provide a higher level of scalability, availability, and durability. When the data owners ask the cloud service provider (CSP) to replicate data, they are charged a higher storage fee by the CSP. Therefore, the data owners need to be strongly convinced that the CSP is storing data copies agreed on in the service level contract, and data-updates have been correctly executed on all the remotely stored copies. To deal with such problems, previous multi copy verification schemes either focused on static files or incurred huge update costs in a dynamic file scenario. In this paper, we propose a dynamic multi-replica provable data possession scheme (DMR-PDP) that while maintaining data confidentiality prevents the CSP from cheating, by maintaining fewer copies than paid for and/or tampering data. In addition, we also extend the scheme to support a basic file versioning system where only the difference between the original file and the updated file is propagated rather than the propagation of operations for privacy reasons. DMR-PDP also supports efficient dynamic operations like block modification, insertion and deletion on replicas over the cloud servers. Through security analysis and experimental results, we demonstrate that the proposed scheme is secure and performs better than some other related ideas published recently.     

Zero knowledge based client side deduplication for encrypted files of secure cloud storage in smart cities

As typical applications in the field of the cloud computing, cloud storage services are popular in the development of smart cities for their low costs and huge storage capacity. Proofs-of-ownership (PoW) is an important cryptographic primitive in cloud storage to ensure that a client holds the whole file rather than part of it in secure client side data deduplication. The previous PoW schemes worked well when the file is in plaintext. However, the privacy of the clients’ data may be vulnerable to honest-but-curious attacks. To deal with this issue, the clients tend to encrypt files before outsourcing them to the cloud, which makes the existing PoW schemes inapplicable any more. In this paper, we first propose a secure zero-knowledge based client side deduplication scheme over encrypted files. We prove that the proposed scheme is sound, complete and zero-knowledge. The scheme can achieve a high detection probability of the clients’ misbehavior. Then we introduced a proxy re-encryption based key distribution scheme. This scheme ensures that the server knows nothing about the encryption key even though it acts as a proxy to help distributing the file encryption key. It also enables the clients who have gained the ownership of a file to share the file with the encryption key generated without establishing secure channels among them. It is proved that the clients’ private key cannot be recovered by the server or clients collusion attacks during the key distribution phase. Our performance evaluation shows that the proposed scheme is much more efficient than the existing client side deduplication schemes.     

一种基于数据分割与分级的云存储数据隐私保护机制

云存储系统数据管理权和所有权的分离导致数据安全和隐私保护难题。传统的基于单纯加密技术的云存储数据隐私保障机制在实际的数据操作过程中带来了较大的系统开销。为了以低开销实现云存储系统中异地托管数据的隐私保护机制,提出了一种基于数据分割与分级的云存储数据隐私保护机制。机制首先将数据合理分割为大小数据块;再分别将小块数据和大块数据部署在本地和异地;然后按数据不同的安全级别需求,联合采用数据染色和不同强度的数据加密技术进行数据染色或加密,以在保护云存储用户数据隐私的同时,提高灵活性,降低系统开销。