Privacy preservation of electronic health records with adversarial attacks identification in hybrid cloud

An increasing trend in healthcare organizations to outsource EHRs’ data to the cloud highlights new challenges regarding the privacy of given individuals. Healthcare organizations outsource their EHRs data in a hybrid cloud that elevates the problem of security and privacy in terms of EHRs’ access to an unlimited number of recipients in a hybrid cloud environment. In this paper, we investigated the need for a privacy-preserving access control model for the hybrid cloud. A comprehensive and exploratory analysis of privacy-preserving solutions with the help of taxonomy for cloud-based EHRs is described in this work. We have formally identified the existence of internal access control and external privacy disclosures in outsourcing system architecture for hybrid cloud. Then, we proposed a privacy-preserving XACML based access control model (PPX-AC) that supports fine-grained access control with the multipurpose utilization of EHRs alongside state-of-the-art privacy mechanism. Our proposed approach invalidates the identified security and privacy attacks. We have formally verified the proposed privacy-preserving XACML based access control model (PPX-AC) with the invalidation of identified privacy attacks using High-Level Petri Nets (HLPN). Moreover, property verification of the proposed model in SMT-lib and Z3 solver and implementation of the model proves its effectiveness in terms of privacy-aware EHRs access and multipurpose usage.     

基于假名的智能交通条件隐私保护认证协议

在智能交通、无人驾驶等场景中,车辆节点与路边设施进行数据交换以实现车路协同,有助于提高交通安全、缓解交通拥堵.但该场景下的数据交换面临很多安全问题,隐私泄露是其中的主要安全风险之一.现有智能交通隐私保护方案多涉及复杂度较高的运算或需配置高成本的防篡改设备,效率较低,不能满足无人驾驶等智能交通应用的实时要求.为此,文章提...     

普适环境下基于生物加密的认证机制

普适计算的出现对网络通信中的安全和隐私提出了新的挑战,传统的认证技术已经不能满足普适环境的安全需求。提出了一种普适环境中用于完成服务使用者与提供者之间双向认证及密钥建立的机制。该机制高度融合了生物加密技术和Diffie-Hellman密钥交换技术,在不泄露用户隐私的情况完成双向认证。该机制提供了安全的建立密钥的算法,并且通过使用生物加密技术实现了访问控制策略的区别对待。经分析证明,该协议能很好地抵抗各种攻击,尤其是拒绝服务（DoS）攻击。     

Cooperative private searching in clouds

With the increasing popularity of cloud computing, there is increased motivation to outsource data services to the cloud to save money. An important problem in such an environment is to protect user privacy while querying data from the cloud. To address this problem, researchers have proposed several techniques. However, existing techniques incur heavy computational and bandwidth related costs, which will be unacceptable to users. In this paper, we propose a cooperative private searching (COPS) protocol that provides the same privacy protections as prior protocols, but with much lower overhead. Our protocol allows multiple users to combine their queries to reduce the querying cost while protecting their privacy. Extensive evaluations have been conducted on both analytical models and on a real cloud environment to examine the effectiveness of our protocol. Our simulation results show that the proposed protocol reduces computational costs by 80% and bandwidth cost by 37%, even when only five users query data.     

工业物联网中基于PUFs轻量级的密钥交换协议研究

为了保障数据的安全性和隐私性,防止恶意用户访问传感器设备,针对工业物联网提出一种轻量级的认证与密钥交换协议.该协议采用物理不可克隆函数,模糊提取器保障传感器设备的安全.同时采用单向散列函数、异或操作和对称加解密等技术建立安全的会话通道.实验结果表明,相比于其他认证方案,该协议有效减少了密钥交换的通信和计算开销,所提出的...     

A secure re‐encryption scheme for data services in a cloud computing environment

Cloud computing as a promising technology and paradigm can provide various data services, such as data sharing and distribution, which allows users to derive benefits without the need for deep knowledge about them. However, the popular cloud data services also bring forth many new data security and privacy challenges. Cloud service provider untrusted, outsourced data security, hence collusion attacks from cloud service providers and data users become extremely challenging issues. To resolve these issues, we design the basic parts of secure re‐encryption scheme for data services in a cloud computing environment, and further propose an efficient and secure re‐encryption algorithm based on the EIGamal algorithm, to satisfy basic security requirements. The proposed scheme not only makes full use of the powerful processing ability of cloud computing but also can effectively ensure cloud data security. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security model. Copyright © 2015 John Wiley & Sons, Ltd.     

Secure and efficient privacy-preserving public auditing scheme for cloud storage

Cloud computing poses many challenges on integrity and privacy of users’ data though it brings an easy, cost-effective and reliable way of data management. Hence, secure and efficient methods are needed to ensure integrity and privacy of data stored at the cloud. Wang et al. proposed a privacy-preserving public auditing protocol in 2010 but it is seriously insecure. Their scheme is vulnerable to attacks from malicious cloud server and outside attackers regarding to storage correctness. So they proposed a scheme in 2011 with an improved security guarantee but it is not efficient. Thus, in this paper, we proposed a scheme which is secure and with better efficiency. It is a public auditing scheme with third party auditor (TPA), who performs data auditing on behalf of user(s). With detail security analysis, our scheme is proved secure in the random oracle model and our performance analysis shows the scheme is efficient.     

Outsourcing high-dimensional healthcare data to cloud with personalized privacy preservation

According to the recent rule released by Health and Human Services (HHS), healthcare data can be outsourced to cloud computing services for medical studies. A major concern about outsourcing healthcare data is its associated privacy issues. However, previous solutions have focused on cryptographic techniques which introduce significant cost when applied to healthcare data with high-dimensional sensitive attributes. To address these challenges, we propose a privacy-preserving framework to transit insensitive data to commercial public cloud and the rest to trusted private cloud. Under the framework, we design two protocols to provide personalized privacy protections and defend against potential collusion between the public cloud service provider and the data users. We derive provable privacy guarantees and bounded data distortion to validate the proposed protocols. Extensive experiments over real-world datasets are conducted to demonstrate that the proposed protocols maintain high usability and scale well to large datasets.     

移动医疗系统中的可撤销无证书代理重签名方案

代理重签名在保证委托双方私钥安全的前提下, 通过半可信代理实现了双方签名的转换, 在本文方案中, 通过代理重签名实现了在通信过程中终端用户对于身份的隐私要求。移动医疗服务系统因为其有限的计算和存储能力, 需要借助云服务器来对医疗数据进行计算和存储。然而, 在将医疗数据外包给云服务器后, 数据便脱离了用户的控制, 这给用户隐私带来了极大地安全隐患。现有的无证书代理重签名方案大多都不具有撤销功能, 存在着密钥泄露等安全性问题。为了解决这一问题, 本文提出了一种可撤销的无证书代理重签名方案, 在不相互信任的移动医疗服务系统中, 实现了医疗数据传输过程以及云存储过程中的用户匿名性, 同时, 本文方案具有单向性和非交互性, 更适合在大规模的移动医疗系统中使用。此外, 当用户私钥泄露时, 本文利用 KUNode 算法实现了对用户的高效撤销, 并利用移动边缘计算技术将更新密钥和撤销列表的管理外包给移动边缘计算设备,降低了第三方的计算成本, 使其具有较低的延迟。最后, 在随机谕言机模型下证明了所构造的方案在自适应选择消息攻击下的不可伪造性, 并利用 JPBC 库与其他方案进行计算与通信开销的对比。其结果表明, 本方案在具备更优越的功能的同时, 具有较小的计算成本、通信成本和撤销成本。     

ECCbAS: An ECC based authentication scheme for healthcare IoT systems

Smart technology is a concept for efficiently managing smart things such as vehicles, buildings, home appliances, healthcare systems and others, through the use of networks and the Internet. Smart architecture makes use of technologies such as the Internet of Things (IoT), fog computing, and cloud computing. The Smart Medical System (SMS), which is focused on communication networking and sensor devices, is one of the applications used in this architecture. In a smart medical system, a doctor uses cloud-based applications such as mobile devices, wireless body area networks, and other cloud-based apps to provide online therapy to patients. Consequently, with the advancement and growth of IoT and 6G wireless technology, privacy and security have emerged as two of the world’s most important issues. Recently, Sureshkumar et al. proposed an authentication scheme for medical wireless sensor networks (MWSN) by using an Elliptic Curve Cryptography (ECC) based lightweight authentication protocol and claimed that it provides better security for smart healthcare systems. This paper will demonstrate that this protocol is susceptible to attacks such as traceability, integrity contradiction, and de-synchronization with the complexity of one run of the protocol and a success probability of one. Furthermore, we also propose an ECC based authentication scheme called ECCbAS to address the Sureshkumar et al. protocol’s vulnerabilities and demonstrate its security using a variety of non-formal and formal methods.     

User Centric Block-Level Attribute Based Encryption in Cloud Using Blockchains

Cloud computing is a collection of distributed storage Network which can provide various services and store the data in the efficient manner. The advantages of cloud computing is its remote access where data can accessed in real time using Remote Method Innovation (RMI). The problem of data security in cloud environment is a major concern since the data can be accessed by any time by any user. Due to the lack of providing the efficient security the cloud computing they fail to achieve higher performance in providing the efficient service. To improve the performance in data security, the block chains are used for securing the data in the cloud environment. However, the traditional block chain technique are not suitable to provide efficient security to the cloud data stored in the cloud. In this paper, an efficient user centric block level Attribute Based Encryption (UCBL-ABE) scheme is presented to provide the efficient security of cloud data in cloud environment. The proposed approach performs data transaction by employing the block chain. The proposed system provides efficient privacy with access control to the user access according to the behavior of cloud user using Data Level Access Trust (DLAT). Based on DLAT, the user access has been restricted in the cloud environment. The proposed protocol is implemented in real time using Java programming language and uses IBM cloud. The implementation results justifies that the proposed system can able to provide efficient security to the data present in and cloud and also enhances the cloud performance.     

云计算环境下的P2P流量识别

由于内存限制使得单机环境下的P2P流量识别方法只能对小规模数据集进行处理,并且基于朴素贝叶斯分类的识别方法所使用的属性特征均为人工选择,因此,识别率受到了限制并且缺乏客观性。基于以上问题分析提出了云计算环境下的朴素贝叶斯分类算法并改进了在云计算环境下属性约简算法,结合这两个算法实现了对加密P2P流量的细粒度识别。实验结果表明该方法可以高效处理大数据集网络流量,并且有很高的P2P流量识别率,同时结果也具备客观性。     

A survey on security challenges in cloud computing: issues,threats, and solutions

Cloud computing has gained huge attention over the past decades because of continuously increasing demands. There are several advantages to organizations moving toward cloud-based data storage solutions. These include simplified IT infrastructure and management, remote access from effectively anywhere in the world with a stable Internet connection and the cost efficiencies that cloud computing can bring. The associated security and privacy challenges in cloud require further exploration. Researchers from academia, industry, and standards organizations have provided potential solutions to these challenges in the previously published studies. The narrative review presented in this survey provides cloud security issues and requirements, identified threats, and known vulnerabilities. In fact, this work aims to analyze the different components of cloud computing as well as present security and privacy problems that these systems face. Moreover, this work presents new classification of recent security solutions that exist in this area. Additionally, this survey introduced various types of security threats which are threatening cloud computing services and also discussed open issues and propose future directions. This paper will focus and explore a detailed knowledge about the security challenges that are faced by cloud entities such as cloud service provider, the data owner, and cloud user.

     

云计算中基于可转换代理签密的可证安全的认证协议

云用户与公有云之间的双向认证是云计算中用户访问公有云的重要前提.2011年,Juang等首次提出了云计算环境下采用代理签名的认证协议,其优点是用户只需到私有云中注册,然后在私有云的帮助下通过公有云的认证.但是,该方案存在3个缺陷:1)为保护用户的隐私,每次会话都需更新用户公钥;2)当私有云中的许多用户同时登录不同的公有云时,私有云会遭遇网络拥堵;3)用户的私有云与访问的公有云之间需要预先共享秘密.为弥补上述不足,提出了一种保护用户隐私的可证安全的可转换代理签密方案,基于该方案设计了一种一轮云计算认证协议.新方案的优点在于用户向私有云注册后,就能通过公有云的认证,而不需要私有云的帮助,并且它还能保护用户的隐私性、抗抵赖性.协议不需要在每次会话开始前更新用户公钥,同时私有云与访问的公有云之间不再需要预先共享秘密.在随机谕言机模型下证明了新协议的安全性,并且比较说明新协议在效率方面优于Juang等的协议.     

A hybrid solution for privacy preserving medical data sharing in the cloud environment

Storing and sharing of medical data in the cloud environment, where computing resources including storage is provided by a third party service provider, raise serious concern of individual privacy for the adoption of cloud computing technologies. Existing privacy protection researches can be classified into three categories, i.e., privacy by policy, privacy by statistics, and privacy by cryptography. However, the privacy concerns and data utilization requirements on different parts of the medical data may be quite different. The solution for medical dataset sharing in the cloud should support multiple data accessing paradigms with different privacy strengths. The statistics or cryptography technology alone cannot enforce the multiple privacy demands, which blocks their application in the real-world cloud. This paper proposes a practical solution for privacy preserving medical record sharing for cloud computing. Based on the classification of the attributes of medical records, we use vertical partition of medical dataset to achieve the consideration of different parts of medical data with different privacy concerns. It mainly includes four components, i.e., (1) vertical data partition for medical data publishing, (2) data merging for medical dataset accessing, (3) integrity checking, and (4) hybrid search across plaintext and ciphertext, where the statistical analysis and cryptography are innovatively combined together to provide multiple paradigms of balance between medical data utilization and privacy protection. A prototype system for the large scale medical data access and sharing is implemented. Extensive experiments show the effectiveness of our proposed solution.     

医疗健康大数据隐私保护综述

随着智能移动设备普及化、医疗设备数字化及电子病历结构化的推进,医疗数据呈现爆发增长的特点.在深入研究探讨医疗大数据发展规律,提高对医疗大数据真实价值的认识的同时,如何有效保护数据的隐私安全现已成为广受关注的重要议题.医疗大数据自身特点以及存储环境等都为隐私保护带来了不小的挑战.首先,介绍了医疗大数据的相关概念以及特点....     

工业互联网中增强安全的云存储数据访问控制方案

在工业互联网应用中,由于异构节点计算和存储能力的差异,通常采用云方案提供数据存储和数据访问服务.云存储中的访问控制如扩展多权限的云存储数据访问控制方案(NEDAC-MACS),是保证云存储中数据的安全和数据隐私的基石.给出了一种攻击方法来证明NEDAC_MACS中,被撤销的用户仍然可以解密NEDAC-MACS中的新密文;并提出了一种增强NEDAC-MACS安全性的方案,该方案可以抵抗云服务器和用户之间的合谋攻击;最后通过形式密码分析和性能分析表明,该方案能够抵抗未授权用户之间以及云服务器与用户之间的合谋攻击,保证前向安全性、后向安全性和数据保密性.     

A protocol for establishing secure communication channels in alarge network

Knowledge exchange and information access in a truly distributed network often require transmitting of data through open media. Consequently, data presented through such an environment are vulnerable to attacks. To minimize such vulnerability, data transformation or encryption/decryption techniques are often utilized among senders and receivers to achieve secure communication. Since data encryption/decryption requires sharing of a secret session key, finding an efficient way to distribute the session key in a large-scale, truly distributed network has been a nontrivial task. This paper presents a protocol for efficiently distributing session keys in such an environment to establish a secure channel. We assume the target network consists of many locally trusted centers, and each center has many users attached to it. The scheme incorporates the public-key distribution concept and the RSA encryption scheme as the basic mathematical tools, but eliminates the storage problem associated with huge public-key files. In addition, the proposed scheme has the added feature of providing the authenticate session key to the two parties in a secure communication     

Hash message authentication codes for securing data in wireless body area networks

There are numerous medical applications for the growing use of wireless body area networks (WBANs), including remote patient health monitoring, early illness detection, and computer-assisted rehabilitation. WBAN links many sensor nodes implanted or affixed to the human body to monitor physiological data. WBAN technology has the potential to benefit medical healthcare systems tremendously. However, the gathering and transferring sensitive physiological data in an unprotected environment raises severe security and privacy concerns. The limited resources and broadcast transmission of a WBAN pose grave safety issues in biomedical applications. Keeping sensitive patient data safe during broadcasts is critical in the healthcare business. As a result of the massive memory and processing requirements required by traditional public or private key architectures, tiny sensor nodes cannot use them. WBAN sensor nodes can communicate securely using the KHMAC key-agreement technique proposed in this article. Measurements and confirmations of shared physiological parameters at the transmitter and recipient sensors are key to the proposed protocol KHMAC before communication is established. The proposed KHMAC protocol enables sensors to use their prior session knowledge for secure communication within a predetermined time window. This will shorten the time it takes to establish a shared key, prevent the retransmission of extracted characteristics in the medium and eavesdropping attacks, and preserve the unpredictability of the key. Both the feature extraction and key agreement stages will be shown to have higher precision and lower error rates with KHMAC's proposed key management methodology. The proposed protocol is proven to be more energy and memory efficient than existing key agreement systems.