ACDAS: Authenticated controlled data access and sharing scheme for cloud storage

Cloud storage services require cost‐effective, scalable, and self‐managed secure data management functionality. Public cloud storage always enforces users to adopt the restricted generic security consideration provided by the cloud service provider. On the contrary, private cloud storage gives users the opportunity to configure a self‐managed and controlled authenticated data security model to control the accessing and sharing of data in a private cloud. However, this introduces several new challenges to data security. One critical issue is how to enable a secure, authenticated data storage model for data access with controlled data accessibility. In this paper, we propose an authenticated controlled data access and sharing scheme called ACDAS to address this issue. In our proposed scheme, we employ a biometric‐based authentication model for secure access to data storage and sharing. To provide flexible data sharing under the control of a data owner, we propose a variant of a proxy reencryption scheme where the cloud server uses a proxy reencryption key and the data owner generates a credential token during decryption to control the accessibility of the users. The security analysis shows that our proposed scheme is resistant to various attacks, including a stolen verifier attack, a replay attack, a password guessing attack, and a stolen mobile device attack. Further, our proposed scheme satisfies the considered security requirements of a data storage and sharing system. The experimental results demonstrate that ACDAS can achieve the security goals together with the practical efficiency of storage, computation, and communication compared with other related schemes.     

一种有效率的方法用于检测云中数据的完整性(英文)

Cloud computing and storage services allow clients to move their data center and applications to centralized large data centers and thus avoid the burden of local data storage and maintenance.However,this poses new challenges related to creating secure and reliable data storage over unreliable service providers.In this study,we address the problem of ensuring the integrity of data storage in cloud computing.In particular,we consider methods for reducing the burden of generating a constant amount of metadata at the client side.By exploiting some good attributes of the bilinear group,we can devise a simple and efficient audit service for public verification of untrusted and outsourced storage,which can be important for achieving widespread deployment of cloud computing.Whereas many prior studies on ensuring remote data integrity did not consider the burden of generating verification metadata at the client side,the objective of this study is to resolve this issue.Moreover,our scheme also supports data dynamics and public verifiability.Extensive security and performance analysis shows that the proposed scheme is highly efficient and provably secure.     

Multiuser access control searchable privacy‐preserving scheme in cloud storage

Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is a effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given trusted third party to perform for reducing the computation time of the data owner. Second, using CP‐ABE scheme, trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list, the ciphertext can be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy sever before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.     

Cross-domain data cloud storage auditing scheme based on certificateless cryptography

With the development of Internet of things (IoT), more and more intelligent terminal devices outsource data to cloud servers (CSs). However, the CS is not fully trusted, and the heterogeneity among different domains makes it difficult for third-party auditor (TPA) to conduct an efficient integrity auditing of outsourced data. Therefore, the cross-domain data cloud storage auditing scheme based on certificateless cryptography is proposed, which can effectively avoid the big burden of certificate management or key escrow problems in identity-based cryptography. At the same time, TPA can effectively audit the integrity of outsourced data in different domains. Formal security proof and analysis show that the cloud storage auditing scheme satisfies the security and privacy requirements. Performance analysis demonstrates that the efficiency is acceptable.     

支持策略隐藏且密文长度恒定的可搜索加密方案

属性加密体制是实现云存储中数据灵活访问控制的关键技术之一,但已有的属性加密方案存在密文存储开销过大和用户隐私泄露等问题,并且不能同时支持云端数据的公开审计.为了解决这些问题,该文提出一个新的可搜索属性加密方案,其安全性可归约到q-BDHE问题和CDH问题的困难性.该方案在支持关键词搜索的基础上,实现了密文长度恒定;引入...     

A survey on blockchain-based integrity auditing for cloud data

With the rapid advancement of cloud computing, cloud storage services have developed rapidly. One issue that has attracted particular attention in such remote storage services is that cloud storage servers are not enough to reliably save and maintain data, which greatly affects users’ confidence in purchasing and consuming cloud storage services. Traditional data integrity auditing techniques for cloud data storage are centralized, which faces huge security risks due to single-point-of-failure and vulnerabilities of central auditing servers. Blockchain technology offers a new approach to this problem. Many researchers have endeavored to employ the blockchain for data integrity auditing. Based on the search of relevant papers, we found that existing literature lacks a thorough survey of blockchain-based integrity auditing for cloud data. In this paper, we make an in-depth survey on cloud data integrity auditing based on blockchain. Firstly, we cover essential basic knowledge of integrity auditing for cloud data and blockchain techniques. Then, we propose a series of requirements for evaluating existing Blockchain-based Data Integrity Auditing (BDIA) schemes. Furthermore, we provide a comprehensive review of existing BDIA schemes and evaluate them based on our proposed criteria. Finally, according to our completed review and analysis, we explore some open issues and suggest research directions worthy of further efforts in the future.     

基于属性加密的高效密文去重和审计方案

针对当前支持去重的属性加密方案既不支持云存储数据审计,又不支持过期用户撤销,且去重搜索和用户解密效率较低的问题,该文提出一种支持高效去重和审计的属性加密方案。该方案引入了第3方审计者对云存储数据的完整性进行检验,利用代理辅助用户撤销机制对过期用户进行撤销,又提出高效去重搜索树技术来提高去重搜索效率,并通过代理解密机制辅助用户解密。安全性分析表明该方案通过采用混合云架构,在公有云达到IND-CPA安全性,在私有云达到PRV-CDA安全性。性能分析表明该方案的去重搜索效率更高,用户的解密计算量较小。     

Attribute-Based Access Control with Efficient and Secure Attribute Revocation for Cloud Data Sharing Service

Nowadays, there is the tendency to outsource data to cloud storage servers for data sharing purposes. In fact, this makes access control for the outsourced data a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution for this challenge. It gives the data owner (DO) direct control on access policy and enforces the access policy cryptographically. However, the practical application of CP-ABE in the data sharing service also has its own inherent challenge with regard to attribute revocation. To address this challenge, we proposed an attribute-revocable CP-ABE scheme by taking advantages of the over-encryption mechanism and CP-ABE scheme and by considering the semi-trusted cloud service provider (CSP) that participates in decryption processes to issue decryption tokens for authorized users. We further presented the security and performance analysis in order to assess the effectiveness of the scheme. As compared with the existing attribute-revocable CP-ABE schemes, our attribute-revocable scheme is reasonably efficient and more secure to enable attribute-based access control over the outsourced data in the cloud data sharing service.     

基于多分支认证树的多用户多副本数据持有性证明方案

在云存储环境下,如何高效、动态地完成对多用户多副本数据的完整性验证是一个挑战性问题。基于双线性代数映射的签名机制和多分支认证树特性,提出了一种新的多用户多副本数据持有性证明方案。该方案通过使用随机掩码技术对密文进行处理确保数据隐私性,采用多分支认证树来提高数据分块的签名效率,能够支持数据动态更新操作。此外,引入第三方审计者对多用户多副本数据进行批量审计以减少计算开销。最后,分析表明本方案具有较高的安全性和效率。     

基于联盟链的云存储完整性审计机制研究

针对云存储完整性审计公正性问题,提出一种基于联盟区块链的云存储完整性审计模型(CSACB,Cloud Storage Integrity Auditing Model Based on Consortium Blockchains).首先,该模型以树型结构描述审计联盟(AC,Audit Consortium)构成,同时利用层级证书链(LCC,Layer Certificate Chain)对联盟成员进行身份标识和权限控制.其次,采用完整性审计链与动态操作链的双链形式支持可变云存储审计.最后,利用智能合约(SC,Smart Contract)并结合数据块标签索引机制构建公正的动态操作审计模型,理论分析和实验结果表明该模型在安全性和性能上具备明显优势.     

基于DDCT表的多副本完整性审计方案

在云存储环境下,云数据采用多副本存储已经成为一种流行的应用.针对恶意云服务提供商威胁云副本数据安全问题,提出一种基于DDCT（Dynamic Divide and Conquer Table）表的多副本完整性审计方案.首先引入DDCT表来解决数据动态操作问题,同时表中存储副本数据的块号、版本号和时间戳等信息;接下来为抵制恶意云服务商攻击,设计一种基于时间戳的副本数据签名认证算法;其次提出了包括区块头和区块体的副本区块概念,区块头存储副本数据基于时间戳识别认证的签名信息,区块体存放加密的副本数据;最后委托第三方审计机构采用基于副本时间戳的签名认证算法来审计云端多副本数据的完整性.通过安全性分析和实验对比,本方案不仅有效的防范恶意存储节点之间的攻击,而且还能防止多副本数据泄露给第三方审计机构.     

云存储环境下的密文安全共享机制

With the convenient of storing and sharing data in cloud storage environment,the concerns about data security arised as well.To achieve data security on untrusted servers,user usually stored the encrypted data on the cloud storage environment.How to build a cipertext-based access control scheme became a pot issue.For the access control problems of ciphertext in cloud storage environment,a CP-ABE based data sharing scheme was proposed.Novel key generation and distribution strategies were proposed to reduce the reliance on a trusted third party.Personal information was added in decryption key to resistant conclusion attacks at the same time.Moreover,key revocation scheme was proposed to provide the data backward secrecy.The security and implement analysis proves that proposed scheme is suit for the real application environment.     

云存储中数据完整性的聚合盲审计方法

To solve the problem of data integrity in cloud storage,an aggregated privacy-preserving auditing scheme was proposed.To preserve data privacy against the auditor,data proof and tag proof were encrypted and combined by using the bilinearity property of the bilinear pairing on the cloud server.Furthermore,an efficient index mechanism was designed to support dynamic auditing,which could ensure that data update operations did not lead to high additional computation or communication cost.Meanwhile,an aggregation method for different proofs was designed to handle multiple auditing requests.Thus the proposed scheme could also support batch auditing for multiple owners and multiple clouds and multiple files.The communication cost of batch auditing was independent of the number of auditing requests.The theoretical analysis and experimental results show that the proposed scheme is provably secure.Compared with existing auditing scheme,the efficacy of the proposed individual auditing and batch auditing improves 21.5% and 31.8% respectively.     

Privacy-Preserving Public Auditing for Non-manager Group Shared Data

By the widespread use of cloud storage service, users get a lot of conveniences such as low-price file remote storage and flexible file sharing. The research points in cloud computing include the verification of data integrity, the protection of data privacy and flexible data access. The integrity of data is ensured by a challenge-and-response protocol based on the signatures generated by group users. Many existing schemes use group signatures to make sure that the data stored in cloud is intact for the purpose of privacy and anonymity. However, group signatures do not consider user equality and the problem of frameability caused by group managers. Therefore, we propose a data sharing scheme PSFS to support user equality and traceability meanwhile based on our previous work HA-DGSP. PSFS has some secure properties such as correctness, traceability, homomorphic authentication and practical data sharing. The practical data sharing ensures that the data owner won’t loss the control of the file data during the sharing and the data owner will get effective incentive of data sharing. The effective incentive is realized by the technology of blockchain. The experimental results show that the communication overhead and computational overhead of PSFS is acceptable.     

Cloud Dynamic Scheduling for Multimedia Data Encryption Using Tabu Search Algorithm

The cloud computing is interlinked with recent and out-dated technology. The cloud data storage industry is earning billion and millions of money through this technology. The cloud remote server storage is on-demand technology. The cloud users are expecting higher quality in minimal cost. The quality of service is playing a vital role in any latest technology. The cloud user always depends on thirty party service providers. This service provider is facing higher competition. The customer is choosing a service based on two parameters one is security and another one is cost. The reason behind this is all our personal data is stored on some third party server. The customer is expecting higher security level. The service provider is choosing many techniques for data security, best one is encryption mechanism. This encryption method is having many algorithms. Then again one problem is raised, that is which algorithm is best for encryption. The prediction of algorithm is one of major task. Each and every algorithm is having unique advantage. The algorithm performance is varying depends on file type. The proposed method of this article is to solve this encryption algorithm selection problem by using tabu search concept. The proposed method is to ensure best encryption method to reducing the average encode and decode time in multimedia data. The local search scheduling concept is to schedule the encryption algorithm and store that data in local memory table. The quality of service is improved by using proposed scheduling technique.

     

云数据安全研究进展

云数据安全问题是制约云计算发展的重要因素之一.该文综述了云数据安全方面的研究进展,将云数据安全所涉及的云身份认证、云访问控制、云数据安全计算、虚拟化安全技术、云数据存储安全、云数据安全删除、云信息流控制、云数据安全审计、云数据隐私保护及云业务可持续性保障10方面相关研究工作纳入到物理资源层、虚拟组件层及云服务层所构成的云架构中进行总结和分析;并给出了相关技术的未来发展趋势.     

云数据安全研究进展

云数据安全问题是制约云计算发展的重要因素之一.该文综述了云数据安全方面的研究进展,将云数据安全所涉及的云身份认证、云访问控制、云数据安全计算、虚拟化安全技术、云数据存储安全、云数据安全删除、云信息流控制、云数据安全审计、云数据隐私保护及云业务可持续性保障10方面相关研究工作纳入到物理资源层、虚拟组件层及云服务层所构成的...     

基于Ceph对象存储的云网盘设计与实现

针对基于传统NAS存储实现云网盘存在扩展性差,响应性能低、数据不可靠性、安全性低等问题,提出一种基于Ceph分布式对象存储系统构建高性能、高可靠、可扩展的云网盘设计与实现方案,底层基于X86服务器作为Ceph存储集群池,通过设计多对象网关发布对象存储服务,采用软负载均衡,提升云网盘请求响应吞吐能力,并集成基于Token认证系统实现对象数据的隔离与安全。经实验测试表明,该设计实现方案可满足现实应用需求。     

Secure Data Access and Sharing Scheme for Cloud Storage

Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

     

Secure deduplication and integrity audit system based on convergent encryption for cloud storage

Cloud storage applications quickly become the best choice of the personal user and enterprise storage with its convenience,scalability and other advantages,secure deduplication and integrity auditing are key issues for cloud storage.At first,convergent key encapsulation/decoupling algorithm based on blind signature was set up,which could securely store key and enable it to deduplicate.Besides,a BLS signature algorithm based on convergence key was provided and use TTP to store public key and proxy audit which enables signature and pubic key deduplication and reduces client storage and computing overhead.Finally,cloud-based secure deduplicaion and integrity audit system was designed and implemented.It offered user with data privacy protection,deduplication authentication,audit authentication services and lowered client and cloud computation overhead.