Found 20 similar documents (search took 30 ms)
1.
To protect the security of data stored in the cloud by group users, a data integrity verification scheme was designed that protects the privacy of the group users. The scheme can efficiently check the shared data in the cloud and supports dynamic updating of the data, and it uses the properties of ring signatures to hide the identity of the signer of each data block. That is, the third-party verifier cannot learn the users' identity or other private information during validation. An aggregated approach is used to generate data labels, which reduces the storage cost of labels and supports dynamic operations on group data, so that users in the group can easily modify the group data in the cloud.
2.
With the rapid development of cloud storage, more and more users are storing their data in the cloud. One effective method for verifying whether users' data stored in the cloud is corrupted is to adopt cloud storage integrity checking schemes. An identity-based cloud storage integrity checking scheme was proposed based on the small integer solution problem over ideal lattices, and it was proven to be secure against adaptive identity attacks by clouds in the random oracle model. To validate the efficiency of the scheme, extensive experiments were conducted to compare its performance with two existing identity-based cloud storage integrity checking schemes. The experimental results show that the online tag-generation time and the proof-verification time of the scheme are reduced by 88.32%~93.74% and 98.81%~99.73% respectively.
3.
To solve the problem of data integrity in cloud storage, an aggregated privacy-preserving auditing scheme was proposed. To preserve data privacy against the auditor, the data proof and tag proof were encrypted and combined on the cloud server using the bilinearity property of the bilinear pairing. Furthermore, an efficient index mechanism was designed to support dynamic auditing, ensuring that data update operations do not lead to high additional computation or communication cost. Meanwhile, an aggregation method for different proofs was designed to handle multiple auditing requests, so the proposed scheme also supports batch auditing for multiple owners, multiple clouds and multiple files. The communication cost of batch auditing is independent of the number of auditing requests. The theoretical analysis and experimental results show that the proposed scheme is provably secure. Compared with the existing auditing scheme, the efficacy of the proposed individual auditing and batch auditing improves by 21.5% and 31.8% respectively.
4.
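Owing to the inevitability of the social division of labor and of resource sharing, public cloud platforms are bound to become national infrastructure as important as the power grid and the Internet. The security problems facing cloud computing restrict its widespread use. Data security is particularly important in cloud computing, and how to guarantee the security of data is the core of cloud computing security. Existing research is classified and summarized from four aspects: privacy-preserving computation on data, integrity authentication of data processing results, data access permission control, and the physical security of data, providing a reference for subsequent research on data security in cloud computing.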
5.
6.
To solve the problem that the communication overhead of data updates is too large in network-coding-based cloud storage systems, a new differential data update scheme was proposed. By encoding and compressing the updated part of a file, the communication overhead was reduced significantly. A network-coding-based storage prototype system was designed and implemented, and the update scheme was deployed in real network settings. Experimental results show that the proposed scheme has less communication overhead and better scalability than the existing schemes.
7.
More and more users choose to transfer their applications and data into the cloud. Data security is a key issue for cloud storage systems. To ensure the integrity and validity of the data stored in the cloud, a provable data possession (PDP) scheme is particularly important. To verify whether the cloud storage service provider has stored the user's data completely, a scheme based on NRPDP (non-repudiable PDP) was improved and extended, and a data retention scheme based on public authentication and private authentication was proposed. The scheme can verify the trustworthiness of the service provider and of the user in cloud storage at the same time, which satisfies the non-repudiation of the verification. The non-repudiation of the proposed scheme is proved theoretically. Experiments show that the efficiency of each stage is better than that of the existing single public verification method or private authentication method.
8.
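Considering the application requirements of multi-replica data security and dynamic data updates, a multi-replica provable data possession scheme supporting dynamic data updates is proposed. In this scheme, the original data file is dynamically updated and managed using a dynamic authentication structure, while the other replicas record dynamic data updates by appending log records, and public aggregated verification is supported. If the original data file or replica data is damaged or lost, it can be restored to the latest state. The security, communication performance and storage performance of the scheme are analyzed, and the results show that the new scheme is efficient and secure.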
9.
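"Assured deletion" technology aims to guarantee the assured deletion of expired or backup data on cloud servers, so that the data is completely deleted or can never again be decrypted or accessed, protecting the privacy of users' data. However, existing schemes delete only the key, while the ciphertext in the cloud remains complete; once the key is stolen, data privacy is threatened, so assured deletion in the "true" sense is not achieved. To address this problem, a scheme based on ciphertext sampling and slicing is proposed to achieve assured deletion of cloud data. Using the idea of ciphertext sampling and slicing, the cloud stores an incomplete ciphertext, so that high confidentiality of the data is guaranteed even if the key is leaked. Destroying the sampled ciphertext also achieves immediate assured deletion of the cloud data. Theoretical analysis and experimental results show that the proposed method meets the requirements for assured deletion of confidential data in cloud storage systems, and provides higher security than existing schemes while keeping performance overhead low.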
10.
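Current cloud platform data storage schemes ignore data duplication and tend to produce large amounts of redundant data. To optimize data storage performance, a data storage scheme is designed on a PaaS cloud platform and put into application. Redundant data on the cloud platform is pruned by partition, the weight factor of the remaining data in each partition is calculated, the data storage order on the PaaS cloud platform is designed based on the weight factors, and the data storage scheme is generated dynamically. The virtual environment emulation system of Proxmox VE is used as the virtual node, and through the underlying servers...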
11.
Based on the provable data possession (PDP) model, a more complete data integrity checking model for mobile cloud computing was proposed, in which an additional proxy party with stronger computing power helps the mobile users to calculate the block tags. Furthermore, for the proposed model, an identity-based proxy signature PDP (IBPS-PDP) protocol was presented. By using identity-based signatures, the system does not need to manage public key certificates, and the users do not need to perform additional computations to verify each other's certificates. Finally, the security of the proposed IBPS-PDP protocol is proved in the random oracle model.
12.
13.
14.
Wei Song, Yu Wu, Yihui Cui, Qilie Liu, Yuan Shen, Zicheng Qiu, Jianjun Yao, Zhiyong Peng. Digital Communications & Networks, 2022, 8(1): 33-43
Cloud data sharing service, which allows a group of people to access and modify the shared data, is one of the most popular and efficient working styles in enterprises. Recently, there has been a rising trend for enterprises to move their IT services from local infrastructure to the cloud to ease management and reduce cost. Under the new cloud environment, cloud users require data integrity verification to inspect the data service at the cloud side. Several recent studies have focused on this application scenario. In these studies, each user within a group is required to sign the data blocks he creates or modifies. When a user is revoked, all the data previously signed by him should be re-signed. In the existing research, the re-signing process is dependent on the revoked user. However, cloud users are autonomous. They may exit the system at any time without notifying the system admin, and may even be revoked due to misbehavior. Like the developers on a cloud-based software development platform, they are voluntary and not strictly controlled by the system. Due to this feature, cloud users may not always follow the cloud service protocol. They may not participate in generating the re-signing key and may even expose their secret keys after being revoked. If the signature is not re-signed in time, the subsequent verification will be affected. And if the secret key is exposed, the shared data can be maliciously modified by an attacker who obtains the key. Therefore, forcing a revoked user to participate in the revocation process will lead to efficiency and security problems. As a result, designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable. In this paper, we identify this challenging problem as asynchronous revocation, in which the revocation operations (i.e., re-signing key generation and the re-signing process) and the user's revocation are asynchronous. All the revocation operations must be able to be performed without the participation of the revoked user. Even more ambitiously, the revocation process should not rely on any special entity, such as the data owner or a trusted agency. To address this problem, we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user are re-signed by another valid user. From the perspectives of security and practicality, the revoked user does not participate in the re-signing process or the re-signing key generation. Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags (HVTs). Moreover, the proposed scheme resists the collusion attack between the cloud server and malicious revoked users. The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme. The experimental results show that re-signing 10,000 data blocks takes only 3.815 s and a user can finish the verification in 300 ms with a 99% error detection probability.
15.
16.
At the end of the data life cycle there is still a risk of data leakage, because most data stored in the cloud is removed only by logical deletion of the key. Therefore, a cloud data assured deletion scheme (WV-CP-ABE) based on ciphertext re-encryption and overwrite verification was proposed. First, when the data owner wants to delete the outsourced data, fine-grained deletion is realized by re-encrypting the ciphertext to change the access control policy. Secondly, a searchable path hash binary tree (DSMHT) based on dirty data block overwriting was built to verify the correctness of the data to be deleted. Finally, the dual mechanism of changing the ciphertext access control policy and overwriting the data guarantees assured deletion. The experimental analysis shows that, for assured deletion of data, the fine-grained control is better and the security is more reliable than with the previous logical deletion method.
17.
Research on resource management in cloud computing environments. Total citations: 1, self-citations: 0, citations by others: 1
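First, it is pointed out that high-performance, large-scale cloud computing resources are the basic condition for realizing cloud computing services, and that how to manage and allocate these vast resources is the follow-on problem that cloud computing services must solve. Second, the analysis shows that cloud computing resource management mainly divides into resource management for data storage; that the storage layer, basic management layer, application interface layer and access layer constitute the four-layer structural model of a cloud storage system; that cloud security is an important aspect of storage technology; and that cloud resource scheduling includes resource discovery, scheduling organization, scheduling policy, state evaluation and the rescheduling of resources. Finally, corresponding resource management techniques are proposed for problems that urgently need to be solved, such as information storage security, service reliability, large-scale privacy leakage, and the portability and compatibility of resources.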
18.
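To solve the problem of storing the massive data generated when troops are in combat, an experiment was carried out on a cloud-computing-based combat data storage system. In practical application, the scheme overcomes the shortcomings of current storage methods well and effectively improves the combat efficiency of troops.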
19.
Medical data access control scheme based on the PBAC model and IBE. Total citations: 1, self-citations: 0, citations by others: 1
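The medical big data formed in the healthcare field contains a large amount of personal private information and faces the latent security risks of external attack and internal leakage. Traditional access control models do not consider the important role that the user's access purpose plays in privacy-focused access control, and existing symmetric and asymmetric encryption techniques all suffer from complex key management and certificate management. To address these problems, an access control scheme combining the PBAC model and IBE encryption is proposed, supporting flexible access control over medical data ciphertext. The PBAC model is extended by adding the concept of conditional purpose, achieving full coverage of the purpose tree. Patient data is encrypted using the patient ID, the conditional access bit and the intended purpose as the IBE identity public key; only users who pass authentication and whose access purpose matches the intended purpose can obtain the corresponding private key and the encrypted data, and thereby access the patient information. Experimental results demonstrate that the scheme achieves fine-grained access control and privacy protection, with good performance.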