Similar literature
Found 18 similar documents (search time: 140 ms)
1.
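Privacy protection is a hot topic in information security. Privacy issues in attribute-based encryption (ABE) can be divided into data content privacy, policy privacy, and attribute privacy. To address the privacy protection requirements of data content, policy, and attributes, this paper proposes a privacy-preserving attribute-based encryption scheme (PPES) based on inner-product predicates. The proposed scheme relies on the confidentiality of the encryption algorithm to protect data content privacy, and uses a vector commitment protocol to construct blinding methods for policy attributes and user attributes, thereby achieving policy privacy and attribute privacy. Based on hybrid argument techniques, the paper proves that the proposed scheme achieves adaptive chosen-plaintext security in the standard model and provides commitment unforgeability. Performance analysis shows that the proposed scheme runs more efficiently than existing methods.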

2.
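To ensure the security of user data and privacy in cloud storage, an attribute-based, security-enhanced access control scheme for cloud storage is proposed. By sharing a common attribute set, attribute-based encryption (ABE) is integrated with the XACML framework: fine-grained attribute-based access control is implemented on the XACML framework, and ABE guarantees data confidentiality. Because ABE is inefficient for large volumes of data, the confidentiality of massive sensitive data in cloud storage is provided by a symmetric cryptosystem, and ABE is used only to protect the much smaller symmetric key. Experimental analysis shows that the scheme not only ensures the confidentiality of user data and privacy but also outperforms other comparable systems.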

3.
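Because traditional access control schemes cannot protect users' attribute privacy in a cloud computing environment, a privacy-preserving access control scheme for cloud storage is proposed. A hybrid encryption scheme provides data confidentiality: a symmetric key encrypts the plaintext data, and a public-key cryptosystem then encrypts the symmetric key. In the new access control scheme, the public-key encryption uses anonymous ciphertext-policy attribute-based encryption. Security analysis shows that the new scheme protects users' attribute privacy while achieving chosen-plaintext security, and resists collusion attacks by malicious users and the cloud storage server.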

4.
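Although traditional attribute-based encryption schemes achieve one-to-many access control, they still face challenges such as single points of failure, low efficiency, lack of support for data sharing, and privacy leakage. To address these problems, a blockchain-based ciphertext-policy-hiding access control scheme that supports data sharing is proposed. Using prime-order bilinear groups and an AND-gate access structure with positive and negative signs, the scheme achieves fine-grained access control while avoiding leakage of users' attribute values. Ethereum and the InterPlanetary File System are combined to solve the user attribute revocation problem and the single point of failure in the cloud storage model, and data sharing is achieved through proxy re-encryption. The security of the proposed scheme is proved based on hardness assumptions. Simulation results show that the proposed scheme achieves policy hiding with high efficiency.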

5.
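To address the data security and privacy protection problems caused by the centralization of cloud storage, this paper proposes a cloud-assisted ciphertext-policy attribute-based (CP-ABE) data sharing encryption scheme on the blockchain. The scheme uses attribute-based encryption to encrypt the symmetric key that encrypts the data files and uploads it to the cloud server, achieving data security and fine-grained access control; it uses searchable encryption to encrypt keywords and uploads the keyword ciphertext to the blockchain (BC), and the block...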

6.
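In distributed applications, it is difficult to obtain a group's size and its members' identities all at once without compromising user privacy, whereas traditional public-key encryption must encrypt with the public key of every member of the receiving group before distribution and therefore requires the identity of every member of that group. To resolve this conflict, the paper presents the design and implementation of an access control system based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption). Because CP-ABE is broadcast-style and its authorized recipients are determined by whether they satisfy certain conditions, the scheme can apply fine-grained access control to shared data while preserving access control security and user privacy, and it reduces the sharing overhead and the number of encryptions. Practical use in two systems developed by the authors' organization further demonstrates the correctness and advantages of the scheme.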

7.
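YAN Xixi, GENG Tao. Journal on Communications (《通信学报》), 2014, 35(8): 10-77
To solve the data distribution problem in sensitive-data-sharing applications and improve the security of data sharing, a combined access control mechanism that integrates attribute-based encryption with usage control is proposed. On one hand, the mechanism uses attribute-based encryption to ensure the confidentiality of data during storage and distribution, and controls the scope in which sensitive data is shared through flexible and extensible access control policies. On the other hand, it uses usage control to govern user permissions, preventing legitimate users from performing illegal operations on sensitive data and addressing the abuse of privileges among sharing users. Finally, the security and performance of the mechanism are analyzed; it significantly reduces the workload of the server side, and its effectiveness is tested experimentally.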

8.
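In studying privacy protection for cloud storage users of information service centers, attribute-based encryption is a promising approach that effectively meets requirements such as anonymous access and data encryption. However, attribute-based encryption schemes are suitable only for authenticated access to encrypted data in cloud storage services; deploying them in a cloud computing service access control environment is impractical. This article studies the security requirements of anonymous access control for cloud storage in big data centers, introduces the components of an attribute-based access control scheme, designs a security model for attribute-based k-times anonymous access control, describes the basic principles of the scheme, presents its workflow, and analyzes its security and efficiency.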

9.
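To meet the requirements of digital content security and user privacy protection in cloud computing environments, a privacy-preserving digital rights management scheme for cloud computing is proposed. A framework for full-lifecycle copyright protection of digital content and user privacy protection in cloud computing is designed, comprising four main protocols: system initialization, content encryption, license authorization, and content decryption. A protection and distribution mechanism for the content encryption key, based on attribute-based encryption and additively homomorphic encryption, ensures the security of the content encryption key. Users are allowed to order content from the cloud service provider and request authorization anonymously, which protects user privacy and prevents the cloud service provider, the authorization server, the key server, and others from collecting sensitive information such as users' usage habits. Compared with existing digital rights management schemes for cloud computing, the scheme protects content security and user privacy while supporting flexible access control as well as online and superdistribution application modes, making it practical in cloud computing environments.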

10.
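Information Technology (《信息技术》), 2019, (11): 46-51
Because cloud-based electronic medical record systems must share record data among different medical institutions, they face a great risk of patient medical data being leaked. This paper therefore proposes a two-stage access control model for electronic medical record systems, oriented toward access control and data encryption and signing. The model enforces attribute-based access control to achieve access control that is both flexible and fine-grained, and applies record document encryption and electronic signatures to improve the privacy and non-repudiation of record document data. The implementation of a system prototype and a security evaluation show that, compared with most current electronic medical record systems, the system model provides better data security.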

11.
Ciphertext-policy (CP) attribute-based encryption (ABE), or CP-ABE, is emerging as a promising technology for allowing users to conveniently access data in cloud computing. Unfortunately, it suffers from several drawbacks, such as decryption overhead, user revocation, and privacy preservation. The authors proposed a new efficient and privacy-preserving attribute-based broadcast encryption (ABBE) scheme, named EP-ABBE, that can reduce the decryption computation overhead through partial decryption and protect user privacy by obfuscating the access policy of the ciphertext and the user's attributes. Based on EP-ABBE, a secure and flexible personal data sharing scheme in cloud computing was presented, in which the data owner enjoys the flexibility of encrypting personal data using a specified access policy together with an implicit user index set. With the proposed scheme, efficient user revocation is achieved by dropping the revoked user's index from the user index set, which has very low computation cost. Moreover, user privacy is well protected in the scheme. The security and performance analysis shows that the scheme is secure, efficient, and privacy-preserving.

12.
Ciphertext-policy attribute-based searchable encryption (CP-ABSE) can achieve fine-grained access control for data sharing and retrieval, and secure deduplication can save storage space by eliminating duplicate copies. However, few schemes support both searchable encryption and secure deduplication. In this paper, a large-universe CP-ABSE scheme supporting secure block-level deduplication is proposed under a hybrid cloud mechanism. In the proposed scheme, after the ciphertext is inserted into a Bloom filter tree (BFT), the private cloud can perform fine-grained deduplication efficiently by matching tags, and the public cloud can search efficiently using a homomorphic searchable method and keyword matching. Finally, the proposed scheme achieves privacy under chosen distribution attacks block-level (PRV-CDA-B) secure deduplication and match-concealing (MC) searchable security. Compared with existing schemes, the proposed scheme has the advantage of supporting fine-grained access control, block-level deduplication, and efficient search simultaneously.

13.
Attribute-based fully homomorphic encryption scheme over rings (total citations: 1; self-citations: 0; citations by others: 1)
Fully homomorphic encryption has important applications in data security and privacy for cloud computing, but the secret keys and ciphertexts in most current homomorphic encryption schemes were too large, which restricted their practicality. To address these drawbacks, a recoding scheme and an attribute-based encryption scheme based on the learning with errors problem over rings were provided, and then an attribute-based fully homomorphic encryption scheme was constructed. The new scheme overcame the above-mentioned drawbacks because it did not need a public key certificate; meanwhile, it can achieve fine-grained access control over the ciphertext. Compared with similar results, the proposed method greatly decreases the size of keys and ciphertext.

14.
En ZHANG, Yaoyao PEI, Jiao DU. Journal on Communications (《通信学报》), 2018, 39(11): 129-137
To solve the problems that LWE-based proxy re-encryption schemes cannot achieve fine-grained access and have low efficiency, a ciphertext-policy attribute-based proxy re-encryption scheme was proposed. The scheme, based on a linear secret sharing scheme, RLWE, and attribute encryption, could shorten the key size, reduce the ciphertext space, and improve the efficiency of encryption and decryption. At the same time, the linear secret sharing matrix was used as an access matrix to meet the authorized person's requirements for fine-grained commissioning control and to resist collusion between the agent and the authorized person. In addition, the proposed scheme is shown to be secure under the ring learning with errors assumption in the standard model.

15.
Mobile healthcare (mHealth) is an emerging technology that facilitates the sharing of personal health records (PHR); however, it also brings risks to the security and privacy of PHR. Attribute-based encryption (ABE) is regarded as a new cryptographic technique to enhance fine-grained access control over encrypted data. However, existing attribute-based mHealth systems either lack an efficient traceable approach or support only a single authority. A traceable multi-authority attribute-based access control mHealth scheme was proposed, which was constructed over composite-order groups and supports any monotonic access structure described by a linear secret sharing scheme (LSSS). The adaptive security was proved under subgroup decisional assumptions. The traceability was proved under the k-strong Diffie-Hellman (k-SDH) assumption. The performance analysis indicates that the proposed scheme is efficient and available.

16.
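With the development of cloud computing, more and more users are using personal health record (PHR) cloud management systems. Because a PHR contains the patient's private information, it is usually encrypted before being uploaded to the cloud platform. Comparison-based encryption (CBE) implements time comparison in attribute-based access policies; however, CBE encryption time grows linearly with the number of attributes in the access policy, which makes its overhead too large, and the scheme has difficulty revoking a user's access rights in real time. This paper proposes a fine-grained access control scheme supporting user revocation (FGUR). By introducing an attribute hierarchy into CBE and combining it with broadcast ciphertext-policy attribute-based encryption (BCP-ABE), the scheme efficiently achieves fine-grained access control and real-time user revocation in PHR cloud management systems. Experimental results show that, compared with CBE, the FGUR scheme performs better in encryption overhead and dynamic access rights.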

17.

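In recent years, searchable encryption and attribute-based encryption with fine-grained access control have been widely used in cloud storage environments. Existing attribute-based searchable encryption schemes support only single-keyword search and do not support attribute revocation, and single-keyword search may return partially incorrect results and waste computing and bandwidth resources. To address these problems, this paper proposes a verifiable multi-keyword searchable encryption scheme that supports attribute revocation. The scheme allows users to check the correctness of the cloud server's search results, supports revocation of user attributes within a fine-grained access control structure, and requires neither key updates nor ciphertext re-encryption during attribute revocation. In the random oracle model, under the decisional linear assumption, the scheme is proved secure against chosen-keyword-set attacks and to provide keyword privacy; theoretical and experimental analysis both confirm that the scheme has high computational and storage efficiency.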

18.
Online social networks (OSNs) offer attractive means for social interaction and data sharing, but also raise a number of security and privacy issues. Although current solutions propose to encrypt data before sharing, access control over encrypted data has become a challenging task. Moreover, multiple owners may enforce different access policies on the same data because of their different privacy concerns. A digital rights management (DRM) scheme is proposed for encrypted data in OSNs. In order to protect users' sensitive data, the scheme allows users to outsource encrypted data to the OSN service provider for sharing and to customize the access policy of their data based on ciphertext-policy attribute-based encryption. Furthermore, the scheme presents a multiparty access control model based on identity-based broadcast encryption and ciphertext-policy attribute-based proxy re-encryption, which enables multiple owners, such as tagged users who appear in a single data item, to customize the access policy collaboratively, and also allows disseminators to update the access policy if their attributes satisfy the existing access policy. Security analysis and comparison indicate that the proposed scheme is secure and efficient.
