Similar literature
 20 similar documents found; search took 46 ms
1.
Outsourcing of personal health record (PHR) has attracted considerable interest recently. It can not only bring much convenience to patients, it also allows efficient sharing of medical information among researchers. As the medical data in PHR is sensitive, it has to be encrypted before outsourcing. To achieve fine-grained access control over the encrypted PHR data becomes a challenging problem. In this paper, we provide an affirmative solution to this problem. We propose a novel PHR service system which supports efficient searching and fine-grained access control for PHR data in a hybrid cloud environment, where a private cloud is used to assist the user to interact with the public cloud for processing PHR data. In our proposed solution, we make use of attribute-based encryption (ABE) technique to obtain fine-grained access control for PHR data. In order to protect the privacy of PHR owners, our ABE is anonymous. That is, it can hide the access policy information in ciphertexts. Meanwhile, our solution can also allow efficient fuzzy search over PHR data, which can greatly improve the system usability. We also provide security analysis to show that the proposed solution is secure and privacy-preserving. The experimental results demonstrate the efficiency of the proposed scheme.

2.

Personal Health Record (PHR) is an online electronic application used by patients to store, retrieve and share their health information in a private and secure environment. While outsourcing the PHR into cloud environment, there exist issues in privacy while storing, searching and sharing of health information. To overcome these issues, an efficient retrieval of health records using Multi Keyword Searchable Attribute Based Encryption (MK-SABE) is proposed. To manage the increasing PHR data in the cloud, an Authorized File Level Deduplication technique is adopted. It eliminates redundant files, thereby reducing the communication overhead. Moreover, PHR data is encrypted before outsourcing and to perform searching over encrypted data, the proposed MK-SABE introduces Conjunctive Multi Keyword Searchable Attribute Based Encryption (CM-SABE). This maintains the searchable property after encryption for efficient retrieval of health files using range query. Further to ensure the trustworthiness while sharing the sensitive data, MK-SABE introduces the Location Based Encryption (LBE) and Dynamic Location Based ReEncryption (DLBRE) technique to provide additional security. From the experimental analysis, it is proved that the proposed MK-SABE reduces the storage complexity by 5%, keyword search time by 25% and improves the overall performance of PHR by 40% compared to the existing schemes.


3.
With the accelerated process of urbanization, more and more people tend to live in cities. In order to deal with the big data that are generated by citizens and public city departments, new information and communication technologies are utilized to process the urban data, which makes it easier to manage. Cloud computing is a novel computation technology. After cloud computing was commercialized, there have been a lot of cloud-based applications. Since the cloud service is provided by the third party, the cloud is semi-trusted. Due to the features of cloud computing, there are many security issues in cloud computing. Attribute-based encryption (ABE) is a promising cryptography technique which can be used in the cloud to solve many security issues. In this paper, we propose a framework for urban data sharing by exploiting the attribute-based cryptography. In order to fit the real world ubiquitous-cities utilization, we extend our scheme to support dynamic operations. In particular, from the part of performance analysis, it can be concluded that our scheme is secure and can resist possible attacks. Moreover, experimental results and comparisons show that our scheme is more efficient in terms of computation.

4.
Cloud computing as a promising technology and paradigm can provide various data services, such as data sharing and distribution, which allows users to derive benefits without the need for deep knowledge about them. However, the popular cloud data services also bring forth many new data security and privacy challenges. Untrusted cloud service providers, the security of outsourced data, and hence collusion attacks from cloud service providers and data users become extremely challenging issues. To resolve these issues, we design the basic parts of a secure re-encryption scheme for data services in a cloud computing environment, and further propose an efficient and secure re-encryption algorithm based on the ElGamal algorithm, to satisfy basic security requirements. The proposed scheme not only makes full use of the powerful processing ability of cloud computing but also can effectively ensure cloud data security. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under the existing security model. Copyright © 2015 John Wiley & Sons, Ltd.

5.
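Since entering the new era, domestic science and technology have developed rapidly, and the data people encounter in daily life keeps increasing. The convenient cloud computing model provided over the Internet has gradually entered people's lives, offering very convenient conditions for the everyday sharing of software and hardware resources and related information. In this paper, drawing on many years of research work on cloud computing data, the author conducts a comprehensive study of the security of cloud computing data, for the reference of those concerned, with the aim of jointly improving the security of cloud computing data in China.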

6.
Internet-based online cloud services provide enormous volumes of storage space, tailor-made computing resources and eradicate the obligation of native machines for data maintenance as well. Cloud storage service providers claim to offer the ability of secure and elastic data-storage services that can adapt to various storage necessities. Most of the security tools have a finite rate of failure, and intrusion comes with more complex and sophisticated techniques; the security failure rates are skyrocketing. Once we upload our data into the cloud, we lose control of our data, which certainly carries new security hazards toward integrity and privacy of our information. In this paper, we discuss a secure file sharing mechanism for the cloud with proxy re-encryption (PRE). The PRE scheme is implemented with the Disintegration Protocol to secure data in storage and in flight. The paper introduces a new contribution of a seamless file sharing technique among different clouds without sharing an encryption key.

7.
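To meet the need for secure sharing of electronic health record information in the cloud, an access control framework for composite electronic health records in the cloud is proposed. In this framework, a composite electronic health record structure is proposed and constructed based on the logical relationships among multiple CDA documents; an attribute-based multi-level security access control policy is applied to manage composite electronic health records securely; and XML Web services based on XLINK technology are used to download and view composite electronic health records. Comparative analysis shows that, compared with existing schemes, the proposed framework is better suited to secure sharing of electronic health information in the cloud.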

8.
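A task-role-based access control model for cloud computing   Cited by: 1 (self-citations: 0, citations by others: 1)
Data security is a major obstacle to the adoption of cloud computing, stemming mainly from the security problems brought by data sharing and the potential danger caused by the super privileges of cloud service providers. To address this, the characteristics of data storage and user groups in cloud computing are analyzed, and a task-role-based access control model for cloud computing is proposed. It applies different access control policies to different access subjects to provide graded security properties, so that cloud service providers no longer enjoy super privileges. The analysis results show that with this access control model the security of cloud data access need not depend on the server being absolutely trusted, providing more reliable security properties for cloud computing.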

9.
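A survey of research on cloud computing security issues   Cited by: 18 (self-citations: 0, citations by others: 18)
With the vigorous development of cloud computing, more and more enterprises and individuals are entrusting their storage and computing needs to the cloud. However, cloud computing security still cannot be ignored and is a current research hotspot. This paper summarizes recent research results related to cloud computing security, focusing mainly on data security, identity authentication, and access control policies. It also introduces research frameworks and projects on cloud computing security that are combined with trusted computing technology. Based on these results, it argues that combining trusted computing with the ideas of cloud computing to build "trusted cloud computing" is an important direction for future cloud computing security research. Finally, it puts forward several possible research topics for the development of "trusted cloud computing".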

10.
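Wang Lei. Computer Applications and Software (《计算机应用与软件》), 2012, 29(8): 282-285, 288
Cloud computing can raise the utilization of IT resources and improve service provisioning time, availability, and disaster recovery capability, and is an important support for informatization applications. Building a government cloud can solve problems currently faced in the development of e-government, such as rapid expansion of applications, data sharing, and rising construction and operation and maintenance costs, but it also brings some security threats. Based on an analysis of the possible risks of an e-government cloud, the paper proposes using trusted computing technology to establish trusted virtual domains at the virtualization layer of the government cloud data center, meeting the security requirements of the government cloud through security isolation policies, and proposes using homomorphic encryption to implement retrieval of encrypted information in the government cloud.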

11.
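As a new object of attention in the healthcare field, the personal health record (PHR) raises the problem of secure transmission for Internet-facing applications on health informatization platforms, which is one of the issues currently needing a solution. This paper first presents a personal health record in XML format; then, given that personal health records are cross-platform, carry a large amount of information, and demand high transmission security, it proposes XML-based encryption technology to solve the problem of secure transmission of personal health records. The results show that this encryption method not only ensures the encryption efficiency of personal health records but also provides good transmission security.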

12.
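Today we have entered the era of cloud computing and cloud storage, in which all of people's data is computed and stored in the cloud. Clearly, for the cloud era, which implies sharing and openness of data, traditional information security protection models and approaches can no longer meet the needs of data security protection in the existing network environment, and especially in the cloud environment. The paper proposes building a complete terminal security management system for industry information network systems to meet the above security needs, and from ...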

13.
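How to effectively solve the security problems in cloud computing is key to the development of the cloud computing industry. To address the security problems of data sharing in the Hadoop cloud computing system, a hybrid encryption protection scheme based on RC4 and RSA is adopted. In the process of sharing cloud storage data, the scheme is closely tied to the characteristics of the Hadoop cloud computing system, achieves secure data sharing, and balances confidentiality with efficiency.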

14.
Massive computation power and storage capacity of cloud computing systems allow scientists to deploy data-intensive applications without the infrastructure investment, where large application datasets can be stored in the cloud. Based on the pay-as-you-go model, data placement strategies have been developed to cost-effectively store large volumes of generated datasets in the scientific cloud workflows. As promising as it is, this paradigm also introduces many new challenges for data security when the users outsource sensitive data for sharing on the cloud servers, which are not within the same trusted domain as the data owners. This challenge is further complicated by the security constraints on the potential sensitive data for the scientific workflows in the cloud. To effectively address this problem, we propose a security-aware intermediate data placement strategy. First, we build a security overhead model to reasonably measure the security overheads incurred by the sensitive data. Second, we develop a data placement strategy to dynamically place the intermediate data for the scientific workflows. Finally, our experimental results show that our strategy can effectively improve the intermediate data security while ensuring the data transfer time during the execution of scientific workflows.

15.
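Cloud computing is a focus of global attention today and may bring about a new transformation in information technology, but it also brings new security problems. Starting from the most basic layer of the cloud computing environment, this paper studies the security of cloud infrastructure, surveys the state of research on cloud infrastructure security, analyzes the security problems of cloud infrastructure from a global perspective, and discusses the main key technologies of cloud infrastructure security in light of a technical framework for cloud infrastructure security services, aiming to lay a sound foundation for solving the security problems of cloud infrastructure and of the entire cloud computing environment.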

16.
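With the rapid development of cloud computing, the personal health record (PHR), as an emerging model of health information exchange, has become a hot topic in research and application. To achieve secure and efficient data sharing in the medical cloud, a revocable CP-ABE-based data sharing scheme is proposed. In this scheme, medical users are divided into a personal domain (PSD) and a public domain (PUD). In the PSD, an improved aggregate encryption scheme (IKAE) and an improved attribute-based signature scheme are used to implement read and write access rights respectively. For medical users in the PUD, a revocable outsourced encryption and decryption scheme is used, which greatly reduces the overhead for PHR users. The scheme also achieves timely user and attribute revocation, and introduces multiple authorities to reduce the complexity of key management. Finally, performance analysis demonstrates the efficiency and security of the scheme.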

17.
In a data sharing system in a cloud computing environment, such as a health care system, peers or data sources execute transactions on-the-fly in response to user queries without any centralized control. In this case confidential data might be intercepted or read by hackers. We cannot consider any centralized control for securing data since we cannot assume any central third party security infrastructure (e.g., PKI) to protect confidential data in a data sharing system. Securing health information from malicious attacks has become a major concern. However, securing the data from attacks sometimes fails and attackers succeed in inserting malicious data. Hence, this presents a need for fast and efficient damage assessment and recovery algorithms. In this paper, we present an efficient data damage assessment and recovery algorithm to delete malicious transactions and recover affected transactions in a data source in a health care system based on the concept of the matrix. We compare our algorithm with other approaches and show the performance results.

18.
With the development of information technology and cloud computing, data sharing has become an important part of scientific research. In traditional data sharing, data is stored on a third-party storage platform, which causes the owner to lose control of the data. As a result, there are issues of intentional data leakage and tampering by third parties, and the private information contained in the data may lead to more significant issues. Furthermore, data is frequently maintained on multiple storage platforms, posing significant hurdles in terms of enlisting multiple parties to engage in data sharing while maintaining consistency. In this work, we propose a new architecture for applying blockchains to data sharing and achieve efficient and reliable data sharing among heterogeneous blockchains. We design a new data sharing transaction mechanism based on the system architecture to protect the security of the raw data and the processing process. We also design and implement a hybrid concurrency control protocol to overcome issues caused by the large differences in blockchain performance in our system and to improve the success rate of data sharing transactions. We took Ethereum and Hyperledger Fabric as examples to conduct cross-blockchain data sharing experiments. The results show that our system achieves data sharing across heterogeneous blockchains with reasonable performance and has high scalability.

19.
As the sizes of IT infrastructure continue to grow, cloud computing is a natural extension of virtualisation technologies that enable scalable management of virtual machines over a plethora of physically connected systems. The so-called virtualisation-based cloud computing paradigm offers a practical approach to green IT/clouds, which emphasise the construction and deployment of scalable, energy-efficient network software applications (NetApp) by virtue of improved utilisation of the underlying resources. The latter is typically achieved through increased sharing of hardware and data in a multi-tenant cloud architecture/environment and, as such, accentuates the critical requirement for enhanced security services as an integrated component of the virtual infrastructure management strategy. This paper analyses the key security challenges faced by contemporary green cloud computing environments, and proposes a virtualisation security assurance architecture, CyberGuarder, which is designed to address several key security problems within the ‘green’ cloud computing context. In particular, CyberGuarder provides three different kinds of services; namely, a virtual machine security service, a virtual network security service and a policy based trust management service. Specifically, the proposed virtual machine security service incorporates a number of new techniques which include (1) a VMM-based integrity measurement approach for NetApp trusted loading, (2) a multi-granularity NetApp isolation mechanism to enable OS user isolation, and (3) a dynamic approach to virtual machine and network isolation for multiple NetApp’s based on energy-efficiency and security requirements. 
Secondly, a virtual network security service has been developed successfully to provide an adaptive virtual security appliance deployment in a NetApp execution environment, whereby traditional security services such as IDS and firewalls can be encapsulated as VM images and deployed over a virtual security network in accordance with the practical configuration of the virtualised infrastructure. Thirdly, a security service providing policy based trust management is proposed to facilitate access control to the resources pool and a trust federation mechanism to support/optimise task privacy and cost requirements across multiple resource pools. Preliminary studies of these services have been carried out on our iVIC platform, with promising results. As part of our ongoing research in large-scale, energy-efficient/green cloud computing, we are currently developing a virtual laboratory for our campus courses using the virtualisation infrastructure of iVIC, which incorporates the important results and experience of CyberGuarder in a practical context.

20.
Cloud computing is a fast-growing and promising technology segment that aims to reduce maintenance and management costs by shifting high-quality computing infrastructure to the Internet. It is emerging as a dominant technology because it provides an on-demand, self-service, scalable, and pay-per-use business model. Despite its numerous benefits, it suffers from several security challenges. As a consequence of on-demand service, availability of computing resources is the crucial attribute of cloud computing among security necessities. In this work, a survey is presented on various issues related to the availability of resources in a cloud environment. Ensuring availability and security of computing/storage resources are still challenging tasks. The adversary class readily exploits the vulnerabilities in the cloud infrastructure for attack implementation. The article presents a study of various categories of distributed denial-of-service (DDoS) attacks in cloud computing and their defense mechanisms. It is believed that this is the first work which surveys all varieties of DDoS attacks in the cloud environment.
