可验证的云存储安全数据删重方法

数据删重技术在云存储系统中得到了广泛的应用.如何在保证数据隐私的前提下,在半可信的云存储系统中实现高效的数据删重,是云计算安全领域的研究热点问题.现有方案在数据标识管理和用户数量统计方面普遍依赖于在线的可信第三方,执行效率有待提高,且容易造成系统瓶颈.提出了一种可验证的数据删重方法,无需可信第三方在线参与.基于双线性映射构造双文件标识方案进行流行度查询,确保标识不泄露数据的任何明文信息.采用改进的群签名方案,使用户可验证服务器返回的流行度标识,有效地防止云服务器伪造数据流行度的查询结果.设计了多层加密方案,可以根据数据的流行度,采用不同的加密方式.分析并证明了方案的安全性和正确性.通过仿真实验,验证了方案的可行性和高效性.     

基于Bloom Filter的混合云存储安全去重方案

针对现有云存储系统中数据去重采用的收敛加密算法容易遭到暴力破解以及猜测攻击等不足,提出一种基于布隆过滤器的混合云存储安全去重方案BFHDedup,改进现有混合云存储系统模型,私有云部署密钥服务器Key Server支持布隆过滤器认证用户的权限身份,实现了用户的细粒度访问控制。同时使用双层加密机制,在传统收敛加密算法基础上增加额外的加密算法并且将文件级别去重和块级别去重相结合实现细粒度去重。此外,BFHDedup采用密钥加密链机制应对去重带来的密钥管理难题。安全性分析及仿真实验结果表明,该方案在可容忍的时间开销代价下实现了较高的数据机密性,有效抵抗暴力破解以及猜测攻击,提高了去重比率并且减少了存储空间。     

Zero knowledge based client side deduplication for encrypted files of secure cloud storage in smart cities

As typical applications in the field of the cloud computing, cloud storage services are popular in the development of smart cities for their low costs and huge storage capacity. Proofs-of-ownership (PoW) is an important cryptographic primitive in cloud storage to ensure that a client holds the whole file rather than part of it in secure client side data deduplication. The previous PoW schemes worked well when the file is in plaintext. However, the privacy of the clients’ data may be vulnerable to honest-but-curious attacks. To deal with this issue, the clients tend to encrypt files before outsourcing them to the cloud, which makes the existing PoW schemes inapplicable any more. In this paper, we first propose a secure zero-knowledge based client side deduplication scheme over encrypted files. We prove that the proposed scheme is sound, complete and zero-knowledge. The scheme can achieve a high detection probability of the clients’ misbehavior. Then we introduced a proxy re-encryption based key distribution scheme. This scheme ensures that the server knows nothing about the encryption key even though it acts as a proxy to help distributing the file encryption key. It also enables the clients who have gained the ownership of a file to share the file with the encryption key generated without establishing secure channels among them. It is proved that the clients’ private key cannot be recovered by the server or clients collusion attacks during the key distribution phase. Our performance evaluation shows that the proposed scheme is much more efficient than the existing client side deduplication schemes.     

高效且可验证的多授权机构属性基加密方案

移动云计算对于移动应用程序来说是一种革命性的计算模式,其原理是把数据存储及计算能力从移动终端设备转移到资源丰富及计算能力强的云服务器.但是这种转移也引起了一些安全问题,例如,数据的安全存储、细粒度访问控制及用户的匿名性.虽然已有的多授权机构属性基加密云存储数据的访问控制方案,可以实现云存储数据的保密性及细粒度访问控制;但其在加密和解密阶段要花费很大的计算开销,不适合直接应用于电力资源有限的移动设备;另外,虽然可以通过外包解密的方式,减少解密计算的开销,但其通常是把解密外包给不完全可信的第三方,其并不能完全保证解密的正确性.针对以上挑战,本文提出了一种高效的可验证的多授权机构属性基加密方案,该方案不仅可以降低加密解密的计算开销,同时可以验证外包解密的正确性并且保护用户隐私.最后,安全分析和仿真实验表明了方案的安全性和高效性.     

A secure cloud storage system supporting privacy-preserving fuzzy deduplication

Deduplication is an important technology in the cloud storage service. For protecting user privacy, sensitive data usually have to be encrypted before outsourcing. This makes secure data deduplication a challenging task. Although convergent encryption is used to securely eliminate duplicate copies on the encrypted data, these secure deduplication techniques support only exact data deduplication. That is, there is no tolerance of differences in traditional deduplication schemes. This requirement is too strict for multimedia data including image. For images, typical modifications such as resizing and compression only change their binary presentation but maintain human visual perceptions, which should be eliminated as duplicate copies. Those perceptual similar images occupy a lot of storage space on the remote server and greatly affect the efficiency of deduplication system. In this paper, we first formalize and solve the problem of effective fuzzy image deduplication while maintaining user privacy. Our solution eliminates duplicated images based on the measurement of image similarity over encrypted data. The robustness evaluation is given and demonstrates that this fuzzy deduplication system is able to duplicate perceptual similar images, which optimizes the storage and bandwidth overhead greatly in cloud storage service.     

Secure deduplication with efficient user revocation in cloud storage

Secure deduplication is a promising solution to greatly reduce the storage space of the cloud. However, the encryption key is deterministically derived from the plaintext, such that who owns the plaintext has the derived key to decrypt the ciphertext. Therefore, how to revoke a user in deduplication schemes is a critical challenge. In the existing work, when updating the data authority, the data owner has to download the data from the cloud, decrypt, re-encrypt and finally upload them to the cloud. This process increases the communication and computation overheads. In this paper, we first propose a multi-user updatable encryption scheme. Specifically, the data owner can update the remote ciphertext under a new group key by sending an update token to the cloud. Then we adopt this technique to propose a new secure deduplication scheme supporting efficiently revoking an unauthorized user. In our scheme, the data owner just needs to send a token to the cloud to update the data authority, which saves the communication and computation costs. The security and efficiency analysis demonstrate that our proposed deduplication scheme can achieve the desired security properties with high efficiency.     

云存储中加密数据的自适应重复删除方法

为了保护个人隐私,用户倾向于在数据上传至云服务器之前将其加密. 相同的明文数据被加密成不同密文数据,使云服务器无法识别出重复的加密数据. 现存的解决方案多数倚赖可信第三方,且没有划分数据流行度,导致安全性与执行效率较低. 提出一种无需可信第三方的自适应重复删除方法.利用完美散列函数检查数据的流行度,使用口令认证密钥交换协议与同态加密安全传递数据的加密密钥,在保证用户数据隐私的前提下进行安全的重复数据删除. 与现有其它方案相比,安全性与实用性更强. 实验和仿真证明了方案的高效性.     

云计算中数据隐私的安全保护机制

在云计算中,用户所拥有的数据信息通常被存放在遥远的云端,而其它用户常常能够访问这些数据且这些数据通常不由数据拥有者自己控制和管理.在此状况下,如何在云计算中保护用户的数据隐私安全则是一个十分具有挑战性的问题.为了解决这个问题,本文提出了一种数据隐私的安全保护机制.在此安全保护机制中,针对用户数据上载和访问的过程,首先提出了一种数据隐私保护的安全流程.在此基础上,提出了用户数据安全存储算法和云端数据安全访问算法.为了证明这种保护机制的有效性,本文对其安全性能进行了一系列的分析.分析结果表明：在云计算中使用这种机制能够确保数据隐私的安全性.     

An improved secure file deduplication avoidance using CKHO based deep learning model in a cloud environment

Data deduplication is a process that gets rid of excessive duplicates of data and minimizes the storage capacity to a large extent. This process mainly optimizes redundancies without compromising the data fidelity or integrity. However, the major challenge faced by most data deduplication systems is secure cloud storage. Cloud computing relies on the ability and security of all information. In the case of distributed storage, data protection and security are critical. This paper presents a Secure Cloud Framework for owners to effectively handle cloud-based information and provide high security for information (SCF). Weaknesses, Cross-Site Scripting (XSS), SQL perfusion, adverse processing, and wrapping are all examples of significant attacks in the cloud. This paper proposes an improved Secure File Deduplication Avoidance (SFDA) algorithm for block-level deduplication and security. The deduplication process allows cloud customers to adequately manage the distributed storage space by avoiding redundant information and saving transfer speed. A deep learning classifier is used to distinguish the familiar and unfamiliar data. A dynamic perfect hashing scheme is used in the SFDA approach to perform convergent encryption and offer secure storage. The Chaotic krill herd optimization (CKHO) algorithm is used for the optimal secret key generation process of the Advanced Encryption Standard (AES) algorithm. In this way, the unfamiliar data are encrypted one more time and stored in the cloud. The efficiency of the results is demonstrated via the experiments conducted in terms of computational cost, communication overhead, deduplication rate, and attack level. For file sizes of 8 MB, 16 MB, 32 MB, and 64 MB, the proposed methodology yields a deduplication rate of 53%, 62%, 54%, and 44%, respectively. The dynamic perfect hashing and the optimal key generation using the CKHO algorithm minimizes the data update time and the time taken to update a total of 1024 MB data is 341.5 ms. The improved SFDA algorithm's optimal key selection approach reduces the impact of an attack by up to 12% for a data size of 50 MB, whereas the existing system is mostly impacted by data size, and its attack level rises by up to 19 percent for the same data size.

     

基于RCE的云存储动态所有权管理数据去重方案

数据去重技术在云存储中应用广泛,通过存储数据的一个副本节省存储空间、降低通信开销。为了实现安全的数据去重复,收敛加密以及其很多变体相应被提出,然而,很多方案没有考虑所有权改变和所有权证明（PoW）问题。提出一种安全高效的动态所有权管理去重方案,通过更新组密钥对密钥密文进行重加密实现云用户所有权撤销后的管理问题,阻止撤销所有权的用户正确解密密文,构造了基于布隆过滤器的所有权证明,提出延迟更新策略进一步降低计算开销。分析和实验表明,该方案具有较小的开销,在动态所有权管理中是有效的。     

基于TrustZone的可信移动终端云服务安全接入方案

可信云架构为云计算用户提供了安全可信的云服务执行环境,保护了用户私有数据的计算与存储安全. 然而在移动云计算高速发展的今天, 仍然没有移动终端接入可信云服务的安全解决方案. 针对上述问题, 提出了一种可信移动终端云服务安全接入方案, 方案充分考虑了移动云计算应用背景, 利用ARM TrustZone硬件隔离技术构建可信移动终端, 保护云服务客户端及安全敏感操作在移动终端的安全执行, 结合物理不可克隆函数技术, 给出了移动终端密钥与敏感数据管理机制. 在此基础之上, 借鉴可信计算技术思想, 设计了云服务安全接入协议, 协议兼容可信云架构, 提供云服务端与移动客户端间的端到端认证. 分析了方案具备的6种安全属性, 给出了基于方案的移动云存储应用实例, 实现了方案的原型系统. 实验结果表明, 可信移动终端TCB较小, 方案具有良好的可扩展性和安全可控性, 整体运行效率较高.     

Proxy re-encryption architect for storing and sharing of cloud contents

Internet-based online cloud services provide enormous volumes of storage space, tailor-made computing resources and eradicate the obligation of native machines for data maintenance as well. Cloud storage service providers claim to offer the ability of secure and elastic data-storage services that can adapt to various storage necessities. Most of the security tools have a finite rate of failure, and intrusion comes with more complex and sophisticated techniques; the security failure rates are skyrocketing. Once we upload our data into the cloud, we lose control of our data, which certainly carries new security hazards toward integrity and privacy of our information. In this paper, we discuss a secure file sharing mechanism for the cloud with proxy re-encryption (PRE). PRE-scheme is implemented with the Disintegration Protocol to secure storage data in storage and in the flight. The paper introduces a new contribution of a seamless file sharing technique among different clouds without sharing an encryption key.     

客户端密文去重方案的新设计

云存储可以使用户在不扩大自身存储的情况下保存更多数据,而客户端去重技术的引入使用户在本地对重复数据进行有效删除,极大提高云存储利用率,节省通信开销.本文利用文献[10]中基于盲签名随机化收敛密钥的思想,提出了一个新的基于客户端密文去重方案.新方案中重复验证标签和拥有权证明可有效抵抗暴力字典攻击,并利用三方密钥协商方案的思想设计了灵活的加密密钥管理方案.实验结果表明新方案能够有效降低用户存储和计算开销.     

基于离线密钥分发的加密数据重复删除方法

重复数据删除技术受到工业界和学术界的广泛关注.研究者致力于将云服务器中的冗余数据安全的删除,明文数据的重复删除方法较为简单.而用户为了保护隐私,会使用各自的密钥将数据加密后上传至云服务器,形成不同的加密数据.在保证安全性的前提下,加密数据的重复删除较难实现.目前已有的方案较多依赖在线的可信第三方.提出一种基于离线密钥分发的加密数据重复删除方案,通过构造双线性映射,在不泄露数据隐私的前提下,验证加密数据是否源自同一明文.利用广播加密技术实现加密密钥的安全存储与传递.任意数据的初始上传者能够借助云服务器,以离线方式验证后继上传者的合法性并传递数据加密密钥.无需可信第三方在线参与,实现云服务器对加密数据的重复删除.分析并证明了方案的安全性.仿真实验验证了方案的可行性与高效性.     

云加密数据安全重复删除方法

在云环境存储模式中,采用用户端数据加密虽然能够有效降低数据的存储安全风险,但同时会使云服务商丧失重复数据鉴别能力,导致存储开销随数据量增大而不断攀升.加密数据重复删除技术是解决该问题的方法之一,现有方案通常基于可信第三方设计,安全性假设过强,执行效率较低.基于椭圆曲线与密文策略属性加密两种高安全密码学原语,构造了重复加密数据识别与离线密钥共享两种安全算法,进而实现一种无需初始数据上传用户与可信第三方实时在线的加密数据重复删除方法.详细的安全性与仿真实验分析,证明该方法不仅实现数据的语义安全,同时能够保证系统的高效率运行.     

云存储安全网关关键技术研究

云存储安全网关能够提供安全、高效的数据存储备份服务,克服传统存储备份服务的不足。阐述了云存储网关的研究现状。总结了现有云存储网关研究相关的一些关键技术,其中包括多租户下的数据隔离和隐私保护,访问性能优化和重复数据删除技术,数据访问管理技术和透明加密技术。最后,总结全文并指出云存储网关未来的研究方向。     

Secure and efficient data collaboration with hierarchical attribute-based encryption in cloud computing

With the increasing trend of outsourcing data to the cloud for efficient data storage, secure data collaboration service including data read and write in cloud computing is urgently required. However, it introduces many new challenges toward data security. The key issue is how to afford secure write operation on ciphertext collaboratively, and the other issues include difficulty in key management and heavy computation overhead on user since cooperative users may read and write data using any device. In this paper, we propose a secure and efficient data collaboration scheme, in which fine-grained access control of ciphertext and secure data writing operation can be afforded based on attribute-based encryption (ABE) and attribute-based signature (ABS) respectively. In order to relieve the attribute authority from heavy key management burden, our scheme employs a full delegation mechanism based on hierarchical attribute-based encryption (HABE). Further, we also propose a partial decryption and signing construction by delegating most of the computation overhead on user to cloud service provider. The security and performance analysis show that our scheme is secure and efficient.     

工业互联网中增强安全的云存储数据访问控制方案

在工业互联网应用中,由于异构节点计算和存储能力的差异,通常采用云方案提供数据存储和数据访问服务.云存储中的访问控制如扩展多权限的云存储数据访问控制方案(NEDAC-MACS),是保证云存储中数据的安全和数据隐私的基石.给出了一种攻击方法来证明NEDAC_MACS中,被撤销的用户仍然可以解密NEDAC-MACS中的新密文;并提出了一种增强NEDAC-MACS安全性的方案,该方案可以抵抗云服务器和用户之间的合谋攻击;最后通过形式密码分析和性能分析表明,该方案能够抵抗未授权用户之间以及云服务器与用户之间的合谋攻击,保证前向安全性、后向安全性和数据保密性.     

A secure re‐encryption scheme for data services in a cloud computing environment

Cloud computing as a promising technology and paradigm can provide various data services, such as data sharing and distribution, which allows users to derive benefits without the need for deep knowledge about them. However, the popular cloud data services also bring forth many new data security and privacy challenges. Cloud service provider untrusted, outsourced data security, hence collusion attacks from cloud service providers and data users become extremely challenging issues. To resolve these issues, we design the basic parts of secure re‐encryption scheme for data services in a cloud computing environment, and further propose an efficient and secure re‐encryption algorithm based on the EIGamal algorithm, to satisfy basic security requirements. The proposed scheme not only makes full use of the powerful processing ability of cloud computing but also can effectively ensure cloud data security. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security model. Copyright © 2015 John Wiley & Sons, Ltd.     

轻量级的安全跨域去重方案

云存储为用户提供文件外包存储功能,然而随着数据外包数量的激增,数据去重复变得至关重要.目前数据压缩非常有效也是很常用的一个手段是去重,即识别数据中冗余的数据块,只存储其中的一份.以前的方案可以满足不同的用户将相同的文件加密为相同的密文,这样暴露了文件的一致性,随后的方案提出基于集中式服务器作为去重辅助的方案,随着用户的增加,数据去重效率也随之降低.针对目前云存储的安全性及数据去重效率低等问题,本文提出了跨区域的重复数据删除方案.所提方案为每个数据生成随机标签和固定长度的随机密文,确保多域重复数据消除下的数据机密性及抵抗暴力攻击、保护信息平等信息不被披露.同时,对所提方案的实施情况和功能比较进行了仔细分析,安全性分析表明,所提方案在抵抗蛮力攻击的同时,实现了数据内容、平等信息和数据完整性等隐私保护,性能分析表明,所提方案展示了优于现有方案的重复搜索计算成本及时间复杂度,可实现轻量级特色.