基于云计算的优化审计方案

针对目前完整性验证中第三方审计存在效率低、开销大、无法支持动态数据,以及哈希值对比验证、审计模型等方案无法满足云计算数据存储的安全问题,提出了一种基于云计算的优化审计方案.方案在数据存储阶段设计一个包括角色库访问控制、加密和签名验证的三层安全架构;在数据签名验证阶段基于双线性群的组密钥协议进行数据审计;并通过安全性分析...     

一种新的满足隐私性的云存储公共审计方案

在云存储网络环境中,数据的安全性、完整性和隐私性是用户最关心的问题之一.云存储服务中,用户将存储的数据和认证标识信息存储在云服务器中.为了保证存储数据的完整性,云存储服务提供者需要向用户或第三方审计者证明其正确地持有用户存储的数据.公共审计是指由用户以外的第三方代替用户完成审计工作,这对于计算资源比较有限的用户尤其重要.目前多数云存储审计方案没有考虑隐私性问题.本文提出了一种新的可聚合基于签名的广播加密(ASBB)方案,并在此基础上设计了新的满足隐私性的云存储公共审计方案.新方案在随机预言模型下是可证安全的,并且在计算开销方面更具有优势.     

基于区块链且可验证的智能电网多维数据聚合与分享方案

针对如何支持轻量级多维数据聚合,实现系统整体过程中多维数据的双端完整性验证,以及处理云服务器集中化等问题,提出了一种基于区块链且可验证的智能电网多维数据聚合与分享方案。首先,为了满足智能电网对电量数据细粒度分析的需求,利用掩蔽值和霍纳法则实现了隐私保护多维数据聚合。在此基础上,针对现有数据聚合方案在云存储数据与第三方分享方面存在的数据完整性验证问题,借用基于RSA的乘法同态承诺方案和同态哈希函数的同态性设计了一种新的签名算法,使云服务器不仅可以验证聚合数据的完整性,还可以验证数据分享阶段的完整性,即实现了云存储数据的双端可验证性,并且可以抵抗内部攻击。同时,提出了一种基于联盟链多链的聚合数据分享体系结构,有效地避免单机处理瓶颈和易受攻击等集中化问题。理论分析证明了所提方案的安全性。性能实验表明,所提方案比已有方案具有更低的计算和通信成本。     

基于区块链的多授权密文策略属性基等值测试加密方案

针对云环境下密文策略属性基加密方案中存在的密文检索分类困难与依赖可信第三方等问题,本文提出了一种基于区块链的多授权密文策略属性基等值测试加密方案．利用基于属性的等值测试技术,实现了支持属性级灵活授权的云端数据检索和分类机制,降低了数据用户对重复数据解密的计算开销．结合多授权属性基加密机制和区块链技术,实现了去中心化用户密钥生成．采用多属性授权机构联合分发密钥,有效抵抗用户和属性授权机构的合谋攻击．引入区块链和智能合约技术,消除了现有密文策略属性基密文等值测试方案中等值测试、数据存储与外包解密操作对可信云服务器的依赖．利用外包服务器执行部分解密计算,降低了用户本地的计算开销．将原始数据哈希和验证参数上传至区块链,保障外包服务器解密结果正确性和云端数据完整性．在随机预言模型下,基于判定性qparallel Bilinear Diffie-Hellman Exponent困难问题证明了本文方案在选择密文攻击下的单向性．与同类方案相比较,本文方案支持更多的安全属性,并具有较低的计算开销．     

基于半可信第三方的用户云数据安全存储协议

目前一些用户外包至云存储的数据面临着泄密风险,很多学者提出利用密钥管理员对数据加密后再外包,但相关协议并不能阻止密钥管理员截获并解密用户数据。针对该问题,将密钥管理员视为半可信第三方,构建了新的系统模型和安全模型,改进了利用密钥管理员加密数据的算法,提出基于半可信第三方的用户云数据安全存储协议(UKC),分别在单密钥管理员和多密钥管理员情形下设计了用户文件上传和下载的算法,有效地防止了来自密钥管理员的安全威胁,并节省运行时间开销。通过定理证明了本协议对密钥管理员攻击是IND-CCA安全的,性能仿真实验显示该协议的运行时间开销较低。     

基于多分支认证树的多用户多副本数据持有性证明方案

在云存储环境下,如何高效、动态地完成对多用户多副本数据的完整性验证是一个挑战性问题。基于双线性代数映射的签名机制和多分支认证树特性,提出了一种新的多用户多副本数据持有性证明方案。该方案通过使用随机掩码技术对密文进行处理确保数据隐私性,采用多分支认证树来提高数据分块的签名效率,能够支持数据动态更新操作。此外,引入第三方审计者对多用户多副本数据进行批量审计以减少计算开销。最后,分析表明本方案具有较高的安全性和效率。     

云计算中一种紧凑型的外包访问控制方案

密文策略的属性加密是实现云平台上安全的访问控制方案的最佳选择。然而,在大多数密文策略的属性加密方案中,用户密钥长度与属性的个数之间成线性关系;用户的解密时间与访问结构的复杂度成正比关系。为了减少用户密钥的存储和解密计算开销,本文提出一种面向云计算平台的紧凑型的外包访问控制方案。方案中的访问结构可以支持“与”、“或”以及“门限”三种策略。它仅采用简单的哈希和异或运算就可以验证用户外包解密返回的数据是否正确。在随机预言机模型中,基于aMSE-DDH难题,证明了方案是选择密文攻击安全的。分析表明,本文方案能够安全的实现云计算环境下的访问控制,尤其当用户终端设备受限时实现的访问控制。      

支持策略隐藏且密文长度恒定的可搜索加密方案

属性加密体制是实现云存储中数据灵活访问控制的关键技术之一,但已有的属性加密方案存在密文存储开销过大和用户隐私泄露等问题,并且不能同时支持云端数据的公开审计.为了解决这些问题,该文提出一个新的可搜索属性加密方案,其安全性可归约到q-BDHE问题和CDH问题的困难性.该方案在支持关键词搜索的基础上,实现了密文长度恒定;引入策略隐藏思想,防止攻击者获取敏感信息,确保了用户的隐私性;通过数据公开审计机制,实现了云存储中数据的完整性验证.与已有的同类方案相比较,该方案有效地降低了数据的加密开销、关键词的搜索开销、密文的存储成本与解密开销,在云存储环境中具有较好的应用前景.     

基于边缘计算的并行密钥隔离聚合签名方案

无线医疗传感器网络的出现为患者的治疗带来了极大的便利.但是,无线医疗传感器网络中往往都使用不可信的公共信道进行数据通信并且只有唯一的云服务器处理大量的医疗数据,这就导致了通信安全、隐私保护、密钥泄露、云服务器计算负担过大、延迟高等问题.此外,现有的大多数无证书聚合签名方案无法抵抗完全选择密钥攻击.针对上述问题,本文提出一种适用于无线医疗传感器网络基于边缘计算的无证书并行密钥隔离聚合签名方案.方案引入边缘计算的架构使得签名的验证和聚合过程在更靠近终端用户的边缘层进行,在降低中心云服务器计算负担的同时还能有效的保护患者的隐私.本文方案继承了无证书和密钥隔离技术的优点,同时避免了复杂的证书管理、密钥托管以及密钥暴露等问题.在随机预言模型下证明了本文方案可以抵抗完全选择密钥攻击、Type I攻击以及Type II攻击.性能分析表明,与相关无证书签名方案相比,本文方案的计算开销至少可降低74.03%,通信开销至少可降低25%.     

面向云服务的安全高效无证书聚合签名车联网认证密钥协商协议

针对目前车联网认证密钥协商协议效率低下以及车辆公私钥频繁更新的问题,提出一个基于无证书聚合签名的车联网匿名认证与密钥协商协议.本方案通过引入临时身份和预签名机制实现对车辆的隐私保护以及匿名认证,同时通过构建临时身份索引数据库,实现可信中心对可疑车辆的事后追查,满足车辆的条件匿名性要求.此外,本方案中车辆的公私钥不随其临时身份动态改变,有效避免了已有方案公私钥频繁更新带来的系统开销.同时,为了提供高效的批量认证,采用无双线性对的聚合签名技术,实现了车辆签名的动态聚合和转发,有效降低了签名传递的通信量和云服务器的验证开销.本文方案在eCK模型和CDH问题假设下被证明是形式化安全的.     

A secure regenerating code‐based cloud storage with efficient integrity verification

Cloud storage is gaining popularity as it relieves the data owners from the burden of data storage and maintenance cost. However, outsourcing data to third‐party cloud servers raise several concerns such as data availability, confidentiality, and integrity. Recently, regenerating codes have gained popularity because of their low repair bandwidth while ensuring data availability. In this paper, we propose a secure regenerating code‐based cloud storage (SRCCS) scheme, which utilizes the verifiable computation property of homomorphic encryption scheme to check the integrity of outsourced data. In this work, an error‐correcting code (ECC)–based homomorphic encryption scheme (HES) is employed to simultaneously provide data privacy as well as error correction while supporting efficient integrity verification. In SRCCS, server regeneration process is initiated on detection of data corruption events in order to ensure data availability. The ECC‐based HES significantly reduces the probability of server regeneration and minimizes the repair cost. Extensive theoretical analysis and simulation results validate the security, efficiency, and practicability of the proposed scheme.     

Cross-domain data cloud storage auditing scheme based on certificateless cryptography

With the development of Internet of things (IoT), more and more intelligent terminal devices outsource data to cloud servers (CSs). However, the CS is not fully trusted, and the heterogeneity among different domains makes it difficult for third-party auditor (TPA) to conduct an efficient integrity auditing of outsourced data. Therefore, the cross-domain data cloud storage auditing scheme based on certificateless cryptography is proposed, which can effectively avoid the big burden of certificate management or key escrow problems in identity-based cryptography. At the same time, TPA can effectively audit the integrity of outsourced data in different domains. Formal security proof and analysis show that the cloud storage auditing scheme satisfies the security and privacy requirements. Performance analysis demonstrates that the efficiency is acceptable.     

Lightweight integrity verification scheme for cloud based group data

In order to protect the security of the data stored in the cloud by group users,a data integrity verification scheme was designed which can protect the privacy of the group users.The scheme can efficiently detect the shared data in the cloud and support the dynamic updating of the data,and use the characteristic of the ring signature to hide the iden-tity of the signer corresponding to the data block.That is,the third-party verifier can not spy on the users identity and other private information when validating.The aggregated approach is used to generate data labels,which reduces the storage cost of labels and supports the dynamic operation of group data,so that the users in the group can easily modify the cloud group data.     

Privacy-Preserving Public Auditing for Non-manager Group Shared Data

By the widespread use of cloud storage service, users get a lot of conveniences such as low-price file remote storage and flexible file sharing. The research points in cloud computing include the verification of data integrity, the protection of data privacy and flexible data access. The integrity of data is ensured by a challenge-and-response protocol based on the signatures generated by group users. Many existing schemes use group signatures to make sure that the data stored in cloud is intact for the purpose of privacy and anonymity. However, group signatures do not consider user equality and the problem of frameability caused by group managers. Therefore, we propose a data sharing scheme PSFS to support user equality and traceability meanwhile based on our previous work HA-DGSP. PSFS has some secure properties such as correctness, traceability, homomorphic authentication and practical data sharing. The practical data sharing ensures that the data owner won’t loss the control of the file data during the sharing and the data owner will get effective incentive of data sharing. The effective incentive is realized by the technology of blockchain. The experimental results show that the communication overhead and computational overhead of PSFS is acceptable.     

一种基于同态Hash的数据持有性证明方法

在云存储服务中,为了让用户可以验证存储服务提供者正确地持有(保存)用户的数据,该文提出一种基于同态hash (homomorphic hashing)的数据持有性证明方法。因为同态hash算法的同态性,两数据块之和的hash值与它们hash值的乘积相等,初始化时存放所有数据块及其hash值,验证时存储服务器返回若干数据块的和及其hash值的乘积,用户计算这些数据块之和的hash值,然后验证是否与其hash值的乘积相等,从而达到持有性证明的目的。在数据生存周期内,用户可以无限次地验证数据是否被正确持有。该方法在提供数据持有性证明的同时,还可以对数据进行完整性保护。用户只需要保存密钥K,约520 byte,验证过程中需要传递的信息少,约18 bit,并且持有性验证时只需要进行一次同态hash运算。文中提供该方法的安全性分析,性能测试表明该方法是可行的。     

云环境下安全的可验证多关键词搜索加密方案

云计算的高虚拟化与高可扩展性等优势,使个人和企业愿意外包加密数据到云端服务器.然而,加密后的外包数据破坏了数据间的关联性.尽管能够利用可搜索加密(SE)进行加密数据的文件检索,但不可信云服务器可能篡改、删除外包数据或利用已有搜索陷门来获取新插入文件相关信息.此外,现有单关键词搜索由于限制条件较少,导致搜索精度差,造成带...     

Public integrity verification for data sharing in cloud with asynchronous revocation

Cloud data sharing service, which allows a group of people to access and modify the shared data, is one of the most popular and efficient working styles in enterprises. Recently, there is an uprising trend that enterprises tend to move their IT service from local to cloud to ease the management and reduce the cost. Under the new cloud environment, the cloud users require the data integrity verification to inspect the data service at the cloud side. Several recent studies have focused on this application scenario. In these studies, each user within a group is required to sign a data block created or modified by him. While a user is revoked, all the data previously signed by him should be resigned. In the existing research, the resigning process is dependent on the revoked user. However, cloud users are autonomous. They may exit the system at any time without notifying the system admin and even are revoked due to misbehaviors. As the developers in the cloud-based software development platform, they are voluntary and not strictly controlled by the system. Due to this feature, cloud users may not always follow the cloud service protocol. They may not participate in generating the resigning key and may even expose their secret keys after being revoked. If the signature is not resigned in time, the subsequent verification will be affected. And if the secret key is exposed, the shared data will be maliciously modified by the attacker who grasps the key. Therefore, forcing a revoked user to participate in the revocation process will lead to efficiency and security problems. As a result, designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable. In this paper, we identify this challenging problem as the asynchronous revocation, in which the revocation operations (i.e., re-signing key generation and resigning process) and the user's revocation are asynchronous. All the revocation operations must be able to be performed without the participation of the revoked user. Even more ambitiously, the revocation process should not rely on any special entity, such as the data owner or a trusted agency. To address this problem, we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user will be resigned by another valid user. From the perspectives of security and practicality, the revoked user does not participate in the resigning process and the re-signing key generation. Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags (HVTs). Moreover, the proposed scheme resists the collusion attack between the cloud server and the malicious revoked users. The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme. The experimental results manifest that re-signing 10,000 data blocks only takes 3.815 ?s and a user can finish the verification in 300 ?ms with a 99% error detection probability.     

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

Cloud computing provides a convenient way of content trading and sharing. In this paper, we propose a secure and privacy-preserving digital rights management （DRM） scheme using homomorphic encryption in cloud computing. We present an efficient digital rights management framework in cloud computing, which allows content provider to outsource encrypted contents to centralized content server and allows user to consume contents with the license issued by license server. Further, we provide a secure content key distribution scheme based on additive homomorphic probabilistic public key encryption and proxy re-encryption. The provided scheme prevents malicious employees of license server from issuing the license to unauthorized user. In addition, we achieve privacy preserving by allowing users to stay anonymous towards the key server and service provider. The analysis and comparison results indicate that the proposed scheme has high efficiency and security.     

一种基于ORAM的数据可恢复性证明与访问模式的隐藏

随着云计算的发展与应用,越来越多的客户选择云存储作为存储媒质,因此,数据的完整性和私密性成为客户关心的主要问题。基于无关RAM模型机提出一种新的结构,将客户文件分割成大小相等的数据块,每个数据块在云存储中有两个备份,且随机地存储在不同的文件中,以保证数据的完整性。利用同态散列算法验证数据的可持有性,通过无关RAM隐藏客户对服务器的访问模式,敌手无法从客户的数据访问模式中获取有用的信息,从而实现了数据的私密性。     

基于智能卡和密码保护的WSN远程用户安全认证方案

针对无线传感器网络（WSN）用户远程安全认证问题,分析现有方案的不足,提出一种新颖的基于智能卡的WSN远程用户认证方案。通过用户、网关节点和传感器节点之间的相互认证来验证用户和节点的合法性,并结合动态身份标识来抵抗假冒攻击、智能卡被盗攻击、服务拒绝攻击、字典攻击和重放攻击。同时对用户信息进行匿名保护,且用户能够任意修改密码。性能比较结果表明,该方案具有较高的安全性能,且具有较小的计算开销。