基于隐含格结构ABE算法的移动存储介质情境访问控制

doi:10.3969/j.issn.1000-436x.2014.04.007

摘要/Abstract

摘要：

研究了如何增强可信终端对移动存储介质的访问控制能力，以有效避免通过移动存储介质的敏感信息泄露。首先在隐含密文策略的属性加密方法的基础上，提出了基于格结构的属性策略描述方法。将每个属性构成线性格或子集格，属性集构造成一个乘积格，并利用基于格的多级信息流控制模型制定访问策略。证明了新方法的正确性和安全性。新方法在保持已有隐藏访问策略属性加密算法优点的同时，还能有效简化访问策略的表达，更符合多级安全中敏感信息的共享，能够实现细粒度的访问控制。进一步地，通过将移动存储设备和用户的使用情境作为属性构建访问策略，实现了动态的、细粒度的情境访问控制。最终设计了对移动存储介质进行接入认证、情境访问控制的分层安全管理方案。分析了方案的安全性和灵活性，并通过比较实验说明了应用情境访问控制的方案仍具有较好的处理效率。该方案同样适用于泛在环境下敏感信息的安全管理。

关键词: 属性加密, 移动存储介质, 隐藏访问结构, 格安全模型, 情境访问控制

Abstract:

To prevent data breaches via removable storage media, the way to enhance the access control capability of hosts within trusted zone with removable storage media attached was explored. Firstly, based on traditional Cipher-text-Policy hiding Attribute-Based Encryption (CP-ABE) schemes, an expression with lattice for attributes was proposed. Each attribute was described as a linear lattice or a subset lattice, and an attribute set was described as a product lattice. Furthermore, the lattice-based multi-level access control model was applied to construct access policies. The new scheme was proven fully secure under the standard model. It effectively simplifies the expression of access policies and satisfies fine-grained access control of sensitive information shared in the context of multi-level security. Secondly, considering the ubiquitous usage of removable storage media, some security attributes associating with the context of use were adopted to construct a lattice structure. Then a dynamic access control could be achieved. Finally, based on authorization and dynamic access control, a layered security solution providing multi-level protection for removable storage media was presented. Security and flexibility of proposed solution was analyzed, and a comparison experiment shows that it still has pretty good efficiency. It also can be applied to information security management in other ubiquitous environments.

Key words: attribute-based encryption, removable storage media, hidden access structures, lattice security model, con-textual access control

陈波,于泠,强小辉,王岩. 基于隐含格结构ABE算法的移动存储介质情境访问控制[J]. 通信学报, 2014, 35(4): 53-64.

Bo CHEN,Ling YU,Xiao-hui QIANG,Yan WANG. Contextual access control based on attribute-based encryption with hidden lattice structure for removable storage media[J]. Journal on Communications, 2014, 35(4): 53-64.

图/表 8

表1

表2

图1

图2

表3

表4

表5

表6

参考文献 28

[1]	IEEE Computer Society. IEEE Standard for Authentication in Host Attachments of Transient Storage Devices[S]. 2010.
[2]	HALSEY M . Beginning Windows 8[M]. Berkeley, CA: Apress, 2012.
[3]	TETMEYER A , SAIEDIAN H . Security threats and mitigating risk for USB devices[J]. IEEE Technology and Society Magazine, Zurich, Switzerland, 2010,29(4):44-49.
[4]	PHAM D V , SYED A , HALGAMUGE M N . Universal serial bus based software attacks and protection solutions[J]. Digital Investiga-tion, 2011,7(3):172-184.
[5]	GFI White Paper. Pod Slurpingan Easy Technique for Stealing Data[R]. 2011.
[6]	BERGHEL H . WikiLeaks and the matter of private manning[J]. Computer, 2012,45(3):70-73.
[7]	LANDAU S . Making sense from snowden: what's significant in the NSA surveillance revelations[J]. IEEE Security ＆ Privacy, 2013,11(4):54-63.
[8]	吴世忠，石超英 . 一种智能卡和U盘复合设备及其与计算机通信的方法[P]．中国专利200710000328.3， 2007. WU S Z , SHI C Y . Smart Card and USB Combined Equipment and Method for Communication with Computer[P]. Chinese Patent 200710000328.3, 2007.
[9]	马俊，王志英，任江春等． TRSF：一种移动存储设备主动防护框架[J]．电子学报， 2012,40(2): 376-383. MA J , WANG Z Y , REN J C , et al. TRSF: a positive protection framework for removable storage devices[J]. Acta Electronic Sinica, 2012,40(2): 376-383.
[10]	张功萱，沈创业，王平立等．移动存储信息的信任链动态跟踪技术研究[J]．计算机研究与发展， 2011,48(S1): 37-42. ZHANG G X , SHEN C Y , WANG P L , et al. The research of dynamic track technology for removable storage information's trusted chain[J]. Journal of Computer Research and Development, 2011,48(S1): 37-42.
[11]	DeviceLock[J]. Endpoint DLP suite[EB/OL]. , 2013.
[12]	VRV SpecSEC[EB/OL]. , 2013.
[13]	中兴通信股份有限公司．一种实现接入认证的方法、装置及一种移动终端[P]．中国专利200910133730.8, 2009.ZTE CORPORATION. Method to Implement Access Authentication, Equipment and a Mobile Terminal[P]. Chinese Patent 200910133730.8, 2009.
[14]	廖洪其，凌捷，郝彦军等． USB移动存储设备的惟一性识别方法研究[J]. 计算机工程与设计， 2010,31(12): 2778-2780. LIAO H Q , LING J , HE Y J , et al. The research of unique identifica-tion for USB removable storage devices[J]. Computer Engineering and Design, 2010,31(12): 2778-2780.
[15]	YANG F Y , WU T D , CHIU S H . A secure control protocol for USB mass storage devices[J]. IEEE Transactions on Consumer Electronics, 2010,56(4):2339-2343.
[16]	CHEN B , QIN C F , YU L . A secure access authentication scheme for removable storage media[J]. Journal of Information ＆ Computational Science, 2012,9(15):4353-4363.
[17]	LEE K , YIM K , SPAFFORD E H . Reverse-safe authentication proto-col for secure USB memories[J]. Security and Communication Net-works, 2012,5(8):834-845.
[8]	孙国梓，陈丹伟，吴登荣等．一种安全移动存储系统的研究与实现[J]. 计算机工程， 2009,35(11): 116-119. SUN G Z , CHEN D W , WU D R , et al. The research and implementa-tion of secure removable storage system[J]. Computer Engineering, 2009,35(11): 116-119.
[19]	伟利迅半导体有限公司．基于同步用户和主机认证的加密可移动存储设备[P]．中国专利201110184775.5， 2011.SuperSpeed Semiconductors Co Ltd． The Encryption of Removable Storage Devices Based on Synchronization of User and Master Au-thentication[P]. Chinese Patent 201110184775.5, 2011.
[20]	SAHAI A , WATERS B . Fuzzy identity-based encryption[A]. 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2005)[C]. Aarhus, Berlin, GER, 2005. 457-473.
[21]	苏金树，曹丹，王小峰等．属性基加密机制[J]. 软件学报， 2011,22(6): 1299-1315. SU J S , CAO D , WANG X F , et al． Attributes radical encryption mechanism[J]. Journal of Software, 2011,22(6): 1299-1315.
[22]	GOYAL V , PANDEY O , SAHAI A , et al. Attribute-Based encryption for fine-grained access control of encrypted data[A]. 2006 ACM Conf on Computer and Communications Security (CCS'06)[C]. Alexandria, New York, USA, 2006.89-98.
[23]	BETHENCOURT J , SAHAI A , WATERS B . Ciphertext-Policy attrib-ute-based encryption[A]. 2007 IEEE Symposium on Security and Pri-vacy (SP'07)[C]. Berkeley, California, USA, 2007.321-334.
[24]	NISHIDE T , YONEYAMA K , OHTA K . Attribute-based encryption with partially hidden encryptor-specified access structures[A]. 26th In-ternational Conference on Applied Cryptography and Network Security (ACNS'08)[C]. New York, Berlin, GER, 2008.111-129.
[25]	LAI J , DENG R H , LI Y . Fully secure cipertext-policy hiding CP-ABE[A]. 7th International Conference on Information Security Practice and Experience (ISPEC 2011)[C]. Guangzhou, Berlin, GER, 2011.24-39.
[26]	LI J , REN K , ZHU B , et al. Privacy-aware attribute-based encryption with user accountability[A]. 12th International Conference on Infor-mation Security (ISC'09)[C]. Pisa, Berlin, GER, 2009.347-362.
[27]	于泠，陈波，肖军模．多策略的工作流管理系统访问控制模型[J]. 系统工程理论与实践， 2009,29(2): 151-158. YU L , CHEN B , XIAO J M ． The access control model of multiple strategies workflow management system[J]. Systems Engineering-theory ＆ Practice, 2009,29(2): 151-158.
[28]	BONEH D , FRANKLIN M . Identity-Based encryption from the Weil pairing[A]. 21st Annual International Cryptology Conference on Ad-vances in Cryptology (CRYPTO 2001)[C]. Santa Barbara , Berlin, GER, 2001.213-229.

	策略长度	初始阶段		加密		生成密钥		解密
	策略长度	指数运算	Pair	指数运算	Pair	指数运算	Pair	指数运算	Pair
文献[24]	\|W\|	2\|V\|+1	1	2\|W\|+2	0	3\|A\|+1	0	0	3\|A\|+1
文献[25]	\|W\|	\|V\|+1	1	\|V\|+2	0	\|V\|+\|A\|+1	0	0	\|A\|+1
文献[26]	\|W\|	0	1	2\|W\|+1	0	4\|A\|	0	0	4\|A\|
本文	\|A\|	\|V\|+1	1	\|A\|+2	0	\|A\|×\|V\|+1	1	0	2\|A\|+1

情境参数	取值
用户安全级A_u	0(普通),1(秘密),2(机密),3(绝密)
接入主机安全级A_l	0(公开),1(秘密),2(机密),3(绝密)
使用时间安全级A_t	0(业余),1(加班),2(上班)

用户id	安全级别	时间戳
908	2	1377151510
123	2	1376962830
…	…	…

文件名	用户id	时间戳
abc.doc	123	1378174815
…	…	…

MAC	安全级别	时间戳
F0-DE-F1-5F-18-5A	1	1373851233
44-45-53-54-00-00	2	1373934790
…	…	…