基于代理重加密的云端多要素访问控制方案

doi:10.11959/j.issn.1000-436x.2018028

通信学报 ›› 2018, Vol. 39 ›› Issue (2): 96-104.doi: 10.11959/j.issn.1000-436x.2018028

基于代理重加密的云端多要素访问控制方案

苏铓¹,史国振²,付安民¹,俞研¹,金伟³

¹ 南京理工大学计算机科学与工程学院，江苏南京 210094
² 北京电子科技学院信息安全系，北京 100070
³ 中国科学院信息工程研究所，北京 100093

修回日期:2018-01-10 出版日期:2018-02-01 发布日期:2018-03-28
作者简介:苏铓（1987-），女，内蒙古赤峰人，博士，南京理工大学讲师，主要研究方向为云安全、访问控制、隐私保护等。|史国振（1974-），男，河南济源人，博士，北京电子科技学院副教授、硕士生导师，主要研究方向为嵌入式系统、网络安全、访问控制等。|付安民（1981-），男，湖北通城人，博士，南京理工大学副教授，主要研究方向为云安全、隐私保护等。|俞研（1972-），男，吉林长春人，博士，南京理工大学副教授，主要研究方向为无线网络、网络空间安全等。|金伟（1994-），女，北京人，中国科学院信息工程研究所博士生，主要研究方向为访问控制。
基金资助:
国家重点研发计划基金资助项目(2016YFB0800303);国家自然科学基金资助项目(61702266);国家自然科学基金资助项目(61572255);江苏省自然科学基金资助项目(BK20150787);江苏省自然科学基金资助项目(BK20141404);北京市自然科学基金资助项目(4152048)

Proxy re-encryption based multi-factor access control scheme in cloud

Mang SU¹,Guozhen SHI²,Anmin FU¹,Yan YU¹,Wei JIN³

¹ School of Computer Science and Engineering,Nanjing University of Science and Technology,Nanjing 210094,China
² School of Information Security,Beijing Electronic Science and Technology Institute,Beijing 100070,China
³ Institute of Information Engineering,CAS,Beijing 100093,China

Revised:2018-01-10 Online:2018-02-01 Published:2018-03-28
Supported by:
The National Key Research and Development Program of China(2016YFB0800303);The National Natural Science Foundation of China(61702266);The National Natural Science Foundation of China(61572255);The Natural Science Foundation of Jiangsu Province(BK20150787);The Natural Science Foundation of Jiangsu Province(BK20141404);The Natural Science Foundation of Beijing(4152048)

摘要/Abstract

摘要：

云服务是天地一体化信息网络的重要应用形式之一，用户可以通过云快捷、方便地获取信息和服务。云端数据的机密性、完整性直接关系到天地一体化信息网络的数据安全，所以云端数据多以密文形式进行流通。云端访问控制技术的研究则需要面向密文数据，同时兼顾复杂环境下的多要素描述需求。以此为背景，结合代理重加密技术，提出一种云端多要素访问控制（PRE-MFAC,proxy re-encryption based multi-factor access control）方案，首先，明确设计目标和前提假设；其次，构造具体方案，描述PRE-MFAC系统模型和相关算法；最后，对PRE-MFAC的安全性、特点进行比较分析。PRE-MFAC通过将代理重加密技术和多要素访问控制融合，实现云端密文数据的多要素化授权管理，同时，充分发挥云端服务器的运算和存储能力，降低个人用户加解密运算量和密钥管理难度。

关键词: 代理重加密, 多要素, 访问控制, 云计算, 天地一体化信息网络

Abstract:

Cloud computing is one of the space-ground integration information network applications.Users can access data and retrieve service easily and quickly in cloud.The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network.Thus the data in cloud is transferred with encrypted form to protect the information.As an important technology of cloud security,access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection.Based on this,a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed.Firstly,the aims and assumptions of PRE-MFAC were given.Secondly,the system model and algorithm was defined.Finally,the security and properties of PRE-MFAC were analyzed.The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in cloud.Meanwhile,it can make the best possible use of cloud in computing and storing,then reduce the difficulty of personal user in cryptographic computing and key managing.

Key words: proxy re-encryption, multi-factor, access control, cloud computing, space-ground integration information network

中图分类号:

TP393

苏铓,史国振,付安民,俞研,金伟. 基于代理重加密的云端多要素访问控制方案[J]. 通信学报, 2018, 39(2): 96-104.

Mang SU,Guozhen SHI,Anmin FU,Yan YU,Wei JIN. Proxy re-encryption based multi-factor access control scheme in cloud[J]. Journal on Communications, 2018, 39(2): 96-104.

图/表 6

表1

图1

图2

图3

表2

表3

参考文献 16

[14]	SU M , LI F , SHI G ,et al. A user-centric data secure creation scheme in cloud computing[J]. Chinese Journal of Electronics, 2016,25(4): 753-760.
[15]	TANG Q , . Type-based proxy re-encryption and its construction[C]// International Conference on Cryptology in India:Progress in Cryptology. 2008: 130-144.
[1]	李凤华, 殷丽华, 吴巍 ,等. 天地一体化信息网络安全保障技术研究进展及发展趋势[J]. 通信学报, 2016,37(11): 156-168.
	LI F H , YIN L H , WU W ,et al. Research status and development trends of security assurance for space-ground integration information network[J]. Journal on Communications, 2016,37(11): 156-168.
[2]	JHA S , SURAL S , VAIDYA J ,et al. Security analysis of temporal RBAC under an administrative model[J]. Computers ＆ Security, 2014(46): 154-172.
[3]	杨柳, 唐卓, 李仁发 ,等. 云计算环境中基于用户访问需求的角色查找算法[J]. 通信学报, 2011,32(7): 169-175.
	YANG L , TANG Z , LI R F ,et al. Roles query algorithm in cloud computing environment based on user require[J]. Journal on Communications, 2011,32(7): 169-175.
[4]	LUO J , WANG H , GONG X ,et al. A novel role-based access control model in cloud environments[J]. International Journal of Computational Intelligence Systems, 2016,9(1): 1-9.
[5]	LI J W , SQUICCIARINI A , LIN D J ,et al. SecLoc:securing location-sensitive storage in the cloud[C]// The 20th ACM Symposium on Access Control Models and Technologies. 2015: 51-61.
[6]	ZHOU L , VARADHARAJAN V , HITCHENS M . Trust enhanced cryptographic role-based access control for secure cloud data storage[J]. IEEE Transactions on Information Forensics and Security, 2015,10(11): 2381-2395.
[7]	ZHOU L , VARADHARAJAN V , GOPINATH K . A secure role-based cloud storage system for encrypted patient-centric health records[J]. Computer Journal, 2016,59(11): 1593-1611.
[8]	XU P , JIAO T , WU Q ,et al. Conditional identity-based broadcast proxy re-encryption and its application to cloud email[J]. IEEE Transactions on Computers, 2015,65(1): 66-79.
[9]	ZHANG Y , LI J , CHEN X ,et al. Anonymous attribute based proxy re-encryption for access control in cloud computing[J]. Security and Communication Networks, 2016,9(14): 2397-2411.
[10]	LI J , ZHAO X , ZHANG Y ,et al. Provably secure certificate-based conditional proxy re-encryption[J]. Journal of Information Science ＆Engineering, 2016,32(4): 813-830.
[11]	LIU Q , WANG G , WU J . Time-based proxy re-encryption scheme for secure data sharing in a cloud environment[J]. Information Sciences, 2014,258(3): 355-370.
[12]	YANG Y , LU H , WENG J ,et al. Fine-grained conditional proxy re-encryption and application[C]// International Conference on Provable Security. 2014: 206-222.
[13]	苏铓, 史国振, 谢绒娜 ,等. 面向移动云计算的多要素代理重加密方案[J]. 通信学报, 2015,36(11): 73-79.
	SU M , SHI G Z , XIE R N ,et al. Multi-element based on proxy re-encryption scheme for mobile cloud computing[J]. Journal on Communications, 2015,36(11): 73-79.
[16]	YANG K , LIU Z , JIA X ,et al. Time-domain attribute-based access control for cloud-based video content sharing:a cryptographic approach[J]. IEEE Transactions on Multimedia, 2016,18(5): 940-950.

名称	说明
p _ik	用户i的公钥
s _ik	用户i的私钥
K(M)	对称密钥K加密产生的消息M的密文
E(K)_i	用户i私钥可以解密的密文
Cert _i	用户i的公钥证书
con _i	用户i的访问控制条件
P_MFAC	访问控制策略
rk _i→j	用户i到j的代理重加密密钥

函数	开销
Enc	3t₁+t₂
ReEnc	2t₁+3t₂
Dec₁	3t₁+3t₂
Dec₂	3t₁+4t₂

属性模型	密文访问控制	细粒度	多要素	用户密钥管理量	加解密运算执行方
TAAC	×	×	√	—	—
JBE	√	×	×	较小	用户
CPRE	√	×	√	较大	用户
Type-PRE	√	√	×	较大	用户
ACC-PRE	√	×	×	较小	用户＆云服务器
PRE-MFAC	√	√	√	较小	用户＆云服务器
注：TAAC并未针对密文进行访问控制，因此，不涉及密钥管理问题。

基于代理重加密的云端多要素访问控制方案

Proxy re-encryption based multi-factor access control scheme in cloud

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 16

相关文章 15

Metrics

推荐阅读 0

[1]	马玲, 樊漆亮, 许婷, 郭冠琛, 张圣林, 孙永谦, 张玉志. 基于强化学习的在线离线混部云环境下的调度框架[J]. 通信学报, 2023, 44(6): 90-102.
[2]	金伟, 李凤华, 余铭洁, 郭云川, 周紫妍, 房梁. 面向HDFS的密钥资源控制机制[J]. 通信学报, 2022, 43(9): 27-41.
[3]	梁晓艳, 杜瑞忠. IoT下CapBAC规则语义表示及其时间间隔粗糙性分析[J]. 通信学报, 2021, 42(9): 43-53.
[4]	张玲翠, 许瑶冰, 李凤华, 房梁, 郭云川, 李子孚. 天地一体化信息网络安全动态赋能架构[J]. 通信学报, 2021, 42(9): 87-95.
[5]	董江涛, 闫沛文, 杜瑞忠. 雾计算中基于无配对CP-ABE可验证的访问控制方案[J]. 通信学报, 2021, 42(8): 139-150.
[6]	王化群, 刘哲, 何德彪, 李继国. 公有云中身份基多源IoT终端数据PDP方案[J]. 通信学报, 2021, 42(7): 52-60.
[7]	彭长根, 彭宗凤, 丁红发, 田有亮, 刘荣飞. 具有可撤销功能的属性协同访问控制方案[J]. 通信学报, 2021, 42(5): 75-86.
[8]	应作斌, 斯元平, 马建峰, 刘西蒙. 基于区块链的分布式EHR细粒度可追溯方案[J]. 通信学报, 2021, 42(5): 205-215.
[9]	张键红, 武梦龙, 王晶, 刘沛, 姜正涛, 彭长根. 云环境下安全的可验证多关键词搜索加密方案[J]. 通信学报, 2021, 42(4): 139-149.
[10]	李瑞琪, 贾春福, 王雅飞. 基于NTRU的多密钥同态代理重加密方案及其应用[J]. 通信学报, 2021, 42(3): 11-22.
[11]	杜瑞忠, 闫沛文, 刘妍. 雾计算中细粒度属性更新的外包计算访问控制方案[J]. 通信学报, 2021, 42(3): 160-170.
[12]	杨小东, 席婉婷, 王嘉琪, 陈艾佳, 王彩芬. 基于签密和区块链的车联网电子证据共享方案[J]. 通信学报, 2021, 42(12): 236-246.
[13]	张嘉伟, 马建峰, 马卓, 李腾. 云计算中基于时间和隐私保护的可撤销可追踪的数据共享方案[J]. 通信学报, 2021, 42(10): 81-94.
[14]	王文娟, 杜学绘, 单棣斌. 基于动态概率攻击图的云环境攻击场景构建方法[J]. 通信学报, 2021, 42(1): 1-17.
[15]	田有亮,骆琴. 基于改进Merkle-Tree认证方法的可验证多关键词搜索方案[J]. 通信学报, 2020, 41(9): 118-129.