云环境下基于环签密的用户身份属性保护方案

doi:10.3969/j.issn.1000-436x.2014.09.010

摘要/Abstract

摘要：

身份属性泄漏是最严重的云计算安全威胁之一，为解决该问题，提出了一种基于环签密的身份属性保护方案。该方案以云服务的数字身份管理为研究对象，论述了去中心化的用户密钥分割管理机制，用户自主选择算子在本地生成并存储密钥，从而令注册管理者(registrar)无法获得用户完全私钥，达到消除证书管理负载的目的。另外，本方案以用户访问权限为中心设计身份属性盲环签密验证机制，令用户和CSP组成环，基于环和自身属性用户可对消息子线性盲签密以及非交互公开密文验证，用以阻止多个CSP共谋导致的身份属性泄露场景，从而保护身份属性的完整性和机密性。最后，给出密文和属性强不可伪造、盲性机制的证明结果，在DBDH困难问题假设和适应性选择密文攻击下，方案中的用户可生成3个完全私钥组件，成功阻止环成员身份伪装。为验证系统有效性，围绕身份属性保护方案的综合负载问题对盲环签密算法进行性能评估，并对比同类算法以证实系统优化结果。

关键词: 数字身份管理, 无证书, 强不可伪造性, 盲性

Abstract:

Identity attribute leak as the most severe security threat of cloud computing,in order to solve this problem,a protection scheme of identity attributes based on ring signcryption was proposed.Focused on digital identity management in cloud service,which discusses user key parting management with decentralization.Users can choose some seeds for generation and storage of key,then integrated user key cannot be acquired by registrar,based on this payload on certifica-tion management is reduced.In addition,access-centric blindness ring signcryption verification for identity attribute is designed,which constitutes ring of users and CSP,combined with own attribute users can accomplish ring-oriented sub-linear blindness signcryption and non-interactive public ciphertext verifiability for messages so that integrity and confidentiality of identity attribute can be protected avoiding identity attribute leakage in collusion of multi-CSP.At last,strong blindness and unforgeability of ciphertext and attribute is proved in proposed model,three private key components can be generated by users and identity forgeability of ring member can be prevented successfully on the condition of DBDH difficult assumption and adaptive chosen-ciphertex tattacking.Effectiveness of proposed mechanism is verified via performance evaluation of blindness ring signcryption algorithm based on comprehensive payload in identity attribute protection,and optimization is confirmed compared with similar algorithms.

Key words: digital identity management, certificateless, strong unforgeability, blindness

李拴保,傅建明,张焕国,陈晶,王晶,任必军. 云环境下基于环签密的用户身份属性保护方案[J]. 通信学报, 2014, 35(9): 99-111.

Shuan-bao LI,Jian-ming FU,Huan-guo ZHANG,Jing CHEN,Jing WANG,Bi-jun REN. Scheme on user identity attribute preserving based on ring signcryption for cloud computing[J]. Journal on Communications, 2014, 35(9): 99-111.

图/表 8

图1

图2

表1

表2

表3

图3

表4

图4

参考文献 31

[1]	MICHAEL A , ARMANDO F , REAN G . Above the Clouds: a Berkeley View of Cloud Computing[R]. Berkeley:University of California,UC Berkeley Reliable Adaptive Distributed Systems Laboratory, 2009.
[2]	童晓渝，张云勇，徐雷．智能普适网络[J]．通信学报， 2011,32(7):182-188. TONG X Y , ZHANG Y Y , XU L . Intelligent ubiquitous network[J]. Journal on Communications, 2011,32(7):182-188.
[3]	ANGEL J M , INY K . Spontaneous task composition in urban computing environments based on social,spatial and temporal aspects[J]. En-gineering Applications of Artificial Intelligence, 2011,24:1446-1460.
[4]	ZHANG H G , LI C L , TANG M . Evolutionary cryptography against multidimensional linear cryptanalysis[J]. Sci China InfSci, 2011,54(12):2565-2577.
[5]	WANG H Z , ZHANG H G , et al. Extended multivariate public key crypto systems with secure encryption function[J]. Sci China InfSci, 2011,54(6):1161-1171.
[6]	ZHANG H G , LI C L , TANG M . Capability of evolutionary crypto-systems against differential cryptanalysis[J]. Sci China InfSci, 2011,54(10):1991-2000.
[7]	TANG M , ZHANG H G , et al. Evolutionary chipers against differential power analysis and differential fault analysis[J]. Sci China InfSci, 2012,55(4):911-920.
[8]	彭长根，田有亮，张豹等．基于同态加密体制的通用可传递签名方案[J]．通信学报， 2013,34(11):18-25. PENG C G , TIAN Y L , ZHANG B , et al. General transitive signature scheme based on homomorphism encryption[J]. Journal on Communications, 2013,34(11):18-25.
[9]	FENG D G , ZHANG M , et al. Study on cloud computing security[J]. Journal of Software, 2011,22(1):71-83.
[10]	MARK D R . Cloud computing security: the scientific challenge,and a survey of solutions[J]. The Journal of Systems and Software, 2013,86:2263-2268.
[11]	HASSAN T , JAMES B D , et al. Security and privacy challenges incloud computing environments[J]. IEEE Security and Privacy, 2010,10:24-31.
[12]	SHAREEFULI , HARALAMBOS M , et al. Model based process to support security and privacy requirements engineering[J]. International Journal of Secure Software Engineering, 2012,3:1-3.
[13]	NIR K . Privacy and security issues in cloud computing: the role of institutions and institutional evolution[J]. Telecommunications Policy, 2013,37:372-386.
[14]	ALLIANCE C S . The notorious nine cloud computing top threats in 2013[EB/OL]. .
[15]	BERTINO E , PACI F , et al. Privacy preserving digital identity man-agement for cloud computing[J]. IEEE Data Eng Bull, 2009,32(1):21-27.
[16]	PELIN A , BHARAT B , et al. An entity-centric approach for privacy and identity management in cloud computing[A]. Proc of 29th IEEE Symposium on Reliable Distributed Systems[C]. 2010.177-183.
[17]	HUSSAIN M . The Design and Applications of a Privacy-Preserving Identity and Trust-Management System[D]. Canada:School of Computing,Queen's University, 2010.
[18]	CELESTI A , TUSA F , et al. Security and cloud computing: intercloud identity management infrastructure[A]. Proc of 2010 Workshops on Enabling Technologies[C]. 2010.263-265.
[19]	ROHIT R , BHARAT B , et al. Protection of identity information in cloud computing without trusted third party[A]. Proc of the 29th IEEE Symposium on Reliable Distributed Systems[C]. 2010.368-372.
[20]	GOVINDA K , SATHIYAMOORTHY D E . Identity anonymization and secure data storage using group signature in private cloud[J]. Procedia Technology, 2012,4:495-499.
[21]	HARALAMBOS M , SHAREEFUL I , et al. A framework to support selection of cloud providers based on security and privacy require-ments[J]. The Journal of Systems and Software, 2013,86:2276-2293.
[22]	WANG H . Privacy preserving data sharing in cloud computing[J]. Journal of Computer Science and Technology, 2010,25(3):401-414.
[23]	CHUANG I-HSUN , LI S H , et al. An effective privacy protection scheme for cloud computing[A]. Proc of 13th International Conference on Advanced Communication Technology[C]. PyeongChang, 2011.260-265.
[24]	SHERMAN S M C , HE Y J , et al. Simple privacy-preserving identity-management for cloud environment[A]. Proc of ACNS 2012[C]. Berlin Heidelberg, 2012.526-543.
[25]	WEI L F , ZHU H J , et al. Security and privacy for storage and computa-tion in cloud computing[J]. Information Sciences, 2014,258:371-386.
[26]	ADEELA W , ASAD R , et al. A framework for preservation of cloud users' data privacy using dynamic reconstruction of metadata[J]. Journal of Network and Computer Applications, 2013,36:235-248.
[27]	GUO Z Z , LI M C , FAN X X . Attribute-based ring signcryption scheme[J]. Security and Comm Networks, 2013,6:790-796.
[28]	LIU Z H , HU Y P , et al. Certificatelesssigncryption scheme in the standard model[J]. Information Sciences, 2010,180:452-464.
[29]	ESSAM G . Sub-linear Blind Ring Signatures without Random Ora-cles[R]. Cryptology ePrint Archive,Report 2013/612, 2013.
[30]	SHARMILA S D S , SREE V , et al. ID Based Signcryption Scheme in Standard Model[R]. Cryptology ePrint Archive,Report 2012/392, 2013.
[31]	DAN B , MATT F . Identity-based encryption from the weil pairing[A]. Proc of CRYPTO 2001[C]. Berlin Heidelberg, 2001,213:229-464.

记号	含义	记号	含义
PKG	公共参数和密钥生成器	SK_ωs	用户私钥
m	消息	SK_ωR	CSP私钥
ω_s	用户属性集	PK_ωs	用户公钥
ω_R	CSP属性集	PK_ωR	CSP公钥
C1	环	CT	签密文

通信成本	本文方案	文献[24]方案	文献[25]方案
用户和PKG	3\|g\|	\|g+2n_a\|g\|	2\|g\|+n_a\|g\|
源CSP和PKG	3\|g\|+\|g_T\|	2\|g\|+\|p\|	2\|g\|+2\|p\|
用户和源CSP	\|g_T\|+n_a\|g\|	\|g_T\|+\|p\|\|g\|	\|g_T\|+n_u\|p\|

实体	本文方案	文献[24]方案	文献[25]方案
PKG	(2+n_a)\|p\|	n_u\|g\|+2\|p\|	n_u\|g\|+log_nup
用户	(3+n_a) \|g\|	(2n_u+1)\|g\|+log_nup	n_u\|p\|+3\|g\|
源CSP	3\|g\|+\|g_T\|	2\|g_T\|+3\|g\|	2\|g_T\|+n_u\|g\|

指标	本文方案	文献[24]方案	文献[25]方案
对运算	5p_a	6p_a	5p_a
指数运算	3Exp_G+Exp_GT	2Exp_G+2 Exp_GT	5Exp_G+Exp_GT
散列计算	2H_a	4H_a	5H_a
密文规模	4\|G\|+\|G_T\|	5\|G\|+2\|G_T\|	4\|G\|+\|G_T\|
模型	标准	RO	RO