Journal of Frontiers of Computer Science and Technology (计算机科学与探索), 2020, Vol. 14, Issue 11: 1865-1878. DOI: 10.3778/j.issn.1673-9418.1911020

• Network and Information Security •

Multi-authority Access Control Scheme in Cloud Environment (original title: 云环境中的多授权机构访问控制方案)

ZHENG Lianghan, HE Heng, TONG Qian, YANG Xiang, CHEN Xiang

  1. College of Computer Science and Technology, Wuhan University of Science and Technology, Wuhan 430065, China
  2. Hubei Province Key Laboratory of Intelligent Information Processing and Real-Time Industrial System, Wuhan University of Science and Technology, Wuhan 430065, China
  • Online: 2020-11-01  Published: 2020-11-09

Abstract:

Ciphertext-policy attribute-based encryption (CP-ABE) is well suited to data access control in cloud environments. Existing CP-ABE algorithms do not take into account that the access structures of several files may be hierarchically related, so each file has to be encrypted separately to enforce its own policy, which incurs considerable overhead. In addition, most schemes rely on a single authority to manage keys, which places very high demands on the security, honesty and computing power of that one authority and makes it a single point of trust and failure. This paper proposes a blockchain-based multi-authority access control scheme for the cloud (BMAC). BMAC has two parts. First, a hierarchical CP-ABE algorithm: a set of files whose access structures form a hierarchy is encrypted only once; a user who satisfies only part of the access conditions can decrypt the corresponding subset of the files, and a user who satisfies all of them obtains all the files. Second, a blockchain-based multi-authority key management method, in which the blockchain lets all authorities distribute private keys honestly and in parallel. Security and performance analysis shows that BMAC preserves data confidentiality, resists collusion attacks, and achieves secure, efficient, fine-grained data access control together with decentralized private-key distribution.

Key words: cloud computing, access control, attribute-based encryption, multi-authority, blockchain
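The "encrypt once, decrypt by level" property of the hierarchical access structure, as an added toy illustration. This is not the paper's code and not its pairing-based CP-ABE: it models the access tree with Shamir secret sharing over a prime field and marks some tree nodes as "level nodes" that each carry one file's content key, so satisfying a sub-tree yields that sub-tree's file and satisfying the root yields every file. Everything below is assumed for the demonstration: the field prime `P`, the hospital-style policy in `DEMO_TREE`, the constructed sample files, a SHA-256 counter keystream standing in for a real symmetric cipher, and the simplification that a user can read only the leaf shares for attributes it holds (in real CP-ABE that restriction comes from the user's secret key, not from filtering).

```python
"""Toy hierarchical access structure: one sharing of the tree encrypts several files.

Added illustration, not the paper's construction. Shares are plain field elements
(real CP-ABE hides them in bilinear-group elements), so this shows the structure of
file-hierarchy access control, not its cryptographic protection.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

# Prime field for the secret sharing (secp256k1's group order; any large prime works). Assumed.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


@dataclass
class Gate:
    k: int                       # threshold: k of the children must be satisfied
    children: List["Node"]       # sub-gates or attribute names
    level: Optional[str] = None  # set when this node carries one file's content key


Node = Union[Gate, str]


def poly_eval(coeffs: List[int], x: int) -> int:
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Recover q(0) from k points of a degree-(k-1) polynomial over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share(node: Node, secret: int, leaf_shares: Dict[str, int], level_secrets: Dict[str, int]) -> None:
    """Encryption side: split `secret` top-down; every leaf ends up with one share."""
    if isinstance(node, str):
        assert node not in leaf_shares, "demo assumes each attribute appears once in the tree"
        leaf_shares[node] = secret
        return
    if node.level is not None:
        level_secrets[node.level] = secret        # this node's secret keys one file
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for i, child in enumerate(node.children, start=1):
        share(child, poly_eval(coeffs, i), leaf_shares, level_secrets)


def recover(node: Node, leaf_shares: Dict[str, int], attrs: Set[str], found: Dict[str, int]) -> Optional[int]:
    """Decryption side: rebuild node secrets bottom-up and record every level node reached."""
    if isinstance(node, str):
        return leaf_shares[node] if node in attrs else None   # modelled user-key restriction
    points = []
    for i, child in enumerate(node.children, start=1):
        v = recover(child, leaf_shares, attrs, found)          # visit all children: lower
        if v is not None:                                      # level nodes may still unlock
            points.append((i, v))
    if len(points) < node.k:
        return None
    s = lagrange_at_zero(points[:node.k])
    if node.level is not None:
        found[node.level] = s
    return s


def content_key(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode); each file has its own key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_hierarchy(tree: Gate, files: Dict[str, bytes]):
    """One sharing of the tree encrypts every file; returns (leaf shares, ciphertexts)."""
    leaf_shares: Dict[str, int] = {}
    level_secrets: Dict[str, int] = {}
    share(tree, secrets.randbelow(P), leaf_shares, level_secrets)
    cts = {label: xor_stream(content_key(level_secrets[label]), data) for label, data in files.items()}
    return leaf_shares, cts


def decrypt_hierarchy(tree: Gate, leaf_shares: Dict[str, int], cts: Dict[str, bytes],
                      attrs: Set[str]) -> Dict[str, bytes]:
    """Return every file whose level node the user's attributes can reach."""
    found: Dict[str, int] = {}
    recover(tree, leaf_shares, set(attrs), found)
    return {label: xor_stream(content_key(s), cts[label]) for label, s in found.items() if label in cts}


# Constructed demo policy: "report" needs (Doctor OR Nurse);
# "full_record" needs (Doctor OR Nurse) AND Cardiology. One encryption covers both files.
DEMO_TREE = Gate(2, [Gate(1, ["Doctor", "Nurse"], level="report"), "Cardiology"], level="full_record")
DEMO_FILES = {"report": b"discharge summary (constructed sample)",
              "full_record": b"full patient chart (constructed sample)"}


def demo(attrs: Set[str]) -> Dict[str, bytes]:
    leaf_shares, cts = encrypt_hierarchy(DEMO_TREE, DEMO_FILES)
    return decrypt_hierarchy(DEMO_TREE, leaf_shares, cts, attrs)


if __name__ == "__main__":
    for who in ({"Nurse"}, {"Doctor", "Cardiology"}, {"Cardiology"}):
        print(sorted(who), "->", sorted(demo(who)))
```

A nurse with no department attribute gets only `report`; a cardiology doctor gets both files from the same ciphertext; `Cardiology` alone gets nothing. Two things the toy deliberately does not model, and which a practitioner should not read into it: collusion resistance (here two users could pool the leaf shares they can read and reconstruct the root, which is exactly what per-user key randomization in real CP-ABE prevents, and what the paper's collusion claim refers to), and the blockchain-based multi-authority key distribution, which is a separate mechanism from the access structure itself.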