计算机科学与探索 ›› 2011, Vol. 5 ›› Issue (09): 835-844.

• 学术研究 • 上一篇    下一篇

云存储密文访问控制方案

吕志泉, 张 敏, 冯登国   

  1. 中国科学院 软件研究所 信息安全国家重点实验室, 北京 100190
  • 收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2011-09-01 发布日期:2011-09-01

Cryptographic Access Control Scheme for Cloud Storage

LV Zhiquan, ZHANG Min, FENG Dengguo   

  1. State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  • Received:1900-01-01 Revised:1900-01-01 Online:2011-09-01 Published:2011-09-01

摘要: 提出了一种在基于密文策略的属性加密(ciphertext-policy attribute-based encryption, CP-ABE)应用场景下, 在云存储中实现高效、精细、灵活的密文访问控制的方案。新方案通过引入密钥分割技术和代理重加密技术, 在权限撤销时将部分重加密工作转移给云服务提供商执行, 大大降低了数据属主的计算代价。与现有方案相比, 新方案不仅能够支持多种门限的精细的访问控制策略, 而且在权限撤销时, 既可以属性集为单位, 又可以同一属性集下不同用户为单位。最后分析了方案的安全性, 并测试了运行效率。实验结果表明, 新方案明显优于一般方案, 特别是考虑云存储及多用户情况下, 新方案的优势更加明显。

关键词: 云存储, 密文访问控制, 基于密文策略的属性加密, 代理重加密, 密钥分割

Abstract: This paper presents an efficient, fine-grained and flexible access control scheme for the cloud storage at a scenario of the ciphertext-policy attribute-based encryption (CP-ABE). This scheme combines the techniques of segmentation of secret key and proxy re-encryption, and cloud service provider (CSP) will do most of re-encryption computing when the permission is revoked, which greatly reduces the computational cost of data owner (DO). Compared with existing schemes, this new scheme not only supports a variety of threshold gates access control pol-icy, but also supports two different revoking units including attributes set and different user having the same attrib-utes set when the permission is revoked. Finally the paper analyzes the security and runtime efficiency of the scheme. Experimental results show that the proposed scheme is superior to general schemes, especially considering cloud storage and the more users, the new scheme shows the more obvious advantages.

Key words: cloud storage, cryptographic access control, ciphertext-policy attribute-based encryption (CP-ABE), proxy re-encryption, segmentation of secret key