云环境中的多授权机构访问控制方案

doi:10.3778/j.issn.1673-9418.1911020

摘要/Abstract

摘要：

密文策略属性加密（CP-ABE）十分适用于云环境中的数据访问控制。现有的CP-ABE算法未考虑多个文件的访问结构具有层次关系，需要对每个文件分别加密实现其访问控制需求，导致较大的开销；此外，大多数方案只有单个授权机构管理密钥，对授权机构的安全性与可靠性要求极高。提出一种云环境中基于区块链的多授权机构访问控制方案（BMAC）。在BMAC中，设计了一种层次化CP-ABE算法，对于具有层次关系的多个文件，仅需加密一次，访问者在满足部分访问条件时能解密得到部分文件，满足全部条件时得到全部文件；设计了一种基于区块链的多授权机构密钥管理方法，通过区块链技术使得所有授权机构能够诚实并行地进行私钥分发。安全性与性能分析验证了BMAC能够有效保障数据机密性，抵抗串谋攻击，实现安全高效的细粒度数据访问控制以及去中心化的私钥分发。

关键词: 云计算, 访问控制, 属性加密, 多授权机构, 区块链

Abstract:

Ciphertext-policy attribute-based encryption (CP-ABE) is very suitable for data access control in cloud environment. The existing CP-ABE algorithm does not consider that the access structure of multiple files has a hierarchical relationship, and it needs to encrypt each file to realize its access control requirements, which leads to large costs. In addition, most schemes only have a single authorized institution to manage the key, which has high requirements on the computing power and honesty of the authorized institution. This paper proposes a cloud data access control scheme based on blockchain with multi-authority (BMAC). In BMAC, this paper designs a hierarchical CP-ABE algorithm, for multiple data files with hierarchical access structure, one encryption only, then visitors can decrypt part of the files when meeting some access conditions and get all files when meeting all conditions. This paper also designs a multi-authority key management method based on blockchain, which enables all authorized institutions to distribute private keys honestly and concurrently through blockchain technology. Performance and security analysis show that BMAC can effectively protect data confidentiality, resist collusion attack, achieve secure and efficient fine-grained data access control and decentralized private key distribution.

Key words: cloud computing, access control, attribute-based encryption, multi-authority, blockchain

郑良汉，何亨，童潜，杨湘，陈享. 云环境中的多授权机构访问控制方案[J]. 计算机科学与探索, 2020, 14(11): 1865-1878.

ZHENG Lianghan, HE Heng, TONG Qian, YANG Xiang, CHEN Xiang. Multi-authority Access Control Scheme in Cloud Environment[J]. Journal of Frontiers of Computer Science and Technology, 2020, 14(11): 1865-1878.

参考文献

[1] Wang Y, Li J, Wang H H. Cluster and cloud computing frame-work for scientific metrology in flow control[J]. Cluster Computing, 2019, 22(1): 1-10.
[2] Uma M S, Vasanthanayaki C. Secure medical health care content protection system (SMCPS) with watermark detection for multi cloud computing environment[J]. Multimedia Tools and Applications, 2019(1): 1-23.
[3] Luo H. A distributed management method based on the artificial fish-swarm model in cloud computing environment[J]. International Journal of Wireless Information Networks, 2018, 25(3): 1-7.
[4] Wikipedia. 2018 Google data breach[EB/OL]. (2019-11-05)[2019-11-07]. https://en.wikipedia.org/wiki/2018_Google_ data_breach.
[5] Wikipedia. Facebook-Cambridge analytica data scandal[EB/OL]. (2019-10-25)[2019-11-07]. https://en.wikipedia.org/wiki/ Facebook%E2%80%93Cambridge_Analytica_data_ scandal.
[6] Wikipedia. Yahoo! data breaches[EB/OL]. (2019-10-22)[2019-11-07]. https://en.wikipedia.org/wiki/Yahoo!_data_breaches.
[7] Sahai A, Waters B. Fuzzy identity-based encryption[C]//LNCS 3494: Proceedings of the 24th Annual International Confer-ence on the Theory and Applications of Cryptographic Tech-niques, Aarhus, May 22-26, 2005. Berlin, Heidelberg: Spr-inger, 2005: 457-473.
[8] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption[C]//Proceedings of the 2007 IEEE Symposium on Security and Privacy, Oakland, May 20-23, 2007. Wash-ington: IEEE Computer Society, 2007: 321-334.
[9] Waters B. Ciphertext-policy attribute-based encryption: an exp-ressive, efficient, and provably secure realization[C]//LNCS 6571: Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Mar 6-9, 2011. Berlin, Heidelberg: Springer, 2011: 53-70.
[10] Nakamoto S. Bitcoin: a peer-to-peer electronic cash system[EB/OL]. [2019-11-07]. https://bitcoin.org/bitcoin.pdf.
[11] Goyal V, Jain A, Pandey O, et al. Bounded ciphertext policy attribute based encryption[C]//LNCS 5126: Proceedings of the 35th International Colloquium on Automata, Languages, and Programming, Reykjavik, Jul 7-11, 2008. Berlin, Heidelberg: Springer, 2008: 579-591.
[12] He H, Li R X, Dong X H, et al. Secure, efficient and fine-grained data access control mechanism for p2p storage cloud[J]. IEEE Transactions on Cloud Computing, 2014, 2(4): 471-484.
[13] Li J G, Yao W, Zhang Y C, et al. Flexible and fine-grained attribute-based data storage in cloud computing[J]. IEEE Transactions on Services Computing, 2017, 10(5): 785-796.
[14] He H, Zhang J, Gu J, et al. A fine-grained and lightweight data access control scheme for WSN-integrated cloud com-puting[J]. Cluster Computing, 2017, 20(2): 1457-1472.
[15] Zhang Y, Zheng D, Deng R H. Security and privacy in smart health: efficient policy-hiding attribute-based access control[J]. IEEE Internet of Things Journal, 2018, 5: 2130-2145.
[16] Chase M. Multi-authority attribute based encryption[C]//LNCS 4392: Proceedings of the 4th Theory of Cryptography Conference Amsterdam, The Netherlands, Feb 21-24, 2007.Berlin, Heidelberg: Springer, 2007: 515-534.
[17] Lin H, Cao Z F, Liang X H, et al. Secure threshold multi authority attribute based encryption without a central auth-ority[C]//LNCS 5365: Proceedings of the 9th International Conference on Cryptology in India, Kharagpur, Dec 14-17, 2008. Berlin, Heidelberg: Springer, 2008: 426-436.
[18] Jung T, Li X Y, Wan Z G, et al. Privacy preserving cloud data access with multi-authorities[C]//Proceedings of the IEEE INFOCOM 2013, Turin, Apr 14-19, 2013. Piscataway: IEEE, 2013: 2625-2633.
[19] Wang Y C, Li F H, Xiong J B, et al. Achieving lightweight and secure access control in multi-authority cloud[C]//Proc-eedings of the 2015 IEEE Trustcom/BigDataSE/ISPA, Helsinki, Aug 20-22, 2015. Piscataway: IEEE, 2015: 459-466.
[20] Yuan C, Xu M X, Si X M, et al. Blockchain with accountable CP-ABE: how to effectively protect the electronic docu-ments[C]//Proceedings of the 2017 IEEE International Conf-erence on Parallel and Distributed Systems, Shenzhen, Dec 15- 17, 2017. Washington: IEEE Computer Society, 2017: 800-803.
[21] Zhang Y R, He D B, Raymond C K. BaDS: Blockchain-based architecture for data sharing with ABS and CP-ABE in IoT[J]. Wireless Communications and Mobile Computing, 2018: 1-9.
[22] Wang H, Song Y J. Secure cloud-based EHR system using attribute-based cryptosystem and blockchain[J]. Journal of Medical Systems, 2018, 42(8): 152.
[23] Beimel A. Secure schemes for secret sharing and key distribution[D]. Haifa: Israel Institute of Technology, 1996.
[24] Yu S C, Wang C, Ren K, et al. Achieving secure, scalable, and fine-grained data access control in cloud computing[C]//Proceedings of the 29th IEEE International Conference on Computer Communications, San Diego, Mar 15-19, 2010. Piscataway: IEEE, 2010: 534-542.
[25] PeerCoin. Proof-of-stake[EB/OL]. [2020-01-05]. https://docs. peercoin.net/#/proof-of-stake.
[26] Larimer D. Delegated proof-of-stake white paper[EB/OL]. [2020-01-05]. http://www.bts.hk/dpos-baipishu.html.
[27] Lewko A B, Waters B. Decentralizing attribute-based encr-yption[C]//LNCS 6632: Proceedings of the 30th Annual Inter-national Conference on the Theory and Applications of Cry-ptographic Techniques, Tallinn, May 15-19, 2011. Berlin, Heidelberg: Springer, 2011: 568-588.
[28] Caro A D, Iovino V. jPBC: Java pairing based cryptography[C]//Proceedings of the 16th IEEE Symposium on Computers and Communications, Kerkyra, Jun 28-Jul 1, 2011. Washington: IEEE Computer Society, 2011: 850-855.