Research and Analysis of Access Control Implemented with Attribute-Based Encryption
Published: 2018-03-03 16:22
Topic: access control technology   Angle: attribute-based encryption   Source: University of Electronic Science and Technology of China, master's thesis, 2014   Thesis type: degree thesis
[Abstract]: Cloud computing has become a highly promising technology and has profoundly changed the modern IT industry. Cloud storage is one of its core services: it lets data owners outsource the burden of data management to the storage provider and free themselves from local management systems. In a cloud storage system, however, owners worry that their data will be misused or accessed by unauthorized users, so enforcing access control on data held in the cloud is a serious challenge. Access control is the principal means of protecting the confidentiality and privacy of user data. In the traditional access control model, data is stored in cleartext on the cloud storage server. When a user requests access, the user sends authentication information to an access controller; once the controller has verified that the user is legitimate and trusted, it retrieves the requested data from the server and returns it to the user. This storage and access structure carries security risks, which motivates further study of alternatives, in particular how access control in a cloud environment can be enforced by non-traditional, cryptography-based means rather than by a trusted reference monitor. The main contributions of this thesis are as follows. (1) It surveys the definition and model construction of traditional access control techniques and the attribute-based access control model, then introduces attribute-based encryption (ABE), including its two variants, KP-ABE and CP-ABE, as the theoretical framework for the schemes that follow. (2) It analyses the security of an existing scheme that applies ABE to access control. That scheme introduces a trusted third-party key manager to achieve assured deletion of data, but it does not guarantee the security of the data: three attacks are presented against it, namely a man-in-the-middle attack, a collusion attack and a policy-tampering attack. Drawing on this analysis, Chapter 5 proposes an access control scheme. (3) Combining the CP-ABE algorithm of the ABE system with the attribute-based access control model framework, and guided by a realistic application scenario, it proposes an access control scheme suitable for general settings; the scheme ensures the confidentiality and integrity of the data while providing fine-grained, flexible access control over outsourced data. (4) Building on the attack models, it introduces the notion of an attribute version number and proposes a second access control scheme that supports dynamic attribute revocation, key update and ciphertext update, together with a security analysis. The core idea is as follows: the data is encrypted with the AES symmetric algorithm, the symmetric key is encrypted with CP-ABE, and a user whose attributes satisfy the policy decrypts first the key ciphertext and then the data ciphertext; key update is made dynamic by attaching a version number to each attribute. After presenting the detailed schemes, the thesis analyses their security and shows that they guarantee data security and achieve fine-grained access control.
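The layering described in contribution (4), as an added example that is not the thesis's code: a random data-encryption key (DEK) protects the record, the DEK is wrapped under an attribute policy, and an attribute version number drives revocation and the cloud-side ciphertext update. Two stand-ins are assumptions made so that it runs offline with the standard library only: the AES layer is a SHA-256 counter-mode keystream with an HMAC-SHA256 tag (encrypt-then-MAC, which also supplies the integrity the abstract requires), and the CP-ABE layer is a toy in which the DEK is Shamir-shared over the policy's attributes and each share is masked with a versioned attribute key. All names, the 2-of-3 policy, the users and the record are constructed for the example. The toy goes beyond the abstract in one deliberate way: it is not collusion-resistant, so demo() shows pooled keys succeeding, which is exactly what real CP-ABE prevents by tying every key component to a per-user random value; it also shows a lowered policy threshold failing at the integrity check rather than yielding data.

```python
"""Hybrid record protection in the style of the thesis's core idea (added example, not its code).
ASSUMED stand-ins, stdlib only:
  * AES layer  -> SHA-256 counter-mode keystream + HMAC-SHA256 tag (encrypt-then-MAC);
  * CP-ABE layer -> toy: DEK Shamir-shared over policy attributes, each share masked with a
    versioned attribute key. Unlike real CP-ABE it is NOT collusion-resistant (demo() shows this).
"""
import hashlib, hmac, os, secrets

PRIME = 2**521 - 1          # Mersenne prime; a 256-bit DEK is a field element

def _prf(key: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 PRF for key derivation, masks and keystream."""
    h = hashlib.sha256(key)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

# ---- data layer (AES stand-in) ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(_prf(key, b"ctr", nonce, i.to_bytes(8, "big")) for i in range(blocks))[:n]

def data_encrypt(dek: bytes, plaintext: bytes) -> bytes:
    ek, mk = _prf(dek, b"enc"), _prf(dek, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def data_decrypt(dek: bytes, blob: bytes) -> bytes:
    ek, mk = _prf(dek, b"enc"), _prf(dek, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")     # wrong DEK or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

# ---- key layer (CP-ABE stand-in: Shamir shares masked by versioned attribute keys) ----
def _split(secret: int, k: int, n: int):
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]

def _recover(shares) -> int:
    total = 0                                   # Lagrange interpolation at x = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % PRIME, den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def _mask(attr_key: bytes, x: int) -> int:
    raw = b"".join(_prf(attr_key, b"wrap", x.to_bytes(2, "big"), bytes([i])) for i in range(3))
    return int.from_bytes(raw, "big") % PRIME

class AttributeAuthority:
    def __init__(self):
        self.master = os.urandom(32)
        self.version = {}                       # attribute -> current version number

    def attr_key(self, attr: str, version: int) -> bytes:
        return _prf(self.master, b"attr", attr.encode(), version.to_bytes(4, "big"))

    def issue(self, attrs):                     # user secret key: (version, attribute key) per attribute
        return {a: (self.version.setdefault(a, 1), self.attr_key(a, self.version[a])) for a in attrs}

    def revoke(self, attr: str) -> int:         # bump the version; keys for the old version stop matching
        self.version[attr] = self.version.get(attr, 1) + 1
        return self.version[attr]

    def update_key(self, attr: str, old_version: int, x: int) -> int:
        """Delta the cloud adds to a stored share to move it to the current version;
        it reveals neither the share nor either attribute key."""
        new_key, old_key = self.attr_key(attr, self.version[attr]), self.attr_key(attr, old_version)
        return (_mask(new_key, x) - _mask(old_key, x)) % PRIME

def wrap_dek(auth: AttributeAuthority, dek: bytes, threshold: int, attrs):
    """Policy '<threshold> of attrs': AND when threshold == len(attrs), OR when it is 1."""
    shares = _split(int.from_bytes(dek, "big"), threshold, len(attrs))
    wrapped = {}
    for (x, y), a in zip(shares, attrs):
        v = auth.version.setdefault(a, 1)
        wrapped[a] = [v, x, (y + _mask(auth.attr_key(a, v), x)) % PRIME]
    return {"threshold": threshold, "shares": wrapped}

def unwrap_dek(user_key, wrapped) -> bytes:
    usable = [(x, (c - _mask(user_key[a][1], x)) % PRIME)
              for a, (v, x, c) in wrapped["shares"].items()
              if a in user_key and user_key[a][0] == v]       # stale version: share unusable
    if len(usable) < wrapped["threshold"]:
        raise PermissionError("attributes do not satisfy the policy")
    # A correct recovery is < 2**256; anything else is garbage that data_decrypt rejects.
    return _recover(usable[: wrapped["threshold"]]).to_bytes(66, "big")[-32:]

def update_ciphertext(wrapped, attr: str, new_version: int, delta: int) -> None:
    """Cloud-side ciphertext update: no DEK and no re-encryption of the data itself."""
    entry = wrapped["shares"][attr]
    entry[0], entry[2] = new_version, (entry[2] + delta) % PRIME

def _can_open(key, cap, blob, record) -> bool:
    try:
        return data_decrypt(unwrap_dek(key, cap), blob) == record
    except (PermissionError, ValueError):
        return False

def demo() -> dict:
    """Constructed scenario: 2-of-3 policy, denied user, collusion, policy tampering, revocation."""
    auth, dek, record = AttributeAuthority(), os.urandom(32), b"patient 4711: ECG normal"
    blob = data_encrypt(dek, record)
    cap = wrap_dek(auth, dek, 2, ["doctor", "cardiology", "researcher"])
    alice, bob, carol = auth.issue(["doctor", "cardiology"]), auth.issue(["researcher"]), auth.issue(["doctor"])
    out = {"alice": _can_open(alice, cap, blob, record), "bob": _can_open(bob, cap, blob, record)}
    out["collusion"] = _can_open({**bob, **carol}, cap, blob, record)      # pooled keys succeed (toy weakness)
    lowered = {"threshold": 1, "shares": cap["shares"]}                    # attacker edits the policy
    out["policy_tamper"] = _can_open(bob, lowered, blob, record)          # garbage DEK fails the MAC
    old_v, new_v = auth.version["doctor"], auth.revoke("doctor")
    update_ciphertext(cap, "doctor", new_v, auth.update_key("doctor", old_v, cap["shares"]["doctor"][1]))
    out["alice_stale"] = _can_open(alice, cap, blob, record)              # old 'doctor' key no longer matches
    out["carol_revoked"] = _can_open(carol, cap, blob, record)
    out["alice_reissued"] = _can_open(auth.issue(["doctor", "cardiology"]), cap, blob, record)
    return out
```

The update_key delta is the part to look at for the ciphertext-update step: the stored share moves from version 1 to version 2 without the cloud learning the share, the DEK, or either attribute key, and the data ciphertext is never touched. The collusion result is the caveat to take from the toy: any design that hands users bare per-attribute keys lets two users pool them, so the CP-ABE construction, with per-user randomisation of key components, has to stay in the design rather than being replaced by simpler key wrapping.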
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08
Article ID: 1561778
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1561778.html