Research on Attribute-Based Access Control Methods in Cloud Computing Environments

Published: 2018-06-05 00:45

Topic: cloud security + access control; Reference: Shandong Normal University, 2017 master's thesis


【Abstract】: In recent years the growth of cloud computing has drawn wide attention, its user base is increasing steadily, and it is regarded as the third revolution after the microcomputer and the Internet. Cloud computing is centered on the network: it links software and hardware resources distributed across different geographic locations, hides the heterogeneity of the underlying resources, and provides users with transparent, on-demand access to services. The rapid development of cloud computing has also brought cloud security problems. In today's cloud environments, security has become the bottleneck for the development of cloud computing, and one of the most critical cloud security problems is access control. At present, the most effective technical approach to cloud security is to combine traditional access control techniques with improved and extended cryptographic techniques in order to address the new requirements of cloud security. Researchers have proposed ciphertext-policy attribute-based encryption (CP-ABE). Although this algorithm is flexible, efficient, dynamic and privacy-preserving, when CP-ABE is applied to a cloud platform, attribute revocation and the flexibility of access policies still need further development. This thesis focuses on ciphertext-policy access control based on attribute-based encryption. The main work is as follows:

(1) Although the attribute-based ciphertext-policy access control scheme provides a dual verification mechanism and to some extent guarantees the security of data on the cloud server, when the cloud server goes down or is compromised, keys are leaked, which enables collusion attacks by unauthorized users. Building on a trusted third party, this thesis introduces multiple authority centers, with each authority distributing the private keys for attributes. This effectively prevents collusion attacks by unauthorized users, further strengthens the security of cloud data, and effectively addresses problems such as user key management and distribution and excessive load.

(2) To address the high cost of dynamically changing attribute-based ciphertext policies in the cloud environment, the concept of fused attributes is introduced and a ciphertext-policy access control scheme based on fused attributes is proposed. Building on existing attribute-based ciphertext-policy access control schemes, the scheme converts an ordinary access structure tree into an SAS access structure tree and then fuses together the attributes that frequently appear together in the SAS access structure tree. This effectively reduces the number of terminal nodes in the access tree and thereby reduces the data owner's burden of updating ciphertexts.

(3) Theoretical analysis and related experiments show that the number of attributes is an important indicator of the time performance of ciphertext encryption, and demonstrate that the proposed schemes, on the one hand, effectively reduce the user's computation overhead when policy attributes change and, on the other hand, effectively protect data security and fine-grained access control in the cloud environment while reducing the load on the data owner.
【Degree-granting institution】: Shandong Normal University
【Degree level】: Master's
【Year degree granted】: 2017
【Classification number】: TP309

