Research on a Cloud Storage Security System Based on Multi-Authority Ciphertext-Policy Attribute-Based Encryption
Published: 2018-03-22 16:20
Topic: access control. Focus: ciphertext-policy attribute-based encryption. Source: National University of Defense Technology, 2013 master's thesis. Thesis type: degree thesis.
[Abstract]: With the continuous development of cloud storage technology and the wide adoption of cloud storage services, more and more users outsource their data to cloud storage. By consolidating heterogeneous storage resources through storage virtualization, users can access data resources in the cloud through a single interface without being exposed to the physical details of the underlying infrastructure. Cloud storage offers almost unlimited capacity while markedly reducing development and maintenance costs. However, when users rely on cloud storage applications they face significant risks of data security and user privacy leakage. CP-ABE (Ciphertext-Policy Attribute-Based Encryption) is a fuzzy identity-based encryption algorithm that embeds access control into the encrypted data itself, a property particularly well suited to cloud storage environments; its main practical limitations, however, are low efficiency and poor scalability. Moreover, a real cloud storage environment has multiple authorities, each of which manages the user attributes within its own domain, and a user may hold attributes issued by different authorities. Building on earlier work, Lewko et al. proposed an improved MA-CP-ABE (Multi-Authority Ciphertext-Policy Attribute-Based Encryption) scheme that needs no global authority: every authority in the system manages user attributes independently of the others and issues private keys for them. To resist collusion attacks, however, the scheme requires a large amount of computation in bilinear groups, and it still leaves the problem of user attribute revocation unsolved. To address these problems, this thesis analyzes CP-ABE and Lewko's MA-CP-ABE scheme and, on that basis, designs its own MA-CP-ABE data access control model. The thesis makes two main contributions: 1. A third-party authentication center is added. It is responsible for issuing a unique identifier to every user and every authority in the system, which prevents collusion attacks. 2. Key splitting is used in place of proxy re-encryption. For the user attribute revocation problem common to existing CP-ABE and MA-CP-ABE schemes, the usual solution is proxy re-encryption, whose drawbacks are poor timeliness and the heavy cost of the re-encryption computation. This thesis uses key splitting to reduce the cost of attribute revocation and to support dynamic user management. Finally, the MA-CP-ABE data access control module is integrated into OpenStack, implementing data access control for the Swift cloud storage system.
[Degree-granting institution]: National University of Defense Technology
[Degree level]: Master
[Year awarded]: 2013
[Classification]: TP309; TP333
Article ID: 1649427
Page link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1649427.html