Research on Data Access Control Methods Based on Attribute-Based Encryption
[Abstract]: With the rise and development of new computing technologies such as cloud computing, the Internet of Things and big data, global informatization has brought profound changes to the world. The dependence of every level of the national economy, social development and people's lives on information technology has reached an unprecedented level. At the same time, the openness of the Internet and the sharing of information pose a serious threat to global information security, and information security is one of the main components of national security. Access control is an important basis for protecting the confidentiality, integrity, availability and legitimate use of data, and it is one of the key strategies for network security defense and resource protection. However, in distributed network environments the scale of the network keeps expanding, the numbers of users and the amount of data keep growing, and the demands for data, personal privacy and granularity keep increasing, so fine-grained dynamic authorization for large-scale users is urgently needed. The security requirement model has changed from single-user communication to multi-user communication in which at least one party consists of multiple users, and from "same-domain" to "cross-domain" communication. Traditional access control is facing new challenges. In recent years, scholars at home and abroad have carried out extensive research on access control methods based on attribute-based encryption and have achieved a large number of results. However, problems such as diverse rights, access control and hidden access control policies still need further study. This thesis studies access control based on attribute-based encryption. The main research work is as follows:

1. A multi-attribute-authority access control scheme with user privileges is designed to meet users' requirements for diverse rights. The following problems are solved: (1) a single user privilege cannot satisfy current users' requirements for diversified rights, so different user privileges are provided and users with different attribute sets obtain different privileges; (2) a combination of a central authority and multiple attribute authorities is used, which solves the problems that an attribute-based cryptosystem with a single attribute authority cannot meet the needs of large-scale distributed applications across different organizations and is vulnerable to centralized attack; (3) the data owner produces a short signature while generating the ciphertext, which ensures the integrity of the data and the authenticity of the data source; (4) the security of the scheme is proved under the selective attribute-set security model, and comparison with similar schemes shows increased information and less computation.

2. To address the abuse problem caused by excessive concentration of user rights, a user-group verifiable access control scheme and its security model are proposed, and the security of the scheme is proved. The main features of the scheme are: (1) user groups are introduced, so that user rights are dispersed and each participant only needs to store a small amount of information; (2) using Schoenmakers' verifiable secret sharing mechanism, non-interactive supervision of the central authority (CA) reduces the dependence on the central authority, so the scheme can adopt a semi-trusted or untrusted central authority; (3) each participant can verify the integrity of users by checking the information provided by other participants in the same user group; (4) comparison with existing schemes shows that user rights management in this scheme is finer-grained and the computation of the attribute key is lower.

3. An access control mechanism that fully hides the access policy in cloud storage is constructed, providing security and confidentiality protection for data stored in a semi-trusted cloud. It achieves the following: (1) the access policy is completely hidden from the cloud storage service provider (CSP), which solves the data confidentiality and integrity problems caused by privileged users in the cloud storage environment; (2) the access policy is completely hidden from all users, so that even if a legitimate user successfully decrypts the encrypted shared data, he cannot determine the access policy he satisfied; (3) a user attribute change function is added by introducing a proxy re-encryption mechanism into the scheme, so that the CSP completes the re-encryption task alone without knowing the access policy or the content of the data, which relieves the data owner of the re-encryption burden; (4) the security of the scheme is proved, and comparison with similar schemes shows that policy hiding in this scheme is more thorough.

4. Taking the intelligent distribution network as a typical application scenario, a data aggregation and access control model for the intelligent distribution network communication system is designed, and attribute-based access control is applied to the intelligent distribution network communication environment. The following work is completed: (1) for the collection of massive data in the intelligent distribution network, the Paillier homomorphic mechanism is used to collect multidimensional data and ensure data confidentiality, and signatures are verified by batch verification, reducing the number of computations from 3T to 3; (2) the attribute-based access control method is used to encrypt feedback commands, which avoids a large number of intelligent terminals obtaining the same command and the corresponding security attacks; (3) signatures are provided in both the data collection and command feedback phases, which ensures the integrity of the data and resource authentication; (4) analysis and simulation comparing computation, traffic and functionality with existing schemes show that when the amount of aggregated data is relatively small, the number of intelligent terminals is large and authorization is classified, this scheme has obvious advantages in computation cost and in access control of feedback commands.
[Degree-granting institution]: Lanzhou University of Technology
[Degree level]: Doctoral
[Year degree conferred]: 2016
[Classification number]: TP309