Institutional Repository of the Institute of Software, Chinese Academy of Sciences
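Subject: Fundamental Disciplines of Computer Science and Technology::Data Security and Computer Security
Title: Research on Attribute-Based Data Sharing Protection Schemes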
Author: 黄杜煜
Issued Date: 2013-05
Supervisor: 张振峰
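Major: Information Security
Degree Grantor: University of Chinese Academy of Sciences
Place of Degree Grantor: Beijing
Degree Level: Master's
Keyword: data sharing; attribute-based encryption; private key revocation; decryption outsourcing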
Abstract:

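With the rapid development of cloud computing, the demand for data sharing in cloud environments keeps growing. In today's public clouds, users' data is managed by the cloud service provider, and authorized users share data under the provider's control. Data stored in plaintext faces many potential security threats that can lead to unauthorized disclosure. Sensitive data therefore needs to be stored in encrypted form, so that even if the data is unfortunately leaked, no confidential information is revealed.

Approaches to protecting the sharing of encrypted data include traditional encrypted data sharing mechanisms and cryptography-based methods. Traditional mechanisms either require the data provider to place complete trust in the server, or require the data provider to stay online for long periods to perform encryption and decryption; in both security and efficiency, neither suits today's cloud computing environments with their huge volume of resources. Researchers have therefore begun to consider cryptographic means of sharing encrypted data. Attribute-based encryption (ABE) schemes achieve finer-grained access control and have properties such as a single ciphertext corresponding to a group of authorized users, which makes them an effective means of building encrypted data sharing schemes.

In applications of attribute-based data sharing schemes, a user's private key may be leaked or lost; for user-management reasons as well, applications need to provide revocation of user private keys. At present, user private key revocation in ABE schemes takes two forms: indirect revocation and direct revocation. Indirect revocation works by updating user private keys, so the private keys of all legitimate users are affected and the cost of revocation is high. Direct revocation embeds revocation information in the ciphertext and requires no update to user private keys, but existing ABE schemes that support direct revocation achieve only selective security, which does not describe well the attack capability an adversary has in practice.

On the other hand, in attribute-based data sharing schemes the data is stored encrypted, so a user must decrypt it before obtaining the plaintext. In ABE, ciphertext length is affected by the access structure and the number of attributes, which makes decryption slow and lowers the efficiency of data access.

To address these two problems, we first propose an adaptively secure ABE scheme that supports user private key revocation, realizing the direct mode of privilege revocation, and prove its adaptive security. Second, to improve decryption efficiency, we give an ABE scheme supporting decryption outsourcing, built on the proposed ABE scheme. Finally, we combine the two results into an attribute-based data sharing protection framework that supports both direct revocation of user privileges and decryption outsourcing.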

English Abstract:

The rapid development of cloud computing makes data sharing in cloud environments an urgent need. In the public cloud environment, data is managed by the cloud service providers, and authorized users access the data under the providers' control. But data stored in clear text faces many potential security threats, which may result in unauthorized disclosure. Sensitive data therefore needs to be stored in encrypted form, to ensure that a disclosure of the data does not leak meaningful information.

There are two ways to protect the sharing of encrypted data: traditional sharing mechanisms for encrypted data, and cryptographic methods for data sharing. The traditional sharing mechanisms either need to completely trust a server or require data owners to be always online to perform encryption and decryption operations. These defects leave data sharing unable, in both security and efficiency, to adapt to the huge amount of resources in cloud computing environments. Researchers have therefore begun to consider cryptographic methods for secure sharing of encrypted data. An attribute-based encryption (ABE) scheme achieves more fine-grained access control and has other good properties, such as a ciphertext that can be decrypted by a group of authorized users, which makes it an effective method for secure and efficient data sharing.

In practical use of a data sharing scheme built on ABE, a user's private key faces the risk of being leaked or lost. In addition, for user-management reasons, it is necessary to provide revocation of users' private keys. Currently, user private key revocation for ABE comes in an indirect mode and a direct mode. Indirect mode realizes revocation by updating users' private keys, so all users' private keys are affected by a revocation and the cost of the operation is high. Direct mode realizes revocation by inserting the revocation information into the ciphertexts, but until now it can only reach selective security, which cannot capture an attacker's ability in reality.

On the other hand, in an attribute-based data sharing scheme the data is stored in encrypted form, so users must perform a decryption operation before they access the data. The length of ABE ciphertexts depends on the access structure and the number of attributes, which may increase decryption time for users and so makes data access inefficient.

In response to these two problems, we first propose an adaptively secure ABE scheme supporting user private key revocation, which realizes the direct mode of user privilege revocation, and then prove its security. Second, to improve the efficiency of decryption, we give an ABE scheme supporting decryption outsourcing, based on the foregoing ABE scheme. Finally, we combine both schemes into an attribute-based data sharing framework that provides both the direct mode of user privilege revocation and decryption outsourcing.

Language: Chinese
Content Type: Thesis
URI: http://ir.iscas.ac.cn/handle/311060/14887
Appears in Collections: State Key Laboratory of Information Security_Theses

Files in This Item:
File Name/ File Size Content Type Version Access License
毕业论文_最终版.docx (3194KB) ---- Restricted access; contact to obtain the full text

Recommended Citation:
黄杜煜. Research on Attribute-Based Data Sharing Protection Schemes [D]. Beijing. University of Chinese Academy of Sciences. 2013-05-01.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 
