西安电子科技大学学报 ›› 2023, Vol. 50 ›› Issue (4): 194-205.doi: 10.19665/j.issn1001-2400.2023.04.019

• 网络空间安全专栏 • 上一篇    下一篇

可信执行环境赋能的云数据动态群组访问控制

李玥1,2(),宋祁朋1,2(),贾皓1(),邓鑫3(),马建峰1,2()   

  1. 1.西安电子科技大学 网络与信息安全学院,陕西 西安 710071
    2.西安电子科技大学 空天地一体化综合业务网全国重点实验室,陕西 西安 710071
    3.华北电力大学 控制与计算机工程学院,北京 102206
  • 收稿日期:2023-01-16 出版日期:2023-08-20 发布日期:2023-10-17
  • 通讯作者: 宋祁朋
  • 作者简介:李玥(1988—),女,讲师,E-mail:liyue@xidian.edu.cn;|贾皓(2000—),男,西安电子科技大学硕士研究生,E-mail:corvus10086@163.com;|邓鑫(2001—),男,华北电力大学本科生,E-mail:dengxin0922@126.com;|马建峰(1963—),男,教授,E-mail:jfma@mail.xidian.edu.cn
  • 基金资助:
    国家重点研发计划(2021YFB3101304);陕西省自然科学基础研究计划资助项目(2022JQ-658);陕西省自然科学基础研究计划资助项目(2022JQ-621);陕西省自然科学基础研究计划资助项目(2021JQ-207);国家自然科学基金青年项目(62002278);中央高校基本科研业务费专项资金资助(XJS211508);中央高校基本科研业务费专项资金资助(XJS211507);中央高校基本科研业务费专项资金资助(ZYTS23165)

Trusted execution environment enabled dynamic group access control for data in cloud

LI Yue1,2(),SONG Qipeng1,2(),JIA Hao1(),DENG Xin3(),MA Jianfeng1,2()   

  1. 1. School of Cyber Engineering,Xidian University,Xi’an 710071,China
    2. State Key Laboratory of Integrated Services Networks,Xidian University,Xi’an 710071,China
    3. School of Control and Computer Engineering,North China Electric Power University,Beijing 102206,China
  • Received:2023-01-16 Online:2023-08-20 Published:2023-10-17
  • Contact: Qipeng SONG

摘要:

云存储服务的普及,吸引着众多用户将数据外包存储至云平台。出于个人隐私保护的需要,云外包数据多以密文形式存在,为用户通过云平台共享数据带来极大的不便。其关键挑战在于,如何设计基于密码学的群组访问控制方案,以合理的计算/存储开销,支持用户安全便捷地进行密文数据共享。针对该问题,在既有文献基础之上,提出了一种基于可信计算环境的低开销、细粒度云存储数据动态群组访问控制机制。该方案以一种融合了身份基广播加密、属性加密以及代理重加密的既有方案为基础,通过引入可信执行环境,如英特尔®软件防护扩展(Intel® SGX),对原方案中密码学进行了计算简化,同时通过引入子群划分的思想,近一步优化了动态群组访问控制的管理开销。仿真结果表明,与原方案相比,本方案在有效保护数据隐私、提供细粒度密文数据动态访问控制能力的同时,极大地降低了计算复杂度。

关键词: 身份基广播加密, SGX, 动态群组访问控制

Abstract:

The prevalence of cloud storage service has attracted many users to outsource their data to cloud platforms.In order to protect personal privacy,data are encrypted before being outsourced to the cloud,which brings great inconvenience for data sharing through the cloud platforms.The key challenge lies in how to design a cryptography-based group access control scheme to support users to share ciphertext data safely and conveniently with reasonable computing/storage overhead.To this end,by considering the existing research efforts,and based on an existing scheme that combines identity-based broadcast encryption,attribute encryption and proxy re-encryption,a low-overhead,fine-grained cloud storage data dynamic group access control mechanism based on trusted computing environment is proposed.By introducing a trusted execution environment,such as Intel® software guard extensions (SGX),the cryptographic operation within the original scheme is significantly simplified.At the same time,by introducing the idea of subgroup partition,the management overhead of dynamic group access control is further optimized.Simulation results show that,compared with the original scheme,this scheme not only effectively protects data privacy,but also provides dynamic access control capabilities for fine-grained ciphertext data,which greatly reduces computational complexity.

Key words: identity based broadcast encryption, SGX, dynamic group access control

中图分类号: 

  • TP309.2