可信执行环境赋能的云数据动态群组访问控制

doi:10.19665/j.issn1001-2400.2023.04.019

西安电子科技大学学报 ›› 2023, Vol. 50 ›› Issue (4): 194-205.doi: 10.19665/j.issn1001-2400.2023.04.019

可信执行环境赋能的云数据动态群组访问控制

李玥^1,²(),宋祁朋^1,²(),贾皓¹(),邓鑫³(),马建峰^1,²()

1.西安电子科技大学网络与信息安全学院,陕西西安 710071
2.西安电子科技大学空天地一体化综合业务网全国重点实验室,陕西西安 710071
3.华北电力大学控制与计算机工程学院,北京 102206

收稿日期:2023-01-16 出版日期:2023-08-20 发布日期:2023-10-17
作者简介:李玥(1988—),女,讲师,E-mail:liyue@xidian.edu.cn;|贾皓(2000—),男,西安电子科技大学硕士研究生,E-mail:corvus10086@163.com;|邓鑫(2001—),男,华北电力大学本科生,E-mail:dengxin0922@126.com;|马建峰(1963—),男,教授,E-mail:jfma@mail.xidian.edu.cn
基金资助:
国家重点研发计划(2021YFB3101304);陕西省自然科学基础研究计划资助项目(2022JQ-658);陕西省自然科学基础研究计划资助项目(2022JQ-621);陕西省自然科学基础研究计划资助项目(2021JQ-207);国家自然科学基金青年项目(62002278);中央高校基本科研业务费专项资金资助(XJS211508);中央高校基本科研业务费专项资金资助(XJS211507);中央高校基本科研业务费专项资金资助(ZYTS23165)

Trusted execution environment enabled dynamic group access control for data in cloud

LI Yue^1,²(),SONG Qipeng^1,²(),JIA Hao¹(),DENG Xin³(),MA Jianfeng^1,²()

1. School of Cyber Engineering,Xidian University,Xi’an 710071,China
2. State Key Laboratory of Integrated Services Networks,Xidian University,Xi’an 710071,China
3. School of Control and Computer Engineering,North China Electric Power University,Beijing 102206,China

Received:2023-01-16 Online:2023-08-20 Published:2023-10-17

摘要/Abstract

摘要：

云存储服务的普及,吸引着众多用户将数据外包存储至云平台。出于个人隐私保护的需要,云外包数据多以密文形式存在,为用户通过云平台共享数据带来极大的不便。其关键挑战在于,如何设计基于密码学的群组访问控制方案,以合理的计算/存储开销,支持用户安全便捷地进行密文数据共享。针对该问题,在既有文献基础之上,提出了一种基于可信计算环境的低开销、细粒度云存储数据动态群组访问控制机制。该方案以一种融合了身份基广播加密、属性加密以及代理重加密的既有方案为基础,通过引入可信执行环境,如英特尔^®软件防护扩展(Intel^® SGX),对原方案中密码学进行了计算简化,同时通过引入子群划分的思想,近一步优化了动态群组访问控制的管理开销。仿真结果表明,与原方案相比,本方案在有效保护数据隐私、提供细粒度密文数据动态访问控制能力的同时,极大地降低了计算复杂度。

关键词: 身份基广播加密, SGX, 动态群组访问控制

Abstract:

The prevalence of cloud storage service has attracted many users to outsource their data to cloud platforms.In order to protect personal privacy,data are encrypted before being outsourced to the cloud,which brings great inconvenience for data sharing through the cloud platforms.The key challenge lies in how to design a cryptography-based group access control scheme to support users to share ciphertext data safely and conveniently with reasonable computing/storage overhead.To this end,by considering the existing research efforts,and based on an existing scheme that combines identity-based broadcast encryption,attribute encryption and proxy re-encryption,a low-overhead,fine-grained cloud storage data dynamic group access control mechanism based on trusted computing environment is proposed.By introducing a trusted execution environment,such as Intel^® software guard extensions (SGX),the cryptographic operation within the original scheme is significantly simplified.At the same time,by introducing the idea of subgroup partition,the management overhead of dynamic group access control is further optimized.Simulation results show that,compared with the original scheme,this scheme not only effectively protects data privacy,but also provides dynamic access control capabilities for fine-grained ciphertext data,which greatly reduces computational complexity.

Key words: identity based broadcast encryption, SGX, dynamic group access control

中图分类号:

TP309.2

李玥,宋祁朋,贾皓,邓鑫,马建峰. 可信执行环境赋能的云数据动态群组访问控制[J]. 西安电子科技大学学报, 2023, 50(4): 194-205.

LI Yue,SONG Qipeng,JIA Hao,DENG Xin,MA Jianfeng. Trusted execution environment enabled dynamic group access control for data in cloud[J]. Journal of Xidian University, 2023, 50(4): 194-205.

图/表 9

图1

图2

图3

图4

图5

图6

图7

图8

表1

参考文献 21

[1]	GOH E J, SHACHAM H, MODADYGU N, et al. SiRiUS:Securing Remote Untrusted Storage[C]// Proceedings of the Network and Distributed System Security Symposium (NDSS). San Diego: NDSS, 2003:131-145.
[2]	KIM J, SUSILO W, AU M H, et al. Adaptively Secure Identity-Based Broadcast Encryption with A Constant-Sized Ciphertext[J]. IEEE Transactions on Information Forensics and Security, 2015, 10(3):679-693. doi: 10.1109/TIFS.2014.2388156
[3]	DELERABLEE C. Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys[C]// International Conference on the Theory and Application of Cryptology and Information Security.Heidelberg:Springer, 2007:200-215.
[4]	GOYAL V, PANDEY O, SAHAI A, et al. Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data[C]// Proceedings of the 13th ACM Conference on Computer and Communications Security. New York: ACM, 2006:89-98.
[5]	BLAZE M, BLEUMER G, STRAUSS M. Divertible Protocolsand Atomic Proxy Cryptography[C]// International Conference on the Theory and Applications of Cryptographic Techniques.Heidelberg:Springer, 1998:127-144.
[6]	GE C, LIU Z, XIA J, et al. Revocable Identity-Based Broadcast Proxy Re-Encryption for Data Sharing in Clouds[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 18(3):1214-1226. doi: 10.1109/TDSC.2019.2899300
[7]	WENG J, DENG R H, DING X, et al. Conditional Proxy Re-Encryption Secure Against Chosen-ciphertext Attack[C]// Proceedings of the 4th International Symposium on Information,Computer,and Communications Security. New York: ACM, 2009:322-332.
[8]	GE C, SUSILO W, WANG J, et al. Identity-Based Conditional Proxy Re-Encryption with Fine Grain Policy[J]. Computer Standards & Interfaces, 2017, 52:1-9. doi: 10.1016/j.csi.2016.12.005
[9]	GE C, ZHOU L, XIA J, et al. A Secure Fine-Grained Identity-Based Proxy Broadcast Re-Encryption Scheme for Micro-Video Subscribing System in Clouds[C]// International Symposium on Security and Privacy in Social Networks and Big Data.Heidelberg:Springer, 2019:139-151.
[10]	DENG H, ZHANG J, QIN Z, et al. Policy-Based Broadcast Access Authorization for Flexible Data Sharing in Clouds[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 19(5):3024-3037. doi: 10.1109/TDSC.2021.3080282
[11]	GE C, WILLY S, JOONASNG B, et al. A Verifiable and Fair Attribute-Based Proxy Re-Encryption Scheme for Data Sharing in Clouds[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(5):2907-2919. doi: 10.1109/TDSC.2021.3076580
[12]	MD A I, MADRIA S K. Attribute-Based Encryption Scheme for Secure Multi-Group Data Sharing in Cloud[J]. IEEE Transactions on Services Computing, 2022, 15(4):2158-2172. doi: 10.1109/TSC.2020.3038836
[13]	曾辉祥, 习宁, 谢晴晴, 等. 抗属性篡改的去中心化密文数据安全共享[J]. 西安电子科技大学学报, 2022, 49(2):135-145.
	ZENG Huixiang, XI Ning, XIE Qingqing, et al. Decentralized Ciphertext Sharing Based on Blockchain[J]. Journal of Xidian University, 2022, 49(2):135-145.
[14]	牛淑芬, 杨平平, 谢亚亚, 等. 区块链上基于云辅助的密文策略属性基数据共享加密方案[J]. 电子与信息学报, 2021, 43(7):1864-1871.
	NIU Shufen, YANG Pingping, XIE Yaya, et al. Cloud-Assisted Ciphertext Policy Attribute Based Encryption Data Sharing Encryption Scheme Based on BlockChain[J] Journal of Electronics & Information Technology, 2021, 43(7):1864-1871.
[15]	邱云翔, 张红霞, 曹琪, 等. 基于CP-ABE算法的区块链数据访问控制方案[J]. 网络与信息安全学报, 2020, 6(3):88-98.
	QIU Yunxiang, ZHANG Hongxia, CAO Qi, et al. Blockchain Data Access Control Scheme Based on CP-ABE Algorithm[J]. Chinese Journal of Network and Information Security, 2020, 6(3):88-98.
[16]	GAO S, PIAO G, ZHU J, et al. Trustaccess:A Trustworthy Secure Ciphertext-Policy And Attribute Hiding Access Control Scheme Based on Blockchain[J]. IEEE Transactions on Vehicular Technology, 2020, 69(6):5784-5798. doi: 10.1109/TVT.25
[17]	LI T, ZHANG J, LIN Y, et al. Blockchain-Based Fine-Grained Data Sharing For Multiple Groups in Internet of Things[J]. Security and Communication Networks, 2021, 2021:1-13.
[18]	SUN J, XU G, ZHANG T, et al. Verifiable,Fairand Privacy-Preserving Broadcast Authorization for Flexible Data Sharing in Clouds[J]. IEEE Transactions on Information Forensics and Security, 2022, 18:683-698. doi: 10.1109/TIFS.2022.3226577
[19]	SUN J, XIONG H, LIU X, et al. Lightweightand Privacy-aware Fine-grained Access Control for IoT-oriented Smart Health[J]. IEEE Internet of Things Journal, 2020, 7(7):6566-6575. doi: 10.1109/JIoT.6488907
[20]	GARRISON W C, SHULL A, MYERS S, et al. On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud[C]// 2016 IEEE Symposium on Security and Privacy (SP).Piscataway:IEEE, 2016:819-838.
[21]	赵波, 袁安琪, 安杨. SGX在可信计算中的应用分析[J]. 网络与信息安全学报, 2021, 7(6):126-142.
	ZHAO Bo, YUAN Anqi, AN Yang. Application Progress of SGX in Trusted Computing Area[J]. Chinese Journal of Network and Information Security, 2021, 7(6):126-142.

操作	PBAA	PBAA-SGX
系统设置阶段	O(\|S\|)	O(\|p\|)
用户注册阶段	O(1)	O(1)
加密阶段	O(\|S\|²)	O(\|p\|)
委托密钥生成阶段	O(\|S'\|²)	O(\|p\|)
重加密阶段	O(\|S'\|²)	O(\|p\|)
原始密文解密阶段	O(\|S\|²)	O(\|p\|²)
重加密密文解密阶段	O(\|S'\|²)	O(\|p\|²)

可信执行环境赋能的云数据动态群组访问控制

Trusted execution environment enabled dynamic group access control for data in cloud

RichHTML

PDF (PC)

赞

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 21

相关文章 15

Metrics

本文评价

推荐阅读 0

[1]	曹来成, 后杨宁, 冯涛, 郭显. 面向动态博弈的k-匿名隐私保护数据共享方案[J]. 西安电子科技大学学报, 2024, 51(4): 170-179.
[2]	何欣枫, 杨琴琴. 面向云存储的数据流行度去重方案[J]. 西安电子科技大学学报, 2024, 51(1): 187-200.
[3]	曹来成,吴文涛,冯涛,郭显. 面向数据质量的隐私保护多分类LR方案[J]. 西安电子科技大学学报, 2023, 50(5): 188-198.
[4]	晏燕,董卓越,徐飞,冯涛. 一种Hilbert编码的本地化位置隐私保护方法[J]. 西安电子科技大学学报, 2023, 50(2): 147-160.
[5]	苗美霞,武盼汝,王贇玲. 密码累加器研究进展及应用[J]. 西安电子科技大学学报, 2022, 49(1): 78-91.
[6]	司成祥,高峰,祝烈煌,巩国鹏,张璨,陈卓,李锐光. 一种支持动态标签的区块链数据隐蔽传输机制[J]. 西安电子科技大学学报, 2020, 47(5): 94-102.
[7]	马卓然, 马建峰, 苗银宾, 孙聪. 无人机网络中基于状态迁移的访问控制模型[J]. 西安电子科技大学学报, 2018, 45(6): 44-50.
[8]	张红斌;裴庆祺;王超;王美华. 利用访问向量的内部威胁感知方法[J]. J4, 2014, 41(1): 110-115.
[9]	李慧贤. 轻量级RFID双向认证协议设计与分析[J]. J4, 2012, 39(1): 172-178.
[10]	周华;孟相如;张立;乔向东. 分布式入侵容忍系统的主动恢复算法研究 [J]. J4, 2009, 36(2): 378-384.
[11]	李慧贤1;蔡皖东1;裴庆祺2. 可验证秘密共享方案的设计与分析 [J]. J4, 2008, 35(1): 148-151.
[12]	张帆;马建峰. WAPI实施方案的安全性分析[J]. J4, 2005, 32(4): 545-548.
[13]	韦宝典;刘景伟;王新梅. 求解域元素分量表达式的两种新方法[J]. J4, 2004, 31(4): 518-522.
[14]	韦宝典1;2;刘景伟;1王新梅1. NESSIE分组密码及其安全性分析[J]. J4, 2004, 31(3): 377-382.
[15]	韦宝典;刘东苏;王新梅. Square-6攻击的修正方案[J]. J4, 2004, 31(1): 67-71.