
Research and Analysis of Access Control Implemented with Attribute-Based Encryption

Published: 2018-03-03 16:22

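  Topic: access control technology. Focus: attribute-based encryption. Source: University of Electronic Science and Technology of China, 2014 master's thesis. Document type: degree thesis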


[Abstract]: Cloud computing has become a very promising technology and has greatly changed the modern IT industry. Cloud storage is an important cloud computing service: it allows data owners to outsource burdensome data management to the cloud storage side and so free themselves from local management systems. In a cloud storage system, data owners often worry that their data will be misused or accessed by unauthorized users. Enforcing access control over data in a cloud storage system is therefore a serious challenge. Access control is an important means of protecting the confidentiality and privacy of user data.

In the traditional access control model, data is stored in plaintext on the cloud storage server. When a user requests access to data, the user sends their authentication message to the access controller. Once the access controller confirms that the user is legitimate and trusted, it retrieves the requested data from the server and sends it to the user. This access and storage structure carries certain security risks, which has prompted further research, for example into how access control in a cloud computing environment can be achieved by non-traditional means based on cryptographic algorithms.

The main research results of this thesis are as follows:

(1) It gives an overview of the definition and model construction of traditional access control technology and of the attribute-based access control model, and then introduces attribute-based encryption, including its two algorithms, KP-ABE and CP-ABE, which provide the theoretical framework for the design of the later schemes.

(2) It carries out a security analysis of an existing scheme that uses attribute-based encryption to implement access control. That scheme introduces a trusted third party, the key manager, and achieves assured deletion of data, but it cannot guarantee the security of the data. We propose three attacks against it: a man-in-the-middle attack, a collusion attack, and a policy tampering attack. Drawing on the analysis of that scheme, we propose an access control scheme in Chapter 5.

(3) By combining the CP-ABE algorithm of attribute-based encryption with the attribute-based access control model framework, and with the help of a real application scenario, it proposes an access control scheme suitable for general scenarios. The scheme ensures the confidentiality and integrity of the data while achieving fine-grained, flexible access control over outsourced data.

(4) Drawing on the model of the attacks and introducing the concept of an attribute version number, it proposes another access control scheme. This scheme supports dynamic revocation of attributes, key update, ciphertext update and related operations, and a security analysis of the scheme is given. Its core idea is as follows: the data is encrypted with the AES symmetric encryption algorithm, and the symmetric key is encrypted with the CP-ABE algorithm; a user who satisfies the policy decrypts the key ciphertext and then the data ciphertext in turn. Key update is made dynamic by introducing an attribute version number. After presenting the detailed scheme, the thesis analyzes it from a security standpoint and concludes that it ensures the security of the data and achieves fine-grained access control.
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08

