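Research on a Cloud Storage Security System Based on Multi-Authority Ciphertext-Policy Attribute-Based Encryption
Published: 2018-03-22 16:20
Topic: access control. Focus: ciphertext-policy attribute-based encryption. Source: National University of Defense Technology, 2013 master's thesis. Document type: dissertation.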
[Abstract]: As cloud storage technology continues to develop and cloud storage services are widely adopted, more and more users outsource their data to cloud storage. Storage virtualization integrates different storage resources, so users can access data resources in the cloud through a single user interface without the physical details of the underlying infrastructure being exposed. Cloud storage can provide almost unlimited storage capacity while markedly reducing development and maintenance costs. However, users of cloud storage applications face significant risks to data security and to user privacy. CP-ABE (Cipher Policy-Attribute Based Encryption) is a fuzzy identity-based encryption algorithm that embeds access control into the encrypted data. This property makes it particularly suitable for cloud storage environments, but in practice CP-ABE is limited mainly by low efficiency and poor scalability. Moreover, a real cloud storage environment contains multiple authorities, each of which can manage the user attributes within its own domain of control, and a user may hold attributes issued by different authorities. Building on earlier research, Lewko et al. proposed an improved MA-CP-ABE (Multi-Authority Policy-Attribute Based Encryption) scheme. The scheme needs no global authority: the authorities in the system manage user attributes independently of one another and can issue private keys for them. To prevent collusion attacks, however, the scheme requires a large amount of computation over bilinear groups, and the Lewko scheme still does not solve the problem of user attribute revocation. To address these problems, this thesis analyzes CP-ABE and Lewko's MA-CP-ABE scheme and, on that basis, designs its own MA-CP-ABE data access control model. The thesis makes two main contributions:

1. It adds a third-party certification center, which is responsible for issuing a unique identifier to every user and every authority in the system, and this prevents collusion attacks.
2. It uses a key-splitting technique in place of proxy re-encryption. User attribute revocation is a common problem in existing CP-ABE and MA-CP-ABE schemes, and the usual solution is proxy re-encryption, whose drawbacks are poor real-time performance and the excessive cost of the re-encryption operations. Through key splitting, the thesis reduces the cost of the user attribute revocation operation and achieves dynamic management of users.

Finally, the thesis adds the MA-CP-ABE data access control module to OpenStack, implementing data access control for the Swift cloud storage system.
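[Degree-granting institution]: National University of Defense Technology
[Degree level]: Master's
[Year degree conferred]: 2013
[Classification number]: TP309; TP333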