Research on Attribute Based Data Access Control for Cloud Storage Systems
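【Author】 Wang Qian (王谦);
【Supervisor】 Xiong Shuming (熊书明);
【Author information】 Jiangsu University, Computer Application Technology, 2016, Master's thesis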
【Abstract】 In the cloud storage service model, users outsource data storage to a cloud service provider over the Internet, and massive data storage is handled by powerful computing and data centers. However, outsourcing storage means that users lose actual control over their own data, and data security has become an important concern for users. Access control is one way to protect data security, since it enables authorized access to data. Traditional access control methods are no longer applicable in complex cloud storage environments, whereas attribute-based encryption is flexible and extensible and can achieve fine-grained access control. Therefore, this dissertation takes attribute-based data access control for cloud storage systems as its research subject and carries out the following work.
To address the limited computing capacity, battery power and storage space of mobile devices in mobile cloud storage systems, we propose a secure and efficient attribute-based access control scheme. In the system model, we introduce encryption and decryption servers and achieve secure outsourcing of the encryption computation by adding a permission attribute. The encryption server generates a verification tag for the corresponding ciphertext; before data is decrypted, the challenger initiates an integrity verification with the cloud server, and the cloud server verifies the integrity of the data based on the verification tag. The decryption server performs the decryption computation for users who request access to the data, and because only the user holds the user's private key, the decryption computation can be outsourced securely.
Furthermore, we propose a multi-authority attribute-based data access control scheme for cloud storage systems. In the scheme, part of the encryption computation is outsourced to the authority center through an intermediate ciphertext, which reduces the user's encryption overhead. In the data decryption phase, the cloud server generates a decryption token, so that most of the decryption computation is outsourced to the cloud server while the cloud storage server cannot learn the content of the encrypted data, which reduces the user's decryption overhead. The scheme also implements efficient revocation of user attributes and ensures the forward and backward security of keys. Moreover, by introducing a user access control list structure, it achieves user-level access control over encrypted data.
This dissertation combines attribute-based encryption with cloud storage systems and proposes secure and efficient attribute-based access control schemes for mobile cloud storage systems and multi-authority systems respectively. The analysis shows that both schemes effectively reduce the user's computation overhead while ensuring secure access to data. Simulation experiments show that, compared with existing schemes, both proposed schemes reduce the computation overhead on the user side. On the basis of data security, reducing the user's computation overhead prevents users with weak computing capacity from becoming a performance bottleneck of the cloud storage system and improves the overall efficiency of the system.
【Key words】 cloud storage; attribute based encryption; access control; outsourcing computing;