ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2016, Vol. 53 ›› Issue (4): 904-920.doi: 10.7544/issn1000-1239.2016.20150158

• 系统结构 • 上一篇    下一篇

一种面向云存储的动态授权访问控制机制

王晶,黄传河,王金海   

  1. (武汉大学计算机学院 武汉 430072) (wjing@whu.edu.cn)
  • 出版日期: 2016-04-01
  • 基金资助: 
    国家自然科学基金项目(61373040,61173137);高等学校博士学科点专项科研基金项目(20120141110002);湖北省自然科学基金重点项目(2010CDA004)

An Access Control Mechanism with Dynamic Privilege for Cloud Storage

Wang Jing, Huang Chuanhe, Wang Jinhai   

  1. (Computer School, Wuhan University, Wuhan 430072)
  • Online: 2016-04-01

摘要: 云存储是一种新型的数据存储体系结构,云存储中数据的安全性、易管理性等也面临着新的挑战.首先,云存储系统需要为用户提供安全可靠的数据访问服务,并确保云端数据的安全性.为此,研究者们针对云存储中数据结构复杂、数据存储量大等特点提出了属性加密(attribute-based encryption, ABE)方案,为云储存系统提供细粒度的密文访问控制机制.在该机制中,数据所有者使用访问策略表示数据的访问权限并对数据进行加密.但数据的访问权限常会因各种原因发生改变,从而导致云中存储密文的频繁更新,进而影响数据的易管理性.为避免访问权限管理造成大量的计算和通信开销,提出了一种高效、安全、易管理的云存储体系结构:利用ABE加密机制实现对密文的访问控制,通过高效的动态授权方法实现访问权限的管理,并提出了不同形式的访问策略之间的转换方法,使得动态授权方法更为通用,不依赖于特定的访问策略形式;针对授权执行者的不同,制定了更新授权、代理授权和临时授权3种动态授权形式,使得动态授权更为灵活、快捷;特别地,在该动态授权方法中,授权执行者根据访问策略的更改计算出最小增量集合,并根据该增量集合更新密文以降低密文更新代价.理论分析和实验结果表明,该动态授权方法能减小资源的耗费、优化系统执行效率、提高访问控制机制灵活性.

关键词: 云存储体系结构, 数据安全, 动态授权, 属性加密, 访问控制系统

Abstract: Cloud storage is a novel data storage architecture. There are some challenges about data security and manageability in cloud. Cloud needs to provide secure and reliable data access service for users. Because of the variety and volume of the data in cloud, a fine-grained access control mechanism named attribute-based encryption (ABE) has been proposed to ensure data security. In ABE mechanism, data owner describes access privileges of data by access policies and encrypts the data with the policy. User can recover the data if and only if he matches with the policy. Due to various reasons, the access privilege is dynamic and changeable, which increases the difficulty of data management and costs lot of system resource in cloud. Thus, we construct a cloud storage architecture provided by fine-grained ciphertext access control mechanism by use of utilizing ABE which supports efficient, security and manageable data access service. Firstly, we propose a transformation method amongst the common types of access policy, such that the access policy is expressed more generaly. Secondly, we provide three methods to manage access policy: updating privilege, agency privilege and temporary privilege. All of the methods can reduce a lot of computation and communication cost brought by policy updating. Finally, we give the analysis and simulation about our scheme. The results show that our cloud storage architecture is security, efficient and manageable.

Key words: cloud storage architecture, data security, dynamic privilege, attribute-based encryption (ABE), access control system

中图分类号: