高级检索
    王晶, 黄传河, 王金海. 一种面向云存储的动态授权访问控制机制[J]. 计算机研究与发展, 2016, 53(4): 904-920. DOI: 10.7544/issn1000-1239.2016.20150158
    引用本文: 王晶, 黄传河, 王金海. 一种面向云存储的动态授权访问控制机制[J]. 计算机研究与发展, 2016, 53(4): 904-920. DOI: 10.7544/issn1000-1239.2016.20150158
    Wang Jing, Huang Chuanhe, Wang Jinhai. An Access Control Mechanism with Dynamic Privilege for Cloud Storage[J]. Journal of Computer Research and Development, 2016, 53(4): 904-920. DOI: 10.7544/issn1000-1239.2016.20150158
    Citation: Wang Jing, Huang Chuanhe, Wang Jinhai. An Access Control Mechanism with Dynamic Privilege for Cloud Storage[J]. Journal of Computer Research and Development, 2016, 53(4): 904-920. DOI: 10.7544/issn1000-1239.2016.20150158

    一种面向云存储的动态授权访问控制机制

    An Access Control Mechanism with Dynamic Privilege for Cloud Storage

    • 摘要: 云存储是一种新型的数据存储体系结构,云存储中数据的安全性、易管理性等也面临着新的挑战.首先,云存储系统需要为用户提供安全可靠的数据访问服务,并确保云端数据的安全性.为此,研究者们针对云存储中数据结构复杂、数据存储量大等特点提出了属性加密(attribute-based encryption, ABE)方案,为云储存系统提供细粒度的密文访问控制机制.在该机制中,数据所有者使用访问策略表示数据的访问权限并对数据进行加密.但数据的访问权限常会因各种原因发生改变,从而导致云中存储密文的频繁更新,进而影响数据的易管理性.为避免访问权限管理造成大量的计算和通信开销,提出了一种高效、安全、易管理的云存储体系结构:利用ABE加密机制实现对密文的访问控制,通过高效的动态授权方法实现访问权限的管理,并提出了不同形式的访问策略之间的转换方法,使得动态授权方法更为通用,不依赖于特定的访问策略形式;针对授权执行者的不同,制定了更新授权、代理授权和临时授权3种动态授权形式,使得动态授权更为灵活、快捷;特别地,在该动态授权方法中,授权执行者根据访问策略的更改计算出最小增量集合,并根据该增量集合更新密文以降低密文更新代价.理论分析和实验结果表明,该动态授权方法能减小资源的耗费、优化系统执行效率、提高访问控制机制灵活性.

       

      Abstract: Cloud storage is a novel data storage architecture. There are some challenges about data security and manageability in cloud. Cloud needs to provide secure and reliable data access service for users. Because of the variety and volume of the data in cloud, a fine-grained access control mechanism named attribute-based encryption (ABE) has been proposed to ensure data security. In ABE mechanism, data owner describes access privileges of data by access policies and encrypts the data with the policy. User can recover the data if and only if he matches with the policy. Due to various reasons, the access privilege is dynamic and changeable, which increases the difficulty of data management and costs lot of system resource in cloud. Thus, we construct a cloud storage architecture provided by fine-grained ciphertext access control mechanism by use of utilizing ABE which supports efficient, security and manageable data access service. Firstly, we propose a transformation method amongst the common types of access policy, such that the access policy is expressed more generaly. Secondly, we provide three methods to manage access policy: updating privilege, agency privilege and temporary privilege. All of the methods can reduce a lot of computation and communication cost brought by policy updating. Finally, we give the analysis and simulation about our scheme. The results show that our cloud storage architecture is security, efficient and manageable.

       

    /

    返回文章
    返回