高级检索

    支持访问行为身份追踪的跨域密文共享方案

    A Cross-Domain Ciphertext Sharing Scheme Supporting Access Behavior Identity Tracing

    • 摘要: 作为在云环境下被广泛应用的密文数据授权访问机制,密文策略属性基加密(ciphertext-policy attribute-based encryption, CP-ABE)具有细粒度、1对多和拥有者可控的特点. 由于多个用户可能拥有相同属性集合,传统属性基加密机制难以追溯到滥用解密权限的恶意授权用户身份. 虽然现有研究解决了恶意用户的特定解密权限滥用行为(白盒攻击与黑盒攻击)的身份追踪问题,但仍难以实现针对授权用户访问行为的身份追踪,这将导致潜在的安全风险和数据访问知情权合规性问题. 为了在现实应用场景中实现密文数据访问行为身份追踪,方案基于密文策略属性基加密机制构造跨域密文共享方法,通过数字签名和交互式外包解密流程将可追踪密钥和授权用户访问行为绑定为访问请求,并利用区块链的不可篡改性实现访问请求的完整性保护. 为了解决引入区块链所导致的访问行为身份追踪效率低下问题,方案引入加密倒排索引结构以优化区块遍历效率,并通过BLS签名和隐私集合交集思想实现索引查询的隐私保护. 理论分析和实验验证表明所提方案是实用与高效的.

       

      Abstract: As a widely used ciphertext authorization access mechanism in cloud environments, ciphertext-policy attribute-based encryption (CP-ABE) has fine-grained, one-to-many and owner-controlled properties. However, the traditional CP-ABE mechanism is difficult to obtain the identities of authorized users who maliciously abuse their decryption privileges since multiple users may have the same attribute set. Although numerous existing studies achieve the identity tracking for some specific decryption privilege abuses (i.e., white-box attacks and black-box attacks), they are challenging to audit authorized users’ identities for ciphertext access behaviors, which may lead to potential data security and owners’ right-to-be-informed compliance issues. Based on CP-ABE mechanism, to realize identity tracing of ciphertext data access behavior in real application scenarios, this scheme designs a cross-domain ciphertext data sharing method, which generates the access request by binding the traceable decryption key with the authorized user’s access behavior. The integrity of access requests is protected by blockchain. Meanwhile, this scheme introduces an encrypted inverted index structure to address the inefficiency of the identity traceability caused by blockchain traversal. The privacy-preserving of index queries is achieved through the BLS signature and privacy set intersection. Theoretical analysis and experimental results demonstrate that the proposed cross-domain ciphertext sharing scheme with authorized users’ access behaviors audit trail is efficient and practical.

       

    /

    返回文章
    返回