联盟链高效存储访问控制方案

doi:10.19678/j.issn.1000-3428.0064936

摘要/Abstract

摘要：

联盟链平台上的超级账本Hyperledger Fabric提供了通道机制对数据进行隔离保护，但通道内部节点可随意获取链上数据且存在管理中心化的问题，使得联盟链面临数据泄露、访问权限无法更新等安全问题。为了解决以上问题，提出基于密文-策略属性基加密算法的联盟链高效存储访问控制方案。针对访问策略及节点权限更新问题，创建数据链和属性集链，实现数据链上所有节点的属性更新，利用数据库进行访问策略更新并存储访问策略的历史修改记录。修改Hyperledger Fabric提供的Fabric-CA组件，提高节点属性私钥生成与分发过程中的安全性。设计星际文件系统的存储数据分块优化和数据请求协商机制，并使用SM4算法加密数据，实现数据的高效安全存储。测试结果表明，与TABE-DAC方案相比，该方案的访问控制和数据存储时间分别降低了100~200 ms和1~2 s，在保证较高安全性的同时具有更高的运行效率。

关键词: 联盟链, 属性基加密, 星际文件系统, 访问控制, SM4算法

Abstract:

The alliance chain platform Hyperledger Fabric provides a channel mechanism to isolate and protect data, but the nodes inside the channel can retrieve data on the chain at will and management is centralized, which means alliance chain faces security problems such as data leakage, confusion of node access rights, inability to update access rights, and centralization of data storage.To address the above issues, an efficient storage access control scheme for alliance chain based on Ciphertext-Policy Attribute-Based Encryption(CPABE) algorithm is proposed. To address the issue of updating access policies and node permissions, a data chain and attribute set chain are created to achieve attribute updates for all nodes on the data chain. A database is used to update access policies and store historical modification records of access policies.By modifying the Fabric-CA component provided by Hyperledger Fabric, the security of node attribute private key generation and distribution process is improved.In this scheme, the storage data partitioning optimization mechanism and data request negotiation mechanism of the Inter Planetary File System(IPFS)are designed, and the SM4 algorithm is used to encrypt the data, achieving efficient and secure storage of the data.The test results show that compared with the efficient Traceable Attribute-Based Encryption scheme with Dynamic Access Control based on blockchain(TABE-DAC) scheme, the access control and data storage time of this scheme are reduced by 100-200 ms and 1-2 s, respectively, ensuring greater security while maintaining higher operational efficiency.

Key words: alliance chain, Attribute-Based Encryption(ABE), Inter Planetary File System(IPFS), access control, SM4 algorithm

黄保华, 郑慧颖, 屈锡, 陈宁江. 联盟链高效存储访问控制方案[J]. 计算机工程, 2023, 49(8): 37-45.

Baohua HUANG, Huiying ZHENG, Xi QU, Ningjiang CHEN. Efficient Storage Access Control Scheme for Alliance Chain[J]. Computer Engineering, 2023, 49(8): 37-45.

http://www.ecice06.com/CN/Y2023/V49/I8/37

图/表 13

图1 Fabric交易流程

Fig.1 Fabric transaction process

图2 访问控制方案的系统模型

Fig.2 System model of access control scheme

图3 初始化阶段流程

Fig.3 Process of initialisation phase

图4 数据加密上链阶段流程

Fig.4 Process of data encryption upload phase

图5 数据存储阶段流程

Fig.5 Process of data storage phase

图6 访问控制阶段流程

Fig.6 Process of access control phase

图7 访问策略更新阶段流程

Fig.7 Process of access policy update phase

图8 属性集更新阶段流程

Fig.8 Process of attribute set update phase

图9 数据访问控制流程

Fig.9 Process of data access control

图10 数据上链的实验结果

Fig.10 Experimental result of data upload

图11 数据下载的实验结果

Fig.11 Experimental result of data download

图12 访问策略更新的实验结果

Fig.12 Experimental result of access policy update

图13 属性集更新的实验结果

Fig.13 Experimental result of attribute set update

参考文献 31

1	ANDROULAKI E, BARGER A, BORTNIKOV V, et al. Hyperledger Fabric: a distributed operating system for permissioned blockchains[C]//Proceedings of the 13th EuroSys Conference. New York, USA: ACM Press, 2018: 1-15.
2	SHEN J J, LI Y, ZHOU Y F, et al. Understanding I/O performance of IPFS storage: a client's perspective[C]//Proceedings of International Symposium on Quality of Service. New York, USA: ACM Press, 2019: 1-10.
3	张志威, 王国仁, 徐建良, 等. 区块链的数据管理技术综述. 软件学报, 2020, 31 (9): 2903- 2925. URL
	ZHANG Z W, WANG G R, XU J L, et al. Survey on data management in blockchain systems. Journal of Software, 2020, 31 (9): 2903- 2925. URL
4	JEMEL M, SERHROUCHNI A. Decentralized access control mechanism with temporal dimension based on blockchain[C]//Proceedings of the 14th International Conference on E-Business Engineering. Washington D. C., USA: IEEE Press, 2017: 177-182.
5	YAN Z, GAN G H, RIAD K. BC-PDS: protecting privacy and self-sovereignty through blockchains for OpenPDS[C]//Proceedings of IEEE Symposium on Service-Oriented System Engineering. Washington D. C., USA: IEEE Press, 2017: 138-144.
6	GAO S, PIAO G R, ZHU J M, et al. TrustAccess: a trustworthy secure ciphertext-policy and attribute hiding access control scheme based on blockchain. IEEE Transactions on Vehicular Technology, 2020, 69 (6): 5784- 5798. doi: 10.1109/TVT.2020.2967099
7	徐俊伟, 袁景凌, 向广利. 可更新属性的链上数据访问控制方法. 小型微型计算机系统, 2023, 44 (2): 429- 434.
	XU J W, YUAN J L, XIANG G L. Data access control based on updatable attributes encryption. Journal of Chinese Computer Systems, 2023, 44 (2): 429- 434.
8	汪金苗, 谢永恒, 王国威, 等. 基于属性基加密的区块链隐私保护与访问控制方法. 信息网络安全, 2020, (9): 47- 51. URL
	WANG J M, XIE Y H, WANG G W, et al. A method of privacy preserving and access control in blockchain based on attribute-based encryption. Netinfo Security, 2020, (9): 47- 51. URL
9	YU G S, ZHA X, WANG X, et al. Enabling attribute revocation for fine-grained access control in blockchain-IoT systems. IEEE Transactions on Engineering Management, 2020, 67 (4): 1213- 1230. doi: 10.1109/TEM.2020.2966643
10	邱云翔, 张红霞, 曹琪, 等. 基于CP-ABE算法的区块链数据访问控制方案. 网络与信息安全学报, 2020, 6 (3): 88- 98. URL
	QIU Y X, ZHANG H X, CAO Q, et al. Blockchain data access control scheme based on CP-ABE algorithm. Chinese Journal of Network and Information Security, 2020, 6 (3): 88- 98. URL
11	BENET J. IPFS-content addressed, versioned, P2P file system[EB/OL]. [2022-05-11]. https://arxiv.org/abs/1407.3561.
12	DANIEL E, TSCHORSCH F. IPFS and friends: a qualitative comparison of next generation peer-to-peer data networks. IEEE Communications Surveys & Tutorials, 2022, 24 (1): 31- 52.
13	HUANG H W, LIN J R, ZHENG B C, et al. When blockchain meets distributed file systems: an overview, challenges, and open issues. IEEE Access, 2020, 8, 50574- 50586. doi: 10.1109/ACCESS.2020.2979881
14	JOVOVIĆ I, HUSNJAK S, FORENBACHER I, et al. 5G, blockchain and IPFS: a general survey with possible innovative applications in industry 4.0[C]//Proceedings of the 3rd EAI International Conference on Management of Manufacturing Systems. Dubrovnik, Croatia: EAI Press, 2018: 157-158.
15	VAGHELA A, SUTHAR A. A review of bigdata analysis using smart contract[EB/OL]. [2022-05-11]. https://www.researchgate.net/publication/350048650_A_REVIEW_OF_BIGDATA_ANALYSIS_USING_SMART_CONTRACT.
16	TENORIO-FORNÉS A, HASSAN S, PAVÓN J. Open peer-to-peer systems over blockchain and IPFS: an agent oriented framework[C]//Proceedings of the 1st Workshop on Cryptocurrencies and Blockchains for Distributed Systems. New York, USA: ACM Press, 2018: 19-24.
17	REEN G S, MOHANDAS M, VENKATESAN S. Decentralized patient centric e-health record management system using blockchain and IPFS[C]//Proceedings of IEEE Conference on Information and Communication Technology. Washington D. C., USA: IEEE Press, 2020: 1-7.
18	BATTAH A A, MADINE M M, ALZAABI H, et al. Blockchain-based multi-party authorization for accessing IPFS encrypted data. IEEE Access, 2020, 8, 196813- 196825. doi: 10.1109/ACCESS.2020.3034260
19	PHAM V D, TRAN C T, NGUYEN T, et al. B-BOX: a decentralized storage system using IPFS, attributed-based encryption, and blockchain[C]//Proceedings of RIVF International Conference on Computing and Communication Technologies. Washington D. C., USA: IEEE Press, 2020: 1-6.
20	SUN J, YAO X M, WANG S P, et al. Blockchain-based secure storage and access scheme for electronic medical records in IPFS. IEEE Access, 2020, 8, 59389- 59401. doi: 10.1109/ACCESS.2020.2982964
21	TANG J, JIA T, CHEN H B, et al. Research on big data storage method based on IPFS and blockchain[C]//Proceedings of the 2nd International Conference on Video, Signal and Image Processing. New York, USA: ACM Press, 2020: 55-60.
22	SABERI M A, ADDA M, MCHEICK H. Break-glass conceptual model for distributed EHR management system based on blockchain, IPFS and ABAC. Procedia Computer Science, 2022, 198 (C): 185- 192.
23	UDDIN M N, HASNAT A H M, NASRIN S, et al. Secure file sharing system using blockchain, IPFS and PKI technologies[C]//Proceedings of the 5th International Conference on Electrical Information and Communication Technology. Washington D. C., USA: IEEE Press, 2022: 1-5.
24	TENORIO-FORNÉS Á, HASSAN S, PAVÓN J. Peer-to-peer system design trade-offs: a framework exploring the balance between blockchain and IPFS. Applied Sciences, 2021, 11 (21): 10012.
25	MANI V, MANICKAM P, ALOTAIBI Y, et al. Hyperledger healthchain: patient-centric IPFS-based storage of health records. Electronics, 2021, 10 (23): 3003.
26	HENNINGSEN S, FLORIAN M, RUST S, et al. Mapping the interplanetary file system[C]//Proceedings of IFIP Networking Conference. Washington D. C., USA: IEEE Press, 2020: 289-297.
27	GUIDI B, MICHIENZI A, RICCI L. Data persistence in decentralized social applications: the IPFS approach[C]//Proceedings of the 18th Annual Consumer Communications & Networking Conference. Washington D. C., USA: IEEE Press, 2021: 1-4.
28	LAJAM O A, HELMY T A. Performance evaluation of IPFS in private networks[C]//Proceedings of the 4th International Conference on Data Storage and Data Engineering. New York, USA: ACM Press, 2021: 77-84.
29	DOAN T V, PSARAS Y, OTT J, et al. Toward decentralized cloud storage with IPFS: opportunities, challenges, and future considerations. IEEE Internet Computing, 2022, 26 (6): 7- 15.
30	LIN Y F, ZHANG C Y. A method for protecting private data in IPFS[C]//Proceedings of the 24th International Conference on Computer Supported Cooperative Work in Design. Washington D. C., USA: IEEE Press, 2021: 404-409.
31	GUO L F, YANG X L, YAU W C. TABE-DAC: efficient traceable attribute-based encryption scheme with dynamic access control based on blockchain. IEEE Access, 2021, 9, 8479- 8490.

[1]	王春东, 王翔宇. 多层次实用拜占庭容错算法改进[J]. 计算机工程, 2023, 49(8): 29-36.
[2]	何建江, 陈玉玲. 基于DLIN加密的可监管联盟链隐私保护方案[J]. 计算机工程, 2023, 49(6): 170-179.
[3]	方子旋, 曹素珍, 闫俊鉴, 卢彦霏, 何启芝, 王彩芬. 智慧医疗环境下白盒可追溯的CP-ABE方案[J]. 计算机工程, 2023, 49(3): 142-150.
[4]	田秀霞, 杨明夷. 家庭物联网中基于智能合约的访问控制机制[J]. 计算机工程, 2023, 49(3): 18-28.
[5]	刘晶, 朱炳旭, 梁佳杭, 任女尔, 季海鹏. 基于主侧链合作的区块链访问控制策略[J]. 计算机工程, 2022, 48(3): 10-16,22.
[6]	张晓东, 陈韬伟, 余益民. 一种基于LWE‐CPABE的区块链数据共享方案[J]. 计算机工程, 2022, 48(10): 158-168,175.
[7]	黄志清, 解鲁阳, 张严心, 尹泽明. 基于区块链的物联网数据服务信誉评估模型[J]. 计算机工程, 2022, 48(1): 33-42.
[8]	纪文桃, 李媛媛, 秦宝东. 基于决策树的SM4分组密码工作模式识别[J]. 计算机工程, 2021, 47(8): 157-161,169.
[9]	王静宇, 周雪娟. 一种支持属性撤销的密文策略属性基加密方案[J]. 计算机工程, 2021, 47(7): 95-100.
[10]	方燚飚, 周创明, 雷晓莉, 宋亚飞, 高娜. 基于区块链技术的供应链交易系统设计[J]. 计算机工程, 2021, 47(6): 23-31.
[11]	张本宏, 吴浩浩, 俞磊. 车载自组织网络中基于竞争的时分多址MAC协议[J]. 计算机工程, 2021, 47(5): 154-159.
[12]	张建国, 胡晓辉. 基于以太坊的改进物联网设备访问控制机制研究[J]. 计算机工程, 2021, 47(4): 32-39,47.
[13]	张江徽, 崔波, 李茹, 史锦山. 基于智能合约的物联网访问控制系统[J]. 计算机工程, 2021, 47(4): 21-31.
[14]	詹长健, 雷磊, 沈高青, 李志林. 适用于水声传感网络的多链路传输MAC协议[J]. 计算机工程, 2021, 47(2): 194-200.
[15]	韩舒艳, 努尔买买提·黑力力. 选择性隐藏树型访问结构的CP-ABE方案[J]. 计算机工程, 2020, 46(7): 150-158.

选择文件类型/文献管理软件名称

选择包含的内容