云计算环境下基于属性加密的信息流控制及实现

doi:10.3969/j.issn.1000-3428.2018.03.005

摘要/Abstract

摘要： 传统的信息流控制技术受限于其基于单机环境的研究,难以有效保护云计算中数据的安全性。为此,提出一种基于属性加密的信息流控制机制。将基于属性的加密技术与信息流控制技术相结合,通过对用户私钥和访问树的生成方法重新设计,在减少用户制定访问策略工作的同时,使得该机制能够对云中数据进行有效的信息流控制,从而消除安全隐患。性能测试结果表明,该机制能够抵抗基于共享内存的侧通道攻击,保护静态虚拟域中敏感数据安全性。

关键词: 信息流控制, 基于属性加密, 云计算, 信息安全, 权限管理

Abstract: The traditional Information Flow Control(IFC) technology is limited by its stand-alone environment research,it is difficult to effectively protect the security of data in cloud computing.Therefore,this paper proposes an information flow control mechanism based on attribute encryption technology,which combines Attribute-Based Encryption(ABE) technology with IFC technology.By redesigning the user private key and access tree generation method,it reduces to access mechanism,making the mechanism to control the cloud data effective information flow,thus eliminates potential safety problems.Performance test results show that this mechanism can effectively resist the shared channel based attacks and protect the security of sensitive data in static virtual domains.

Key words: Information Flow Control(IFC), Attribute-based Encryption(ABE), cloud computing, information security, permission management

中图分类号:

TP391

杜远志,杜学绘,杨智. 云计算环境下基于属性加密的信息流控制及实现[J]. 计算机工程, doi: 10.3969/j.issn.1000-3428.2018.03.005.

DU Yuanzhi,DU Xuehui,YANG Zhi. Attribute-based Encryption Information Flow Control and Implementation in Cloud Computing Environment [J]. Computer Engineering, doi: 10.3969/j.issn.1000-3428.2018.03.005.

参考文献

参考文献［1］MYERS A C,LISKOV B.Protecting Privacy Using the Decentralized Label Model［J］.ACM Transactions on Software Engineering & Methodology,2003,9(4):410-442. ［2］吴泽智.信息流控制研究进展［J］.软件学报,2017,28(1):135-159. ［3］王庆飞.IaaS下虚拟机的安全存储和可信启动［J］.武汉大学学报(理学版),2014,60(3):231-236. ［4］PANDEY A,SRIVASTAVA S.An Approach for Virtual Machine Image Security［C］//Proceedings of IEEE International Conference on Signal Propagation and Computer Technology.Washington D.C.,USA:IEEE Press,2014:159-168. ［5］ZHOU W.Always Up-to-date:Scalable Offline Patching of VM Images in a Compute Cloud［C］//Proceedings of ACSAC’10.Austin,USA:［s.n.］,2010:6-10. ［6］ZHANG Q.Neon:System Support for Derived Data Management［C］//Proceedings of ACM Sigplan/Sigops International Conference on Virtual Execution Environments.New York,USA:ACM Press,2010:158-166. ［7］ERMOLINSKIY A.Design and Implementation of a Hypervisor-based Platform for Dynamic Information Flow Tracking in a Distributed Environment［D］.Berkeley,USA:University of California at Berkeley Berkeley,2011. ［8］MUNDADA Y,RAMACHANDRAN A,FEAMSTER N.Silverline:Data and Network Isolation for Cloud Services［C］//Proceedings of Usenix Conference on Hot Topics in Cloud Computing.Washington D.C.,USA:IEEE Press,2011:321-332. ［9］PRIEBE C.CloudSafetyNet:Detecting Data Leakage Between Cloud Tenants［C］//Proceedings of ACM Workshop on Cloud Computing Security.New York,USA:ACM Press,2014:117-128. ［10］BETHENCOURT J,SAHAI A,WATERS B.Ciphertext-policy Attribute-based Encryption［C］//Proceedings of IEEE Symposium on Security & Privacy.Washington D.C.,USA:IEEE Press,2007:321-334. ［11］PASQUIER T,BACON J,EYERS D.FlowK:Information Flow Control for the Cloud［C］//Proceedings of IEEE International Conference on Cloud Computing Technology & Science.Washington D.C.,USA:IEEE Press,2015:70-77. ［12］PASQUIER J M,BACON J,SHAND B.FlowR:Aspect Oriented Programming for Information Flow Control in Ruby［C］//Proceedings of ACM International Conference on Modularity.New York,USA:ACM Press,2014:64-77. ［13］SINGH J.Integrating Messaging Middleware and Information Flow Control［C］//Proceedings of IEEE International Conference on Cloud Engineering.Washington D.C.,USA:IEEE Press,2015:456-465. ［14］SINGH J,BACON J.SBUS:A Generic Policy-enforcing Middleware for Open Pervasive Systems:UCAM-CL-TR-847［D］.Cambridge,UK:University of Cambridge Computer Laboratory,2014. ［15］PASQUIER J M,SINGH J,BACON J.Information Flow Control for Strong Protection with Flexible Sharing in PaaS［C］//Proceedings of IEEE International Workshop on the Future of PaaS.Washington D.C.,USA:IEEE Press,2015:25-34. ［16］WU R.Information Flow Control in Cloud Computing［C］//Proceedings of International Conference on Collaborative Computing:Networking,Applications and Worksharing.Washington D.C.,USA:IEEE Press,2010:1-7. ［17］ELSAYED M,ZULKERNINE M.IFCaaS:Information Flow Control as a Service for Cloud Security［C］//Proceedings of International Conference on Availability.Washington D.C.,USA:IEEE Press,2016:211-216. ［18］SHAMIR A.Identity-based Cryptosystems and Signature Schemes［J］.Lecture Notes in Computer Science,1984,21(2):47-53. ［19］BONEH D,FRANKLIN M K.Identity Based Encryption from the Weil Pairing［J］.Siam Journal on Computing,2001,32(3):213-229. ［20］COCKS C.An Identity Based Encryption Scheme Based on Quadratic Residues［C］//Proceedings of IMA International Conference on Cryptography & Coding.Cirencester,UK:［s.n.］,2001:360-363. ［21］HORWITZ J.Toward Hierarchical Identity-based Encryption［C］//Proceedings of International Conference on Theory and Applications of Cryptographic Techniques.Amsterdam,the Netherlands:［s.n.］.2002:58-65. ［22］GENTRY C,SILVERBERG A.Hierarchical ID-based Cryptography［J］.Lecture Notes in Computer Science,2002,82(4):548-566. ［23］BONEH D,BOYEN X,Goh E J.Hierarchical Identity Based Encryption with Constant Size Ciphertext［C］//Proceedings of International Conference on Theory and Applications of Cryptographic Techniques.Berlin,Germany:Springer,2005:36-45. ［24］SAHAI A,WATERS B.Fuzzy Identity-based Encry-ption［C］//Proceedings of ACM International Conference on Theory and Applications of Cryptographic Techniques.New Yrok,USA:ACM Press,2005:212-222. ［25］GOYAL V.Attribute-based Encryption for Fine-grained Access Control of Encrypted Data［C］//Proceedings of ACM Conference on Computer and Communications Security.Alexandria,USA:ACM Press,2006:361-375. ［26］CHASE M.Multi-authority Attribute Based Encry-ption［M］.Berlin,Germany:Springer,2007. ［27］CHASE M,CHOW S S M.Improving Privacy and Security in Multi-authority Attribute-based Encryption［C］//Proceedings of ACM Conference on Computer and Communications Security.Chicago,USA:PCM Press, 2009:269-275. ［28］KATZ J,SAHAI A,WATERS B.Predicate Encryption Supporting Disjunctions,Polynomial Equations,and Inner Products［J］.Journal of Cryptology,2013,26(2):191-224. ［29］SHI E,WATERS B.Delegating Capabilities in Predicate Encryption Systems［C］//Proceedings of Automata,Languages & Programming,International Symposium.Reykjavik,Iceland:［s.n.］,2008:560-578. ［30］LI M.Securing Personal Health Records in Cloud Computing:Patient-centric and Fine-grained Data Access Control in Multi-owner Settings［C］//Proceedings of SECURECOMM’10.Singapore:［s.n.］,2010:7-9. ［31］YU S.Attribute Based Data Sharing with Attribute Revocation［C］//Proceedings of ASIACCS’10.Beijing,China:［s.n.］,2010:112-131. ［32］LI M.Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-based Encryption［J］.IEEE Transactions on Parallel & Distributed Systems,2013,24(24):131-143. ［33］李作辉,杨梦梦,陈性元.自适应安全与属性可重复的多授权机构ABE方案［J］.计算机工程,2015,41(12):21-25. ［34］ZHU Y.How to Use Attribute-based Encryption to Implement Role-based Access Control in the Cloud［C］//Proceedings of IEEE International Workshop on Security in Cloud Computing.Washington D.C.,USA:IEEE Press,2013:154-165. ［35］DENNING D E.A Lattice Model of Secure Information Flow［J］.Communications of the ACM,1976,19(5):236-243. 编辑索书志

[1]	王妍, 葛海波, 冯安琪. 云辅助移动边缘计算中的计算卸载策略[J]. 计算机工程, 2020, 46(8): 27-34.
[2]	周能, 张敏情, 林文兵. 基于秘密共享的可分离密文域可逆信息隐藏算法[J]. 计算机工程, 2020, 46(10): 112-119.
[3]	张继炎, 郑汉垣. 云环境下基于预算分配的科学工作流调度研究[J]. 计算机工程, 2019, 45(9): 40-48.
[4]	徐云涛, 许武军, 翟梦琳. 基于B/S架构的高并发虹膜识别系统[J]. 计算机工程, 2019, 45(8): 102-106,112.
[5]	许硕, 唐作其, 王鑫. 基于D-AHP与灰色理论的信息安全风险评估[J]. 计算机工程, 2019, 45(7): 194-202.
[6]	刘彪,王宝生,邓文平. 云环境下支持弹性伸缩的容器化工作流框架[J]. 计算机工程, 2019, 45(3): 7-13.
[7]	李建鹏, 史国振, 李莉, 孙德洋, 郑戈威. 异构云环境中的实时密码服务调度策略[J]. 计算机工程, 2019, 45(10): 1-7.
[8]	谭跃生,鲁黎明,王静宇. 基于安全三方计算的密文策略加密方案[J]. 计算机工程, 2019, 45(1): 115-120,128.
[9]	朱敏惠,陈燕俐,胡媛媛 . 支持代理重加密的基于身份可搜索加密方案[J]. 计算机工程, 2019, 45(1): 129-135,140.
[10]	刘雨潇,王毅,袁磊,吴钊. 基于期限约束与关键路径的云工作流调度[J]. 计算机工程, 2018, 44(8): 30-37.
[11]	毕小红,刘渊,陈飞. 微服务应用平台的网络性能研究与优化[J]. 计算机工程, 2018, 44(5): 53-59.
[12]	吴修国. 云环境下一种兼顾成本与存储空间的副本策略[J]. 计算机工程, 2018, 44(3): 19-26,36.
[13]	朱炜,王俊,周迅钊. 基于负载均衡的医院云计算系统资源调度方案[J]. 计算机工程, 2018, 44(3): 37-41,54.
[14]	纪鹏,吕旭明,苏善婷. 云环境下基于编码树的新型保序加密算法[J]. 计算机工程, 2018, 44(12): 288-293,300.
[15]	黄玉洁,唐作其,梁静. 基于信息熵与三参数区间的信息安全风险评估[J]. 计算机工程, 2018, 44(12): 178-183.