云计算环境下基于属性加密的信息流控制及实现

doi:10.3969/j.issn.1000-3428.2018.03.005

计算机工程

所属专题：云计算专题；

云计算环境下基于属性加密的信息流控制及实现

杜远志^1,2,3,杜学绘^1,2,3,杨智^1,2,3

(1.信息工程大学四院,郑州 450001; 2.河南省信息安全重点实验室,郑州 450001; 3.数学工程与先进计算国家重点实验室,郑州 450001)

收稿日期:2017-01-19 出版日期:2018-03-15 发布日期:2018-03-15
作者简介:杜远志(1992—),男,硕士研究生,主研方向为云计算、信息安全;杜学绘,教授、博士、博士生导师;杨智,副教授、博士。
基金资助:
国家高技术研究发展计划项目“多维控制的云计算信息流追责、管控技术”(2015AA016006);国家重点研发计划项目“协同精密定位云平台信息安全关键技术研究”(2016YFB0501900)。

Attribute-based Encryption Information Flow Control and Implementation in Cloud Computing Environment

DU Yuanzhi ^1,2,3,DU Xuehui ^1,2,3,YANG Zhi ^1,2,3

(1.The 4th College,Information Engineering University,Zhengzhou 450001,China;2.Henan Province Key Laboratory of Information Security,Zhengzhou 450001,China;3.State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China)

Received:2017-01-19 Online:2018-03-15 Published:2018-03-15

摘要/Abstract

摘要： 传统的信息流控制技术受限于其基于单机环境的研究,难以有效保护云计算中数据的安全性。为此,提出一种基于属性加密的信息流控制机制。将基于属性的加密技术与信息流控制技术相结合,通过对用户私钥和访问树的生成方法重新设计,在减少用户制定访问策略工作的同时,使得该机制能够对云中数据进行有效的信息流控制,从而消除安全隐患。性能测试结果表明,该机制能够抵抗基于共享内存的侧通道攻击,保护静态虚拟域中敏感数据安全性。

关键词: 信息流控制, 基于属性加密, 云计算, 信息安全, 权限管理

Abstract: The traditional Information Flow Control(IFC) technology is limited by its stand-alone environment research,it is difficult to effectively protect the security of data in cloud computing.Therefore,this paper proposes an information flow control mechanism based on attribute encryption technology,which combines Attribute-Based Encryption(ABE) technology with IFC technology.By redesigning the user private key and access tree generation method,it reduces to access mechanism,making the mechanism to control the cloud data effective information flow,thus eliminates potential safety problems.Performance test results show that this mechanism can effectively resist the shared channel based attacks and protect the security of sensitive data in static virtual domains.

Key words: Information Flow Control(IFC), Attribute-based Encryption(ABE), cloud computing, information security, permission management

中图分类号:

TP391

杜远志,杜学绘,杨智. 云计算环境下基于属性加密的信息流控制及实现[J]. 计算机工程, doi: 10.3969/j.issn.1000-3428.2018.03.005.

DU Yuanzhi,DU Xuehui,YANG Zhi. Attribute-based Encryption Information Flow Control and Implementation in Cloud Computing Environment[J]. Computer Engineering, doi: 10.3969/j.issn.1000-3428.2018.03.005.

http://www.ecice06.com/CN/Y2018/V44/I3/27

参考文献

参考文献［1］MYERS A C,LISKOV B.Protecting Privacy Using the Decentralized Label Model［J］.ACM Transactions on Software Engineering & Methodology,2003,9(4):410-442. ［2］吴泽智.信息流控制研究进展［J］.软件学报,2017,28(1):135-159. ［3］王庆飞.IaaS下虚拟机的安全存储和可信启动［J］.武汉大学学报(理学版),2014,60(3):231-236. ［4］PANDEY A,SRIVASTAVA S.An Approach for Virtual Machine Image Security［C］//Proceedings of IEEE International Conference on Signal Propagation and Computer Technology.Washington D.C.,USA:IEEE Press,2014:159-168. ［5］ZHOU W.Always Up-to-date:Scalable Offline Patching of VM Images in a Compute Cloud［C］//Proceedings of ACSAC’10.Austin,USA:［s.n.］,2010:6-10. ［6］ZHANG Q.Neon:System Support for Derived Data Management［C］//Proceedings of ACM Sigplan/Sigops International Conference on Virtual Execution Environments.New York,USA:ACM Press,2010:158-166. ［7］ERMOLINSKIY A.Design and Implementation of a Hypervisor-based Platform for Dynamic Information Flow Tracking in a Distributed Environment［D］.Berkeley,USA:University of California at Berkeley Berkeley,2011. ［8］MUNDADA Y,RAMACHANDRAN A,FEAMSTER N.Silverline:Data and Network Isolation for Cloud Services［C］//Proceedings of Usenix Conference on Hot Topics in Cloud Computing.Washington D.C.,USA:IEEE Press,2011:321-332. ［9］PRIEBE C.CloudSafetyNet:Detecting Data Leakage Between Cloud Tenants［C］//Proceedings of ACM Workshop on Cloud Computing Security.New York,USA:ACM Press,2014:117-128. ［10］BETHENCOURT J,SAHAI A,WATERS B.Ciphertext-policy Attribute-based Encryption［C］//Proceedings of IEEE Symposium on Security & Privacy.Washington D.C.,USA:IEEE Press,2007:321-334. ［11］PASQUIER T,BACON J,EYERS D.FlowK:Information Flow Control for the Cloud［C］//Proceedings of IEEE International Conference on Cloud Computing Technology & Science.Washington D.C.,USA:IEEE Press,2015:70-77. ［12］PASQUIER J M,BACON J,SHAND B.FlowR:Aspect Oriented Programming for Information Flow Control in Ruby［C］//Proceedings of ACM International Conference on Modularity.New York,USA:ACM Press,2014:64-77. ［13］SINGH J.Integrating Messaging Middleware and Information Flow Control［C］//Proceedings of IEEE International Conference on Cloud Engineering.Washington D.C.,USA:IEEE Press,2015:456-465. ［14］SINGH J,BACON J.SBUS:A Generic Policy-enforcing Middleware for Open Pervasive Systems:UCAM-CL-TR-847［D］.Cambridge,UK:University of Cambridge Computer Laboratory,2014. ［15］PASQUIER J M,SINGH J,BACON J.Information Flow Control for Strong Protection with Flexible Sharing in PaaS［C］//Proceedings of IEEE International Workshop on the Future of PaaS.Washington D.C.,USA:IEEE Press,2015:25-34. ［16］WU R.Information Flow Control in Cloud Computing［C］//Proceedings of International Conference on Collaborative Computing:Networking,Applications and Worksharing.Washington D.C.,USA:IEEE Press,2010:1-7. ［17］ELSAYED M,ZULKERNINE M.IFCaaS:Information Flow Control as a Service for Cloud Security［C］//Proceedings of International Conference on Availability.Washington D.C.,USA:IEEE Press,2016:211-216. ［18］SHAMIR A.Identity-based Cryptosystems and Signature Schemes［J］.Lecture Notes in Computer Science,1984,21(2):47-53. ［19］BONEH D,FRANKLIN M K.Identity Based Encryption from the Weil Pairing［J］.Siam Journal on Computing,2001,32(3):213-229. ［20］COCKS C.An Identity Based Encryption Scheme Based on Quadratic Residues［C］//Proceedings of IMA International Conference on Cryptography & Coding.Cirencester,UK:［s.n.］,2001:360-363. ［21］HORWITZ J.Toward Hierarchical Identity-based Encryption［C］//Proceedings of International Conference on Theory and Applications of Cryptographic Techniques.Amsterdam,the Netherlands:［s.n.］.2002:58-65. ［22］GENTRY C,SILVERBERG A.Hierarchical ID-based Cryptography［J］.Lecture Notes in Computer Science,2002,82(4):548-566. ［23］BONEH D,BOYEN X,Goh E J.Hierarchical Identity Based Encryption with Constant Size Ciphertext［C］//Proceedings of International Conference on Theory and Applications of Cryptographic Techniques.Berlin,Germany:Springer,2005:36-45. ［24］SAHAI A,WATERS B.Fuzzy Identity-based Encry-ption［C］//Proceedings of ACM International Conference on Theory and Applications of Cryptographic Techniques.New Yrok,USA:ACM Press,2005:212-222. ［25］GOYAL V.Attribute-based Encryption for Fine-grained Access Control of Encrypted Data［C］//Proceedings of ACM Conference on Computer and Communications Security.Alexandria,USA:ACM Press,2006:361-375. ［26］CHASE M.Multi-authority Attribute Based Encry-ption［M］.Berlin,Germany:Springer,2007. ［27］CHASE M,CHOW S S M.Improving Privacy and Security in Multi-authority Attribute-based Encryption［C］//Proceedings of ACM Conference on Computer and Communications Security.Chicago,USA:PCM Press, 2009:269-275. ［28］KATZ J,SAHAI A,WATERS B.Predicate Encryption Supporting Disjunctions,Polynomial Equations,and Inner Products［J］.Journal of Cryptology,2013,26(2):191-224. ［29］SHI E,WATERS B.Delegating Capabilities in Predicate Encryption Systems［C］//Proceedings of Automata,Languages & Programming,International Symposium.Reykjavik,Iceland:［s.n.］,2008:560-578. ［30］LI M.Securing Personal Health Records in Cloud Computing:Patient-centric and Fine-grained Data Access Control in Multi-owner Settings［C］//Proceedings of SECURECOMM’10.Singapore:［s.n.］,2010:7-9. ［31］YU S.Attribute Based Data Sharing with Attribute Revocation［C］//Proceedings of ASIACCS’10.Beijing,China:［s.n.］,2010:112-131. ［32］LI M.Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-based Encryption［J］.IEEE Transactions on Parallel & Distributed Systems,2013,24(24):131-143. ［33］李作辉,杨梦梦,陈性元.自适应安全与属性可重复的多授权机构ABE方案［J］.计算机工程,2015,41(12):21-25. ［34］ZHU Y.How to Use Attribute-based Encryption to Implement Role-based Access Control in the Cloud［C］//Proceedings of IEEE International Workshop on Security in Cloud Computing.Washington D.C.,USA:IEEE Press,2013:154-165. ［35］DENNING D E.A Lattice Model of Secure Information Flow［J］.Communications of the ACM,1976,19(5):236-243. 编辑索书志

[1]	刘志彬, 黄秋兰, 胡庆宝, 程耀东, 胡誉, 田浩来. Kubernetes异构资源细粒度调度策略的设计与实现[J]. 计算机工程, 2023, 49(2): 31-36,45.
[2]	张亮, 刘百祥. 区块链与秘密分享融合技术综述[J]. 计算机工程, 2022, 48(8): 1-11.
[3]	奚智雯, 蔡晶晶, 阳文敏, 柴志雷. 基于微服务架构FPGA云平台的并发请求调度机制[J]. 计算机工程, 2022, 48(7): 206-213.
[4]	贺小伟, 徐靖杰, 王宾, 吴昊, 张博文. 基于GRU-LSTM组合模型的云计算资源负载预测研究[J]. 计算机工程, 2022, 48(5): 11-17,34.
[5]	陈儒玉, 戴欢, 高玉建, 付保川, 陈洁. 基于区块链的电子学位证照数据保护共享方法[J]. 计算机工程, 2022, 48(4): 50-60,80.
[6]	赵宇峰, 雷晟, 张国钢, 耿英三. 基于容器技术的电力设备仿真云平台设计与开发[J]. 计算机工程, 2021, 47(9): 171-177,184.
[7]	施凌鹏, 朱征, 周俊松, 李鑫, 李静. 面向微服务架构的云系统负载均衡机制[J]. 计算机工程, 2021, 47(9): 44-50,58.
[8]	倪思源, 扈红超, 刘文彦, 梁浩. 基于轮换策略的异构云资源分配算法[J]. 计算机工程, 2021, 47(6): 44-51,67.
[9]	李凌书, 邬江兴. 面向云网融合SaaS安全的虚拟网络功能映射方法[J]. 计算机工程, 2021, 47(12): 30-39.
[10]	朱嵩, 王化群. 基于Paillier算法的智能电网数据聚合与激励方案[J]. 计算机工程, 2021, 47(11): 166-174.
[11]	夏高, 何成万. 一种基于异或运算的(k,n)门限秘密共享算法[J]. 计算机工程, 2021, 47(10): 111-115,124.
[12]	王妍, 葛海波, 冯安琪. 云辅助移动边缘计算中的计算卸载策略[J]. 计算机工程, 2020, 46(8): 27-34.
[13]	周能, 张敏情, 林文兵. 基于秘密共享的可分离密文域可逆信息隐藏算法[J]. 计算机工程, 2020, 46(10): 112-119.
[14]	张继炎, 郑汉垣. 云环境下基于预算分配的科学工作流调度研究[J]. 计算机工程, 2019, 45(9): 40-48.
[15]	徐云涛, 许武军, 翟梦琳. 基于B/S架构的高并发虹膜识别系统[J]. 计算机工程, 2019, 45(8): 102-106,112.

选择文件类型/文献管理软件名称

选择包含的内容

云计算环境下基于属性加密的信息流控制及实现

Attribute-based Encryption Information Flow Control and Implementation in Cloud Computing Environment

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

云计算环境下基于属性加密的信息流控制及实现

Attribute-based Encryption Information Flow Control and Implementation in Cloud Computing Environment

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价