摘要
可信云存储采用本地数据加解密来保证用户外包数据在网络传输和云端存储的安全性.该环境下数据拥有者通过对数据密钥的安全共享和管理来实现对不同用户的选择性数据访问授权控制.针对多数据拥有者可信云存储环境,以最小化用户的密钥安全传输/存储等密钥管理代价及其安全风险为目标,提出了一种新的基于全局逻辑层次图(global logical hierarchical graph,GLHG)的密钥推导机制的密钥管理方法.该方法通过GLHG密钥推导图来安全、等价地实施全局用户的数据访问授权策略,同时利用云服务提供商(半可信第三方)来执行GLHG密钥推导图结构的管理并引入代理重加密技术,从而进一步提高密钥管理执行效率.阐述了基于GLHG密钥推导图更新的动态访问控制支持策略,并对该方法进行安全性分析和实验对比分析.
In trusted cloud storage (TCS), for protecting the privacy of the sensitive outsourced cloud data, data owners locally encrypt their data before outsourcing. Through the secure management of the data keys, the selective access of outsourced data can be enforced in TCS scenarios. However, in TCS with multiple data owners, it remains a challenge to reduce users' security risk and costs of key management as much as possible. In this paper, we propose a novel key management scheme based on global logical hierarchical graph (GLHG) for key derivation, which is used to enforce correctly the global authorization policies of all users. Our solution can achieve high efficiency by delegating the management of GLHG structure to cloud and adopting proxy re-encryption (PRE) technology. Additionally, this paper states the update policies for supporting dynamic access control. Finally, we show the benefits of our solution by experimentally evaluating quantitative criterions of key management.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2013年第8期1613-1627,共15页
Journal of Computer Research and Development
基金
国家自然科学基金项目(61232002
61202034)
华为技术有限公司创新研究计划基金项目(YJCB201001078)
高等学校博士学科点专项科研基金项目(20110141120033)
软件工程国家重点实验室开放基金项目(SKLSE2010-08-20)
关键词
可信云存储
前端加密
密钥管理
访问控制
密钥推导
trusted cloud storage
local encryption
key management
access control
key derivation
