基于混合云架构的深度语义密文检索

针对传统的云环境下密文检索方案基于统计学模型来生成文件向量和检索向量,并没有考虑文件和请求的深层次语义信息,提出一种基于混合云架构的深层次语义密文检索模型。通过私有云联邦学习神经网络模型构建向量生成模型,通过公有云存储密文数据。另外,提出密倒排索引表来存放文件向量,在公有云的检索过程中,保证检索信息不被泄露的情况下提高检索的效率。对真实数据集的分析和实验表明,提出的方案在安全性和搜索效率方面都优于目前同类型的密文检索方案。     

一种云端信息安全字形的生成模型

提出了一种云端信息安全字形的生成模型。该模型将汉字的字形抽象为汉字结构模式和汉字的风格模式,然后通过定义有效的汉字结构输出和汉字笔画生成方案,动态地生成了可用于信息安全保护的信息安全字形。该模型实现了汉字字形的Web存储和在客户端的特征字形的输出的监控,克服了现代汉字由于整字编码而导致的汉字信息在云端安全服务方面的不足,为汉字信息的云端存储和云端数据安全服务保护提供了一种有效的策略和方法;同时,也为设计更深层次的云端汉字信息服务系统奠定了基础。     

Memory leakage-resilient searchable symmetric encryption

Along with the popularization and rapid development of cloud-computing, more and more individuals and enterprises choose to store their data in cloud servers. However, in order to protect data privacy and deter illegal accesses, the data owner has to encrypt his data before outsourcing it to the cloud server. In this situation, searchable encryption, especially searchable symmetric encryption (SSE) has become one of the most important techniques in cloud-computing area. In the last few years, researchers have presented many secure and efficient SSE schemes. Like traditional encryption, the security of all existing SSE schemes are based on the assumption that the data owner holds a secret key that is unknown to the adversary. Unfortunately, in practice, attackers are often able to obtain some or even all of the data owner’s secret keys by a great variety of inexpensive and fast side channel attacks. Facing such attacks, all existing SSE schemes are no longer secure. In this paper, we investigate how to construct secure SSE schemes with the presence of memory attack. We firstly propose the formal definition of memory leakage-resilient searchable symmetric encryption (MLR-SSE, for short). Based on that, we present one adaptive MLR-SSE scheme and one efficient non-adaptive dynamic MLR-SSE scheme based on physical unclonable functions (PUFs), and formally prove their security in terms of our security definitions.     

云存储中支持属性撤销的多关键词可搜索加密方案

云存储的便捷性和管理高效性使得越来越多的用户选择将数据存放在云端。为支持用户对云端加密数据进行检索,提出云存储中基于属性加密支持属性撤销的多关键词搜索方案。采用线性秘密共享矩阵来表示访问控制结构,实现密文细粒度访问控制,在属性撤销过程中不需要更新密钥,应对用户属性变更的情况,在此基础上构造基于多项式方程的搜索算法支持多关键词搜索,从而提高搜索精度。理论分析和实验结果表明,该方案具有陷门不可伪造性和关键词隐私性,能够保证用户数据的隐私和安全,相比CP-ABE方案,具有较高的存储性能和计算效率,功能性更强。     

一种保护云存储平台上用户数据私密性的方法

近年来,云存储被研究者和IT厂商广泛关注,许多应用程序都用云存储来存储数据.但是用户和厂商都对于云存储的安全性和私密性问题表示忧虑.云存储安全的核心是分布式文件系统的安全性和私密性.基于SSL安全连接和Daoli安全虚拟监控系统可以充分保护分布式文件系统中用户数据的安全性和私密性.安全虚拟监督系统可以阻止传统攻击及来自云管理员的攻击.针对用户的不同需求和数据存储系统的特点,有2种解决方案,分别针对分布式文件系统中用户文件的每一块进行保护,保障用户文件每一块的私密性及对整个用户文件进行保护,保证用户文件整体私密性.对于用户数据的私密性而言,SSL安全连接和虚拟监控系统引入的性能损失是可以被接受的.     

基于同态加密的可信云存储平台

基于全同态加密技术的数据检索方法可以直接对加密的数据进行检索,不但能保证被检索的数据不被统计分析,还能对被检索的数据做基本的加法和乘法运算而不改变对应明文的顺序,既保护了用户的数据安全,又提高了检索效率。文章就是针对上述问题提出的一个系统级解决方案,主要致力于解决云存储系统中信息的安全存储与管理问题。为实现此目标,该方案采用了同态加密算法,以及在这种算法基础上提出的一种密文检索算法,既保证了用户数据的安全性,又保证了服务器能够对存储的用户密文直接进行操作,实现了对密文的直接检索,平衡了云存储系统中保证用户数据的安全性和服务于云计算之间的关系。     

User Centric Block-Level Attribute Based Encryption in Cloud Using Blockchains

Cloud computing is a collection of distributed storage Network which can provide various services and store the data in the efficient manner. The advantages of cloud computing is its remote access where data can accessed in real time using Remote Method Innovation (RMI). The problem of data security in cloud environment is a major concern since the data can be accessed by any time by any user. Due to the lack of providing the efficient security the cloud computing they fail to achieve higher performance in providing the efficient service. To improve the performance in data security, the block chains are used for securing the data in the cloud environment. However, the traditional block chain technique are not suitable to provide efficient security to the cloud data stored in the cloud. In this paper, an efficient user centric block level Attribute Based Encryption (UCBL-ABE) scheme is presented to provide the efficient security of cloud data in cloud environment. The proposed approach performs data transaction by employing the block chain. The proposed system provides efficient privacy with access control to the user access according to the behavior of cloud user using Data Level Access Trust (DLAT). Based on DLAT, the user access has been restricted in the cloud environment. The proposed protocol is implemented in real time using Java programming language and uses IBM cloud. The implementation results justifies that the proposed system can able to provide efficient security to the data present in and cloud and also enhances the cloud performance.     

基于属性基加密的区块链数据共享模型

为确保当前区块链数据共享机制中的隐私保护及数据安全,受属性基加密技术能够有效实现云上数据安全共享与访问控制的启发,提出了基于属性基加密的区块链数据共享模型.该模型基于Waters所提出的密文策略属性基加密(CP-ABE)方案,首先,在私钥生成阶段,数据使用方委托多个节点参与联合计算并存储部分私钥,其他数据使用者则不可获取完整密钥,从而提升了私钥的生成效率;其次,为防止密钥滥用及算法中参数的管理,定义了一种密钥传递事务数据结构,实现了CP-ABE算法的可追责性;最后,通过构建具有链上链下协同计算与存储功能的共享链,实现了属性基加密与区块链系统的有效融合.安全性分析和实验仿真结果表明,所提模型在密钥生成计算效率和实际业务场景方面有一定的优化,满足工程应用的需要.     

抗密钥泄露的在线/离线身份基加密机制

目前已有的在线离线身份基加密（IBOOE）方案无法抵抗边信道攻击,引起密码系统秘密信息泄露问题。新方案通过将随机提取器嵌入在线加密算法来隐藏私钥泄露和密文之间的关系,提出首个有界泄露模型下安全的IBOOE方案;新方案基于合数阶双线性群上的三个静态假设,利用双系统加密技术在标准模型下抵抗选择明文攻击达到完全安全性和泄露弹性。此外,与传统的IBOOE方案相比较,新方案特别适用于敏感数据存储且资源受限的场景。     

云环境下基于秘密共享的海洋遥感影像认证方案

云存储模式的出现为海量海洋遥感影像的存储和管理带来了机遇,越来越多的用户选择将海洋遥感影像数据移植到云中,但云存储环境的开放性对海洋遥感影像数据的安全性提出了挑战。以保障云环境下海洋遥感敏感数据的安全性为前提,提出一种影像认证方案,将哈希函数与(k,n)门限秘密共享方法相结合,检测敏感区影像信息变化,并对加密前和恢复后的影像进行一致性验证,保护加密影像数据的机密性。同时,为避免n个子秘密中,因多于n-k个子秘密的篡改或丢失,造成敏感区影像不可恢复情况的发生,采用对敏感区影像进行分块的策略,对每个子影像块做进一步的秘密共享处理,以保证部分影像的无损恢复。实验对比分析表明,所提出的安全认证方案可以有效防止秘密恢复过程中的欺诈行为,同时可获得比传统方法更高的遥感影像云存储安全性。     

Secured Data Storage Using Deduplication in Cloud Computing Based on Elliptic Curve Cryptography

The tremendous development of cloud computing with related technologies is an unexpected one. However, centralized cloud storage faces few challenges such as latency, storage, and packet drop in the network. Cloud storage gets more attention due to its huge data storage and ensures the security of secret information. Most of the developments in cloud storage have been positive except better cost model and effectiveness, but still data leakage in security are billion-dollar questions to consumers. Traditional data security techniques are usually based on cryptographic methods, but these approaches may not be able to withstand an attack from the cloud server's interior. So, we suggest a model called multi-layer storage (MLS) based on security using elliptical curve cryptography (ECC). The suggested model focuses on the significance of cloud storage along with data protection and removing duplicates at the initial level. Based on divide and combine methodologies, the data are divided into three parts. Here, the first two portions of data are stored in the local system and fog nodes to secure the data using the encoding and decoding technique. The other part of the encrypted data is saved in the cloud. The viability of our model has been tested by research in terms of safety measures and test evaluation, and it is truly a powerful complement to existing methods in cloud storage.     

Responsive security for stored data

We present the design of a distributed store that offers various levels of security guarantees while tolerating a limited number of nodes that are compromised by an adversary. The store uses secret sharing schemes to offer security guarantees, namely, availability, confidentiality, and integrity. However, a pure secret sharing scheme could suffer from performance problems and high access costs. We integrate secret sharing with replication for better performance and to keep access costs low. The trade offs involved between availability and access cost on one hand and confidentiality and integrity on the other are analyzed. Our system differs from traditional approaches such as state machine or quorum-based replication that have been developed to tolerate Byzantine failures. Unlike such systems, we augment replication with secret sharing and offer weaker consistency guarantees. We demonstrate that such a hybrid scheme offers additional flexibility that is not possible with replication alone.     

一种基于双单向传输通道的网络隔离方案

针对现有网络隔离技术中存在数据传输完整性不能保证、高密级网系统安全性有待提高等问题,文章提出一种基于双单向传输通道的网络隔离方案。该方案采用双FIFO存储器,将网络隔离与虚拟机机制结合起来,有效提高了数据传输速率,避免了存储操作时造成的数据丢失,提升了高密级网的安全性能。     

DNACDS: Cloud IoE big data security and accessing scheme based on DNA cryptography

The Internet of Everything (IoE) based cloud computing is one of the most prominent areas in the digital big data world. This approach allows efficient infrastructure to store and access big real-time data and smart IoE services from the cloud. The IoE-based cloud computing services are located at remote locations without the control of the data owner. The data owners mostly depend on the untrusted Cloud Service Provider (CSP) and do not know the implemented security capabilities. The lack of knowledge about security capabilities and control over data raises several security issues. Deoxyribonucleic Acid (DNA) computing is a biological concept that can improve the security of IoE big data. The IoE big data security scheme consists of the Station-to-Station Key Agreement Protocol (StS KAP) and Feistel cipher algorithms. This paper proposed a DNA-based cryptographic scheme and access control model (DNACDS) to solve IoE big data security and access issues. The experimental results illustrated that DNACDS performs better than other DNA-based security schemes. The theoretical security analysis of the DNACDS shows better resistance capabilities.     

一种支持属性撤销的密文策略属性基加密方案

针对传统属性基加密方案中单授权中心计算开销大以及安全性较差等问题,通过引入多个授权中心以及安全两方计算协议等技术,提出一种支持细粒度属性级撤销和用户级撤销的密文策略属性基加密方案。引入多个属性授权中心以颁发并更新属性版本秘钥,同时秘钥生成中心与云存储服务器之间进行安全两方计算等操作,生成并更新用户密钥,从而进行细粒度属性级撤销。在云存储服务器中,对用户列表中的用户唯一秘值及唯一身份值进行操作以实现用户级撤销,同时通过多个授权中心抵抗合谋攻击,并将部分计算工作外包给云端。分析结果表明,与基于AND、访问树和LSSS策略的方案相比,该方案有效增强了系统的安全功能,同时显著降低了系统的计算复杂度。     

Security-aware intermediate data placement strategy in scientific cloud workflows

Massive computation power and storage capacity of cloud computing systems allow scientists to deploy data-intensive applications without the infrastructure investment, where large application datasets can be stored in the cloud. Based on the pay-as-you-go model, data placement strategies have been developed to cost-effectively store large volumes of generated datasets in the scientific cloud workflows. As promising as it is, this paradigm also introduces many new challenges for data security when the users outsource sensitive data for sharing on the cloud servers, which are not within the same trusted domain as the data owners. This challenge is further complicated by the security constraints on the potential sensitive data for the scientific workflows in the cloud. To effectively address this problem, we propose a security-aware intermediate data placement strategy. First, we build a security overhead model to reasonably measure the security overheads incurred by the sensitive data. Second, we develop a data placement strategy to dynamically place the intermediate data for the scientific workflows. Finally, our experimental results show that our strategy can effectively improve the intermediate data security while ensuring the data transfer time during the execution of scientific workflows.     

Secret sharing approach for securing cloud-based pre-classification volume ray-casting

With the evolution in cloud computing, cloud-based volume rendering, which outsources data rendering tasks to cloud datacenters, is attracting interest. Although this new rendering technique has many advantages, allowing third-party access to potentially sensitive volume data raises security and privacy concerns. In this paper, we address these concerns for cloud-based pre-classification volume ray-casting by using Shamir’s (k, n) secret sharing and its variant (l, k, n) ramp secret sharing, which are homomorphic to addition and scalar multiplication operations, to hide color information of volume data/images in datacenters. To address the incompatibility issue of the modular prime operation used in secret sharing technique with the floating point operations of ray-casting, we consider excluding modular prime operation from secret sharing or converting the floating number operations of ray-casting to fixed point operations – the earlier technique degrades security and the later degrades image quality. Both these techniques, however, result in significant data overhead. To lessen the overhead at the cost of high security, we propose a modified ramp secret sharing scheme that uses the three color components in one secret sharing polynomial and replaces the shares in floating point with smaller integers.     

同态公钥加密系统的图像可逆信息隐藏算法

同态加密技术在加密信息、对信息进行隐私保护的同时,还允许密文数据进行相应的算术运算(如云端可直接对同态加密后的企业经营数据进行统计分析),已成为云计算领域的一个研究热点.然而,由于云存在多种安全威胁,加密后信息的安全保护和完整性认证问题仍然突出.另外,信息在加密后丢失了很多特性,密文检索成为了云计算需要攻克的关键技术.为了实现对加密图像的有效管理及其安全保护,本文提出了一种基于同态加密系统的图像可逆信息隐藏算法.该算法首先在加密前根据密钥选择目标像素,并利用差分扩展DE(Difference Expansion)的方法将目标像素的各比特数据嵌入到其它像素中.然后,利用Paillier同态加密系统对图像进行加密得到密文图像.在加密域中,利用待嵌入信息组成伪像素,加密后替换目标像素,完成额外信息的嵌入.当拥有相应的密钥时,接收方可以分别在密文图像或明文图像中提取出已嵌入的信息.当图像解密后,通过提取出自嵌入目标像素的各比特数据来恢复原始图像.实验仿真结果表明,该算法能够在数据量保持不变的前提下完成同态加密域中额外信息的嵌入,信息嵌入快速高效,并可分别从加密域和明文域中提取出嵌入的信息.     

基于图像秘密共享的密文域可逆信息隐藏算法

针对当前密文域可逆信息隐藏算法嵌入秘密信息后的携密密文图像的容错性与抗灾性不强,一旦遭受攻击或损坏就无法重构原始图像与提取秘密信息的问题,提出了一种基于图像秘密共享的密文域可逆信息隐藏算法,并分析了该算法在云环境下的应用场景。首先,将加密图像分割成大小相同的n份不同携密密文图像。然后,在分割的过程中将拉格朗日插值多项式中的随机量作为冗余信息,并建立秘密信息与多项式各项系数间的映射关系。最后,通过修改加密过程的内置参数,实现秘密信息的可逆嵌入。当收集k份携密密文图像时,可无损地恢复原始图像与提取秘密信息。实验结果表明,所提算法具有计算复杂度低、嵌入容量大和完全可逆等特点。在（3,4）门限方案中,所提算法的最大嵌入率可达4 bpp;在（4,4）门限方案中,其最大嵌入率可达6 bpp。所提算法充分发挥了秘密共享方案的容灾特性,在不降低秘密共享安全性的基础上,增强了携密密文图像的容错性与抗灾性,提高了算法的嵌入容量与云环境应用场景下的容灾能力,保证了载体图像与秘密信息的安全。     

云计算中的数据安全存储和加密模型的设计

随着时代的快速发展,网络技术也正在进行着新的变革,现阶段最受到人们关注的热点无疑就是云计算,它已经成为计算机领域中最新兴的研究重点。然而,云计算中的安全问题已经成为制约云计算快速发展和推广的关键问题,如何快速、安全地存储和传输生成于云环境中的大量数据,也已成为新的研究重点。文中在分析云计算中数据不安全因素的基础上,通过对云端数据进行合理加密的技术手段,实现了一种有效的安全数据存储和加密的服务模型,达到了对云环境中的数据进行安全的数据存储和备份。