MASHED: Security and privacy-aware mutual authentication scheme for heterogeneous and distributed mobile cloud computing services

ABSTRACT

Rapid development in mobile devices and cloud computing technologies has increased the number of mobile services from different vendors on the cloud platform. However, users of these services are facing different security and access control challenges due to the nonexistence of security solutions capable of providing secure access to these services, which are from different vendors, using a single key. An effective security solution for heterogeneous Mobile Cloud Computing (MCC) services should be able to guarantee confidentiality and integrity through single key-based authentication scheme. Meanwhile, a few of the existing authentication schemes for MCC services require different keys to access different services from different vendors on a cloud platform, thus increases complexity and overhead incurred through generation and storage of different keys for different services.

In this paper, an efficient mutual authentication scheme for accessing heterogeneous MCC services is proposed. The proposed scheme combines the user’s voice signature with cryptography operations to evolve efficient mutual authentication scheme devoid of key escrow problem and allows authorized users to use single key to access the heterogeneous MCC services at a reduced cost.     

工业互联网中增强安全的云存储数据访问控制方案

在工业互联网应用中,由于异构节点计算和存储能力的差异,通常采用云方案提供数据存储和数据访问服务.云存储中的访问控制如扩展多权限的云存储数据访问控制方案(NEDAC-MACS),是保证云存储中数据的安全和数据隐私的基石.给出了一种攻击方法来证明NEDAC_MACS中,被撤销的用户仍然可以解密NEDAC-MACS中的新密文;并提出了一种增强NEDAC-MACS安全性的方案,该方案可以抵抗云服务器和用户之间的合谋攻击;最后通过形式密码分析和性能分析表明,该方案能够抵抗未授权用户之间以及云服务器与用户之间的合谋攻击,保证前向安全性、后向安全性和数据保密性.     

TraceChain: A blockchain-based scheme to protect data confidentiality and traceability

The risk of sharing data in cloud computing has gathered increasing attention. After the owner of some confidential data outsources the data to cloud storage services and shares it with others, the data owner lost the control to the data to a large extent. To achieve data sharing while keeping data confidentiality, attribute-based encryption (ABE) can be employed by cloud storage services. However, ABE can only guarantee that outsourced data on the cloud is decrypted by attribute-satisfying users but cannot restrict data from being accessed by dishonest users whose attributes also satisfy the access-control policy. It is impossible for the data owner to control the shared data after it has been decrypted by dishonest users, especially when a set of attribute-satisfying dishonest users may collude. To address this concern, we propose a traceable data sharing scheme called TraceChain. In TraceChain, data is encrypted over a new CP-ABE scheme called E-CP-ABE. Furthermore, the system parameters for generating the private key in E-CP-ABE are uploaded to the private blockchain and transactions are performed on the chain. The data owner can obtain the identity of users by monitoring system parameters simultaneously and control data sharing on the blockchain. To prove the security of our scheme, the security analysis is given in this paper. Meanwhile, experimental results also show that our system is viable and efficient.     

Comment on “Privacy-preserving public auditing for non-manager group shared data”

Using cloud storage, users can remotely store their data without the burden on complicated local storage management and maintenance. However, users will no longer physically possess the storage of their data after they upload the data to the cloud. It is very natural for users to suspect whether their data stored in the cloud is intact. To help users efficiently check the integrity of the outsourced data, many public auditing schemes have been proposed. Recently, Huang et al. have proposed a privacy-preserving public auditing scheme for non-manager group shared data. In this paper, we find a security flaw in their auditing scheme. Even if the cloud has deleted or polluted the whole outsourced data, it still can pass the verification of the verifier. And then, we overcome this shortcoming by improving their scheme, which prevents the cloud forging a valid proof to pass the integrity auditing. Last, we perform the concrete implementation of our improved scheme and Huang et al. ’s scheme.

     

基于身份的组用户数据完整性验证方案

云存储系统为用户提供大容量、高访问效率、价格合理的存储服务.然而,使用云存储服务的用户,一旦将文件上传至CSP （cloud server provider）,便失去了数据的绝对控制权.众所周知,CSP并不可靠.因此,云上存储的数据是否完整,成为值得深入探讨的问题.在公共云存储环境中,将公司、机构或组织定义为一个组,组内由负责人进行管理.组内用户为便于使用云存储服务,可借助于组负责人进行统一操作.这种场景下,为解决位于同一组内的用户数据完整性验证问题,提出了一个组用户数据完整性验证方案.为协助组内用户进行一系列操作,方案提出了代理这一实体.方案基于IBE （identity-based encryption）进行标签的设计,摆脱了复杂的证书管理问题.在数据完整性验证阶段,通过采用随机抽样的方式,减少了系统的性能开销.借助于随机预言机模型,该方案被证明是安全的.且通过的一系列的性能分析与评估,验证了该方案是可行的.     

基于代理重加密的云存储密文访问控制方案

针对在不可信的云存储中,数据的机密性得不到保证的情况,提出一种新的代理重加密(PRE)算法,并将其应用于云存储访问控制方案中,该方案将一部分密文存储云中共享,另一部分密文直接发送给用户。证明了该访问控制方案在第三方的不可信任的开放环境下云存储中敏感数据的机密性。通过分析对比,结果表明：发送方对密文的传递可控,该方案利用代理重加密的性质,在一对多的云存储访问控制方案中,密文运算量和存储不会随着用户的增长而呈线性增长,显著降低了通信过程中数据运算量和交互量,有效减少数据的存储空间。该方案实现了云存储中敏感数据的安全高效共享。     

基于同态加密的全文检索方案设计与实现

为了有效保障外包数据的安全性,满足用户高效检索储存在云中的数据。提出一种基于同态加密的云存储全文检索方案。该方案以整数向量加密技术为基础,建立向量空间模型,进而在密文下计算检索向量与文档向量的余弦相似度,进行检索。方案利用加密算法的同态性,在上传文件,检索以及下载文件的整个过程中,云服务器均无法获取明文数据,方案可进行多关键词检索。在第三方不可信云存储场景中具有准确和更高的检索效率,方案描述简单,保证了用户数据的机密性,在实际场景中具有良好的应用。     

Preferred search over encrypted data

Cloud computing provides elastic data storage and processing services. Although existing research has proposed preferred search on the plaintext files and encrypted search, no method has been proposed that integrates the two techniques to efficiently conduct preferred and privacy-preserving search over large datasets in the cloud.In this paper, we propose a scheme for preferred search over encrypted data (PSED) that can take users’ search preferences into the search over encrypted data. In the search process, we ensure the confidentiality of not only keywords but also quantified preferences associated with them. PSED constructs its encrypted search index using Lagrange coefficients and employs secure inner-product calculation for both search and relevance measurement. The dynamic and scalable property of cloud computing is also considered in PSED. A series of experiments have been conducted to demonstrate the efficiency of the proposed scheme when deploying it in real-world scenarios.     

云环境下的基于属性和重加密的密钥管理

在云计算环境中如何安全地存储数据是云计算面临的挑战之一。加密是解决云计算中数据存储安全问题最主要的方法,而加密的一个保密性问题是密钥管理。提出了云环境下的基于属性和重加密的密钥管理方案。云服务提供商对不同用户进行重加密时,可以一次为一组用户重加密,从而减少了重加密的个数。数据拥有者可以对组用户生成和发送重加密密钥,而数据请求者可以使用属性集对应的一个密钥解密多个数据拥有者的数据,从而能减少两者的密钥发送量,降低密钥管理的难度,提高方案的效率。最后,对方案的安全性和性能进行了分析     

云存储访问控制方案的安全性分析与改进

对Tang等（TANG Y,LEE P,LUI J,et al. Secure overlay cloud storage with access control and assured deletion. IEEE Transactions on Dependable and Secure Computing,2012,9（6)：903-916）提出的一种云存储的细粒度访问控制方案进行安全性分析,发现其存在不能抵抗合谋攻击的问题,并给出了具体的攻击方法。针对该方案安全性方面的不足,利用基于属性的加密算法抗合谋攻击的特性,对使用访问树结构的密文策略加密（CP-ABE）算法进行改进,使改进后的算法能够直接运用到云存储访问控制方案中而不需要对云存储服务器进行任何修改,同时可实现细粒度的访问控制和用户数据的彻底删除。最后基于判断双向性Deffie-Hellman（DBDH）假设,证明了该方案在选择明文攻击下的安全性,并通过将方案运用到实际的云环境中进行分析后证明改进后的方案能够抵抗合谋攻击。     

支持区间查询的基于位置服务外包数据隐私保护方案

随着云计算技术的迅猛发展,越来越多的LBS服务被外包到云上运行以减少本地的计算和存储成本。然而,外包环境下的云服务器通常被认为是一个半可信的实体,LBS提供商的数据安全和用户的个人隐私将会面临新的安全挑战。针对现有基于位置服务数据外包方案中不支持区间查询和隐私保护不足等问题,文章提出一种支持区间查询的LBS外包数据隐私保护方案,利用非对称向量积保值加密和公钥可搜索加密对LBS坐标和关键词进行加密,实现LBS数据的机密性和用户查询模式的隐私性;利用轻量级的矩阵运算使用户在不泄露查询区间的前提下准确获得所需LBS数据。在新用户注册方面,采用基于双线性配对运算实现用户身份认证。安全性和性能分析表明,文章方案较同类方案具有一定优势。     

高效且可验证的多授权机构属性基加密方案

移动云计算对于移动应用程序来说是一种革命性的计算模式,其原理是把数据存储及计算能力从移动终端设备转移到资源丰富及计算能力强的云服务器.但是这种转移也引起了一些安全问题,例如,数据的安全存储、细粒度访问控制及用户的匿名性.虽然已有的多授权机构属性基加密云存储数据的访问控制方案,可以实现云存储数据的保密性及细粒度访问控制;但其在加密和解密阶段要花费很大的计算开销,不适合直接应用于电力资源有限的移动设备;另外,虽然可以通过外包解密的方式,减少解密计算的开销,但其通常是把解密外包给不完全可信的第三方,其并不能完全保证解密的正确性.针对以上挑战,本文提出了一种高效的可验证的多授权机构属性基加密方案,该方案不仅可以降低加密解密的计算开销,同时可以验证外包解密的正确性并且保护用户隐私.最后,安全分析和仿真实验表明了方案的安全性和高效性.     

基于代理重加密的云数据访问授权确定性更新方案

有越来越多的用户选择云为其进行存储、运算、共享等数据处理工作，因此云端数据量与日俱增，其中不乏敏感数据和隐私信息.如何对用户托管于云端的数据进行授权管理，保证数据机密性、访问授权有效性等至关重要.为此，提出一种基于代理重加密（proxy re-encryption，简称PRE）的云端数据访问授权的确定性更新方案（proxy re-encryption based assured update scheme of authorization，简称PAUA）.首先将提出PAUA方案的前提假设和目标，其次论述系统模型和算法，最后对PAUA进行讨论和分析.PAUA方案将减轻用户在数据共享时的计算量，同时将重加密密钥进行分割管理，实现授权变更时，密钥的确定性更新.     

Efficient integrity verification of replicated data in cloud using homomorphic encryption

The cloud computing is an emerging model in which computing infrastructure resources are provided as a service over the internet. Data owners can outsource their data by remotely storing them in the cloud and enjoy on-demand high quality services from a shared pool of configurable computing resources. However, since data owners and the cloud servers are not in the same trusted domain, the outsourced data may be at risk as the cloud server may no longer be fully trusted. Therefore, data confidentiality, availability and integrity is of critical importance in such a scenario. The data owner encrypts data before storing it on the cloud to ensure data confidentiality. Cloud should let the owners or a trusted third party to check for the integrity of their data storage without demanding a local copy of the data. Owners often replicate their data on the cloud servers across multiple data centers to provide a higher level of scalability, availability, and durability. When the data owners ask the cloud service provider (CSP) to replicate data, they are charged a higher storage fee by the CSP. Therefore, the data owners need to be strongly convinced that the CSP is storing data copies agreed on in the service level contract, and data-updates have been correctly executed on all the remotely stored copies. To deal with such problems, previous multi copy verification schemes either focused on static files or incurred huge update costs in a dynamic file scenario. In this paper, we propose a dynamic multi-replica provable data possession scheme (DMR-PDP) that while maintaining data confidentiality prevents the CSP from cheating, by maintaining fewer copies than paid for and/or tampering data. In addition, we also extend the scheme to support a basic file versioning system where only the difference between the original file and the updated file is propagated rather than the propagation of operations for privacy reasons. DMR-PDP also supports efficient dynamic operations like block modification, insertion and deletion on replicas over the cloud servers. Through security analysis and experimental results, we demonstrate that the proposed scheme is secure and performs better than some other related ideas published recently.     

Storage allocation scheme for virtual instances of cloud computing

Cloud computing delivers resources and services through virtual machines on a pay-as-you-go basis. The allocation of storage space to users is usually determined by means of open allocation mechanisms that cannot guarantee an efficient allocation. Current allocation mechanisms do not consider user requests when making provisioning decisions. In other words, they assume that the storage spaces are fixed. In this study, we propose an algorithm for allocating storage spaces based on the requests of users. We present a unified storage allocation scheme (USAS) for cloud computing. USAS is a dynamic storage allocation framework for unlimited, limited, and free users. Our proposed approach is based on a storage partitioning policy, and we have compared our proposed scheme with open storage scheme and fixed storage scheme with common partition. We show through simulation study that USAS dynamically allocates space for different user requirements for all traffic loads.

     

Privacy-preserving public auditing for educational multimedia data in cloud computing

Nowadays, as distance learning is being widly used, multimedia data becomes an effective way for delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide a secure and reliable access to the outsourced educational multimedia contents for users. However, it brings challenging security issues in terms of data confidentiality and integrity. The straightforward way for the integrity check is to make the user download the entire data for verifying them. But, it is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against lose attack and temper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.     

面向云存储的多维球面门限秘密共享方案

近年来,云存储所提供的“数据存储即服务”为租户实现廉价高效共享资源.由于租户缺乏对云端数据的绝对控制,数据安全,尤其是机密数据的安全存储成为一大问题,这也是近年来云存储安全的研究热点.针对机密数据的云存储问题,提出了一种基于多维球面原理的分布式秘密共享方案.在分发阶段,结合分发者、云存储容器信息,将原始秘密转换为m维球心坐标,进而生成同球面的n个影子秘密坐标,并将这些影子秘密作为机密数据分布式存储在n个云存储容器中.在恢复阶段,通过证明任意k（k=m+1）个线性不相关的坐标可确定唯一球心,完成原始秘密的恢复.算法性能分析和仿真分析表明,该方案具备假数据攻击、共谋攻击防御能力,且密钥不需要额外的管理开销,租户对密钥有绝对控制权,加强了租户对云数据的控制,在运算性能、存储性能方面正确、有效.     

基于区块链的多关键字属性基可搜索加密方案

云存储服务的出现可将文件上传至云服务器,节约了本地的信息存储空间以及管理开销。文件以明文的形式存储显然无法满足隐私保护和安全需求,但若将加密后的文件上传至云服务器,将失去搜索原文件的能力。因此,可搜索加密技术的出现解决了用户如何在文件不解密的情况下搜索加密数据。目前现有的单关键字可搜索加密方案会产生许多与检索内容不符合的信息,没有考虑数据用户细粒度搜索权限和搜索效率,以及因云存储的集中化带来的数据安全和隐私保护等问题。针对以上问题,该文提出了基于区块链的多关键字属性基可搜索加密方案。该方案使用多关键字可搜索加密技术实现了加密数据的有效搜索;利用基于属性的加密技术实现加密数据的细粒度访问控制;结合区块链的智能合约技术,经过多笔交易获得搜索结果。并且利用区块链的不可篡改性,满足了方案中相关性质的公平性,保证了在方案中三方的公平性和安全性并进行了相关分析。在随机预言机模型下,基于困难问题假设证明了方案的关键字安全及陷门安全,即所提方案满足在选择关键字攻击下的关键字密文不可区分性安全和陷门不可区分性安全。最后通过数值分析表明该方案在关键字密文生成阶段和关键字搜索阶段具有较高的效率。并展望了在未...     

轻量级的安全跨域去重方案

云存储为用户提供文件外包存储功能,然而随着数据外包数量的激增,数据去重复变得至关重要.目前数据压缩非常有效也是很常用的一个手段是去重,即识别数据中冗余的数据块,只存储其中的一份.以前的方案可以满足不同的用户将相同的文件加密为相同的密文,这样暴露了文件的一致性,随后的方案提出基于集中式服务器作为去重辅助的方案,随着用户的增加,数据去重效率也随之降低.针对目前云存储的安全性及数据去重效率低等问题,本文提出了跨区域的重复数据删除方案.所提方案为每个数据生成随机标签和固定长度的随机密文,确保多域重复数据消除下的数据机密性及抵抗暴力攻击、保护信息平等信息不被披露.同时,对所提方案的实施情况和功能比较进行了仔细分析,安全性分析表明,所提方案在抵抗蛮力攻击的同时,实现了数据内容、平等信息和数据完整性等隐私保护,性能分析表明,所提方案展示了优于现有方案的重复搜索计算成本及时间复杂度,可实现轻量级特色.     

Privacy preserving security using biometrics in cloud computing

Cloud computing and the efficient storage provide new paradigms and approaches designed at efficiently utilization of resources through computation and many alternatives to guarantee the privacy preservation of individual user. It also ensures the integrity of stored cloud data, and processing of stored data in the various data centers. However, to provide better protection and management of sensitive information (data) are big challenge to maintain the confidentiality and integrity of data in the cloud computation. Thus, there is an urgent need for storing and processing the data in the cloud environment without any information leakage. The sensitive data require the storing and processing mechanism and techniques to assurance the privacy preservation of individual user, to maintain the data integrity, and preserve confidentiality. Face recognition has recently achieved advancements in the unobtrusive recognition of individuals to maintain the privacy-preservation in the cloud computing. This paper emphasizes on cloud security and privacy issues and provides the solution using biometric face recognition. We propose a biometrics face recognition approach for security and privacy preservation of cloud users during their access to cloud resources. The proposed approach has three steps: (1) acquisition of face images (2) preprocessing and extraction of facial feature (3) recognition of individual using encrypted biometric feature. The experimental results establish that our proposed recognition approach can ensure the privacy and security of biometrics data.