Data Placement in P2P Data Grids Considering the Availability, Security, Access Performance and Load Balancing

Data dependability is an important issue in data Grids. Replication schemes have been widely used in distributed systems to ensure availability and improve access performance. Alternatively, data partitioning schemes (secret sharing, erasure coding with encryption) can be used to provide availability and, in addition, to offer confidentiality protection. In peer-to-peer data Grids, such confidentiality protection is essential since the nodes hosting the data shares may not be trustworthy or may be compromised. However, difficulties in generating new shares and potential security concerns for share reallocation make a pure data partitioning scheme not easily adaptable to dynamic user access patterns. In this paper, we consider combining replication and data partitioning to assure data availability, confidentiality, load balance, and efficient access for data Grid applications. Data are partitioned and shares are dispersed. The shares may be replicated to achieve better performance, load balance, and availability. Models for assessing confidentiality, availability, load balance, and communication cost are developed and used as the metrics to guide placement decisions. Due to the nature of contradicting goals, we model the placement decision problem as a multi-objective problem and use a genetic algorithm to determine solutions that are approximate to the Pareto optimal placement solutions.     

Secure Data Objects Replication in Data Grid

Secret sharing and erasure coding-based approaches have been used in distributed storage systems to ensure the confidentiality, integrity, and availability of critical information. To achieve performance goals in data accesses, these data fragmentation approaches can be combined with dynamic replication. In this paper, we consider data partitioning (both secret sharing and erasure coding) and dynamic replication in data grids, in which security and data access performance are critical issues. More specifically, we investigate the problem of optimal allocation of sensitive data objects that are partitioned by using secret sharing scheme or erasure coding scheme and/or replicated. The grid topology we consider consists of two layers. In the upper layer, multiple clusters form a network topology that can be represented by a general graph. The topology within each cluster is represented by a tree graph. We decompose the share replica allocation problem into two subproblems: the Optimal Intercluster Resident Set Problem (OIRSP) that determines which clusters need share replicas and the Optimal Intracluster Share Allocation Problem (OISAP) that determines the number of share replicas needed in a cluster and their placements. We develop two heuristic algorithms for the two subproblems. Experimental studies show that the heuristic algorithms achieve good performance in reducing communication cost and are close to optimal solutions.     

Engineering of secure multi-cloud storage

This article addresses security and privacy issues associated with storing data in public cloud services. It presents an architecture based on a novel secure cloud gateway that allows client systems to store sensitive data in a semi-trusted multi-cloud environment while providing confidentiality, integrity, and availability of data. This proxy system implements a space-efficient, computationally-secure threshold secret sharing scheme to store shares of a secret in several distinct cloud datastores. Moreover, the system integrates a comprehensive set of security measures and cryptographic protocols to mitigate threats induced by cloud computing. Performance in practice and code quality of the implementation are analyzed in extensive experiments and measurements.     

一种安全存储软件的设计与实现

设计一种基于秘密共享算法的存储软件,它不同于传统的存储软件,而是依赖秘密共享算法来实现信息的机密性、可用性和完整性。该软件在用户指定的信任域内相互协作才能完成信息的分散、存储、恢复和销毁。由于其实现原理的特殊性,该存储软件可以应用于容忍入侵等应用系统中。     

Medical image security and EPR hiding using Shamir's secret sharing scheme

Medical applications such as telediagnosis require information exchange over insecure networks. Therefore, protection of the integrity and confidentiality of the medical images is an important issue. Another issue is to store electronic patient record (EPR) in the medical image by steganographic or watermarking techniques. Studies reported in the literature deal with some of these issues but not all of them are satisfied in a single method. A medical image is distributed among a number of clinicians in telediagnosis and each one of them has all the information about the patient's medical condition. However, disclosing all the information about an important patient's medical condition to each of the clinicians is a security issue. This paper proposes a (k, n) secret sharing scheme which shares medical images among a health team of n clinicians such that at least k of them must gather to reveal the medical image to diagnose. Shamir's secret sharing scheme is used to address all of these security issues in one method. The proposed method can store longer EPR strings along with better authenticity and confidentiality properties while satisfying all the requirements as shown in the results.     

P2P环境下安全的信息传递方法研究

本文介绍了P2P环境下目前保护信息传递方法的研究现状,在此基础上提出了采用数字签名、多路径信息传播、秘密共享的保护信息安全性的方法。通过分析,这三种密码技术的结合能够有效地保护信息的完整性、机密性、有效性,具有较高的安全性。     

一种基于秘密共享的容忍入侵安全软件系统构建方案

容忍入侵是数据安全领域的核心技术之一,其目标是在系统受到攻击时仍能对外继续提供服务。本文基于秘密共享的方法,针对操作系统和应用软件中需要实时保护的关键数据,提出了一种容忍入侵的安全软件系统构建方案,可以保证关键数据在系统运行期间的机密性、完整性和可用性,并对方案的计算复杂度、安全性等问题进行了分析和讨论。     

高效且可验证的多授权机构属性基加密方案

移动云计算对于移动应用程序来说是一种革命性的计算模式,其原理是把数据存储及计算能力从移动终端设备转移到资源丰富及计算能力强的云服务器.但是这种转移也引起了一些安全问题,例如,数据的安全存储、细粒度访问控制及用户的匿名性.虽然已有的多授权机构属性基加密云存储数据的访问控制方案,可以实现云存储数据的保密性及细粒度访问控制;但其在加密和解密阶段要花费很大的计算开销,不适合直接应用于电力资源有限的移动设备;另外,虽然可以通过外包解密的方式,减少解密计算的开销,但其通常是把解密外包给不完全可信的第三方,其并不能完全保证解密的正确性.针对以上挑战,本文提出了一种高效的可验证的多授权机构属性基加密方案,该方案不仅可以降低加密解密的计算开销,同时可以验证外包解密的正确性并且保护用户隐私.最后,安全分析和仿真实验表明了方案的安全性和高效性.     

Security-enhanced cloud-based image secret sharing and authentication using POB number system

Recently, the image secret sharing technique based on POB (Permutation Ordered Binary) number systems has drawn attention in academia. Thanks to Singh et al.’s pioneer in combining image confidentiality and authentication to form a cloud-based image cryptosystem using the POB number system. However, for image confidentiality and integrity, there are always two main concerns of a new image cryptosystem: the protection from unauthorized disclosure and the sensitivity of tampering. To claim confidentiality and integrity guaranty of secure image cryptosystems is meaningful only when the cryptanalysis is taken into consideration. In this article, Singh et al.’s scheme has undergone the scrutiny and potential security weaknesses found. First, the secret image may leak under chosen-plain-image attacks. Second, the partial secret key deducible under cipher/share-image-only attacks is shown unneglectable. Precisely, it is potentially problematic since the security of image authentication only relies on the secrecy of the parameter r of POB number systems, but the parameter is also learned to know by a heuristic method. The main weak design has been shown by means of introducing theoretical analyses and conducting some counter experiments. As a result, in this study we have focused on proposing a security-enhanced POB-based image secret sharing scheme with five primary advantages: (1) high security to confidentiality, (2) lossless reconstructed secret image, (3) high security to integrity, (4) high detection accuracy, and (5) low time complexity. The experimental results and the further analysis demonstrate that the simple and secure improvement does work.

     

基于秘密共享协议的移动数据存储研究

针对移动数据库各方面的资源和能力均受到限制的问题,提出了基于秘密共享协议的移动数据存储方案。在移动客户端的应用程序上采用轻量级内存数据库仅存储少量数据,将大部分移动客户端所需数据存储在数据库服务器上。对存储在数据加密服务器上的敏感数据利用AES加密,对密钥利用秘密共享技术进行拆分后存储在不同的数据存储服务器上,使除了移动客户端的任何一方都不能同时拥有密钥和密文,减轻了移动客户端的存储压力,实现了数据控制权限的分离,保证了移动客户端对数据的访问具有最高权限,提高了数据的安全性。测试实验结果表明,该方案是可行的,具有较好的性能和应用前景。     

基于区块链和密文属性加密的访问控制方案

随着数字社会的到来,使得数据成为了重要的生产要素,为了充分释放数据要素价值,作为数据安全共享的访问控制技术是实现数据安全应用与治理的关键。因此,围绕分布式架构下密文及密钥的安全性问题提出了一种基于区块链的密文访问控制方案。该方案利用密文生成算法与验证合约实现外包密文存储的真实性与完整性验证;设计了基于安全多方计算的属性密码,实现了用户私钥的链下安全多方计算并确保了私钥的唯一性,极大缓解了单属性权威的计算压力,可有效保护用户属性隐私、避免单点故障;定义了格式化的事务数据结构,实现了访问控制的全过程追责。通过安全性分析、性能分析和实验仿真分析表明,该方案在安全性和性能上均满足通用区块链的需求,为数据开放共享提供了一种通用的区块链访问控制方案。     

可验证医疗密态数据聚合与统计分析方案

随着移动通信网络的飞速发展,越来越多的可穿戴设备通过移动终端接入网络并上传大量医疗数据,这些医疗数据聚合后具有重要的医学统计分析与决策价值.然而,在医疗数据传输和聚合过程中会出现传输中断、信息泄露、数据篡改等问题.为了解决这些安全与隐私问题,同时支持高效而正确的医疗密态数据聚合与统计分析功能,提出了基于移动边缘服务计算的具有容错机制的可验证医疗密态数据聚合方案.该方案改进了BGN同态加密算法,并结合Shamir秘密共享机制,确保医疗数据机密性、密态数据的可容错聚合.该方案提出了移动边缘服务计算辅助无线体域网的概念,结合移动边缘计算和云计算,实现海量医疗大数据实时处理与统计分析.该方案通过边缘计算服务器和云服务器两层聚合,提高聚合效率,降低通信开销.同时,使用聚合签名技术实现医疗密态数据的批量验证功能,进而保障其在传输与存储过程中的完整性.性能比较与分析表明,该方案在计算与通信开销方面都具备突出优势.     

一种高安全性的私钥保护方案

CA私钥的安全是数字证书可信性及签名有效性的保证。为了增强CA私钥的安全保护,采用基于RSA的(t,n)秘密共享将CA私钥安全分发到t个签名服务器,每个签名服务器拥有不同的私钥份额,并使用先应式秘密技术周期性更新私钥份额,避免长期攻击可能带来的危险性;同时,对私钥份额进行恢复和有效性验证;签名时,使用基于RSA的分步签名机制,每个签名服务器先计算出部分签名,最后由签名代理合成最终签名。整个过程都无需对CA私钥进行重构,增强了CA私钥和签名过程的安全性。最后,对存储私钥份额的服务器采用异构平台。方案通过VC和OPENSSL进行了实现。理论上的分析和实验结果表明,本方案有较高的安全性和效率。     

Healing on the cloud: Secure cloud architecture for medical wireless sensor networks

There has been a host of research works on wireless sensor networks (WSN) for medical applications. However, the major shortcoming of these efforts is a lack of consideration of data management. Indeed, the huge amount of high sensitive data generated and collected by medical sensor networks introduces several challenges that existing architectures cannot solve. These challenges include scalability, availability and security. Furthermore, WSNs for medical applications provide useful and real information about patients’ health state. This information should be available for healthcare providers to facilitate response and to improve the rescue process of a patient during emergency. Hence, emergency management is another challenge for medical wireless sensor networks. In this paper, we propose an innovative architecture for collecting and accessing large amount of data generated by medical sensor networks. Our architecture overcomes all the aforementioned challenges and makes easy information sharing between healthcare professionals in normal and emergency situations. Furthermore, we propose an effective and flexible security mechanism that guarantees confidentiality, integrity as well as fine-grained access control to outsourced medical data. This mechanism relies on Ciphertext Policy Attribute-based Encryption (CP-ABE) to achieve high flexibility and performance. Finally, we carry out extensive simulations that allow showing that our scheme provides an efficient, fine-grained and scalable access control in normal and emergency situations.     

基于移动信息化的安全接入平台建设

为提高移动信息化接入的安全级别,保障组织内部业务的安全运作,在传统网络安全架构的基础上,使用第二层隧道协议和混合加密技术构建一个安全接入平台。根据平台的功能及其安全性,将移动信息化区域分为5类,并为每一类区域制定安全策略,使原本限制在内网中的业务系统可以安全地在移动终端上使用。实际应用结果表明,该平台可以保证用户身份的匿名性、数据机密性、数据完整性、数据新鲜性及不可抵赖性。     

基于ID的门限多重秘密共享方案

为了避免现有秘密共享方案中的秘密份额分发机制的不足,结合基于身份(ID)的公钥密码技术,提出了利用参与者私钥作为其主份额的秘密份额分发方法.首先,对Zheng提出的签密方案进行了安全分析,发现其不具备前向保密性,并针对该安全问题,提出了一个改进的签密方案.同时,在所提出的改进方案的基础上,结合基于ID的公钥密码系统,提出了一个新的门限多重秘密共享方案.该方案有效地解决了秘密份额的安全分发问题,不需要秘密分发者和参与者之间事先进行任何信息交互,能够在分发秘密的同时分发秘密份额.该方案还具有前向保密性,即使秘密分发者的私钥被泄漏,也不会影响之前所共享秘密的安全性.因此,所提出的基于身份的秘密共享方案具有更高的安全性和有效性,能够更好地满足应用需求.     

在线CA的安全增强方案研究

结合椭圆曲线密码体制、门限密码技术和主动秘密共享方案，提出一种基于椭圆曲线可验证门限数字签名的在线CA安全增强方案。该方案将在线CA的签名私钥分发给多个CA共享服务器,并保证任何少于门限值的在线CA共享服务器无法共谋获取、篡改和破坏CA的签名私钥，从而保护了CA签名私钥的机密性、完整性和可用性。     

不需要安全信道的空间有效秘密分享方案

高效的秘密分享方案在保护加解密密钥、门限密码系统、多方安全协议等方面发挥着重要作用.文中主要考虑空间有效的秘密分享问题.作者提出一个新的不需要安全信道的空间有效秘密分享方案.方案构造简捷、运行高效,并且在分发者和参与者之间发送信息不需要秘密信道的支持.文中给出了对新方案的安全性和性能的分析,同时给出了方案的工作流程图和一个简单的示例.由于安全性和性能方面的优点,新方案可广泛应用于诸如长期档案安全存储系统、资源受限环境(传感器网络、移动网络等)下机密信息的保护等方面.     

Secure Data Sharing with Confidentiality,Integrity and Access Control in Cloud Environment

Cloud storage is an incipient technology in today’s world. Lack of security in cloud environment is one of the primary challenges faced these days. This scenario poses new security issues and it forms the crux of the current work. The current study proposes Secure Interactional Proof System (SIPS) to address this challenge. This methodology has a few key essential components listed herewith to strengthen the security such as authentication, confidentiality, access control, integrity and the group of components such as AVK Scheme (Access List, Verifier and Key Generator). It is challenging for every user to prove their identity to the verifier who maintains the access list. Verification is conducted by following Gulliou-Quisquater protocol which determines the security level of the user in multi-step authentication process. Here, RSA algorithm performs the key generation process while the proposed methodology provides data integrity as well as confidentiality using asymmetric encryption. Various methodological operations such as time consumption have been used as performance evaluators in the proposed SIPS protocol. The proposed solution provides a secure system for firm data sharing in cloud environment with confidentiality, authentication and access control. Stochastic Timed Petri (STPN) Net evaluation tool was used to verify and prove the formal analysis of SIPS methodology. This evidence established the effectiveness of the proposed methodology in secure data sharing in cloud environment.     

基于区块链的智能家居认证与访问控制方案

智能家居运用物联网技术为用户提供自动化的智能服务,但传统的集中式架构存在机密性和完整性等安全性问题,而现有的分布式架构又存在重复认证、高延迟等问题。针对这些问题,基于区块链和椭圆曲线集成加密技术提出了一种智能家居认证与访问控制方案,同时还引入了边缘计算,降低系统的延迟。并将基于权能的访问控制与区块链相结合,在区块链上存储权能令牌并设计了相应的智能合约以实现安全的访问控制。安全性分析表明,该方案具有去中心化、不可窜改、机密性、完整性和可扩展性等安全特性。在以太坊区块链上进行仿真,并根据计算开销、通信开销和响应时间等指标对方案进行了性能评估。评估结果表明,相比其他方案,该方案计算开销和通信开销更小,响应时间更短,具有明显的优势。