Similar literature
 20 similar documents found (search time: 24 ms)
1.
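A Blockchain Data Access Control Scheme Based on the CP-ABE Algorithm   Total citations: 1 (self-citations: 0, citations by others: 1)
Unlike public blockchains, the consortium blockchain Hyperledger Fabric additionally integrates a membership service mechanism and can provide data isolation at the channel level. However, under this isolation mechanism the data synchronized within a channel is still plaintext, so there is some risk of data leakage. In addition, channel-based data access control is unsuitable for some fine-grained privacy protection scenarios. To address these data privacy and security problems in the Hyperledger consortium blockchain, a blockchain data access control scheme based on the CP-ABE algorithm is proposed. Combined with the Fabric-CA module already present in Hyperledger, the proposed scheme achieves user-level fine-grained secure access control over blockchain data and also achieves secure distribution of user attribute keys in the CP-ABE scheme. A security analysis of the scheme shows that it meets the security goals of secure distribution of ABE user attribute private keys and data privacy protection, and the performance analysis also shows that the proposed scheme has good usability.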

2.
ABSTRACT

Secure communication in wireless network is necessary to access remote resources in a controlled and efficient way. For validation and authentication in e-banking and e-commerce transactions, digital signatures using public key cryptography are extensively employed. To maintain confidentiality, Digital Envelope, which is the combination of the encrypted message and signature with the encrypted symmetric key, is also used. In this paper we propose a timestamp-based authentication scheme with a modified Digital Envelope using hyperelliptic curve cryptosystem. HECC has advantages over the existing public key cryptosystems for its small key size and high security in wireless networks where resources are constrained. We have compared the performance of the proposed scheme with that of ECC and present a security analysis to show that our scheme can resist various attacks related to wireless networks.

3.
黄宗敏  张大伟 《计算机应用研究》2021,38(5):1302-1308,1313
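To address secure group communication on the public ledger of the Hyperledger Fabric consortium blockchain, and based on the hierarchical structure of membership management in Fabric channels, a public-key broadcast encryption scheme suitable for consortium blockchains is constructed by combining the CS method under the subset-cover framework with the IBE algorithm. The scheme improves the complete binary tree structure originally used by the CS method, building a hierarchical binary tree according to the organizational structure inside a Fabric channel; it uses a Huffman-like encoding to uniquely identify each node's position in the binary tree to speed up lookups; and it introduces reserved nodes and deprecated nodes and designs a corresponding binary tree update algorithm to support members joining and leaving dynamically. Analysis and test results show that the scheme provides an efficient, secure and fine-grained data privacy protection scheme for consortium blockchain systems.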

4.
To manage dynamic access control and deter pirate attacks on outsourced databases, a dynamic access control scheme with tracing is proposed. In our scheme, we introduce the traitor tracing idea into outsourced databases, and employ a polynomial function and filter function as the basic means of constructing encryption and decryption procedures to reduce computation, communication, and storage overheads. Compared to previous access control schemes for outsourced databases, our scheme can not only protect sensitive data from leaking and perform scalable encryption at the server side without shipping the outsourced data back to the data owner when group membership is changed, but also provide trace-and-revoke features. When malicious users clone and sell their decryption keys for profit, our scheme can trace the decryption keys to the malicious users and revoke them. Furthermore, our scheme avoids massive message exchanges for establishing the decryption key between the data owner and the user. Compared to previously proposed public-key traitor tracing schemes, our scheme can simultaneously achieve full collusion resistance, full recoverability, full revocation, and black-box traceability. The proof of security and analysis of performance show that our scheme is secure and efficient.

5.
ABSTRACT

Rapid development in mobile devices and cloud computing technologies has increased the number of mobile services from different vendors on the cloud platform. However, users of these services are facing different security and access control challenges due to the nonexistence of security solutions capable of providing secure access to these services, which are from different vendors, using a single key. An effective security solution for heterogeneous Mobile Cloud Computing (MCC) services should be able to guarantee confidentiality and integrity through a single key-based authentication scheme. Meanwhile, a few of the existing authentication schemes for MCC services require different keys to access different services from different vendors on a cloud platform, thus increasing complexity and overhead incurred through generation and storage of different keys for different services.

In this paper, an efficient mutual authentication scheme for accessing heterogeneous MCC services is proposed. The proposed scheme combines the user’s voice signature with cryptography operations to evolve an efficient mutual authentication scheme devoid of key escrow problem and allows authorized users to use a single key to access the heterogeneous MCC services at a reduced cost.

6.
An electronic business transaction among untrusted bodies without consulting a mutually trusted party has remained a widely accepted problem. Blockchain resolves this problem by introducing a peer-to-peer network with a consensus algorithm and trusted ledger. Blockchain was originally introduced for cryptocurrency and came with a proof-of-work consensus algorithm. Due to some performance issues, scientists brought the concept of permissioned Blockchain. Hyperledger Fabric is a permissioned Blockchain targeting business-oriented problems for industry. It is designed for efficient transaction execution over Blockchain with a pluggable consensus model; however, there is a limitation on rapid application development. Hyperledger introduced a new layer called Hyperledger Composer on top of the Fabric layer, which provides an abstract layer to model the business application readily and quickly. Composer provides a smart contract to extend the functionality and flexibility of the Fabric layer and provides a way of communication with other systems to meet business requirements. Hyperledger Composer uses a role-based access control (RBAC) model to secure access to its valuable assets. However, RBAC is not enough because many business deals require continuous asset monitoring. Our proposed model, BlockU, covers all possible access control models required by a business. BlockU can monitor assets continuously during transactions and updates attributes accordingly. Moreover, we incorporate hooks in Hyperledger Composer to implement an extended permission model that provides extensive permission management capability on an asset. Subsequently, our proposed enhanced access control model is implemented with a minimal change to existing Composer code base and is backward compatible with the current security mechanism.

7.
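Analyzes the current state of e-commerce logistics teaching under the traditional teaching model and discusses the need to use logistics simulation software, multimedia and other computer technologies as teaching aids. Drawing on teaching practice, it describes how to use logistics simulation software and multimedia-assisted teaching to improve the quality of university e-commerce logistics teaching and foster students' innovative spirit.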

8.
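Application of Computers in Teaching E-Commerce Logistics Management   Total citations: 1 (self-citations: 0, citations by others: 1)
Analyzes the current state of e-commerce logistics teaching under the traditional teaching model and discusses the need to use logistics simulation software, multimedia and other computer technologies as teaching aids. Drawing on teaching practice, it describes how to use logistics simulation software and multimedia-assisted teaching to improve the quality of university e-commerce logistics teaching and foster students' innovative spirit.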

9.
王海勇  彭垚  郭凯璇 《计算机应用》2019,39(9):2611-2616
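To address the high user decryption overhead of ciphertext-policy attribute-based encryption (CP-ABE) access control schemes in cloud storage, a CP-ABE scheme based on proxy re-encryption (CP-ABE-BPRE) is proposed, and the key generation method is improved. The scheme has five components: the trusted key authority, the data owner, the cloud service provider, the proxy decryption server and the data accessor. The cloud server re-encrypts the data, and the proxy decryption server performs most of the decryption computation. The scheme effectively reduces users' decryption overhead, supports direct revocation of user attributes while ensuring fine-grained access control over data, and solves the data leakage problem in traditional CP-ABE schemes caused by theft of users' private keys. Compared with other CP-ABE schemes, this scheme gives users accessing cloud data a good advantage in decryption performance.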

10.
ABSTRACT

This paper proposes a novel scheme that integrates quality access control and tracking of illicit distribution of digital image(s) in a single platform. The goal is achieved by (1) modulating some of the valuable Discrete Cosine Transform (DCT) coefficients of the compressed data followed by (2) embedding a binary watermark (fingerprint) as tracking information using Quantization Index Modulation (QIM). The data modulation process serves the purpose of access control so that an unauthorized user is unable to enjoy proper visual quality. On the other hand, the embedded watermark tracks illicit distribution. The coefficients to be modulated are selected pseudo-randomly using a secret key (K). Before embedding, the watermark is encoded by applying convolution coding that reliably identifies colluder(s) involved in time varying (intelligent) collusion operation. Simulation results have shown the validity of the above claims without affecting compatibility with standard JPEG coding scheme.

11.
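As the COVID-19 pandemic continues, many countries and regions have closely supervised the personal information and location data of confirmed patients and their close contacts. At the same time, how to share necessary patient information while ensuring that the personal privacy of patients and close contacts is not leaked, that the access process is transparent and traceable, and that data is not tampered with has become a key problem in urgent need of a solution. This paper therefore proposes an accountable medical attribute pass (AMAP) access control scheme. The scheme first combines blockchain with the attribute-based access control model: while introducing blockchain to trace the access process, it deploys the access control policies and the key steps of the system at access time on the blockchain as smart contracts, so that the whole system both safeguards users' secure access to data and can trace the entire access process. In particular, the scheme introduces a medical attribute pass module: users request access by means of a pass, which avoids the repeated matching of subject attributes against access control policies found in traditional access control models and, while achieving fine-grained access control over medical data, improves access efficiency to some extent. Finally, security analysis shows that the scheme can resist denial-of-service attacks, malicious tampering attacks, single-point-of-failure attacks, subject impersonation attacks, replay attacks and others. Experiments and performance analysis show that, compared with other schemes, the advantage of this scheme becomes more pronounced as the number of accesses grows under the same access control policy, and as the number of access control policies grows for the same number of accesses.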

12.
Research on the Key Distribution Problem in Secure Multicast   Total citations: 17 (self-citations: 0, citations by others: 17)
朱文涛  熊继平  李津生  洪佩琳 《软件学报》2003,14(12):2052-2059
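Multicast is the preferred network communication technology for group-oriented receivers, and its importance is growing with the development of the Internet. The group management protocol IGMP does not provide member access control. To protect communication confidentiality, secure multicast encrypts traffic data with a session encryption key (SEK) known only to authenticated group members. The SEK should be updated dynamically whenever group membership changes, which makes key distribution the key problem in secure multicast research. In designing key distribution algorithms, communication overhead, storage overhead, resilience and computation overhead are regarded as four important factors. A group key distribution scheme based on polynomial expansion is proposed, characterized by not using conventional encryption and decryption. Analysis shows that it performs well in small multicast groups. Combining this polynomial-expansion-based algorithm with the logical key hierarchy, a PE-LKH scheme is further proposed: while retaining communication overhead that grows logarithmically with group size, it effectively reduces computational complexity and is suitable for large dynamic groups.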

13.
E-commerce has brought new challenges as well as opportunities to the air cargo industry. With careful planning and cooperation among industry agents and with e-commerce as an enabler, the air cargo industry can be transformed into one that can provide customized services to individual shippers at the cost level of mass production. The key component is in the setting up of a third-party e-commerce community network. In this paper, we present a framework for such a network, which extends the traditional business-to-business e-commerce to e-commerce at the industry level. The proposed infrastructure differs from traditional portals in that it features the online integration of business transactions. It provides a virtual market for agents of the air cargo industry, enabling them to develop and engage in logistics integration. It also facilitates tracking and tracing, and minimizes unnecessary travel and inventory costs, thus achieving supply chain management at the industry level. We provide an implementation scenario for the air cargo industry in Hong Kong.

14.
Blockchain is an emerging data management technology that enables people in a collaborative network to establish trusted connections with the other participants. Recently consortium blockchains have raised interest in a broader blockchain technology discussion. Instead of a fully public, autonomous network, consortium blockchain supports a network where participants can be limited to a subset of users and data access strictly controlled. Access control policies should be defined by the respective data owner and applied throughout the network without requiring a centralized data administrator. As a result, decentralized data access control (DDAC) emerges as a fundamental challenge for such systems. However, we show from a trust model for consortium collaborative networks that current consortium blockchain systems provide limited support for DDAC. Further, the distributed, replicated nature of blockchain makes it even more challenging to control data access, especially read access, compared with traditional DBMSes. We investigate possible strategies to protect data from being read by unauthorized users in consortium blockchain systems using combinations of ledger partitioning and encryption strategies. A general framework is proposed to help inexperienced users determine appropriate strategies under different application scenarios. The framework was implemented on top of Hyperledger Fabric to evaluate feasibility. Experimental results along with a real-world case study contrasted the performance of different strategies under various conditions and the practicality of the proposed framework.

15.
In secure group-oriented applications, key management schemes are employed to distribute and update keys such that unauthorized parties cannot access group communications. Key management, however, can disclose information about the dynamics of group membership, such as the group size and the number of joining and departing users. This is a threat to applications with confidential group membership information. This paper investigates techniques that can stealthily acquire group dynamic information from key management. We show that insiders and outsiders can successfully obtain group membership information by exploiting key establishment and key updating procedures in many popular key management schemes. Particularly, we develop three attack methods targeting tree-based centralized key management schemes. Further, we propose a defense technique utilizing batch rekeying and phantom users, and derive performance criteria that describe security level of the proposed scheme using mutual information. The proposed defense scheme is evaluated based on the data from MBone multicast sessions. We also provide a brief analysis on the disclosure of group dynamic information in contributory key management schemes.

16.
Cao  Qiang  Li  Yanping  Wu  Zhenqiang  Miao  Yinbin  Liu  Jianqing 《World Wide Web》2020,23(2):959-989

Cloud storage over the internet gives opportunities for easy data sharing. To preserve the privacy of sharing data, the outsourced data is usually encrypted. The searchable encryption technique provides a solution to find the target data in the encrypted form. And the public-key encryption with keyword search is regarded as a major approach for the searchable encryption technique. However, there are still several privacy leakage challenges for the further adoption of these major schemes. One is how to resist the keyword guessing attack which still leaks data user’s keywords privacy. Another is how to construct the access control policy to prevent illegal access of outsourced data sharing since illegal access always leaks the privacy of user’s attribute. In our paper, we firstly try to design a novel secure keyword index to resist the keyword guessing attack from access pattern and search pattern. Second, we propose an attribute-based encryption scheme which supports an enhanced fine-grained access control search. This allows the authenticated users to access different data although their searching request contains the same queried keywords, and meanwhile unauthenticated users cannot get any attribute privacy information. Third, we give security proofs to show that the construction of keyword index is against keyword guessing attack from the access pattern and search pattern, and our scheme is proved to be IND-CPA secure (the indistinguishability under chosen plaintext attack) under the standard model. Finally, theoretical analyses and a series of experiments are conducted to demonstrate the efficiency of our scheme.

17.
A robust direct adaptive control scheme is proposed to enhance the performance of a fixed nominal controller. The key idea lies in the introduction of a set membership constraint in the estimation process. The set membership constraint results in an adaptive scheme that has a built-in discriminator to discard incoming data that carry little or no information content on the actual plant. The proposed scheme, which uses only informative data to refine the parameter estimates, is more robust than conventional methods that continuously update the parameter estimates.

18.
The smart grid communication parties need to process the data by the trusted central node, which will lead to security issues such as single-point attacks and data tampering. This paper proposes a smart grid data access control scheme based on blockchain; the user completes the registration of the smart meter by three encryptions. After the registration is completed, the registration information will be uploaded to the blockchain. In the data access phase, the verification center verifies the user's data access request, the database will accept the user's request for data if the verification is passed, and that will be broadcasted on the entire network and uploaded to the blockchain. The security of the scheme is analyzed by using a random oracle model. Analysis shows that this scheme can resist public key replacement attacks and malicious key generation center (KGC) attacks. Compared with the existing scheme, this scheme can more effectively resist more types of attacks. It shows that the smart grid data access control scheme proposed in this paper is safe, reliable and efficient.

19.
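With the arrival of the digital society, data has become an important factor of production. To fully release the value of data, access control technology, as the basis for secure data sharing, is key to secure data application and governance. Therefore, a blockchain-based ciphertext access control scheme is proposed to address the security of ciphertexts and keys under a distributed architecture. The scheme uses a ciphertext generation algorithm and a verification contract to verify the authenticity and integrity of outsourced ciphertext storage; it designs an attribute-based cryptosystem built on secure multi-party computation, which computes users' private keys off-chain through secure multi-party computation and ensures the uniqueness of private keys, greatly relieving the computational load of a single attribute authority, effectively protecting user attribute privacy and avoiding single points of failure; and it defines a formatted transaction data structure that provides accountability for the whole access control process. Security analysis, performance analysis and experimental simulation show that the scheme meets the needs of general-purpose blockchains in both security and performance, and provides a general blockchain access control scheme for open data sharing.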

20.
The access control problem deals with the management of sensitive information among a number of users who are classified according to their suitability in accessing the information in a computer system. The set of rules that specify the information flow between different user classes in the system defines an access control policy. Akl and Taylor first considered the access control problem in a system organized as a partially ordered hierarchy. They proposed a cryptographic key assignment scheme, where each class is assigned an encryption key that can be used, along with some public parameters generated by a central authority, to compute the key assigned to any class lower down in the hierarchy. Subsequently, many researchers have proposed schemes that either have better performances or allow insertion and deletion of classes in the hierarchy. In this paper we show how to construct a cryptographic key assignment scheme for any arbitrary access control policy. Our construction uses as a building block a cryptographic key assignment scheme for partially ordered hierarchies. The security of our scheme holds with respect to adversaries of limited computing power and directly derives from the security of the underlying scheme for partially ordered hierarchies. Moreover, the size of the keys assigned to classes in our scheme is exactly the same as in the underlying scheme.
