云存储中密文数据的客户端安全去重方案

云存储环境下,客户端数据去重能在本地进行文件重复性检测,有效地节约存储空间和网络带宽.然而,客户端去重仍面临着很多安全挑战.首先,由于将文件哈希值作为重复性检测的证据,攻击者很可能通过一个文件的哈希值获得整个文件;其次,为了保护数据隐私,收敛加密被广泛运用于数据去重方案,但是由于数据本身是可预测的,所以收敛加密仍不可避免地遭受暴力字典攻击.为了解决上述问题,本文首次利用盲签名构造了一个安全的密钥生成协议,通过引入一个密钥服务器,实现了对收敛密钥的二次加密,有效地预防了暴力字典攻击;并进一步提出了一个基于块密钥签名的拥有权证明方法,能够有效预防攻击者通过单一的哈希值来获取文件,并能同时实现对密文文件的文件级和块级去重.同时,安全分析表明本文方案在随机预言模型下是可证明安全的,并能够满足收敛密钥安全、标签一致性和抗暴力字典攻击等更多安全属性.此外,与现有方案相比,实验结果表明本文方案在文件上传和文件去重方面的计算开销相对较小.     

动态数据安全审计云存储系统研究

提出支持数据去重的数据持有性证明方案,该方案改进了原有数据去重中利用MD5值冒领原数据使用权的安全问题,并且引入可信第三方对不同文件的验证密钥进行管理,避免了文件标签的重复计算,同时利用额外的本地存储减少了时间消耗和通信代价。针对文件级云存储,设计了基于索引的动态数据持有性证明方案,并且针对之前方案中存在文件I/O对验证时间的影响,采用B+树多级索引对文件做查询优化。实验结果表明,该方案与传统方案相比,针对数据去重场景大幅度地减少了存储开销,降低了文件级的更新操作时间复杂度。     

基于区块链的多授权密文策略属性基等值测试加密方案

针对云环境下密文策略属性基加密方案中存在的密文检索分类困难与依赖可信第三方等问题,本文提出了一种基于区块链的多授权密文策略属性基等值测试加密方案．利用基于属性的等值测试技术,实现了支持属性级灵活授权的云端数据检索和分类机制,降低了数据用户对重复数据解密的计算开销．结合多授权属性基加密机制和区块链技术,实现了去中心化用户密钥生成．采用多属性授权机构联合分发密钥,有效抵抗用户和属性授权机构的合谋攻击．引入区块链和智能合约技术,消除了现有密文策略属性基密文等值测试方案中等值测试、数据存储与外包解密操作对可信云服务器的依赖．利用外包服务器执行部分解密计算,降低了用户本地的计算开销．将原始数据哈希和验证参数上传至区块链,保障外包服务器解密结果正确性和云端数据完整性．在随机预言模型下,基于判定性qparallel Bilinear Diffie-Hellman Exponent困难问题证明了本文方案在选择密文攻击下的单向性．与同类方案相比较,本文方案支持更多的安全属性,并具有较低的计算开销．     

基于LWE问题的关键词可搜索公钥加密方案

针对现有体制中用户生成关键词密文时的计算开销问题,引入全同态加密的思想,提出一种基于LWE问题,具备密文同态运算属性的关键词可搜索公钥加密方案,实现了计算开销由用户端向服务器端的转移。在随机谕示模型下,将体制的安全性归约到LWE问题难解性,并给出证明。     

基于同态MAC的无线传感网安全数据融合方案

数据融合是缓解无线传感网资源瓶颈的重要方法之一,但在开放环境中易受数据机密性和完整性攻击。针对此问题,该文提出一种基于同态MAC的无线传感网安全数据融合方案SDA-HMAC。通过同态MAC技术进行融合数据的完整性检测,利用同态加密算法保证了融合数据的机密性,使用杂凑函数和时间参数t计算密钥的MAC保证了数据的新鲜性。实验仿真和理论分析表明,相比于其它方案,SDA-HMAC方案在传感网数据融合过程中能提供较好的数据机密性、完整性和新鲜性保护,具有较高的数据传输效率和融合精度,同时花费较少的计算量和通信量。     

基于函数加密的密文卷积神经网络模型

目前,多数的外包卷积神经网络（CNN）模型采用同态加密、安全多方计算等方法来保护敏感数据的隐私性。然而,上述方法存在计算与通信开销过大而引起的系统效率较低的问题。利用函数加密的低开销特点,构建了基于函数加密的密文卷积神经网络模型。首先,设计了内积函数加密算法和基本运算函数加密算法,实现了密文数据的内积、乘法、减法等基本运算,降低了计算与通信开销;然后,设计了针对基本运算的安全卷积计算协议和安全损失优化协议,实现了卷积层的密文前向传播和输出层的密文反向传播;最后,给出了模型的安全训练和分类方法,通过将以上安全协议进行模块化顺序组合的方式实现CNN对密文数据的训练和分类,该方法可以同时保护用户数据和标签的机密性。理论分析和实验结果表明,所提模型能够在保证正确性和安全性的前提下实现密文数据的训练和分类。     

一种基于PoW的安全云存储数据去重方案

数据去重技术虽能提高云存储效率和节约网络通信带宽,但其安全问题备受学术界和产业界关注,成为研究热点。在用户对数据隐私性、机密性和完整性等的强烈需求下,安全云存储数据去重技术应运而生。文章给出云存储系统数据去重的系统模型和威胁模型,分析云存储系统数据去重的安全需求,介绍云存储系统数据去重方案的设计思路,提出云存储系统数据去重方案系统设置、数据上传、文件级所有权管理、数据块级所有权管理和数据下载的关键算法。     

基于f-mOPE的数据库密文检索方案

在云数据库环境下,为保证云存储数据的安全性,通常将数据加密存储。针对加密存储数据查询开销大,不支持密文排序,查询等缺点,该文提出一种 f-mOPE数据库密文检索方案。该方案基于可变保序编码(mOPE),采用二叉排序树数据结构思想,生成明文一一对应的保序编码;基于AES加密方案将数据明文转化为密文存储;采用改进的部分同态加密算法提升保序加密方案的安全性。通过安全性分析及实验结果表明,该方案在保证数据隐私的基础上,不但能抵御统计型攻击,而且能够有效地降低服务器计算开销,提高数据库处理效率。     

一种基于整数多项式环上的非对称全同态加密方案

大数据时代下用户数据的隐私安全面临着重大威胁。全同态加密因其满足云计算安全性需求的特性日益受到重视,所以同态加密算法成为保护云端数据的一种有效手段。基于整数多项式环构建了一种非对称的全同态加密方案,其中,包括密钥生成算法、加密算法、解密算法、重加密算法、解密正确性证明以及同态性证明。该方案运行一次KeyGen算法生成一次参数,即可以对批量的明文进行加密运算,也可以对批量的密文进行同态运算,加密效率和同态计算效率高,且该方案的安全性基于近似最大公约数问题。     

同态加密的发展及应用

认为密码学中的同态加密技术可以为分布式计算环境的用户隐私保护提供强有力的技术支撑。同态加密方案被分成3种类型:部分同态加密、浅同态加密和全同态加密。同态加密方案在分布式计算环境下的密文数据计算方面有着重要的应用,包括:安全云计算与委托计算、远程文件存储、密文检索等。指出目前全同态加密方案的构造还处于理论阶段,尚不能用于实际的密态数据计算问题,如何设计基于代数系统的(自然)全同态加密方案依然是未来研究的重点。     

Hybrid cloud approach for block-level deduplication and searchable encryption in large universe

Ciphertext-policy attribute-based searchable encryption (CP-ABSE) can achieve fine-grained access control for data sharing and retrieval, and secure deduplication can save storage space by eliminating duplicate copies. However, there are seldom schemes supporting both searchable encryption and secure deduplication. In this paper, a large universe CP-ABSE scheme supporting secure block-level deduplication are proposed under a hybrid cloud mechanism. In the proposed scheme, after the ciphertext is inserted into bloom filter tree (BFT), private cloud can perform fine-grained deduplication efficiently by matching tags, and public cloud can search efficiently using homomorphic searchable method and keywords matching. Finally, the proposed scheme can achieve privacy under chosen distribution attacks block-level (PRV-CDA-B) secure deduplication and match-concealing (MC) searchable security. Compared with existing schemes, the proposed scheme has the advantage in supporting fine-grained access control, block-level deduplication and efficient search, simultaneously.     

Key-exposure resilient integrity auditing scheme with encrypted data deduplication

For the problems of key-exposure,encrypted data duplication and integrity auditing in cloud data storage,a public auditing scheme was proposed to support key update and encrypted data deduplication.Utilizing Bloom filters,the proposed scheme could achieve client-side deduplication,and guaranteed that the key exposure in one time period didn’t effect the users’ private key in other time periods.The proposed scheme could solve the conflict between key-exposure resilient and encrypted data deduplication in public auditing scheme for the first time.Security analysis indicates that the proposed scheme is strong key-exposure resilient,confidentiality,detectability,and unforgeability of authentication tags and tokens under the computation Diffie-Hellman hardness assumption in the random oracle model.     

云存储下多用户协同访问控制方案

CP-ABE被认为是云存储下最适合的数据访问控制方法之一,但它仅适合用户分别读取或者分别修改不同数据的情况,而直接应用CP-ABE进行多用户协同数据访问时,会存在修改无序、密文文件大量冗余等问题。多用户协同访问云端数据时,应该在保证机密性、抗共谋的前提下控制合法用户有序地修改同一密文文件,同时云端尽可能减少密文文件副本。针对文件和文件逻辑分块,提出了2个多用户协同访问控制方案MCA-F和MCA-B。MCA-F满足单个数据文件作为最小控制粒度的访问控制需求,该方案采用层次加密结构,云服务器承担部分解密计算,以降低用户解密的计算代价;针对多用户同时写数据的访问控制,提出了对多个用户提交的暂存数据的管理方法。MCA-B用于文件的逻辑分块作为最小控制粒度的访问控制,该方案设计了文件的逻辑分块机制、基于索引矩阵的表示方法,提出了子数据掩码表示方法以描述多个用户对同一文件不同逻辑分块的写权限;MCA-B支持用户集合、文件逻辑分块结构的动态变化,而且数据的拥有者和修改者无需一直在线。与现有的方案相比,所提方案不仅具有云存储下多用户协同写数据的访问控制能力,而且读访问控制的用户端存储量和加解密计算量是较小的。     

Request Merging Based Cross-User Deduplication for Cloud Storage with Resistance Against App ending Chunks Attack

Cross-user deduplication is an emerging technique to eliminate redundant uploading in cloud storage. Its deterministic response indicating the existence of data creates a side channel to attackers, which makes the privacy in the cloud at risk. Such kind of attack as well as further appending chunks attack, still cannot be well resisted in current solutions, thus is becoming a big obstacle in using this technique. We propose a secure cross-user deduplication, called Request merging based deduplication scheme (RMDS), which takes the lead to consider resistance against appending chunks attack in a lightweight way, let alone side channel attack. We utilize the proposed XOR based chunk-level server-side storage structure together with a request merging strategy to obfuscate attackers in minimized communication overhead. The experiment results show that, with security guaranteed, the proposed scheme is more efficient comparing with the state of the art.     

Attribute-based fully homomorphic encryption scheme over rings

The fully homomorphic encryption has important applications in the area of data security and privacy security of cloud computing,but the size of secret keys and ciphertext in most of current homomorphic encryption schemes were too large,which restricted its practical.To improve these drawbacks,a recoding scheme and a attribute-based encryption scheme based on learning with errors problem over rings were provided,then a attribute-based fully homomorphic encryption was constructed.The new scheme overcame the above mentioned drawbacks,because it did't need public key certificate,meanwhile,it can achieve the fine-grained access control to the ciphertext.Compared with similar results,proposed method decreases the size of keys and ciphertext greatly.     

Key storage management scheme based on keyed hash tree with state

To solve the problem of massive keys storage caused by multi-source data encryption in ciphertext retrieval system,a key storage scheme based on keyed hash tree with state was proposed.The scheme computes encryption key according to the root key and key derivation tree,and just needs to store the root key and the tree structure,which greatly reduces the key storage costs.In addition,the scheme manages key revocation according to the revocation state value,thereby solving the problem of key revocation and structure update.Strict security analysis shows that the partial data key disclosure does not leak the data confidentiality of remaining data,and the performance analysis using real-world dataset shows that the proposed key storage management scheme is acceptable in ciphertext retrieval system.     

基于分布式代理的云资源调度中可信数据获取机制

Nowadays , an increasing number of persons choose to outsource their computing demands and storage demands to the Cloud. In order to ensure the integrity of the data in the untrusted Cloud, especially the dynamic files which can be updated online, we propose an improved dynamic provable data possession model. We use some homomorphic tags to verify the integrity of the file and use some hash values generated by some secret values and tags to prevent replay attack and forgery attack. Compared with previous works , our proposal reduces the computational and communication complexity from O (logn ) to O (1). We did some experiments to ensure this improvement and extended the model to file sharing situation.     

降低可证明存储的计算和通信复杂度

Nowadays , an increasing number of persons choose to outsource their computing demands and storage demands to the Cloud. In order to ensure the integrity of the data in the untrusted Cloud, especially the dynamic files which can be updated online, we propose an improved dynamic provable data possession model. We use some homomorphic tags to verify the integrity of the file and use some hash values generated by some secret values and tags to prevent replay attack and forgery attack. Compared with previous works , our proposal reduces the computational and communication complexity from O (logn ) to O (1). We did some experiments to ensure this improvement and extended the model to file sharing situation.     

支持策略隐藏且密文长度恒定的可搜索加密方案

属性加密体制是实现云存储中数据灵活访问控制的关键技术之一,但已有的属性加密方案存在密文存储开销过大和用户隐私泄露等问题,并且不能同时支持云端数据的公开审计。为了解决这些问题,该文提出一个新的可搜索属性加密方案,其安全性可归约到q-BDHE问题和CDH问题的困难性。该方案在支持关键词搜索的基础上,实现了密文长度恒定;引入策略隐藏思想,防止攻击者获取敏感信息,确保了用户的隐私性;通过数据公开审计机制,实现了云存储中数据的完整性验证。与已有的同类方案相比较,该方案有效地降低了数据的加密开销、关键词的搜索开销、密文的存储成本与解密开销,在云存储环境中具有较好的应用前景。