云存储系统中支持用户隐私保护的细粒度访问控制

从云存储实际需求出发,设计了一个云存储环境下支持用户隐私保护和用户属性撤销的多属性权威的属性加密机制,为了保证系统实现的效率和减轻数据持有者的负担,在属性撤销中,复杂的计算任务都委托给可信第三方或云服务器完成。所提方案在DBDH假设下被证明是安全的。     

雾计算中细粒度属性更新的外包计算访问控制方案

针对基于密文策略的属性加密(CP-ABE)在低时延需求较高的雾计算环境中,存在加解密开销大、属性更新效率低的问题,提出了一种雾计算中细粒度属性更新的外包计算访问控制方案,使用模加法一致性秘密(密钥)分享技术构建访问控制树,将加解密计算操作外包给雾节点,降低用户加解密开销;结合重加密机制,在雾节点建立组密钥二叉树对密文进...     

基于访问树的策略隐藏属性加密方案

已有的策略隐藏属性加密（ABE,attribute-based encryption）方案只支持受限的访问结构,策略表达能力弱,基于此提出一种新的访问树结构,使属性隐藏和秘密共享能够应用到“与”门、“或”门和“门限”门中。并且,利用合数阶双线性群构造了一种基于访问树的策略隐藏方案,并通过双系统加密的概念证明了方案的安全性。分析和实验验证表明,方案在实现复杂访问结构的策略隐藏的同时,并没有过多地增加计算开销,在实际应用过程中更加灵活和有效。     

Fine-grained data access control for distributed sensor networks

Distributed sensor networks are becoming a robust solution that allows users to directly access data generated by individual sensors. In many practical scenarios, fine-grained access control is a pivotal security requirement to enhance usability and protect sensitive sensor information from unauthorized access. Recently, there have been proposed many schemes to adapt public key cryptosystems into sensor systems consisting of high-end sensor nodes in order to enforce security policy efficiently. However, the drawback of these approaches is that the complexity of computation increases linear to the expressiveness of the access policy. Key-policy attribute-based encryption is a promising cryptographic solution to enforce fine-grained access policies on the sensor data. However, the problem of applying it to distributed sensor networks introduces several challenges with regard to the attribute and user revocation. In this paper, we propose an access control scheme using KP-ABE with efficient attribute and user revocation capability for distributed sensor networks that are composed of high-end sensor devices. They can be achieved by the proxy encryption mechanism which takes advantage of attribute-based encryption and selective group key distribution. The analysis results indicate that the proposed scheme achieves efficient user access control while requiring the same computation overhead at each sensor as the previous schemes.     

Implementation of smart-card access control with threshold scheme

We describe an electronic implementation of a security scheme to control access to a building. Access to the building by a person alone is not possible but access by a group of authorized people whose number satisfies a prescribed threshold is permissible. The scheme makes use of the shared-secret symmetry cryptography together with smart-card technology. The access key of a person is carefully encoded and stored on a smart card which can also be used for many other purposes. Access records are kept on these smart cards in a distributive fashion and with duplication. Innocent people are able to present information regarding their recent accesses to the building and yet practically cannot be accused of fabricating these records. The scheme permits the use of a standalone controller and eliminates the need for expensive wiring to a remote central database of authorized users.     

面向多维数字媒体的访问控制机制

在多维数字媒体场景中,用户期望利用环境、时态等因素实现访问权限的自我约束。针对该需求,综合环境、时态、角色定义授权属性,提出面向多维数字媒体的访问控制机制,该机制定义用户—授权属性分配关系和授权属性—访问权限分配关系,根据用户的ID、属性信息、所处环境和时态、角色,用户—授权属性分配关系为用户分配相应授权属性;根据用户所赋予的授权属性,授权属性—访问权限分配关系为用户分配相应访问权限。引入约束条件,用户通过设置约束条件进行访问权限的自我约束,实现访问权限随环境、时态、角色等因素的变化而动态缩减。使用Z符号对该机制进行形式化描述,通过实例分析验证其可行性,与现有工作的比较表明所提机制支持最小权限、职责分离、数据抽象等安全原则,支持访问权限的动态缩减。     

Dynamic cooperative media access control for wireless networks

Cooperative communications can obtain spatial diversity, high channel capacity, and reliable transmission without multiple antennas, and thus, it has become a hot topic in recent years. Different from existing research, this paper pays attention on cooperative media access control (MAC) mechanism, which considers both physical gain and MAC overhead caused by cooperation. To this end, a dynamic cooperative MAC mechanism for wireless networks, called DCMAC, is proposed. DCMAC can obtain the useful channel state information through broadcasting characteristic of wireless channel, choose the suitable helpers to relay data with our proposed helpers selection algorithm, and reserve wireless channel efficiently and dynamically. Numerical results show the effectiveness of DCMAC to improve the system performance.     

QoS-aware cooperative medium access control for MIMO ad-hoc networks

To exploit multiuser diversity and achieve QoS requirements in MIMO ad hoc networks, we propose an optimal scheduling policy which utilizes stream control schemes. We also present a medium access control (MAC) protocol to implement the optimal scheduling policy. Simulation results show that our implementation achieves higher network throughput and provides better QoS support than the existing solutions.     

Congestion control policies for IP-based CDMA radio access networks

As CDMA-based cellular networks mature, the current point-to-point links used in connecting base stations to network controllers evolve to an IP-based radio access network (RAN) for reasons of lower cost due to statistical multiplexing gains, better scalability and reliability, and the projected growth in data applications. In this paper, we study the impact of congestion in a best-effort IP RAN on CDMA cellular voice networks. We propose and evaluate three congestion control mechanisms, admission control, diversity control, and router control, to maximize network capacity while maintaining good voice quality. We first propose two new enhancements to CDMA call admission control that consider a unified view of both IP RAN and air interface resources. Next, we introduce a novel technique called diversity control that exploits the soft-handoff feature of CDMA networks and drops selected frames belonging to multiple soft-handoff legs to gracefully degrade-voice quality during congestion. Finally, we study the impact of router control where an active queue management technique is used to reduce delay and minimize correlated losses. Using simulations of a large mobile network, we show that the three different control mechanisms can help gracefully manage 10-40 percent congestion overload in the IP RAN.     

New dual-game-based cooperative bandwidth control scheme for ultra-dense networks

Wireless Networks - Future 5G cellular networks are being designed to address the explosive traffic growth of mobile users. In emerging new wireless system paradigms, the ultra-dense network (UDN)...     

云存储下多用户协同访问控制方案

CP-ABE被认为是云存储下最适合的数据访问控制方法之一,但它仅适合用户分别读取或者分别修改不同数据的情况,而直接应用CP-ABE进行多用户协同数据访问时,会存在修改无序、密文文件大量冗余等问题。多用户协同访问云端数据时,应该在保证机密性、抗共谋的前提下控制合法用户有序地修改同一密文文件,同时云端尽可能减少密文文件副本。针对文件和文件逻辑分块,提出了2个多用户协同访问控制方案MCA-F和MCA-B。MCA-F满足单个数据文件作为最小控制粒度的访问控制需求,该方案采用层次加密结构,云服务器承担部分解密计算,以降低用户解密的计算代价;针对多用户同时写数据的访问控制,提出了对多个用户提交的暂存数据的管理方法。MCA-B用于文件的逻辑分块作为最小控制粒度的访问控制,该方案设计了文件的逻辑分块机制、基于索引矩阵的表示方法,提出了子数据掩码表示方法以描述多个用户对同一文件不同逻辑分块的写权限;MCA-B支持用户集合、文件逻辑分块结构的动态变化,而且数据的拥有者和修改者无需一直在线。与现有的方案相比,所提方案不仅具有云存储下多用户协同写数据的访问控制能力,而且读访问控制的用户端存储量和加解密计算量是较小的。     

面向敏感数据共享环境下的融合访问控制机制

为解决敏感数据共享应用中的数据分发问题和提高数据共享的安全性,将属性基加密机制和使用控制技术相结合,提出一种融合访问控制机制。该机制一方面采用属性基加密机制保证了数据在存储和分发过程中的机密性,通过灵活且可扩展的访问控制策略控制敏感数据的共享范围;另一方面,通过使用控制技术实现对用户的权限控制,防止合法用户对敏感数据进行非法操作,解决共享用户中的权限滥用问题。最后,对机制的安全性和性能进行了分析,显著地降低了服务端的工作负荷,并通过实验测试了该机制的有效性。     

An improved cooperative spectrum sensing of femtocells with hybrid TDD access scheme in massive MIMO system

To improve the sensing performance and achieve higher throughput of the femtocells (FCs) while alleviating the influence to the macrocell in the cognitive massive multiple‐input and multiple‐output system (MIMO), we propose in this paper a hybrid time‐division duplex (TDD) access scheme of the FCs with confidence factor–based weighted cooperative spectrum sensing (CSS). A first, we present an efficient hybrid TDD access scheme for better spectrum reuse of the FCs based on the typical TDD and reversed TDD schemes. Furthermore, confidence factor–based weighted CSS has been used for better spectrum sensing and interference alleviation. In the cognitive massive MIMO system, FC base stations will form dynamical clustering based on the channel conditions, sense the spectrum through cooperative scheme, and decide whether to access the spectrum or not. After information exchange within each FC cluster, the FC base stations can obtain and update their confidence factors and weight factors based on the sensing results and reliability. Numerical results and theoretical analysis show that the proposed scheme can get more accurate sensing results, increase the throughput and the spectrum access opportunity of the FCs, and efficiently alleviate the interference to the macrocell tier.     

Multi-objective cooperative medium access control protocols in wireless Ad-Hoc networks

Wireless Networks - Relay-based cooperative communications have been emerging as a novel paradigm in many wireless protocols. The IEEE 802.11 medium access control (MAC) protocols have attracted...     

具有细粒度访问控制的隐藏关键词可搜索加密方案

针对现有的可搜索加密算法在多用户环境中密钥管理难度大并且缺乏细粒度访问控制机制的问题,利用基于密文策略的属性加密机制(CP-ABE, ciphertext-policy attribute based encryption)实现了对隐藏关键词可搜索加密方案的细粒度访问控制。数据拥有者可以为其在第三方服务器中存储的加密指定灵活的访问策略,只有自身属性满足该访问策略的用户才有权限对数据进行检索和解密。同时还能够实现对用户的增加与撤销。安全性分析表明方案不仅可以有效地防止隐私数据的泄露,还可以隐藏关键词的信息,使得第三方服务器在提供检索功能的同时无法窃取用户的任何敏感信息。方案的效率分析表明,该系统的检索效率仅为数十微秒,适合在大型应用系统中使用。     

Optimal power and retransmission control policies for random access systems

We consider in this study dynamic control policies for slotted Aloha random access systems. New performance bounds are derived when random access is combined with power control for system optimization, and we establish the existence of optimal control approaches for such systems. We analyze throughput and delay when the number of backlogged users is known, where we can explicitly obtain optimal policies and analyze their corresponding performance using Markov Decision Process (MDP) theory with average cost criterion. For the realistic unknown-backlog case, we establish the existence of optimal backlog-minimizing policies for the same range of arrival rates as the ideal known-backlog case by using the theory of MDPs with Borel state space and unbounded costs. We also propose suboptimal control policies with performance close to the optimal without sacrificing stability. These policies perform substantially better than existing "Certainty Equivalence" controllers.     

基于属性的安全增强云存储访问控制方案

为了保证云存储中用户数据和隐私的安全,提出了一种基于属性的安全增强云存储访问控制方案。通过共用属性集,将基于属性的加密体制(ABE)与XACML框架有机结合,在XACML框架上实现细粒度的基于属性的访问控制并由ABE保证数据的机密性。考虑到数据量很大时ABE的效率较低,因此,云存储中海量敏感数据的机密性用对称密码体制实现,ABE仅用于保护数据量较小的对称密钥。实验分析表明,该方案不仅能保证用户数据和隐私的机密性,而且性能优于其他同类系统。     

基于信息覆盖的无线传感器网络访问控制机制

通过周期性地信息扩散,设计THC(two-hop cover)算法,使传感器节点能够在用户移动过程中及时得到用户的认证信息.基于THC算法,引入Merkle散列树和单向链等安全机制,采用分布式的访问控制模式,提出了适用于随机移动用户的传感器网络访问控制机制.分析和实验表明,本机制既适用移动用户,也适用静止用户,计算、通信、存储开销低,能够抵制节点捕获、重放、DoS等攻击.     

Proxy re-encryption based multi-factor access control scheme in cloud

Cloud computing is one of the space-ground integration information network applications.Users can access data and retrieve service easily and quickly in cloud.The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network.Thus the data in cloud is transferred with encrypted form to protect the information.As an important technology of cloud security,access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection.Based on this,a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed.Firstly,the aims and assumptions of PRE-MFAC were given.Secondly,the system model and algorithm was defined.Finally,the security and properties of PRE-MFAC were analyzed.The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in cloud.Meanwhile,it can make the best possible use of cloud in computing and storing,then reduce the difficulty of personal user in cryptographic computing and key managing.