| With the increasing of data scale, the cloud storage service has been an important trend for data outsourcing. The cloud storage is a distributed data center that consists of a large amount of storage nodes. Cloud can provide users with storage and access services of high efficiency, diversity and stability by using virtualization technology. However, the data security issues are critical throughout the design of system architecture and service portfolio in the cloud. This is due to the essence of adopted virtualization and multi-tenant technologies, which divide the cloud resources into multiple logic units and allow different users to share the same host. Thus, adversaries could spy, modify and delete the sensitive data by invading the host. Besides, the outsourced data and the corresponding duplications are stored in distributed cloud nodes, so that the deletion of data cannot be assured and may cause the data remanence problem. Therefore, the applicable security models for cloud storage are critical to user privacy and data security.This thesis addresses modeling and analysis methods for several critical issues of data security in cloud storage, which include encrypted storage, integrity verification, access control and assured deletion. The data fragmentation and rule refinement algorithms are used to optimize the access policy. The tags are generated to verify the data integrity in the cloud while the multi-replicas scheme is adopted to ensure data availability. The identity verification is added to enhance the security of attribute based encryption, and the signcryption technique is used to reduce the algorithm complexity. The time based encryption is combined with the DHT network to realize assured deletion of both ciphertext and corresponding decryption keys. Consequently, we build the privacy preserving security scheme which is applicable to cloud storage.The main contributions of this thesis are as follows.(1) A hierarchical data structure and the corresponding security levels are proposed to categorize the data into a logical resource view for cloud computing framework. The data fragmentation algorithm is adopted to divide intersecting resources of the access policy into disjoint data blocks, where the anomalies and conflicts of rules are resolved. Thus, the policy decision efficiency is improved by fine-grained access control.(2) A remote data checking and fast recovery scheme is proposed, which achieves integrity verification and data recovery with low computation and communication overhead in cloud storage. During the verification, the cloud cannot forge the integrity proof, while the verifiers can neither decrypt the ciphertext nor acquire the user privacy. When a data block is corrupted or modified, our proposal can locate the errors and perform fast recovery by taking the duplications on other cloud nodes.(3) A multi-authority based encryption scheme is proposed to reduce the complexity of attribute key management in cloud environment. Based on the establishment of user domains, the sub attribute authorities are authenticated to issue time specific secret keys for legal users, in order to achieve load balance of key management. This scheme can effectively perform attribute update and user revocation with low costs. Collusion attacks by users and compromised authorities are prevented in this proposal. Further, the attribute-based signcryption (ABSC) scheme is presented, which can integrate both signature and encryption phases into a single function. Besides, the ABSC is optimized to enhance the security of outsourced sensitive data. In PHR scenarios, the methods of ABS, ABE and ABSC are selectively adopted to share data of different security levels, so as to satisfy the security and efficiency requirements.(4) The lifecycle-based time specific encryption is proposed, which cooperates with a secure overlay to achieve data assured deletion for both ciphertext and data decryption keys. The scheme transforms the data lifecycle into a time-tree and combines attributes with time by node coloring so as to generate the encryption keys. The proposed scheme encapsulates the ciphertext by time key to enhance the security of outsourced data, and prevents the DHT network from Sybil attacks by adopting the attribute-based encryption on data key via the secure overlay.
|
PDF Full Text Request