Research On Key Thchniques Of Sensitive Data Security In Open Environment

With the rapid development of network, the security demands of E-docuements in the multi-domain environment become to appear. However, due to the characteristics of E-document which is easy to copy, spread and modify, the sensitive information may be subject to the potential risk of leaking. At present, more E-document security management systems are based on C/S structure, which sensitive data are stored by third-party server and shared between users with the control of the third-party server. The foreign and domestic experts are focused on the research of protection in the application layer for the documents, key management, and access control technology for the plain text. In other words, they neglect the research of real-time encryption within the life time of the document, ciphertext recourse sharing in multi-domain, and technology of usage control on the ciphertext. Therefore, the technology of the E-document management in the multi-domain environment will be shown in the paper.The trusted model for E-document management supporting with time and space constraint, identity_based domain key distribution protocol, a distribution protocol based on proxy re-encryption, and cryptographic access control based on attribute-based encryption (ABE) for E-document management will be shown in this dissertation. The research will ensure that the sensitive data is always in the form of ciphertext within the life time including creating, storage, transfer and distribution, etc. In addition, the research will solve that how to share the ciphertext resource and it provides a fine-grained access control for ciphertext. The major innovations of this dissertation are as follows:Ⅰ. Identity based domain key distribution protocol in the E_document security managementIn order to create a security domain environment in the E_document management, an identity domain key distribution scheme using bilinear pairings for large and dynamic domain is proposed in this paper. The scheme can handle the joining and leaving of domain members efficiently, and update the domain key in the manner of broadcast, which avoids the complex protocols of key agreement. In addition, the distribution protocol based sharing_domain for E_document is also given in the paper, which aims to realize the function of sharing the documents in a domain and distributing the documents between different domains securely. With the protocol, the E_documents obtained by a domain member can be transmitted to other domain members seamlessly. On the opposite, the E_document which is distributed to another domain need to be upload to the server, which will verify the identity of the domain member and encrypt the documents with the specified domain key.II. A distribution protocol based on proxy re-encryption for E-document managementIn view of the domain environment in E-documents management, a CCA-secure (Chosen ciphertext attack) and interoperable cross-domain distribution protocol for E-document will be proposed in the paper. Based on proxy re-encryption, the scheme uses a semi-trusted entity called proxy server to re-encrypt the document ciphertext without decrypting the ciphertext such that only users can decrypt the data with his private key. Compared with the existing system, our scheme relieves the server from intense encryption/decryption processing, and achieves reliable decentralized encryption/decryption with good scalability and efficiency. Additionally, our scheme enjoys the advantages of both higher efficiency and stronger security. Therefore, the distribution protocol based on proxy re-encryption can be widely used in the domain interoperability environment.III. Cryptographic access control based on attribute-based encryption (ABE) for E-document managementTo keep the E-document confidential in the n the open network enviroment, a cryptographic access control based on attribute-based encryption (ABE) was introduced. This scheme combines the techniques of ciphertext policy attribute based encryption (CP-ABE) and proxy re-encryption, and the E-document will be stored and operated in the form of ciphertext through CP-ABE, while the server will supports dynamic and fine-grained access control for ciphertext. Comparing with the traditional way, the scheme alleviates the administering burdens on the data owner, and supports dynamic and fine-grained access policies.