
Research On User Permission Management And Privacy Protection In Cloud Computing

Posted on: 2016-07-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S B Li
GTID: 1318330482957963
Subject: Information security
Abstract/Summary:
With the widespread adoption of big data, cloud computing and the mobile Internet, the cloud computing service model is developing in new directions to fit big-data and mobile service environments. The technical support for large-scale data, large numbers of users, dynamic resource management and flexible configuration has brought efficiency gains, convenient services and low cost, but the resource sharing of the cloud platform and its uncertain logical boundaries have also brought identity security and data security problems. In big-data and hybrid-cloud environments, many organizations have virtualized their separate physical networks into a single unified logical virtual network that replaces them. This computing-resource-sharing model achieves highly integrated and efficient use of network resources and centralized distribution of network traffic, but it also brings security problems such as user privacy leakage, leakage of key information and data access control. How to overcome the security threats introduced by virtual networks with uncertain boundaries, so as to guarantee user security and data security for cloud service systems, has therefore become an important problem in the field of information security.

Cryptographic technologies such as encryption, signatures and authentication provide a new way to protect users and data on cloud platforms. Encryption provides data confidentiality, signatures resist identity impersonation, and authentication ensures authorized access to data. Identity-based cryptography eliminates digital certificates, and attribute-based cryptography provides fine-grained access control. However, it is difficult to build a multi-dimensional protection architecture by relying on a single technology alone, and equally difficult to guarantee identity security, key security and data security that way.

In addition, cloud computing platforms already provide fine-grained access to ciphertext data, in which user identity protection and permission controllability are realized through attribute updating, key updating and policy-tree updating. On this basis, further research into user permission upgrading and downgrading, key revocation and identity attribute protection, suited to different application scenarios, can provide data protection for cloud service platforms through dynamic management of users' authorizations, privacy and keys.

The core goal of this dissertation is user security on cloud platforms. Focusing on versatility and controllability of identity management and permission control, confidentiality and integrity of ciphertext access and privacy protection in the cloud service environment, and the application of group and ring signatures and signcryption, the research covers the following four areas:

1) User permission upgrading and downgrading in the single-CSP (cloud service provider) environment

User permission updating covers full and partial upgrading of access permissions and full and partial downgrading, realized in the single-CSP environment mainly through identity-set updating, attribute-set updating and key updating. To prevent other users from gaining abnormal access through permission updating, and to solve the identity-security and data-security problems of attribute updating and key updating, this dissertation presents an attribute-based group signature permission-upgrading scheme and a broadcast CP-ABE permission-downgrading scheme. When a user applies for a signing key, the truth of the identity attributes is verified by reconfiguring the group attribute set, and key distribution is controlled; fine-grained access is designed so that the ciphertext cannot be leaked, using CP-ABE and the permission controllability of a revocation group. Meanwhile, for downgrading of data-sharing permissions, a user can revoke sub-users' permissions and control the allocation of users' private key shares by using attribute segmentation in threshold CP-ABE; the identity-set management advantage of broadcast encryption directly revokes the full permissions of a department's users. The scheme realizes a dual system of user permission upgrading and downgrading, with both large-scale revocation and immediate revocation.

2) Partial attribute protection in the single-CSP environment

Protecting part of a user's attributes covers leakage through attribute-set updating and leakage of the attribute set from the key in the single-CSP environment, and is realized mainly through proxy authentication, zero-knowledge proofs, a trusted third party and anonymous signatures. Because partial attribute protection depends heavily on third-party key distribution and attribute authorities, this dissertation presents a ciphertext-policy attribute-based group signcryption scheme for partial attribute protection. When a user can compute the key factor, the scheme controls the CSP's access to key-associated attribute information by connectionless cross-validation of the group signcryption; it reduces the minimum number of attributes needed for signcryption by using certificateless signcryption and keeping the signing key and encryption key independent in ciphertext-policy signcryption; it resists attackers forging signatures over attribute-set updates through the unforgeability of identity-based signcryption; and, centered on the key service, it designs an identity verification mechanism for group signcryption that prevents masquerading as other users. The scheme realizes protection of an arbitrary subset of attributes, of attribute-set updating and of message privacy.

3) User key revocation in the multi-CSP environment

User key updating covers revocation of key attributes, group key updating and revocation of certificate attributes in the multi-CSP environment, realized mainly by setting lifecycles for certificates and attribute sets and by controlling key updating through the policy tree. Focusing on attribute leakage when shared key attributes are revoked, on the cost of key maintenance and upgrading, and on the performance degradation caused by key regeneration, this dissertation presents an attribute-based ring signature scheme for user key revocation. User attribute sets are mapped to rows of the matrix, which controls the CSP's ability to obtain the attributes associated with a user's key through the monotone mapping of a span-program matrix; attribute security is protected by the independent multiple authorities of distributed attribute-based encryption; updating of system parameters by the PKG (private key generator) is controlled so that revoking a shared attribute does not affect other users' normal access, using the non-interactive anonymity of the revocation ring; and, centered on ciphertext access, a ring signature verification mechanism is designed that prevents collusion between the CSP and users. The scheme realizes key attribute revocation, attribute protection and verified ciphertext access.

4) Identity attribute protection in the multi-CSP environment

User identity attribute protection covers preventing leakage of key-associated attributes and of attribute-set updates in the multi-CSP environment, and is realized mainly through multi-party computation, attribute division and attribute combination, source certification and authentication certification. Focusing on leakage of associated attributes during certificate updating, on the cost of key maintenance and upgrading, and on the performance degradation caused by key regeneration, this dissertation presents an attribute-based blind ring signcryption scheme for identity attribute protection. It designs centerless local generation of user keys, so that the PKG cannot obtain the whole set of key-associated attributes, through certificateless division of the signing key; it prevents colluding CSPs from obtaining signatures associated with the whole attribute set and prevents user identity impersonation through the signcryption verification of attribute-based ring signcryption; and it resists forgery of the attribute set and ciphertext and protects message privacy through the unforgeability of blind signatures. Centered on user access permissions, it designs a ring signcryption verification mechanism to protect the confidentiality and integrity of the whole attribute set. The scheme realizes protection of user identity attributes, of message privacy and of key-related information.
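The threshold-attribute mechanism behind the permission upgrading and downgrading of part 1) (attribute shares of a threshold policy, partial downgrading by removing one share, full downgrading by identity-set revocation), as an added Python illustration that is not the dissertation's scheme: it substitutes plain Shamir secret sharing over a prime field for CP-ABE, carries no ciphertext or pairing, and the attribute names, user ids and the `ThresholdPolicy` class are constructed for the example.

```python
"""Toy threshold-attribute access control with Shamir secret sharing.

Constructed illustration, not the dissertation's CP-ABE scheme (no pairings,
no ciphertexts).  A per-object secret is split into shares, one share per
attribute of a t-of-n threshold policy; a user recovers the secret only when
the attribute shares in her key meet the threshold.  Partial downgrading
removes one attribute share from the key; full downgrading places the identity
in a revocation set that is checked before any share is used, mimicking the
broadcast-style identity-set revocation the abstract mentions.
"""
import secrets

PRIME = 2**127 - 1  # prime field for the sharing arithmetic (constructed choice)


def split_secret(secret, attributes, threshold):
    """Shamir split: the share for attributes[i] is the polynomial value at x = i + 1."""
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x, attr in enumerate(attributes, start=1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares[attr] = (x, y)
    return shares


def recover_secret(points):
    """Lagrange interpolation at x = 0; yields the secret only with >= threshold points."""
    result = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        result = (result + yj * num * pow(den, -1, PRIME)) % PRIME
    return result


class ThresholdPolicy:
    """Object guarded by 'at least `threshold` of `attributes`' plus a revocation set."""

    def __init__(self, attributes, threshold):
        self.threshold = threshold
        self.secret = secrets.randbelow(PRIME)
        self.shares = split_secret(self.secret, attributes, threshold)
        self.user_keys = {}       # user id -> set of attribute names held in the key
        self.revoked = set()      # identity-set revocation (full downgrading)

    def grant(self, user, attrs):
        """Upgrade: attach the shares of the granted attributes to the user's key."""
        self.user_keys[user] = set(attrs) & set(self.shares)

    def downgrade_partial(self, user, attr):
        """Partial downgrade: remove a single attribute share from the user's key."""
        self.user_keys.get(user, set()).discard(attr)

    def downgrade_full(self, user):
        """Full downgrade: revoke the identity outright, whatever attributes it holds."""
        self.revoked.add(user)

    def can_access(self, user):
        """True only if the user is not revoked and holds enough shares to recover the secret."""
        if user in self.revoked:
            return False
        held = [self.shares[a] for a in self.user_keys.get(user, ())]
        if len(held) < self.threshold:
            return False
        return recover_secret(held[: self.threshold]) == self.secret


def demo():
    """Walk through upgrade, partial downgrade and full downgrade on constructed users."""
    policy = ThresholdPolicy(["dept:finance", "role:auditor", "clearance:2"], threshold=2)
    policy.grant("alice", ["dept:finance", "role:auditor", "clearance:2"])
    policy.grant("bob", ["dept:finance"])
    steps = {"alice_full": policy.can_access("alice"),
             "bob_one_attr": policy.can_access("bob")}
    policy.downgrade_partial("alice", "role:auditor")
    steps["alice_after_partial"] = policy.can_access("alice")      # still 2 of 3 attributes
    policy.downgrade_partial("alice", "clearance:2")
    steps["alice_below_threshold"] = policy.can_access("alice")    # only 1 of 3 remain
    policy.grant("carol", ["dept:finance", "clearance:2"])
    policy.downgrade_full("carol")
    steps["carol_revoked"] = policy.can_access("carol")            # identity revoked
    return steps


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the one the abstract relies on: removing a single attribute share changes what a user can decrypt without touching anyone else's key, whereas identity-set revocation cuts a user off regardless of the attributes still in her key.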
Keywords/Search Tags: Information Security, Cloud Computing, Attribute-Based Encryption, Access Control, Privacy Protection