
Access Control Methods Supporting Dynamic Authority Management And Collaborative Edit In Cloud Storage

Posted on: 2018-04-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J L Shi
Full Text: PDF
GTID: 1368330542466612
Subject: Computer system architecture

Abstract/Summary:
Cloud storage allows owners to host their data in the cloud and provides users with online access anywhere and anytime. As a key issue, data access control is the bottleneck restricting the widespread use of cloud storage services. Ciphertext-policy attribute-based encryption (CP-ABE) removes the coupling between data owners and users in time, space and synchronization. Thus, it is a suitable method of data access control in data outsourcing environments such as cloud storage. However, it is extremely hard to revoke a user's attribute efficiently while preserving confidentiality, collusion resistance, forward security and backward security, and it is also hard to resolve the key escrow problem in CP-ABE. The key reason for inefficient attribute revocation lies in the two associations of an attribute: on one hand, it is associated with multiple users' private keys; on the other hand, it is associated with multiple ciphertexts encrypted under it. Thus, when an attribute of a user is revoked, all ciphertexts associated with the revoked attribute must be re-encrypted, and all users' private keys associated with the revoked attribute must be re-issued. The low efficiency of dynamically changing an attribute has always been one of the hottest issues. In addition, encryption of plaintext costs owners excessive computation, and decryption of ciphertext costs users excessive computation. The high computation cost at end users has become a bottleneck for many applications. Finally, secure collaborative edit control on outsourced data needs to be designed for cloud storage, where multiple users edit the same ciphertext at the same time.

Under the above background, current research progress is analyzed and summed up. In this dissertation, a series of in-depth studies has been carried out on three issues: low efficiency of dynamic change of a user's authority, high computation cost at the end user, and lack of access control on multi-user collaborative edit. The main work is as follows:

1) This dissertation proposes an access control method supporting dynamic authority management. When CP-ABE is used to realize fine-grained access control, some efficiency problems arise: (i) low efficiency of dynamic change of a user or his attribute; (ii) high computation cost at the end user. Focusing on these problems, this work proposes an access control method with dynamic authority management using the concept of a version key. In particular, it realizes direct cloud-aided attribute revocation without updating other users' keys or re-encrypting ciphertexts. This work also presents a cloud-aided decryption method with which most of the decryption work can be transferred to the cloud. Compared with existing methods, this access control method incurs less computation cost at the user end and supports efficient dynamic change of a user or his attribute. Analysis and simulation indicate that the direct cloud-aided attribute revocation method takes less time.

2) This dissertation proposes two collaborative access control methods supporting multi-user reading and modifying. CP-ABE has been considered one of the most suitable methods of data access control in cloud storage. However, it is only fit for reading or modifying different data files respectively. When CP-ABE is applied directly to collaborative data access control by multiple users, problems arise such as data being modified out of order and a large number of redundant copies of ciphertext files being stored. When multiple users collaboratively access data stored in the cloud, legitimate users should modify the same ciphertext file in an orderly way while preserving confidentiality and collusion resistance, and as few copies of the ciphertext file as possible should be generated. This work proposes a collaborative access control method, MCA-F, supporting multi-user reading and modifying by taking each file as the minimal granularity of control. In MCA-F, hierarchical encryption is adopted; part of the decryption computation is transferred to a cloud server to decrease the computational cost on users when decrypting; and, for simultaneous write access by multiple users, a method is designed to manage semi-stored modified data submitted by menders. With the requirements of finer control granularity and dynamic change of control objects, further problems arise: the computation and storage costs of the end user must be optimized, control objects must be managed flexibly, and the proposed method must be compatible with existing access control methods. This work therefore proposes a collaborative access control method, MCA-B, supporting multi-user reading and modifying by taking a logical block of a file as the minimal granularity of control. MCA-B designs a mechanism for logical blocking of the file and a representation method based on an Index Matrix. The representation of a Sub Data Mask is put forward to describe the writing permissions of multiple users on different logical blocks of the same file. MCA-B supports dynamic change of the logical block structure of the file, and the owners or menders do not need to be always online. Compared with existing methods, not only do the proposed methods provide multi-user collaborative access control in cloud storage, but the client storage for read access control and the computation for encrypting and decrypting are both smaller. This work expands the application scenarios of the CP-ABE method.

3) This dissertation proposes a collaborative access control method with cloud-aided edit authority control. With limited computation and storage capabilities, a data owner may transfer the process of matching the writing permission policy to the cloud. Some weaknesses then emerge: leakage of the data content, leakage of the matching content, and the cloud being able to predict the result of the next matching. In the cloud-aided edit authority control scenario, the following challenges emerge: 1) a data owner would like the cloud to aid him with writing permission control, but would not like it to know the content of the data, learn what is matched, or even predict users' writing permissions; 2) a Boolean formula cannot describe the writing permission policy; 3) bilinear pairing operations bring great computational costs. In this work, a collaborative edit access control method for cloud storage is presented. That is, a data owner defines a writing permission policy represented by a circuit, and the semi-trusted cloud decides whether or not the write succeeds by matching the writing policy, without being able to predict the acceptability of the next edit request. Analyses and simulations show that this method provides multi-user collaborative access control for cloud storage. The storage cost and the computation cost of encrypting and decrypting are both smaller at the user end in reading permission control with cloud-aided decryption.

This dissertation pays special attention to three issues: dynamic authority management, multi-user access control, and cloud-aided editing authority control. It proposes a method of direct cloud-aided attribute revocation based on the concept of a version key and cloud-aided decryption. It puts forward two collaborative access methods, MCA-F and MCA-B. MCA-F takes each file as the minimal granularity of control; MCA-B takes a logical block of a file as the minimal granularity of control. It constructs a collaborative access control method with cloud-aided editing authority control. It will afford reference and support for follow-up study on data access control in cloud storage.
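To make block-granular write control concrete, here is an added illustrative model (not the dissertation's MCA-B construction, and without its encryption or Index Matrix encoding): each mender holds a mask of writable logical blocks, an edit request is checked against that mask before it is accepted, and a block split keeps every mask consistent. The names BlockFile, grant, revoke, may_write and split_block are assumptions made for this example.

```python
# Illustrative model of per-mender write masks over a file's logical blocks
# (the idea behind a "sub data mask"). Constructed for this page; it is not
# the MCA-B scheme itself and holds plaintext block layout only.
from dataclasses import dataclass, field


@dataclass
class BlockFile:
    # Logical blocks as (offset, length) pairs: hypothetical layout.
    blocks: list
    # mender -> set of block indexes that mender may write.
    masks: dict = field(default_factory=dict)

    def grant(self, mender, block_ids):
        """Owner grants write permission on specific logical blocks."""
        self.masks.setdefault(mender, set()).update(block_ids)

    def revoke(self, mender, block_ids):
        """Owner withdraws write permission without touching other menders."""
        self.masks.get(mender, set()).difference_update(block_ids)

    def may_write(self, mender, block_ids):
        """An edit request is accepted only if every block it touches is
        inside the mender's mask; unknown menders have an empty mask."""
        return set(block_ids) <= self.masks.get(mender, set())

    def split_block(self, idx, at):
        """Dynamic change of block structure: split block idx at byte `at`.
        Both halves inherit the permissions of the original block and
        all higher block indexes in every mask are shifted by one."""
        off, length = self.blocks[idx]
        if not 0 < at < length:
            raise ValueError("split point must be strictly inside the block")
        self.blocks[idx:idx + 1] = [(off, at), (off + at, length - at)]
        for mender, mask in self.masks.items():
            shifted = {b + 1 if b > idx else b for b in mask}
            if idx in mask:
                shifted.add(idx + 1)   # second half keeps the permission
            self.masks[mender] = shifted
```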
Keywords/Search Tags: Cloud Storage, Access Control, Shared Data, Attribute Revocation, Multi-User Collaborative Edit