
Research On Key Technologies Of Cloud Environment Oriented Cryptographic Access Control

Posted on: 2019-07-09    Degree: Doctor    Type: Dissertation
Country: China    Candidate: H D Qiao    Full Text: PDF
GTID: 1368330611993106    Subject: Computer Science and Technology
Abstract/Summary:
Cryptographic access control means that the data owner encrypts the data and defines which users may access it by controlling the distribution range of the decryption key. In a cryptographic access control system, users no longer have to rely on the Cloud Service Provider (CSP) to protect the confidentiality of the data content, and the CSP is also prevented from illegitimately obtaining the data content. In current research, Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is generally considered the best method for implementing a cryptographic access control mechanism. However, although various CP-ABE schemes have been proposed, CP-ABE systems still have problems, so a satisfactory practical deployment of CP-ABE access control for the cloud environment has not yet been achieved.

This paper analyzes the main obstacles that hinder the implementation of CP-ABE schemes in the cloud. They can be summarized in two aspects. On the one hand, there is no guarantee of internal security: if a legitimate internal user maliciously shares access rights, the system cannot identify that user. On the other hand, a cryptographic access control system in the cloud environment must support user dynamics. At present, research on the revocation of user attributes is not mature, and few schemes provide a practical and secure solution. In addition, most studies ignore the file re-encryption caused by revocation or by a change of the access policy. In fact, re-encrypting a large file sharply increases the dynamic overhead of the cloud access control system, so user dynamics remain difficult to realize in the cloud environment.

To solve these problems and make cryptographic access control schemes applicable to data protection scenarios in various cloud environments, this paper carries out the related research. The specific needs of the various cloud application scenarios are analyzed using a formal representation in modeling, and access control models suited to the different scenarios are designed according to the distinct security requirements and security participants in those scenarios. On this basis, the paper focuses on the key obstacles to implementing a cryptographic access control system. The main innovations are as follows.

1. Two lightweight black-box traceable CP-ABE schemes are proposed. Existing traceable CP-ABE schemes usually suffer from deficiencies such as limited tracing ability, lack of scalability, high computational cost, and high tracing cost. To solve the internal security problem of the cryptographic access control system, the defects of the existing black-box tracing schemes are studied; the computational inefficiency is handled by building on the structure of a prime-order bilinear group; the different framing of the tracing method makes the schemes scalable; and the overhead of the tracing algorithm in both schemes is reduced to O(1). The requirements of compulsory tracing are met, which suppresses anti-tracing behavior to a certain extent. The schemes are therefore highly practical.

2. The construction of the alert black box and the technology for tracing it are proposed. Building on the above research, this paper further proposes a new black-box structure, the Alert Decryption Black-box (ADB), and proves that ADB can frustrate the black-box tracing algorithm of every known scheme, rendering its tracing method useless. The structural reasons why existing solutions cannot trace ADB are analyzed, and adding a Decryption Monitor (DM) to the system is proposed to overcome this structural deficiency. The security requirements of a CP-ABE scheme with a DM are analyzed and summarized, and a formal definition is given for each security requirement. Finally, an ADB-traceable CP-ABE scheme that meets these security requirements is presented. Thus the most critical security obstacle to implementing cryptographic access control is overcome, and the security of the scheme is proved by formal methods.

3. A privilege revocation scheme that can serve a dynamic cryptographic access control system is proposed. Dynamic revocation of users is difficult to realize for a cryptographic access control system in the cloud environment. Addressing this problem, the revocation of user attributes is studied. Building on the earlier traceability research, the security requirements of a black-box traceable and user-revocable scheme are summarized, and a secure and efficient scheme with user attribute revocation is proposed that supports both the revocation of user attributes and the tracing of black boxes. The scheme is proved to satisfy the relevant security requirements; any type of black box, including ADB, can be traced in this system; and it also achieves high computational efficiency. This provides a theoretical basis for truly realizing a dynamic, practical, and black-box traceable access control system.

4. A re-encryption optimization technique for privilege revocation in the cloud environment is proposed. Addressing the problem that re-encrypting a file stored in the cloud can be very expensive when a user's privilege is revoked, the concept of an ordered encryption mode is presented, and the Orderly Block Chaining (OBC) encryption mode, which meets the definition of an ordered encryption mode, is proposed. Based on OBC, the Partial Re-permutation As Re-encryption (PRaR) method is given. With this method and the support of a semi-trusted cloud proxy server, a cryptographic access control system can reduce the communication and computational cost of file re-encryption to an acceptable level, thereby overcoming the major performance obstacle to dynamic access control in the cloud.

The above research results provide powerful support for the efficient and secure implementation of cryptographic access control schemes for data protection in various cloud environments, and enable a cloud data management system to realize tracing and dynamic user privilege management when a new cryptographic access control scheme is deployed. Thus, the two critical issues that hinder the application of cryptographic access control are both solved in this paper.
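The following is an added illustration, not code from the dissertation, of the basic mechanism the abstract starts from and of the revocation overhead that innovation 4 targets: the owner encrypts the file and decides who can read it purely by controlling who receives the content key, and revoking a reader forces a key rotation and a re-encryption of every byte of the file. The SHA-256 counter keystream standing in for a real cipher, the owner knowing each user's key, and the user names are all assumptions made so the model runs offline with the standard library; the OBC/PRaR optimization itself is not reproduced here.

```python
"""Toy model of cryptographic access control: readers are exactly the holders of the
content key. Added illustration, not code from the dissertation. The SHA-256 counter
keystream is a stand-in for a real cipher so the model runs with the standard library
only (assumption); it is not a production construction."""
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream derived from (key, nonce). Symmetric:
    applying it twice with the same key and nonce restores the input."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class AccessDenied(Exception):
    pass


class ProtectedFile:
    """The readers of the file are exactly the users holding a wrapped copy of its content key."""

    def __init__(self, plaintext: bytes):
        self.content_key = os.urandom(32)
        self.nonce = os.urandom(16)
        self.ciphertext = keystream_xor(self.content_key, self.nonce, plaintext)
        self.user_keys = {}         # user -> that user's key (known to the owner; assumption)
        self.wrapped = {}           # user -> (wrap nonce, content key encrypted under user key)
        self.bytes_reencrypted = 0  # running cost of revocations, in file bytes re-encrypted

    def grant(self, user: str, user_key: bytes) -> None:
        """Give a user access by handing them the content key wrapped under their own key."""
        self.user_keys[user] = user_key
        self._wrap_for(user)

    def _wrap_for(self, user: str) -> None:
        wrap_nonce = os.urandom(16)  # fresh nonce per wrap, so key rotation never reuses one
        self.wrapped[user] = (wrap_nonce, keystream_xor(self.user_keys[user], wrap_nonce, self.content_key))

    def read(self, user: str, user_key: bytes) -> bytes:
        """A user unwraps the content key with their own key and decrypts the file."""
        if user not in self.wrapped:
            raise AccessDenied(user)
        wrap_nonce, wrapped_key = self.wrapped[user]
        content_key = keystream_xor(user_key, wrap_nonce, wrapped_key)
        return keystream_xor(content_key, self.nonce, self.ciphertext)

    def revoke(self, user: str) -> int:
        """Revoke a user. Deleting their wrapped key is not enough, because they may have
        cached the content key while authorized; so the key is rotated, the whole file is
        re-encrypted, and every remaining user gets a freshly wrapped copy. Returns the
        number of file bytes re-encrypted, i.e. the dynamic overhead the text describes."""
        self.wrapped.pop(user, None)
        self.user_keys.pop(user, None)
        plaintext = keystream_xor(self.content_key, self.nonce, self.ciphertext)
        self.content_key = os.urandom(32)
        self.nonce = os.urandom(16)
        self.ciphertext = keystream_xor(self.content_key, self.nonce, plaintext)
        self.bytes_reencrypted += len(plaintext)
        for remaining in list(self.wrapped):
            self._wrap_for(remaining)
        return len(plaintext)


def revocation_scenario(file_size: int = 200_000) -> dict:
    """Constructed scenario: two readers, then one is revoked. Returns what each step
    observes, including whether the revoked user's cached content key still works."""
    plaintext = os.urandom(file_size)  # constructed sample file
    f = ProtectedFile(plaintext)
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    f.grant("alice", alice_key)
    f.grant("bob", bob_key)
    bob_reads_before = f.read("bob", bob_key) == plaintext
    # Bob caches the content key he legitimately unwrapped while authorized.
    wrap_nonce, wrapped_key = f.wrapped["bob"]
    cached_key = keystream_xor(bob_key, wrap_nonce, wrapped_key)
    cost = f.revoke("bob")
    try:
        f.read("bob", bob_key)
        bob_reads_after = True
    except AccessDenied:
        bob_reads_after = False
    # After rotation, the cached key no longer decrypts the stored ciphertext.
    cached_key_still_works = keystream_xor(cached_key, f.nonce, f.ciphertext) == plaintext
    return {
        "bob_reads_before": bob_reads_before,
        "bob_reads_after": bob_reads_after,
        "cached_key_still_works": cached_key_still_works,
        "alice_reads_after": f.read("alice", alice_key) == plaintext,
        "bytes_reencrypted": cost,
        "readers_after": sorted(f.wrapped),
    }


if __name__ == "__main__":
    print(revocation_scenario())
```

The value returned for `bytes_reencrypted` equals the file size: every revocation costs a full pass over the data, which is why the abstract treats re-encryption of large files as the main performance obstacle to dynamic access control and why an ordered encryption mode that allows only a partial re-permutation on revocation is attractive.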
Keywords/Search Tags: Cloud Computing, Cryptographic Access Control, CP-ABE, Black-box Traceable, Optimization of privilege revocation