Research On Key Technologies Of Data Security And Access Control In Cloud Computing

Posted on: 2021-03-26
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J L Hao
GTID: 1488306548491304
Subject: Army commanding learn
Abstract/Summary:
Cloud computing technology has been widely adopted in the military, government, enterprise and personal fields, but its security issues have become increasingly prominent as data leakage incidents occur frequently. Since cloud service providers are not fully trusted, data security and privacy have become a major concern for users, who do not have physical control of their outsourced data. Although encrypting data with traditional symmetric or asymmetric encryption algorithms before uploading can effectively protect data confidentiality, it is quite inefficient and inflexible for data sharing and management. As an emerging one-to-many encryption primitive, attribute-based encryption (ABE) enables data owners to achieve fine-grained access control over their outsourced data. However, existing data access control schemes based on ABE have limitations in functional completeness, computational and storage cost, design complexity, privacy protection strength, etc. This thesis mainly focuses on data confidentiality and privacy preservation throughout the data's whole life cycle. Specifically, to achieve user privilege update, policy privacy preservation, authorized ciphertext retrieval and trusted data deletion, we propose a series of flexible, efficient, fine-grained and secure data access control schemes based on ABE. The main work and contributions of this thesis are summarized as follows:

1. Considering the deficiencies of coarse granularity and redundant overhead in existing user revocation schemes, we propose a secure and fine-grained data access control scheme with flexible user access privilege update. Specifically, the proposed scheme takes key-policy ABE as the basic building block, and utilizes proxy re-encryption and key blinding techniques to empower the cloud server to re-encrypt the ciphertext affected by revocation and update keys for unrevoked users. In addition, adding attributes for users to extend their access rights is realized based only on a few key components stored in the cloud, without entirely re-computing and re-issuing keys for them. We formally define two security models to simulate the potential adversarial attacks in data sharing and privilege revocation, and prove the security of the proposed scheme based on common cryptographic hardness assumptions accordingly. Functional analysis and algorithm simulation results demonstrate that the proposed scheme could simultaneously achieve fine-grained data access control and flexible user privilege update with low computational and storage cost.

2. Considering the issues of weak privacy preservation and huge computational cost in existing policy hiding schemes, we propose an offline-dictionary-attack-resistant and fine-grained data access control scheme supporting expressive access policies with fully hidden attributes. Specifically, we remove the attribute mapping function from the access policy, and utilize a randomizable technique to hide the relationship between attributes and the access matrix. In addition, a fuzzy attribute positioning mechanism based on a garbled Bloom filter is designed to help authorized users locate their attributes efficiently and decrypt the ciphertext successfully. Since the validity of the attribute information queried from the filter can only be verified through successful decryption, no valuable attribute privacy would be compromised by unauthorized users. Security analysis and performance evaluation demonstrate that the proposed scheme could simultaneously achieve fine-grained data access control and effective policy privacy preservation with low storage and computational overheads.

3. Considering the deficiencies of lack of authorization, limited flexibility and significant computational and storage cost for ciphertext retrieval in existing schemes, we propose an efficient attribute-based access control scheme with authorized search. The proposed scheme first utilizes the attribute value hiding and linear splitting techniques to construct an anonymous key-policy ABE algorithm with partially hidden attributes. With this algorithm, the key delegation technique enables data users to customize search policies based on their access policies and generate the corresponding trapdoor using only the secret key granted by the data owner. In addition, a virtual attribute with no semantic meaning is embedded in data encryption and trapdoor generation to empower the cloud server to perform attribute-based search on the outsourced ciphertext without knowing the underlying attributes or contents. Analysis results demonstrate that the proposed scheme can achieve secure and fine-grained data sharing with flexible and authorized ciphertext retrieval at low computational and storage overheads.

4. Considering the problems of coarse granularity, non-immediacy and third-party dependencies in existing data deletion schemes, we propose a secure and fine-grained self-controlled outsourced data deletion scheme. We first utilize the policy transition method and key delegation technique to construct an enhanced policy-based puncturable encryption (P-PUN-ENC) primitive, such that the keys can be punctured in a fine-grained way. Then, the constructions are applied to enable the data owner to specify flexible deletion policies and update his secret key accordingly, such that ciphertext satisfying the policies cannot be decrypted with the updated key. Additionally, to address the issue of growing key storage and decryption cost in the basic construction, we combine the key and decryption outsourcing technique with P-PUN-ENC to transfer most of the storage and decryption cost to the cloud, which significantly reduces the burden on the data owner. Formal proof based on common cryptographic hardness assumptions guarantees the security and reliability of the proposed scheme, and comprehensive comparison and simulation results demonstrate that the scheme could better meet the outsourced data deletion requirements with relatively low cost.
Keywords/Search Tags:Cloud Computing Security, Data Sharing, Access Control, Privacy Preserving, Attribute-Based Encryption, Searchable Encryption, Privilege Revocation, Trusted Deletion