Research On Secure Multi-mode Access Control For Data Sharing In The Cloud

Posted on: 2016-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z B Wu
GTID: 2348330479954684
Subject: Computer technology

Abstract/Summary:
With the development of cloud storage technology, its derivative services have become more diversified, and data sharing will become one of the mainstream services in cloud storage. An analysis of the characteristics of the cloud shows that IBAC does not adapt to the huge number of users involved in data sharing; RBAC has problems of extensibility and adaptability, and role conflicts are difficult to resolve when sharing data across domains; and ABAC, which uses a static authorization method, has an attribute revocation problem. These passive access control models are not suitable for the highly open and diversified needs of the cloud environment.

To meet the different needs of cloud storage, the cloud data is split into three logical areas: a private area, a group area and a public area. We design and implement a self-adapting and extensible multi-mode secure access control system that chooses the access control policy according to the characteristics of the data in each area. A PKI mechanism is used to ensure the confidentiality of the data. We first introduce the concept of dynamic attributes to expand the adaptability of ABAC, and define an XACML-based policy language to unify the three different access control mechanisms. By defining cipher processing rules in a token, the ciphertext is updated in the cloud, so that a user's authority can be revoked immediately by updating the confusion token.

The test results show that, in terms of authorization overhead compared with the network delay and the cost of data encryption and decryption, our system maintains the high performance of the cloud storage system while protecting its security. The performance overhead of cipher processing using token rules is far less than that of ciphertext re-encryption.
Keywords/Search Tags:data sharing, access control, dynamic attribute, access policy, token