
Research On Multi-Authority Access Control Mechanism

Posted on: 2018-10-08
Degree: Master
Type: Thesis
Country: China
Candidate: L N Lei
Full Text: PDF
GTID: 2348330512480158
Subject: Information security
Abstract/Summary:
With the development of cloud computing technology and applications, more and more users store their corporate and personal data on cloud servers. Because users are separated from their stored data, untrusted servers may gain unauthorized access to users' sensitive information, and user privacy is under severe threat. To address data privacy and access control, Ciphertext-Policy Attribute-Based Encryption (CP-ABE) was proposed, which provides fine-grained access control. Researchers have since proposed many access control schemes based on attribute-based encryption. However, once the single authority server is compromised, users' privacy is easily leaked; meanwhile, the storage and computing resource consumption of such systems is large. To solve these problems, this thesis proposes multi-authority access control schemes based on ciphertext-policy attribute-based encryption. The main work is as follows:

(1) To reduce the storage space and computing resources of the system, and to decentralize the security risk of a single authority, this thesis proposes a multi-authority access control scheme based on CP-ABE. No single authority knows a user's complete information; each authority computes only part of the user's key. The scheme minimizes the grouping of user attribute sets, introduces an attribute manager to assign the attribute groups, and delegates partial decryption to the cloud server. This reduces the communication cost between the authorities and the resource consumption of user decryption. The security proof and simulation experiments show that the scheme is secure and efficient.

(2) When a user leaves the system or an attribute is revoked, the data in the system is threatened if the key held by the user remains valid. This thesis therefore also proposes a scheme that supports both user-level and attribute-level revocation. The scheme introduces a Key Encryption Key (KEK) tree, combined with minimized grouping, to extend a single attribute group into multiple disjoint groups; the KEK tree is used to update users' private keys. A user revocation list is constructed, and only users who are not on the revocation list can access the private file. The security proof shows that the scheme resists collusion attacks and chosen-plaintext attacks, and the simulation experiment shows that it reduces the ciphertext and key update time during revocation.

(3) As the number of users in cloud computing grows, the computing pressure on a single authority inevitably increases. Furthermore, to achieve more granular access control, this thesis proposes a scheme that supports controllable transfer of permissions. A user relationship network is constructed to connect the users in the system, and a user privilege tree is introduced. By checking whether the requesting user satisfies the authorization distance threshold and the permission tree, controllable authorization is realized, which greatly reduces the communication and resource consumption among the authorities in the system. The security analysis shows that the scheme can effectively protect users' private data.
Keywords/Search Tags:cloud computing, attribute-based encryption, multi-authority, attribute revocation, controllable authorization