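Authors: Zhang Hao (张浩)[1,2], Zhao Lei (赵磊)[1,2], Feng Bo (冯博)[1,2], Yu Rongwei (余荣威)[1,2], Liu Weijie (刘维杰)[1,2]
Affiliations: [1] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (Wuhan University), Wuhan 430072; [2] School of Computer, Wuhan University, Wuhan 430072
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2014, No. 7, pp. 1424-1435, 12 pages
Funding: National Natural Science Foundation of China (61373169; 61103219; 61303213); Specialized Research Fund for the Doctoral Program of Higher Education (20110141130006)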
Abstract: Data confidentiality is a hard problem in cloud storage environments, and ciphertext-based access control is an important approach to solving it. In current ciphertext-based access control techniques, the high security requirements of the data and frequent policy updates make the cost of permission updates on the data owner (DO) side too high, which severely limits the overall efficiency of the system. To address this problem, a cryptographic access control strategy for dynamic policy in cloud storage (CACDP) is proposed. The method introduces a key management mechanism based on a binary Trie; on top of this, it uses an ElGamal-based proxy re-encryption mechanism and a double-layer encryption strategy to shift part of the cost of key and data updates to the cloud, reducing the DO's permission-management burden and improving the DO's processing efficiency. Finally, experiments verify that the scheme effectively reduces the performance overhead that policy updates impose on the DO.

Abstract (English, as published): With the rapid development of cloud computing technology, many enterprises will gradually delegate confidential data to cloud storage service providers. The confidentiality of data becomes a crucial issue in cloud storage environments, and ciphertext-based access control technology is an important approach to resolving this issue. However, in current ciphertext-based access control schemes, the high security requirements of cloud data and the high frequency of policy updates impose excessive cost on updating permissions, and thus seriously restrict the overall efficiency of the system. To solve this problem, we propose a cryptographic access control strategy for dynamic policy in cloud storage (CACDP), which presents a binary Trie key management tree based on key derivation, enhancing the security of the key and reducing the number of keys maintained by the data owner and user. Based on this, we use a proxy re-encryption mechanism based on ElGamal and a double-encryption strategy to transfer part of the work of updating keys and data to the cloud servers, in order to reduce the administrative burden of data owners. Finally, experimental verification shows that the proposed solution significantly improves processing efficiency and effectively lowers the performance overhead of policy updates for data owners.
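Keywords: cloud storage; cryptographic access control; proxy re-encryption; double-layer encryption strategy; binary Trie
Classification: TP309 [Automation and Computer Technology: Computer Systems Architecture]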