云存储下多用户协同访问控制方案  被引量：6

作　　者：史姣丽[1,2] 黄传河[1] 王晶[1] 覃匡宇[1,3] 何凯[1] 

机构地区：[1]武汉大学计算机学院,湖北武汉430072 [2]九江学院信息科学与技术学院,江西九江332005 [3]桂林电子科技大学信息与通信学院,广西桂林541004

出　　处：《通信学报》2016年第1期88-99,共12页Journal on Communications

基　　金：国家自然科学基金资助项目(No.61373040;No.61572370);教育部博士点基金资助项目(No.20120141110073)~~

摘　　要：CP-ABE被认为是云存储下最适合的数据访问控制方法之一,但它仅适合用户分别读取或者分别修改不同数据的情况,而直接应用CP-ABE进行多用户协同数据访问时,会存在修改无序、密文文件大量冗余等问题。多用户协同访问云端数据时,应该在保证机密性、抗共谋的前提下控制合法用户有序地修改同一密文文件,同时云端尽可能减少密文文件副本。针对文件和文件逻辑分块,提出了2个多用户协同访问控制方案MCA-F和MCA-B。MCA-F满足单个数据文件作为最小控制粒度的访问控制需求,该方案采用层次加密结构,云服务器承担部分解密计算,以降低用户解密的计算代价;针对多用户同时写数据的访问控制,提出了对多个用户提交的暂存数据的管理方法。MCA-B用于文件的逻辑分块作为最小控制粒度的访问控制,该方案设计了文件的逻辑分块机制、基于索引矩阵的表示方法,提出了子数据掩码表示方法以描述多个用户对同一文件不同逻辑分块的写权限;MCA-B支持用户集合、文件逻辑分块结构的动态变化,而且数据的拥有者和修改者无需一直在线。与现有的方案相比,所提方案不仅具有云存储下多用户协同写数据的访问控制能力,而且读访问控制的用户端存储量和加解密计算量是较小的。CP-ABE was considered as one of most suitable methods of data access control in cloud storage. However, it was just fit for reading or modifying different data files respectively. When CP-ABE was applied directly to data access collaborative control by multiple users, there would be such problems as data being modified disorderly. When multiple users access collaboratively the data stored on the cloud, legitimate users should modify the same ciphertext file orderly on the premise of confidentiality and collusion-resistance and the copies of ciphertext file should be generated as few as possible. Two multi-user collaborative access control schemes MCA-F and MCA-B for the file and its logical blocks each were proposed. The MCA-F scheme meets the requirement of access control in which the minimal granularity of control is a single data file. In MCA-F scheme, hierarchical encryption is adopted, a part of decrypting computation is transferred to a cloud server to decrease the computational cost on users when decrypting. In allusion to the simultaneous write-data access control of multiple users, a method is designed to manage semi-stored modified data submitted by menders. The MCA-B scheme is used for the access control in which a logical block of the file is the minimal granularity of control. This scheme designs a mechanism of logical blocking of the file and a representing method based on index matrix, and the representation of sub data mask is put forward to describe write permission of multiple users on different logical blocks of the same file. MCA-B scheme supports the dynamic change of the structure of logical blocks of the file, and the owners or menders do not need to be online always. Compared with the existing schemes, not only do proposed schemes provide multi-user collaborative access control in cloud storage, but also the client storage of reading access control and the computation of encrypting and decrypting are both lesser.

关 键 词：云存储 访问控制 属性加密 多用户协同访问 

分 类 号：TP393.0[自动化与计算机技术—计算机应用技术]