一种面向雾计算的可扩展访问控制方案  

作　　者：许建[1,2] 雷喆 戴华[1,2] 杨庚[1,2] XU Jian;LEI Zhe;DAI Hua;YANG Geng(School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023,China;Jiangsu Key Laboratory of Big Data Security & Intelligent Processing,Nanjing University of Posts and Telecommunications,Nanjing 210023,China)

机构地区：[1]南京邮电大学计算机学院,江苏南京210023 [2]南京邮电大学江苏省大数据安全与智能处理重点实验室,江苏南京210023

出　　处：《南京邮电大学学报（自然科学版）》2019年第2期76-83,共8页Journal of Nanjing University of Posts and Telecommunications：Natural Science Edition

基　　金：国家自然科学基金(61572263;61872197);南京邮电大学校级科研基金(NY215097)资助项目

摘　　要：雾计算面临各种安全问题,其中在开放性雾环境下如何实现授权用户对资源的访问控制是关键问题之一。针对该问题,提出了一种适用于雾计算的可扩展访问控制方案,采用线性秘密分享矩阵(LSSS)作为访问结构实现基于属性的访问控制,利用雾节点作为边缘服务节点,通过合理分配访问控制中的加解密运算,降低终端用户在访问控制中的运算开销。该方案具有可扩展性,即可以在保持原有访问策略的基础上添加新的合法成员形成新的访问策略,同时还能够检测访问用户在上传新访问策略时是否对原始数据进行了篡改,实现对原始数据完整性的保护。理论分析和实验结果表明,方案能够在有效降低终端用户计算开销的同时,实现雾计算环境下访问控制策略的扩展以及数据的完整性检测。Fog computing faces various security challenges,of which access control is one of the fundamental requirements since it is concerned with authorizing users to access resources in the open fog environment.An extendable access control scheme for fog computing is proposed.The linear secret sharing scheme matrix (LSSS) is used as the access structure to implement attribute-based access control while the fog node is set as the edge service node.The encryption and decryption operations are allocated to reduce the computational overhead of the end user in the access control.Meanwhile,the proposed scheme can extend the access policy by adding a new item,including the new user.Moreover,it can achieve integrity protection by checking whether the access user has falsified the original data when uploading the new access policy.Theoretical analysis and experimental results show that the scheme can effectively reduce the computational overhead of end users,realize the extension of the access control strategy and data integrity protection in the fog computing environment.

关 键 词：雾计算 访问控制 访问策略扩展 完整性保护 基于属性的加密 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]