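Authors: QIN Zhongyuan; HAN Yin; ZHANG Qunfang; ZHU Xuejin (School of Cyberspace Security, Southeast University, Nanjing, Jiangsu 210096, China; Artillery and Air-defence Institute Nanjing Campus, Nanjing, Jiangsu 211132, China)
Affiliations: [1] School of Cyberspace Security, Southeast University, Nanjing, Jiangsu 210096; [2] Artillery and Air-defence Institute Nanjing Campus, Nanjing, Jiangsu 211132
Source: Netinfo Security (《信息网络安全》), 2019, No. 6, pp. 11-18 (8 pages)
Funding: Natural Science Foundation of Jiangsu Province [bk20161099]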
Abstract: To improve the security of cloud storage access control, this paper designs an improved multiple private key generation center (PKG) cloud storage access control scheme based on attribute-based encryption. It first introduces attribute-based encryption and studies the access control model based on ciphertext-policy attribute-based encryption (CP-ABE). It then proposes an improved multi-PKG scheme for cloud storage access control, which replaces the single PKG with one primary PKG and several sub-PKGs. The primary PKG selects the initialization parameters, which are used to generate the public key parameters and master keys of the primary PKG and each sub-PKG for data encryption. Each sub-PKG generates its private key information and sends it to the client; the client can compute the private key and decrypt data only after receiving the private key information from all sub-PKGs. The scheme achieves flexible, fine-grained access control in a cloud storage environment where the third-party server and the PKG are untrusted, while ensuring the confidentiality of user data. For ciphertext stored by a user on the cloud server, only users who satisfy the corresponding attribute requirements can decrypt it to obtain the plaintext, and no untrusted third party can illegally obtain the user's private information on its own.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]