An Attribute-based Encryption Model with LDAP


Authors: MA Fu-qiang, XU Zheng, SU Zhen-yu, QI Kai-yuan [1] (Inspur (Beijing) Electronic Information Industry Co., Ltd., Beijing 100085, China; Inspur Group Co., Ltd., Jinan 250101, China)

Affiliations: [1] Inspur (Beijing) Electronic Information Industry Co., Ltd., Beijing 100085; [2] Inspur Group, Jinan, Shandong 250101

Source: Computer Technology and Development (《计算机技术与发展》), 2023, No. 6, pp. 147-152, 159 (7 pages)

Funding: Guangdong Provincial Key-Area Research and Development Program (2020B010165002).

Abstract: Existing attribute-based encryption (ABE) schemes generally rely on an attribute authority for attribute authentication and key management; once that authority is untrusted or compromised, the data security of the cloud computing system can no longer be guaranteed. To improve the overall security of attribute-based encryption systems, an attribute-based encryption model with LDAP (Lightweight Directory Access Protocol), ABE-LDAP, is proposed. The model replaces the attribute authority of traditional ABE with LDAP and a key management module. LDAP is deployed inside the organization, so its privileges are separated from those of the cloud storage module that holds the shared data. The organization's LDAP system handles secure authentication of user identities and attribute management, while the key management module generates and stores the attribute keys. The key management module consists of a key storage module and attribute discrimination points; users securely outsource attribute encryption and decryption to the key management module, and these operations are performed inside its trusted execution environment (TEE). The TEE uses the memory encryption of Intel SGX to dynamically protect the keys and the encryption and decryption processes. The cloud storage module consists of a storage center and an access decision point, and provides storage for the attribute-based ciphertexts. The security analysis shows that the scheme effectively guarantees data confidentiality, reduces the computational load on users, and achieves secure storage of keys.

Keywords: attribute-based encryption; Lightweight Directory Access Protocol; key management; data sharing; Software Guard Extensions

Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]
