支持恶意用户追踪的属性基云数据共享方案

Tracing Malicious Insider in Attribute-Based Cloud Data Sharing

云存储服务为互联网用户提供了更加灵活、可扩展的外包数据访问,获得学术界和工业界的关注.为防止用户数据被泄露到开放的网络中,数据所有者往往选择先将数据加密再上传到云存储服务器.与传统加密方式相比,属性基加密为云端加密数据提供更细粒度的数据访问控制机制,可实现“一对多”的访问策略模式.然而,传统属性基加密系统不具备同时“追踪”泄露解密密钥以及制造解密黑盒恶意用户的能力.本文重点研究在云存储服务的数据共享机制中部署密文策略属性基加密时出现的解密权限泄露问题.本文将白盒可追踪性和黑盒可追踪性作为一个整体集成到传统的密文策略属性基加密中,并提供两种追踪机制:白盒追踪机制和黑盒追踪机制.若泄露的解密权限为解密密钥,则可利用白盒追踪;若泄露的解密权限为解密设备,则需要利用黑盒追踪.本文所提出系统的主要特点包括:(1)云共享数据的授权访问.数据所有者的文件被加密并存储到云服务器上,满足指定访问策略的授权用户才能访问文件;(2)白盒可追踪性.若恶意内部人员故意泄露其解密密钥,则可基于白盒追踪机制执行追踪;(3)黑盒可追踪性.若泄露解密设备并被发现,则可通过黑盒追踪机制捕获共同构造该设备的恶意内部人员;(4)公开追踪性.白盒追踪算法是公开的,任何人都能运行该追踪算法而无需额外的秘密信息;(5)轻量级追踪代价.在白/黑盒追踪机制中,系统不需要额外增加与用户秘密信息相关的公共参数,且整个系统的公共参数与用户数量无关,这使得系统更为实用.本文所构造的方案既保证了对云加密共享数据的细粒度访问控制,又保证了对“泄露”解密权限的可追踪性.最后,安全分析和性能评估验证了本文所提出方案的安全性和效率.

Providing more flexibility and scalability on outsourced data access for Internet users,cloud-based storage service has drawn increasing interest from academia and industry.To protect user data from being leaked to an open network,end-to-end encryption technique may be leveraged.Compared to traditional encryption(e.g.,AES and RSA),a new cryptographic primitive called attribute-based encryption offers more fine-grained level on data sharing(one-to-many mode via access policy)which may be considered as a highly promising cloud-based data access control.However,traditional ciphertext-policy attribute-based encryption systems may not“catch”any malicious insiders who are keen to“leak”decryption privilege to an unauthorized party.In this paper,we investigate the decryption privilege leakage problem when deploying ciphertext-policy attribute-based encryption in data sharing mechanism for cloud storage service.We integrate white-box and black-box traceability as a whole into conventional ciphertext-policy attribute-based encryption,and two types of tracing(i.e.,white-box and black-box tracing mechanisms)are provided in our proposed system.In particular,if the leaked decryption privilege is advertised to be a decryption key,one may make use of the white-box tracing;but if the decryption privilege is in the form of a decryption device,the black-box tracing shall be leveraged.The main features of our proposed system include(1)Authorized access over shared data in the cloud.A data owner’s files are encrypted and stored in a cloud server,and only authorized cloud users satisfying a specified access policy can gain access to the files;(2)White-box Traceability.If a malicious insider deliberately leaks his decryption key and the key is found,the traitor who leaks the key will be traced by the white-box tracing mechanism;(3)Black-box Traceability.If a decryption device is leaked and found,the malicious insiders who jointly build the device can be caught with the black-box tracing mechanism;(4)Public tracing.The white-box tracing algorithm is public in the sense that anyone can run it without the need of“extra”secret information;and(5)Almost-no-storage for traceability.The proposed system does not need additional public parameters which are related to each of the user’s secret information in white/black-box traceability.The public parameters of the whole system are independent of the number of users,which makes the system more practical.Our novel construction guarantees fine-grained access control over cloud-based encrypted data but also the traceability of“leaked”decryption privilege.The security analysis and performance evaluation outline the security and efficiency of the construction.