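Abstract
Schemes that combine blockchain with ciphertext-policy attribute-based encryption (CP-ABE) have been widely applied to access control for data shared on the cloud, but the privacy of data users in these schemes has not been properly addressed. Some studies introduce distributed multi-authority attribute-based signature (DMA-ABS) schemes to protect data users' privacy, but when a data user accesses data multiple times, permission verification must be repeated, which incurs unnecessary time overhead. Moreover, when the data user's attributes and the access control policy remain relatively stable, unrestricted repeated access to shared data by the data user can overload the system and affect normal request processing. This may lead to leakage of cloud data and poses a hidden risk to cloud data security. To solve these problems, this paper proposes a blockchain-based access control scheme for personal private data on the cloud. The scheme first combines smart contracts with a multi-authority CP-ABE scheme to achieve fine-grained access control over personal private data on the cloud, and introduces the DMA-ABS scheme to authenticate data users anonymously, protecting their identity privacy. Second, based on Bitcoin's UTXO (Unspent Transaction Output) mechanism, it designs a digital token that provides authorize-once, access-many-times functionality, which both shortens access time and limits the number of accesses. Finally, the access control process is implemented on Hyperledger Fabric and compared with existing schemes in terms of access time overhead. Experimental results show that the proposed scheme effectively reduces access time overhead and improves access efficiency.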
The combination of blockchain and ciphertext policy attribute based encryption (CP-ABE) schemes has been widely used in the access control of sharing data on the cloud, but the privacy protection of data users in these schemes has not been solved. Some studies introduce distributed multi-authority attribute based signature schemes (DMA-ABS) to protect the privacy of data users, but when the data user accesses the data multiple times, it is necessary to perform repeated permission verification, which will cause unnecessary time consumption. And when the attributes and access control policies of data users are relatively unchanged, data users can access shared data repeatedly and infinitely, which overloads the system and affects normal request processing. This may cause the leakage of cloud data, posing a hidden danger to the security of cloud data. At the same time, the behavior of data users changes dynamically. A data user who once performed well may have some malicious behaviors such as frequent access to data or illegal access to data, which brings hidden dangers to data security. Firstly, the smart contract is combined with the CP-ABE scheme of multi-attribute authority center to realize the fine-grained access control of personal privacy data in the cloud, and the distributed multi-authority attribute based signature scheme is introduced. The anonymous identity verification of data users is completed to protect the identity privacy of data users. Secondly, based on the idea of unspent transaction output (UTXO) of Bitcoin, the digital token is designed to realize once authorization and multiple access. Finally, this scheme implements an access control process based on Hyperledger Fabric, and compares it with existing schemes in terms of access time overhead. The results indicate that the proposed scheme can effectively reduce access time overhead and improve access efficiency.
Authors
童飞
邵冉冉
TONG Fei; SHAO Ranran (School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China; Key Laboratory of Computer Network and Information Integration of Ministry of Education (Southeast University), Nanjing 211189, China; Purple Mountain Laboratories, Nanjing 211111, China)
Source
《计算机科学》
CSCD
Peking University Core Journals (北大核心)
2023, Issue 9, pp. 16-25 (10 pages in total)
Computer Science
Funding
National Natural Science Foundation of China (61971131)
Southeast University "Zhishan Young Scholars" Program (2242021R41157).