-
摘要: 针对大数据应用中用户共享数据的访问控制由半可信云服务商实施所带来的隐私泄露、策略和访问日志易被篡改等问题, 提出一种基于区块链的策略隐藏大数据访问控制方法 (A policy-hidden big data access control method based on blockchain, PHAC). 该方法采用区块链技术实施访问控制以减少对服务商的信任依赖, 引入属性基加密(Attribute-based encryption, ABE)以及双线性映射技术, 实现在不泄露访问控制策略的前提下, 通过智能合约正确执行访问控制策略. 同时, 解耦访问控制策略, 简化用户策略的发布、更新和执行. 并应用链上和链下存储相结合方式, 解决智能合约和访问控制策略占用区块链节点资源不断增大的问题. 最后, 对该方法进行了理论分析和HyperLedger Fabric环境下的实验评估, 结果表明该方法能在策略隐藏情况下有效实现访问控制, 但不会给数据拥有者、区块链节点增加过多额外计算和存储开销.Abstract: In the current big data application, the access control of user shared data is implemented by the incomplete trusted cloud service provider, which brings problems such as privacy disclosure, policy and access log easy to be tampered. To solve this problem, this paper presents a policy-hidden big data access control method based on blockchain (PHAC), which exploits blockchain technology to implement access control to reduce the reliance of data owners on cloud servers. Attribute-based encryption (ABE) and bilinear mapping are introduced to implement access control policies correctly through smart contracts without disclosing access control policies. Meanwhile, access control policies are decoupled to simplify their release, update and execution. The combination of on-chain and off-chain storage is applied to solve the problem that smart contracts and access control policies occupy too much blockchain node resources. Finally, theoretical analysis and comprehensive experiments in the HyperLedger Fabric environment have been conducted, which demonstrate the effectiveness of the proposed method. It can effectively implement access control while supporting access control policies hidden, however it does not impose too much extra computing and storage overhead on data owners and blockchain nodes.
-
Key words:
- Data sharing /
- access control /
- blockchain /
- policy-hidden /
- smart contract
-
图 1 基于区块链的数据安全共享通用场景
Fig. 1 General scenarios of secure data sharing based on blockchain
图 7 区块链平台存储的访问控制树示例
Fig. 7 Example of access control tree stored on the blockchain platform
图 10 基于HyperLedger Fabric的PHAC实验拓扑
Fig. 10 Experimental topology of PHAC based on HyperLedger Fabric
图 11 T末端内部节点固定时访问控制树的加密时间
Fig. 11 Access control tree encryption time when the internal node of T terminal is fixed
图 12 属性值总数固定时的访问控制树加密时间
Fig. 12 Access control tree encryption time when the total number of attribute values is fixed
图 15 访问者属性集对策略判决时间的影响
Fig. 15 Influence of visitor attribute sets on policy decision time
图 16 策略隐藏和策略未隐藏下的策略判决时间对比
Fig. 16 Comparison of policy decision times under policy hidden and without policy hidden
表 1 本文方法PHAC和其他文献方法的对比
Table 1 Comparison of the proposed PHAC with other literature methods
方案 群阶 访问结构 访问者密钥长度 数据存储开销 策略隐藏时加密开销 访问控制判决计算开销 文献[10] 合数 树 ${(2+k)|G|}$ ${(1+|a|+|a|\sum_{i=1}^{n}n_i)|G|\;+}$
$(1+{|a|)|G_T|}$${(2+2|a|+2|a|\sum_{i=1}^{n}n_i)G\;+}$
${(1+|a|)G_T}$${(1+|a|+k|a|)E\;+}$
${(2+|a|+k|a|)G_T}$文献[11] 素数 门 ${8|G|}$ ${(8+\sum_{i=1}^{n}n_i)|G|+|G_T|}$ ${(14+\sum_{i=1}^{n}n_i)G+2G_T}$ ${nG+8E+8G_T}$ 文献[24] 素数 门 ${k|G|}$ ${3|G|+|G_T|}$ ${(l+\sum_{i=1}^{n}n_i)G+3G_T}$ ${3E+2lG+B}$ 文献[29] 素数 LSSS ${(10\sum_{i=1}^{n}k_i)|G|}$ ${(2+|a|\sum_{i=1}^{n}n_i)|G|+n|G_T|}$ ${(2+\sum_{i=1}^{|a|}i+4\sum_{i=1}^{n}i\;+}$
${4\sum_{i=1}^{l}i)G+(1+\sum_{i=1}^{l}i)G_T}$${(3\sum_{i=1}^{n}i+\sum_{i=1}^{l}i)E\;+}$
${(1+\sum_{i=1}^{|a|}i)G_T+B}$文献[36] 素数 门 ${(1+2n)|G|}$ ${(1+n+\sum_{i=1}^{n}n_i)|G|+|G_T|}$ ${(n+\sum_{i=1}^{n}n_i)G+3G_T}$ ${(1+3n)E+(1+3n)G_T}$ 文献[37] 合数 门 ${(1+n)|G|}$ ${(1+\sum_{i=1}^{n}n_i)|G|+|G_T|}$ ${2(n+\sum_{i=1}^{n}n_i)G+2G_T}$ ${(1+n)E+(1+n)G_T}$ PHAC 素数 树 ${(2+k)|G|}$ ${(7+|a|+|a|\sum_{i=1}^{n}n_i)|G|\;+}$
${(3+|a|)|G_T|}$${(7+|a|+|a|\sum_{i=1}^{n}n_i)G\;+}$
${(3+|a|)G_T}$${(1+|a|+k|a|)E\;+}$
${(2+|a|+k|a|)G_T +B}$
下载: 导出CSV
-
[1] Berdik D, Otoum S, Schmidt N, Porter D, Jararweh Y. A survey on blockchain for information systems management and security. Information Processing & Management, 2021, 58(1): 102397 [2] 刘明达, 陈左宁, 拾以娟, 汤凌韬, 曹丹. 区块链在数据安全领域的研究进展. 计算机学报, 2021, 44(1): 1-27Liu Ming-Da, Chen Zuo-Ning, Shi Yi-Juan, Tang Ling-Tao, Cao Dan. Reseacrch progress of blockchain in data security. Chinese Journal of Computers, 2021, 44(1): 1-27 [3] 袁勇, 王飞跃. 可编辑区块链: 模型、技术与方法. 自动化学报, 2020, 46(5): 831-846Yuan Yong, Wang Fei-Yue. Editable blockchain: Models, techniques and methods. Acta Automatica Sinica, 2020, 46(5): 831-846 [4] Maesa D D F, Mori P, Ricci L. Blockchain based access control. In: Proceedings of the 17th IFIP International Conference on Distributed Applications and Interoperable Systems. Cham, Switzerland: Springer, 2017. 206−220 [5] Yang C, Tan L, Shi N, Xu B, Cao Y, Yu K. AuthPrivacyChain: A blockchain-based access control framework with privacy protection in cloud. IEEE Access, 2020, 8: 70604-70615 doi: 10.1109/ACCESS.2020.2985762 [6] 刘敖迪, 杜学绘, 王娜, 李少卓. 基于区块链的大数据访问控制机制. 软件学报, 2019, 30(9): 2636-2654Liu Ao-Di, Du Xue-Hui, Wang Na, Li Shao-Zhuo. A blockchain-based access control mechanism for big data. Journal of Software, 2019, 30(9): 2636-2654 [7] Maesa D D F, Mori P, Ricci L. Blockchain based access control services. In: Proceedings of the IEEE Conferences on Internet of Things, Green Computing and Communications, Cyber, Physical and Social Computing, Smart Data. New York, USA: IEEE, 2018. 1379−1386 [8] 王秀利, 江晓舟, 李洋. 应用区块链的数据访问控制与共享模型. 软件学报, 2019, 30(6): 1661-1669 doi: 10.13328/j.cnki.jos.005742Wang Xiu-Li, Jiang Xiao-Zhou, Li Yang. Model for data access control and sharing based on blockchain. Journal of Software, 2019, 30(6): 1661-1669 doi: 10.13328/j.cnki.jos.005742 [9] Maesa D D F, Mori P, Ricci L. A blockchain based approach for the definition of auditable access control systems. Computers & Security, 2019, 84: 93-119 [10] 宋衍, 韩臻, 刘凤梅, 刘磊. 基于访问树的策略隐藏属性加密方案. 通信学报, 2015, 36(9): 119-126 doi: 10.11959/j.issn.1000-436x.2015135Song Yan, Han Zhen, Liu Feng-mei, Liu Lei. Attribute-based encryption with hidden policies in the access tree. Journal on Communications, 2015, 36(9): 119-126 doi: 10.11959/j.issn.1000-436x.2015135 [11] 王海斌, 陈少真. 隐藏访问结构的基于属性加密方案. 电子与信息学报, 2012, 34(2): 457-461Wang Hai-Bin, Chen Shao-Zhen. Attribute-based encryption with hidden access structures. Journal of Electronics & Information Technology, 2012, 34(2): 457-461 [12] Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security. New York, USA: 2006. 89−98 [13] Boneh D, Franklin M. Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 2003, 32(3): 586-615 doi: 10.1137/S0097539701398521 [14] Sahai A, Waters B. Fuzzy identity-based encryption. In: Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Germany: Springer, 2005. 457−473 [15] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. In: Proceedings of the 28th IEEE Symposium on Security and Privacy. Oakland, USA: IEEE, 2007. 321−334 [16] Ostrovsky R, Sahai A, Waters B. Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM Conference on Computer and Communications Security. New York, USA: 2007. 195−203 [17] Zhou Z, Huang D, Wang Z. Efficient privacy-preserving ciphertext-policy attribute based-encryption and broadcast encryption. IEEE Transactions on Computers, 2015, 64(1): 126-128 doi: 10.1109/TC.2013.200 [18] 洪澄, 张敏, 冯登国. AB-ACCS: 一种云存储密文访问控制方法. 计算机研究与发展, 2010: 47(Suppl.): 259-265Hong Cheng, Zhang Min, Feng Deng-Guo. AB-ACCS: A cryptographic access control scheme for cloud storage. Journal of Computer Research and Development, 2010, 47(Suppl.): 259-265 [19] Wang Y, Li F, Xiong J, Niu B, Shan F. Achieving lightweight and secure access control in multi-authority cloud. In: Proceedings of the 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. Helsinki, Finland: IEEE, 2015. 459−466 [20] Jung T, Li X Y, Wan Z, Wan M. Privacy preserving cloud data access with multi-authorities. In: Proceedings of the 32nd IEEE Conference on Computer Communications. Turin, Italy: IEEE, 2013. 2625−2633 [21] 关志涛, 杨亭亭, 徐茹枝, 王竹晓. 面向云存储的基于属性加密的多授权中心访问控制方案. 通信学报, 2015, 36(6): 120-130 doi: 10.11959/j.issn.1000-436x.2015142Guan Zhi-Tao, Yang Ting-Ting, Xu Ru-Zhi, Wang Zhu-Xiao. Multi-authority attribute-based encryption access control model for cloud storage. Journal on Communications, 2015, 36(6): 120-130 doi: 10.11959/j.issn.1000-436x.2015142 [22] Lin H, Cao Z, Liang X, Shao J. Secure threshold multi authority attribute based encryption without a central authority. Information Sciences, 2010, 180(13): 2618-2632 doi: 10.1016/j.ins.2010.03.004 [23] Ding X, Yang J. An access control model and its application in blockchain. In: Proceedings of the International Conference on Communications, Information System and Computer Engineering. Haikou, China: IEEE, 2019. 163−167 [24] Ba Y, Hu X, Chen Y, Hao Z, Li X, Yan X. A Blockchain-based CP-ABE scheme with partially hidden access structures. Security and Communication Networks, 2021, 2021: 4132597 [25] Wang S, Zhang Y, Zhang Y. A blockchain-based framework for data sharing with fine-grained access control in decentralized storage systems. IEEE Access, 2018, 6: 38437-38450 doi: 10.1109/ACCESS.2018.2851611 [26] 张建标, 张兆乾, 徐万山, 吴娜. 一种基于区块链的域间访问控制模型. 软件学报, 2021, 32(5): 1547-1564Zhang Jian-Biao, Zhang Zhao-Qian, Xu Wan-Shan, Wu Na. Inter-domain access control model based on blockchain. Journal of Software, 2021, 32(5): 1547-1564 [27] Makhdoom I, Zhou I, Abolhasan M, Lipman J, Ni W. PrivySharing: A blockchain-based framework for privacy-preserving and secure data sharing in smart cities. Computers and Security, 2020, 88: 101653 doi: 10.1016/j.cose.2019.101653 [28] Gao S, Piao G, Zhu J, Ma X, Ma J. Trustaccess: A trustworthy secure ciphertext-policy and attribute hiding access control scheme based on blockchain. IEEE Transactions on Vehicular Technology, 2020, 69(6): 5784-5798 doi: 10.1109/TVT.2020.2967099 [29] Zhang Z, Zhang J, Yuan Y, Li Z. An expressive fully policy-hidden ciphertext policy attribute-based encryption scheme with credible verification based on blockchain. IEEE Internet of Things Journal, 2022, 9(11): 8681-8692 doi: 10.1109/JIOT.2021.3117378 [30] 夏清, 窦文生, 郭凯文, 梁赓, 左春, 张凤军. 区块链共识协议综述. 软件学报, 2021, 32(2): 277-299 doi: 10.13328/j.cnki.jos.006150Xia Qing, Dou Wen-Sheng, Guo Kai-Wen, Liang Geng, Zuo Chun, Zhang Feng-Jun. Survey of blockchain consensus protocols. Journal of Software, 2021, 32(2): 277-299 doi: 10.13328/j.cnki.jos.006150 [31] Zhang Y, Kasahara S, Shen Y, Jiang X, Wan J. Smart contract-based access control for the internet of things. IEEE Internet of Things Journal, 2018, 6(2): 1594-1605 [32] Shparlinski I E. Communication complexity and Fourier coefficients of the Diffie-Hellman key. In: Proceedings of the 4th Latin American Symposium on Theoretical Informatics. Berlin, Germany: Springer, 2000. 259−268 [33] Boneh D, Boyen X. Efficient selective identity-based encryption without random oracles. Journal of Cryptology, 2011, 24: 659-693 doi: 10.1007/s00145-010-9078-6 [34] 杨浩淼, 孙世新, 李洪伟. 双线性Diffie-Hellman问题研究. 四川大学学报(工程科学版), 2006, 38(2): 137-140 doi: 10.3969/j.issn.1009-3087.2006.02.028Yang Hao-Miao, Sun Shi-Xin, Li Hong-Wei. Research on bilinear Diffie-Hellman problem. Journal of Sichuan University (Engineering Science Edition), 2006, 38(2): 137-140 doi: 10.3969/j.issn.1009-3087.2006.02.028 [35] Ghayvat H, Pandya S, Bhattacharya P, Zuhair M, Rashid M, Hakak S, et al. CP-BDHCA: Blockchain-based confidentiality-privacy preserving big data scheme for healthcare clouds and applications. IEEE Journal of Biomedical and Health Informatics, 2021, 26(5): 1937-1948 [36] Nishide T, Yoneyama K, Ohta K. Attribute-based encryption with partially hidden encryptor-specified access structures. In: Proceedings of the 6th International Conference on Applied Cryptography and Network Security. Berlin, Germany: Springer, 2008. 111−129 [37] Lai J, Deng R H, Li Y. Fully secure cipertext-policy hiding CP-ABE. In: Proceedings of the 7th International Conference on Information Security Practice and Experience. Berlin, Germany: Springer, 2011. 24−39 [38] 徐恪, 凌思通, 李琦, 吴波, 沈蒙, 张智超, 等. 基于区块链的网络安全体系结构与关键技术研究进展. 计算机学报, 2021, 44(1): 55-83Xu Ke, Ling Si-Tong, Li Qi, Wu Bo, Shen Meng, Zhang Zhi-Chao, et al. Research progress of network security architecture and key technologies based on blockchain. Chinese Journal of Computers, 2021, 44(1): 55-83 -
图(17) / 表(1)
计量
- 文章访问数: 942
- HTML全文浏览量: 247
- PDF下载量: 242
- 被引次数: 0
