Computer Engineering and Applications ›› 2022, Vol. 58 ›› Issue (13): 112-118. DOI: 10.3778/j.issn.1002-8331.2102-0181

• Network, Communication and Security •

Efficient and Revocable Fog-Assisted Cloud Access Control Scheme

SUN Xiao, WANG Zheng, LI Ling

  1. College of Information and Computer, Taiyuan University of Technology, Jinzhong, Shanxi 030600, China
  • Online: 2022-07-01 Published: 2022-07-01

Abstract: Ciphertext-policy attribute-based encryption (CP-ABE) provides fine-grained access control over data in cloud-storage-based IoT systems, but it also raises the problem of user and attribute revocation. In existing access control schemes, time-based schemes rarely achieve immediate revocation, while third-party-based schemes usually require re-encrypting a large number of ciphertexts, which is inefficient and costly. To address this, an efficient access control scheme that supports immediate revocation of users and attributes is proposed on the basis of an RSA key management mechanism. The scheme fixes the length of keys and ciphertexts, realizes user revocation with the help of fog nodes, and offloads part of the encryption and decryption work from the user side to a nearby fog node, reducing the computational burden on the user. Security analysis under the aMSE-DDH assumption shows that the scheme resists chosen-ciphertext attacks. Theoretical analysis and simulation experiments show that the proposed scheme provides efficient access control for resource-constrained application scenarios in which user attributes change frequently.

Key words: fog computing, access control, user and attribute revocation, constant-size keys and ciphertexts, outsourcing