Abstract: Aiming at the unreasonable access of private data in cloud database and the leakage of personal sensitive information, a cloud data access control model based on PBAC（Purpose-Based Access Control） and ABE（Attribute-Based Encryption） is proposed. Based on the original PBAC model, the concept of attribute destination set is added, and the original destination tree is extended to achieve full coverage, which solves the problem of detailed partitioning. The model also incorporates the attribute encryption technology to construct the public key according to the expected purpose of the data. Only when the authentication is successful and the matching of the destination is successful, can the limited privacy data information be accessed. In the process of achieving full coverage and matching of destination trees, the algorithm of destination tree construction and the purpose matching algorithm are designed, and the security of the algorithm is analyzed. Experimental results show that the combination of PBAC and ABE access control scheme in the encryption and decryption operation is more efficient.

Key words: attribute encryption, privacy protection, access control

摘要： 针对云计算环境下云数据库中个人隐私数据的不合理的访问以及关乎个人敏感信息泄露的问题，提出了一种基于PBAC（Purpose-Based Access Control）和ABE（Attribute-Based Encryption）相结合的云数据访问控制模型。该模型在原有的PBAC模型基础上，加入了属性目的集合的概念，对原有的目的树进行了扩展并实现全覆盖，解决了目的详细划分问题；模型还结合了属性加密的技术，根据数据的预期目的构造属性公钥，只有通过认证并且进行目的匹配成功才可以访问限定隐私数据信息。在实现目的树全覆盖以及目的匹配过程中，设计了目的树构建算法以及目的匹配算法，对算法安全性进行分析。实验结果表明，PBAC和ABE相结合的访问控制方案在加解密运算上效率更高。

关键词: 属性加密, 隐私保护, 访问控制