一种基于Fabric区块链的云端数据动态访问控制方案

doi:10.11871/jfdc.issn.2096-742X.2024.01.014

数据与计算发展前沿 ›› 2024, Vol. 6 ›› Issue (1): 150-161.

CSTR: 32002.14.jfdc.CN10-1649/TP.2024.01.014

doi: 10.11871/jfdc.issn.2096-742X.2024.01.014

一种基于Fabric区块链的云端数据动态访问控制方案

胡睿¹(),张功萱^2,^*(),寇小勇²

1.南京理工大学，网络空间安全学院，江苏南京 210094
2.南京理工大学，计算机科学与工程学院，江苏南京 210094

收稿日期:2023-07-26 出版日期:2024-02-20 发布日期:2024-02-21
通讯作者: * 张功萱（E-mail: gongxuan@njust.edu.cn）
作者简介:胡睿，南京理工大学网络空间安全学院，硕士研究生，主要研究方向为基于区块链的数据访问控制技术。负责论文初稿撰写、访问控制智能合约的开发。
Hu Rui is a master student at Nanjing University of Science and Technology. His main research direction is data access control technology based on blockchain. Responsible for the writing of the first draft of the paper and the development of access control smart contracts.
In this paper, he is responsible for the paper drafting and KEDS development.
E-mail: fengji0@qq.com|张功萱，南京理工大学计算机科学与工程学院，博士，教授，博士研究生导师，CCF杰出会员、ACM/IEEE-CS高级会员，中国计算机体系结构专委会委员、中国服务计算专委会委员、中国计算机安全专委会委员，江苏省网络空间安全高校联盟副理事长，主要研究领域为云计算、Web服务和分布式系统。
负责制定论文框架，论文修改、审定。
Zhang Gongxuan, School of Computer Science and Engineering, Nanjing University of Science and Technology, Ph.D., professor, doctoral supervisor, outstanding member of CCF, senior member of ACM/IEEE-CS, member of China Computer Architecture Special Committee, member of China Service Computing Special Committee, member of China Computer Security Special Committee, vice chairman of Jiangsu Cyberspace Security University Alliance, the main research areas are cloud computing, Web services and distributed systems
In this paper, he is responsible for formulating the framework of the thesis, revising and reviewing the thesis.
E-mail: gongxuan@njust.edu.cn
基金资助:
国家自然科学基金资助项目(62272232);IaaS可信虚拟化平台构建及其工作流任务调度

A Dynamic Access Control Scheme for Cloud Data Based on Fabric Blockchain

HU Rui¹(),ZHANG Gongxuan^2,^*(),KOU Xiaoyong²

1. School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, Jiangsu 210094, China
2. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, Jiangsu 210094, China

Received:2023-07-26 Online:2024-02-20 Published:2024-02-21

摘要/Abstract

摘要：

【目的】云端存储数据的安全性是用户使用云存储服务的重要条件，一般用户与云服务提供商之间需要相互信任，而中心化的云服务器存在单点故障问题并且云端的数据存在泄露、丢失的风险。【方法】为解决上述问题，提出了一种基于Fabric区块链的云端数据动态访问控制方案。【结果】方案利用区块链难以篡改的特性解决了用户与云端的信任问题，使用去中心化云存储解决了云服务器的单点故障问题，利用智能合约实现了方案的自动执行，并采用属性基加密的方式实现了对云端数据的动态访问控制。【结论】通过对方案的安全分析与实验验证，方案具有良好的安全性与可用性。

关键词: 区块链, 属性基加密, 数据访问控制, 云存储, 智能合约

Abstract:

[Objective] The security of cloud storage is an important condition for users to use cloud storage services. Generally, mutual trust is required between users and cloud service providers, but centralized cloud servers have a single point of failure problem and cloud data has the risk of leakage and loss. [Methods] In order to solve the above problems, a dynamic access control scheme for cloud data based on Fabric blockchain is proposed. [Results] The scheme solves the trust problem between users and the cloud by using the characteristics of blockchains that are difficult to tamper with. The scheme also uses decentralized cloud storage to solve the single point of failure problem of cloud servers, uses smart contracts to realize the automatic execution of the solution, and uses attribute-based encryption to realize dynamic access control to cloud data. [Conclusions] Through the security analysis and experimental verification of the scheme, the scheme has shown good security and usability.

Key words: block chain, attribute-based encryption, data access control, cloud storage, smart contract

胡睿, 张功萱, 寇小勇. 一种基于Fabric区块链的云端数据动态访问控制方案[J]. 数据与计算发展前沿, 2024, 6(1): 150-161.

HU Rui, ZHANG Gongxuan, KOU Xiaoyong. A Dynamic Access Control Scheme for Cloud Data Based on Fabric Blockchain[J]. Frontiers of Data and Computing, 2024, 6(1): 150-161, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2024.01.014.

图/表 12

图1

图2

表1

算法1

算法2

算法3

算法4

属性私钥申请智能合约"

输入：DU的属性证书对应的属性集合attList[]，数据拥有者标识DOid
返回：DU对于DO的属性私钥SK

BEGIN
1. if(!query(attr,DOid))//如果没有申请过属性私钥
/*选取随机数t,生成属性私钥的部分结构*/
2. t = random_gen
3. 分别计算

D

、

D 0

4. for i = 0 to attList do
/*对用户属性列表中的每一个属性i计算

D i

*/
5.

D i

= GlobalParameter.hash(i)
6. end for
7. 将

D

、

D 0

加入状态变量中缓存
8.end if
/*直接查询属性私钥的部分结构*/
9.

D

= storage.value[DOid].value(attList).parameter_d
10.

D 0

= storage.value[DOid].value(attList).parameter_d_0
11. for i = 0 to attList do
/*对用户属性列表中的每一个属性i计算

D i

*/
12.

D i

= GlobalParameter.hash(i)
13. end for
14. return //返回SK
END

算法4

算法5

图3

图4

图5

表2

参考文献 19

[1]	WU J, PING L, GE X, et al. Cloud storage as the infrastructure of cloud computing[C]// 2010 International conference on intelligent computing and cognitive informatics. IEEE, 2010: 380-383.
[2]	冯小梅, 刘怡君. 云存储技术的现状分析与发展趋势[C]//. 广西计算机学会2014年学术年会论文集, 2014:275-282.
[3]	ZHANG X, DU H, CHEN J, et al. Ensure data security in cloud storage[C]// 2011 International Conference on Network Computing and Information Security. IEEE, 2011, 1: 284-287.
[4]	张瑜. 基于云链融合的数据安全访问控制系统设计与实现[D]. 武汉: 华中科技大学, 2020.
[5]	YLI-HUUMO J, KO D, CHOI S, et al. Where is current research on blockchain technology?—a systematic review[J]. PloS one, 2016, 11(10): e0163477. doi: 10.1371/journal.pone.0163477
[6]	WATERS B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization[C]// International workshop on public key cryptography. Springer, Berlin, Heidelberg, 2011: 53-70.
[7]	SAHAI A, SEYALIOGLU H, WATERS B. Dynamic credentials and ciphertext delegation for attribute-based encryption[C]// Annual Cryptology Conference. Springer, Berlin, Heidelberg, 2012: 199-217.
[8]	田有亮, 杨科迪, 王缵, 等. 基于属性加密的区块链数据溯源算法[J]. 通信学报, 2019, 40(11): 101-111. doi: 10.11959/j.issn.1000-436x.2019222
[9]	于金刚, 张弘, 李姝, 等. 基于区块链的物联网数据共享模型[J]. 小型微型计算机系统, 2019, 40(11): 2324-2329.
[10]	LAI J, DENG R H, GUAN C, et al. Attribute-based encryption with verifiable outsourced decryption[J]. IEEE Transactions on information forensics and security, 2013, 8(8): 1343-1354. doi: 10.1109/TIFS.2013.2271848
[11]	MAESA D D F, MORI P, RICCI L. Blockchain Based Access Control[C]// 17th IFIP International Conference on Distributed Applications and Interoperable Systems (DAIS). Springer International Publishing, 2017: 206-220.
[12]	CHASE M. Multi-authority attribute based encryption[C]/ Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007. Proceedings 4. Springer Berlin Heidelberg, 2007: 515-534.
[13]	刘萌, 陈丹伟, 马圣东. 基于区块链可追溯的个人隐私数据共享技术研究[J]. 信息安全研究, 2023, 9(2): 109-119.
[14]	王栋, 李达, 冯景丽, 等. 基于区块链的数据要素资源共享及访问控制方案[J]. 信息安全研究, 2023, 9(2): 137-145.
[15]	邱云翔, 张红霞, 曹琪, 等. 基于CP-ABE算法的区块链数据访问控制方案[J]. 网络与信息安全学报, 2020, 6(3): 88-98.
[16]	NAKAMOTO S. Bitcoin: A peer-to-peer electronic cash system[J]. Decentralized Business Review, 2008: 21260.
[17]	ANDROULAKI E, BARGER A, BORTNIKOV V, et al. Hyperledger fabric: a distributed operating system for permissioned blockchains[C]// Proceedings of the thirteenth EuroSys conference. 2018: 1-15.
[18]	SAHAI A, WATERS B. Fuzzy identity-based encryption[C]// Advances in Cryptology-EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005. Proceedings 24. Springer Berlin Heidelberg, 2005: 457-473.
[19]	BENET J. Ipfs-content addressed, versioned, p2p file system[J]. arXiv preprint arXiv:1407.3561, 2014.

字段	字段含义	字段类型
gate	gate[0]为门限值， gate[1]为子节点个数	int[]
children att secretShare valid	子节点索引列表节点属性值节点对应的秘密值标识节点是否可以恢复秘密	int[] int[] Element boolean

方案	无单点故障	无需第三方可信CA	属性撤销	策略更新	去中心化云存储
文献[4]	√	×	×	×	√
文献[13]	×	×	×	√	√
文献[15]	√	√	×	×	√
本文	√	√	√	√	√

一种基于Fabric区块链的云端数据动态访问控制方案

A Dynamic Access Control Scheme for Cloud Data Based on Fabric Blockchain

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 19

相关文章 15

编辑推荐

Metrics

本文评价

[1]	钟子岳, 朱长昊, 李浚哲, 张美慧. 基于区块链的数据要素可信流通技术综述[J]. 数据与计算发展前沿, 2023, 5(5): 46-62.
[2]	谢人强, 陈燕玉. 基于区块链智能节点的社交网络舆情传播探讨[J]. 数据与计算发展前沿, 2023, 5(3): 152-159.
[3]	赵鑫博,代闯闯,陆忠华. 一种改进的BMUF训练框架及联邦学习系统实现[J]. 数据与计算发展前沿, 2022, 4(6): 105-117.
[4]	郑歆凤,王建均,黄敬彬,饶强,潘金木,叶沁丹. 基于区块链技术的“三体五信”算网运营体系研究[J]. 数据与计算发展前沿, 2022, 4(6): 38-54.
[5]	王晶,张海明,温亮明,马卓然. 基于联盟链的科研云联邦计量系统研究设计[J]. 数据与计算发展前沿, 2022, 4(2): 109-120.
[6]	李浩,李新,陈远平. 区块链在电子发票报销中的创新应用模式[J]. 数据与计算发展前沿, 2021, 3(4): 116-125.
[7]	王嘉麒,杜义华,赵以霞. 基于综合影响力和情感特征的意见领袖发现方法[J]. 数据与计算发展前沿, 2021, 3(4): 126-139.
[8]	翟冉,陈学斌. 区块链的共识机制研究[J]. 数据与计算发展前沿, 2021, 3(3): 86-94.
[9]	袁勇,欧阳丽炜,王晓,王飞跃. 基于区块链的智能组件：一种分布式人工智能研究新范式[J]. 数据与计算发展前沿, 2021, 3(1): 1-14.
[10]	关建峰,牛晓彤,高先明,延志伟. SDN多控制器共识机制研究综述[J]. 数据与计算发展前沿, 2021, 3(1): 15-33.
[11]	闾海荣,姜楠,许瑞坤,周容辰. 区块链在物联网中的应用态势分析[J]. 数据与计算发展前沿, 2021, 3(1): 34-47.
[12]	王丽娟,刘佳,王姝,郭志斌,周园春. 基于区块链的工业互联网标识公共服务应用初探[J]. 数据与计算发展前沿, 2021, 3(1): 60-73.
[13]	庄丽婉,金韬,张晨,黄韬. 基于区块链的软件定义广域网系统研究与设计[J]. 数据与计算发展前沿, 2020, 2(5): 41-51.
[14]	张曼,李洪涛,董科军,延志伟. 基于区块链的网络空间标识服务[J]. 数据与计算发展前沿, 2020, 2(5): 52-64.
[15]	刘加梦,彭绍亮,李肯立,蒋洪波,龙承念. 基于区块链的中草药质量安全管理模型[J]. 数据与计算发展前沿, 2020, 2(5): 65-75.

输入：需要撤销的属性集合attRevokeList[]，数据使用者标识DOid 返回：新的密文、对称密钥密文CT、SKC
BEGIN /撤销DOid对应的属性证书/ 1. revoke_crt(DOid) /更换所有DO的对称密钥SKP/ 2. SKP = KeyGenerator.generateKey() //生成对称密钥 /重新加密明文M/ 3. CT = Aes_encrypt(M) /重新加密对称密钥/ 4. SKC = Abe_encrypt(CT) END