A Dynamic Access Control Scheme for Cloud Data Based on Fabric Blockchain

doi:10.11871/jfdc.issn.2096-742X.2024.01.014

Abstract

Abstract:

[Objective] The security of cloud storage is an important condition for users to use cloud storage services. Generally, mutual trust is required between users and cloud service providers, but centralized cloud servers have a single point of failure problem and cloud data has the risk of leakage and loss. [Methods] In order to solve the above problems, a dynamic access control scheme for cloud data based on Fabric blockchain is proposed. [Results] The scheme solves the trust problem between users and the cloud by using the characteristics of blockchains that are difficult to tamper with. The scheme also uses decentralized cloud storage to solve the single point of failure problem of cloud servers, uses smart contracts to realize the automatic execution of the solution, and uses attribute-based encryption to realize dynamic access control to cloud data. [Conclusions] Through the security analysis and experimental verification of the scheme, the scheme has shown good security and usability.

Key words: block chain, attribute-based encryption, data access control, cloud storage, smart contract

HU Rui, ZHANG Gongxuan, KOU Xiaoyong. A Dynamic Access Control Scheme for Cloud Data Based on Fabric Blockchain[J]. Frontiers of Data and Computing, 2024, 6(1): 150-161, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2024.01.014.

Figures/Tables 12

Fig.1

Fig.2

Table 1

Alg.1

Alg.2

Alg.3

Alg.4

Attribute private key application smart contract"

输入：DU的属性证书对应的属性集合attList[]，数据拥有者标识DOid
返回：DU对于DO的属性私钥SK

BEGIN
1. if(!query(attr,DOid))//如果没有申请过属性私钥
/*选取随机数t,生成属性私钥的部分结构*/
2. t = random_gen
3. 分别计算

D

、

D 0

4. for i = 0 to attList do
/*对用户属性列表中的每一个属性i计算

D i

*/
5.

D i

= GlobalParameter.hash(i)
6. end for
7. 将

D

、

D 0

加入状态变量中缓存
8.end if
/*直接查询属性私钥的部分结构*/
9.

D

= storage.value[DOid].value(attList).parameter_d
10.

D 0

= storage.value[DOid].value(attList).parameter_d_0
11. for i = 0 to attList do
/*对用户属性列表中的每一个属性i计算

D i

*/
12.

D i

= GlobalParameter.hash(i)
13. end for
14. return //返回SK
END

Alg.4

Alg.5

Fig.3

Fig.4

Fig.5

Table 2

References 19

[1]	WU J, PING L, GE X, et al. Cloud storage as the infrastructure of cloud computing[C]// 2010 International conference on intelligent computing and cognitive informatics. IEEE, 2010: 380-383.
[2]	冯小梅, 刘怡君. 云存储技术的现状分析与发展趋势[C]//. 广西计算机学会2014年学术年会论文集, 2014:275-282.
[3]	ZHANG X, DU H, CHEN J, et al. Ensure data security in cloud storage[C]// 2011 International Conference on Network Computing and Information Security. IEEE, 2011, 1: 284-287.
[4]	张瑜. 基于云链融合的数据安全访问控制系统设计与实现[D]. 武汉: 华中科技大学, 2020.
[5]	YLI-HUUMO J, KO D, CHOI S, et al. Where is current research on blockchain technology?—a systematic review[J]. PloS one, 2016, 11(10): e0163477. doi: 10.1371/journal.pone.0163477
[6]	WATERS B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization[C]// International workshop on public key cryptography. Springer, Berlin, Heidelberg, 2011: 53-70.
[7]	SAHAI A, SEYALIOGLU H, WATERS B. Dynamic credentials and ciphertext delegation for attribute-based encryption[C]// Annual Cryptology Conference. Springer, Berlin, Heidelberg, 2012: 199-217.
[8]	田有亮, 杨科迪, 王缵, 等. 基于属性加密的区块链数据溯源算法[J]. 通信学报, 2019, 40(11): 101-111. doi: 10.11959/j.issn.1000-436x.2019222
[9]	于金刚, 张弘, 李姝, 等. 基于区块链的物联网数据共享模型[J]. 小型微型计算机系统, 2019, 40(11): 2324-2329.
[10]	LAI J, DENG R H, GUAN C, et al. Attribute-based encryption with verifiable outsourced decryption[J]. IEEE Transactions on information forensics and security, 2013, 8(8): 1343-1354. doi: 10.1109/TIFS.2013.2271848
[11]	MAESA D D F, MORI P, RICCI L. Blockchain Based Access Control[C]// 17th IFIP International Conference on Distributed Applications and Interoperable Systems (DAIS). Springer International Publishing, 2017: 206-220.
[12]	CHASE M. Multi-authority attribute based encryption[C]/ Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007. Proceedings 4. Springer Berlin Heidelberg, 2007: 515-534.
[13]	刘萌, 陈丹伟, 马圣东. 基于区块链可追溯的个人隐私数据共享技术研究[J]. 信息安全研究, 2023, 9(2): 109-119.
[14]	王栋, 李达, 冯景丽, 等. 基于区块链的数据要素资源共享及访问控制方案[J]. 信息安全研究, 2023, 9(2): 137-145.
[15]	邱云翔, 张红霞, 曹琪, 等. 基于CP-ABE算法的区块链数据访问控制方案[J]. 网络与信息安全学报, 2020, 6(3): 88-98.
[16]	NAKAMOTO S. Bitcoin: A peer-to-peer electronic cash system[J]. Decentralized Business Review, 2008: 21260.
[17]	ANDROULAKI E, BARGER A, BORTNIKOV V, et al. Hyperledger fabric: a distributed operating system for permissioned blockchains[C]// Proceedings of the thirteenth EuroSys conference. 2018: 1-15.
[18]	SAHAI A, WATERS B. Fuzzy identity-based encryption[C]// Advances in Cryptology-EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005. Proceedings 24. Springer Berlin Heidelberg, 2005: 457-473.
[19]	BENET J. Ipfs-content addressed, versioned, p2p file system[J]. arXiv preprint arXiv:1407.3561, 2014.

字段	字段含义	字段类型
gate	gate[0]为门限值， gate[1]为子节点个数	int[]
children att secretShare valid	子节点索引列表节点属性值节点对应的秘密值标识节点是否可以恢复秘密	int[] int[] Element boolean

方案	无单点故障	无需第三方可信CA	属性撤销	策略更新	去中心化云存储
文献[4]	√	×	×	×	√
文献[13]	×	×	×	√	√
文献[15]	√	√	×	×	√
本文	√	√	√	√	√