
Research on Data Access Control Methods Based on Attribute-Based Encryption

Published: 2018-07-26 14:56
[Abstract]: With the rise and development of new computing technologies such as cloud computing, the Internet of Things and big data, global informatization has triggered profound changes worldwide, and the dependence of the national economy, social development and people's lives on information technology has reached an unprecedented level. At the same time, the openness of the Internet and information sharing pose a serious threat to global information security, and information security has become one of the main components of national security. Access control is an important foundation for protecting the confidentiality, integrity, availability and legitimate use of data, and is one of the key strategies for network security defence and resource protection. However, as networks keep growing in scale, the number of users and the volume of data in distributed network environments surge, and users' demands regarding data, personal privacy and permission granularity keep rising, there is an urgent need for fine-grained dynamic authorization for large numbers of users. Security requirements have shifted from communication in which both parties are single users to multi-party communication in which at least one party consists of multiple users, and from "same-domain" to "cross-domain" communication, so traditional access control faces new challenges. In recent years, researchers at home and abroad have widely studied access control methods based on attribute-based encryption and achieved a large number of results. However, problems such as diversified privileges, user-group-oriented access control and hidden access control policies still require further study. To address these problems, this thesis studies access control methods based on attribute-based encryption. The main research work includes:

1. To address users' need for diversified privileges, a multi-attribute-authority access control scheme with differentiated user privileges is designed. It mainly solves the following problems: (1) because a single user privilege cannot meet current users' diversified privilege needs, different user privileges are provided so that users with different attribute sets obtain different privileges; (2) a central authority combined with multiple attribute authorities is used, which addresses the problem that an attribute-based cryptosystem with a single attribute authority cannot meet the need of large-scale distributed applications for cooperation among different organizations and is vulnerable to concentrated attack; (3) while generating the ciphertext, the data owner also produces a short signature, which ensures the integrity of the data and the authenticity of the data source; (4) the scheme is proved secure in the selective attribute-set security model, and comparison with similar schemes shows that it adds less information and computation.

2. To address the abuse that arises when user privileges are overly concentrated, a verifiable user-group-oriented access control scheme and security model are proposed, and the scheme is proved secure. Its main functions are: (1) user groups are introduced, which not only disperses user privileges but also means each participant only needs to store a small amount of information; (2) using Schoenmakers' verifiable secret sharing mechanism, a non-interactive supervision mechanism over the central authority CA is established, reducing dependence on the central authority, so the scheme can use a semi-trusted or untrusted central authority; (3) each participant can verify the honesty of cooperating users by checking the information provided by the other participants in the same user group; (4) comparison with existing schemes shows that this scheme's user privilege management is more fine-grained and that verifying attribute keys requires less computation.

3. To address leakage of access policies, an encryption scheme that fully hides the access policy is designed, and from it an access control mechanism with fully hidden access policies for cloud storage is constructed, protecting the security and confidentiality of data stored in a semi-trusted cloud. Specifically: (1) the access policy is fully hidden from the cloud storage service provider CSP, which addresses the threat to data confidentiality and integrity posed by privileged users in cloud storage environments; (2) the access policy is fully hidden from all users: even if a legitimate user successfully decrypts the encrypted shared data, he cannot determine the access policy he satisfied; (3) support for changes to user attributes is added: a proxy re-encryption mechanism is introduced so that the CSP completes the re-encryption task alone, without knowing the access policy or the content of the stored data, sparing the data owner the burden of re-encrypting; (4) the scheme is proved secure, and comparison with similar schemes shows that the access policy is hidden more thoroughly in this scheme.

4. Taking the smart distribution grid as a typical application scenario, a data aggregation and access control model for the smart distribution grid communication system is designed, applying attribute-based access control to the smart distribution grid communication environment. Specifically: (1) for the collection of massive data in the smart distribution grid, the Paillier homomorphic mechanism is used to collect multidimensional data while keeping it confidential, and the signatures support batch verification, reducing the number of pairing computations from 3t to 3; (2) feedback commands are encrypted with an attribute-based access control method, avoiding the problem of huge numbers of smart terminals obtaining the same command and the security attacks that result; (3) signatures are provided in both the data collection and command feedback phases, ensuring data integrity and resource authentication; (4) analysis and simulation against existing schemes in terms of computation, communication and functionality show that when there are few types of aggregated data, the number of smart terminals is huge, and classified authorization is required, this scheme has clear advantages in computational overhead and in access control of feedback commands.
[Degree-granting institution]: Lanzhou University of Technology
[Degree level]: Doctoral
[Year degree granted]: 2016
[Classification number]: TP309

Liu Xueyan; Research on Data Access Control Methods Based on Attribute-Based Encryption [D]; Lanzhou University of Technology; 2016




Article ID: 2146379


Article link: http://www.lk138.cn/shoufeilunwen/xxkjbs/2146379.html

