摘要
针对云数据库租户隐私数据的加密和查询问题,提出并实现了一种面向云数据库的属性基加密(ABE)和查询转换服务中间件。首先,服务中间件的加解密部件对租户的对称密钥进行属性基加密,生成密文并保存;其次,服务中间件的查询转换部件对查询语句进行转换,使其可在加密后的数据库上正确执行;最后,租户的隐私数据经过对称加密后保存到云数据库。实验结果表明,与未加密数据库的数据写入和查询时间相比,加密数据库的写入时间与其相当,按照查询语句的复杂程度,查询时长增加10%~150%不等。理论分析表明,所采用的代理解密方案是安全的,与传统的基于密钥策略的属性基加密(CP-ABE)方案相比,代理解密方案在时间复杂度上更具优势。
Focusing on the problem of encryption and querying of tenant private data on cloud database,a cloud database oriented Attribute Based Encryption( ABE) and query transform service middleware was proposed and realized. Firstly,the tenant symmetric keys were encrypted in the encryption and decryption component of the service middleware through attribute based encryption,and the ciphertext was generated and saved. Secondly,the query statements were translated in the query translation component so that they can be correctly executed on the encrypted database. Finally,the tenant privacy data was stored in the cloud database after symmetric encryption. The experimental results show that compared with the unencrypted database,the write time of the encrypted database is equivalent,while the querying time is increased by 10% to 150%according to the complexity of the query statement. The theoretical analysis shows that the proposed proxy decryption method is secure,and it has superiority over traditional Key Policy Attribute Based Encryption( KP-ABE) algorithm in time complexity.
引文
[1]林子雨,赖永炫,林琛,等.云数据库研究[J].软件学报,2012,23(5):1148-1166.(LIN Z Y,LAI Y X,LIN C,et al.Research on cloud databases[J].Journal of Software,2012,23(5):1148-1166.)
[2]冯登国,张敏,张妍,等.云计算安全研究[J].软件学报,2011,22(1):71-83.(FENG D G,ZHANG M,ZHANG Y,et al.Study on cloud computing security[J].Journal of Software,2011,22(1):71-83.)
[3]田洪亮,张勇,李超,等.云环境下数据库机密性保护技术研究综述[J].计算机学报,2017,40(10):2245-2270.(TIAN H L,ZHANG Y,LI C,et al.A survey of confidentiality protection for cloud databases[J].Chinese Journal of Computers,2017,40(10):2245-2270.)
[4]田秀霞,王晓玲,高明,等.数据库服务——安全与隐私保护[J].软件学报,2010,21(5):991-1006.(TIAN X X,WANG X L,GAO M,et al.Database as a service—security and privacy preserving[J].Journal of Software,2010,21(5):991-1006.)
[5]YAISH H,GOYAL M.Multi-tenant database access control[C]//CSE'13:Proceedings of the 16th International Conference on Computational Science and Engineering.Washington,DC:IEEE Computer Society,2013:870-877.
[6]MYKLETUN E,NARASIMHA M,TSUDIK G.Authentication and integrity in outsourced databases[J].ACM Transactions on Storage,2006,2(2):107-138.
[7]沈晴霓,杨雅辉,禹熹,等.一种面向多租户云存储平台的访问控制策略[J].小型微型计算机系统,2011,32(11):2223-2229.(SHEN Q N,YANG Y H,YU X,et al.An access control policy for multi-tenancy cloud storage platform[J].Journal of Chinese Computer Systems,2011,32(11):2223-2229.)
[8]谭跃生,宁宁,王静宇.基于PBAC和ABE的云数据访问控制研究[J].计算机工程与应用,2018,54(13):117-122.(TAN Y S,NING N,WANG J Y.Research of cloud data access control based on PBAC and ABE[J].Computer Engineering and Applications,2018,54(13):117-122.)
[9]ION M,RUSSELLO G,CRISPO B.enforcing multi-user access policies to encrypted cloud databases[C]//POLICY'11:Proceedings of the 2011 IEEE International Symposium on Policies for Distributed Systems and Networks.Washington,DC:IEEE Computer Society,2011:175-177.
[10]YOON J P.Access control and trustiness for resource management in cloud databases[M]//Grid and Cloud Database Management.Berlin:Springer-Verlag,2011:109-131.
[11]GREEN M,HOHENBERGER S,WATERS B.Outsourcing the decryption of ABE ciphertexts[C]//SEC'11:Proceedings of the20th USENIX conference on Security.Berkeley:USENIX Association,2011:34-34.
[12]ZHOU Z,HUANG D.Efficient and secure data storage operations for mobile cloud computing[C]//CNSM'12:Proceedings of the8th International Conference on Network and Service Management.Laxenburg,Austria:International Federation for Information Processing,2012:37-45.
[13]LAI J,DENG R H,GUAN C,et al.Attribute-based encryption with verifiable outsourced decryption[J].IEEE Transactions on Information Forensics&Security,2013,8(8):1343-1354.
[14]王皓,郑志华,吴磊,等.自适应安全的外包CP-ABE方案研究[J].计算机研究与发展,2015,52(10):2270-2280.(WANG H,ZHENG Z H,WU L,et al.Adaptively secure outsourcing ciphertext-policy attribute-based encryption[J].Journal of Computer Research and Development,2015,52(10):2270-2280.)
[15]蔡孟飞,何倩,程东生,等.面向移动云存储的属性基解密服务中间件[J].计算机应用,2016,36(7):1828-1833.(CAI M F,HE Q,CHENG D S,et al.Mobile cloud storage-oriented attribute based decryption service middleware[J].Journal of Computer Applications,2016,36(7):1828-1833.)
[16]WATERS B.Ciphertext-policy attribute-based encryption:an expressive,efficient,and provably secure realization[C]//PKC2011:Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography,LNCS 6751.Berlin:Springer,2011:53-57.
[17]DENG H,WU Q,QIN B,et al.Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts[J].Information Sciences,2014,275:370-384.