摘要
卫星网络具有信道开放、节点暴露、星上处理能力受限等独有特征,但现有的基于密文策略的属性加密(CP-ABE)的访问控制不支持策略完全隐藏且属性授权方式不适用于卫星网络,为此,提出支持策略隐藏的多授权访问控制方案。该方案采用更灵活的线性秘密共享(LSSS)矩阵访问结构,不仅能有效保证数据机密性,而且能通过混淆访问结构实现策略完全隐藏;采用多授权机构实现细粒度的属性管控,能消除中心授权机构的性能瓶颈;各属性授权机构独立工作且密钥生成分权,能有效抵抗合谋攻击。安全性及性能分析表明,所提方案满足数据机密性、抗合谋攻击和完全策略隐藏的安全需求,比对比方案更适合卫星网络。
Satellite network has unique characteristics that differ from traditional networks,such as channel openness,node exposure and limited onboard processing capability.However,existing Ciphertext-Policy Attribute-Based Encryption(CP-ABE)access control is not suitable for the satellite network due to its policy explosion and attribute-based authorization manner.To address this problem,a multi-authority access control scheme with policy hiding of satellite network was proposed.Linear Secret Sharing Scheme(LSSS)matrix access structure was adopted to guarantee data confidentiality and hide the access control policy completely by obfuscating the access structure.In addition,multi-authority was used to achieve fine-grained attribute management,eliminating the performance bottleneck of central authority.Each attribute authority worked independently and generated partial key of the user,which makes it resistant to collusion attacks.The security and performance analysis show that the proposed scheme can satisfy the security requirements of data confidentiality,collusion attack resistance and complete policy hiding,and is more suitable for satellite network than the comparison solutions.
引文
[1]李凤华,殷丽华,吴巍,等.天地一体化信息网络安全保障技术研究进展及发展趋势[J].通信学报,2016,37(11):156-168.(LI F H,YIN L H,WU W,et al.Research status and development trends of security assurance for space-ground integration information network[J].Journal on Communications,2016,37(11):156-168.)
[2]封孝生,刘德生,乐俊,等.临近空间信息资源访问控制策略初探[J].计算机应用研究,2008,25(12):3702-3704.(FENG XS,LIU D S,LE J,et al.Exploration on access control to near space information resources[J].Application Research of Computers,2008,25(12):3702-3704.)
[3]QI H,MA H,LI J,et al.Access control model based on role and attribute and its applications on space-ground integration networks[C]//Proceedings of the 4th International Conference on Computer Science and Network Technology.Piscataway,NJ:IEEE,2015:1118-1122
[4]SAHAI A,WATERS B.Fuzzy identity-based encryption[C]//Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques,LNCS 3494.Berlin:Springer,2005:457-473.
[5]BETHENCOURT J,SAHAI A,WATERS B.Ciphertext-policy attribute-based encryption[C]//Proceedings of the 2007 IEEE Symposium on Security and Privacy.Washington,DC:IEEE Computer Society,2007:321-334.
[6]YADAV U C,ALI S T.Ciphertext policy-hiding attribute-based encryption[C]//Proceedings of the 2015 International Conference on Advances in Computing,Communications and Informatics.Washington,DC:IEEE Computer Society,2015:2067-2071.
[7]PHUONG T V X,YANG G,SUSILO W.Hidden ciphertext policy attribute-based encryption under standard assumptions[J].IEEETransactions on Information Forensics and Security,2016,11(1):35-45.
[8]ZHOU Z,HUANG D,WANG Z.Efficient privacy-preserving ciphertext-policy attribute based encryption and broadcast encryption[J].IEEE Transactions on Computers,2014,64(1):126-138.
[9]XU R,LANG B.A CP-ABE scheme with hidden policy and its application in cloud computing[J].International Journal of Cloud Computing,2015,4(4):279-298.
[10]宋衍,韩臻,刘凤梅,等.基于访问树的策略隐藏属性加密方案[J].通信学报,2015,36(9):119-126.(SONG Y,HAN Z,LIU F M,et al.Attribute-based encryption with hidden policies in the access tree[J].Journal on Communications,2015,36(9):119-126.)
[11]孙国梓,董宇,李云.基于CP-ABE算法的云存储数据访问控制[J].通信学报,2011,32(7):146-152.(SUN G Z,DONG Y,LI Y.CP-ABE based data access control for cloud storage[J].Journal on Communications,2011,32(7):146-152.)
[12]雷蕾,蔡权伟,荆继武,等.支持策略隐藏的加密云存储访问控制机制[J].软件学报,2016,27(6):1432-1450.(LEI L,CAIQ W,JIN J W,et al.Enforcing access controls on encrypted cloud storage with policy hiding[J].Journal of Software,2016,27(6):1432-1450.)
[13]LAI J,DENG R H,LI Y.Expressive CP-ABE with partially hidden access structures[C]//Proceedings of the 7th ACM Symposium on Information,Computer and Communications Security.New York:ACM,2012:18-19.
[14]NISHIDE T,YONEYAMA K,OHTA K.Attribute-based encryption with partially hidden encryptor-specified access structures[C]//Proceedings of the 2008 International Conference on Applied Cryptography and Network Security,LNCS 5037.Berlin:Springer,2008:111-129.
[15]CHASE M.Multi-authority attribute based encryption[C]//Proceedings of the 2007 Conference on Theory of Cryptography,LNCS4392.Berlin:Springer,2007:515-534
[16]MLLER S,KATZENBEISSER S,ECKERT C.Distributed attribute-based encryption[C]//Proceedings of the 2008 International Conference on Information Security and Cryptology,LNCS5461.Berlin:Springer,2008:20-36.
[17]LIU Z,CAO Z,HUANG Q,et al.Fully secure multi-authority ciphertext-policy attribute-based encryption without random oracles[C]//Proceedings of the 2011 European Symposium on Research in Computer Security,LNCS 6879.Berlin:Springer,2011:278-297.
[18]DE S J,RUJ S.Decentralized access control on data in the cloud with fast encryption and outsourced decryption[C]//Proceedings of the 2015 IEEE Global Communications Conference.Piscataway,NJ:IEEE,2015:1-6.
[19]CHASE M,CHOW S S M.Improving privacy and security in multi-authority attribute-based encryption[C]//Proceedings of the 16th ACM Conference on Computer and Communications Security.New York:ACM,2009:121-130.
[20]LIN H,CAO Z,LAING X,et al.Secure threshold multi authority attribute based encryption without a central authority[C]//Proceedings of the 2008 International Conference on Cryptology in India,LNCS 5365.Berlin:Springer,2008:426-436.
[21]LEWKO A,WATERS B.Decentralizing attribute-based encryption[C]//Proceedings of the 2011 Annual International Conference on the Theory and Applications of Cryptographic Techniques,LNCS 6632.Berlin:Springer,2011:568-588.
[22]BEIMEL A.Secure schemes for secret sharing and key distribution[D].Technion:Israel Institute of Technology,1996.
[23]KATE A,ZAVERUCHA G,GOLDBERG I.Pairing-based onion routing[C]//Proceedings of the 7th International Conference on Privacy Enhancing Technologies,LNCS 4776.Berlin:Springer,2007:95-112.