Public Auditing for Encrypted Data with Client-Side Deduplication in Cloud Storage

Storage auditing and client-side deduplication techniques have been proposed to assure data integrity and improve storage efficiency, respectively. Recently, a few schemes start to consider these two different aspects together. However, these schemes either only support plaintext data file or have been proved insecure. In this paper, we propose a public auditing scheme for cloud storage systems, in which deduplication of encrypted data and data integrity checking can be achieved within the same framework. The cloud server can correctly check the ownership for new owners and the auditor can correctly check the integrity of deduplicated data. Our scheme supports deduplication of encrypted data by using the method of proxy re-encryption and also achieves deduplication of data tags by aggregating the tags from different owners. The analysis and experiment results show that our scheme is provably secure and efficient.     

基于签密技术的可认证密钥协商协议

对Zheng的可认证密钥协商协议进行改进,提出基于身份签密的可认证密钥协商协议。该协议具有签密技术的优点,在同一个逻辑步内同时实现了认证和加密两项密码功能,提高了协议的效率;基于身份的公钥密码系统的使用,降低了建立和管理公钥基础设施的代价,用户无需存储、管理和传输公钥及其证书;另外,椭圆曲线上双线性对使协议能以短的密钥和小的计算量实现同等安全要求。文中所提的可认证密钥协商协议具有计算量和传输量小,安全性高的特点。     

Key management for outsourced data security

This paper analyzes the efficiency and security of bilinear-map-based schemes and brings about an AAA based publicly auditable scheme for cloud computing,which is much more efficient.In this scheme,a trust model including four entities is designed to provide both integrity and confidentiality protection.The proposed scheme can be proved to achieve the security goals that no cheating cloud server can pass the auditing without storing users’data intact.The efficiency of the proposal is evaluated by analyzing the fulfillment of the design goals,including the computation cost,communication cost and storage cost of our scheme.This light weight publicly auditable Proof-of-storage scheme achieves security goals perfectly,and has an excellent efficiency performance superior to the current bilinear-map-based publicly auditable Proof-of-storage scheme.     

Public Auditing for Shared Data Utilizing Backups with User Revocation in the Cloud

With the advent of cloud storage, users can share their own data in the remote cloud as a group. To ensure the security of stored data and the normal operation of public auditing, once a user is revoked from the user group, the data files he signed should be resigned by other legal users in the group. In this paper, we propose a new re-signature scheme utilizing backup files to rebuild data which can resist the collusion between the cloud and revoked users, and we use Shamir Secret Sharing Scheme to encrypt data in the multi-managers system which can separate the authority of the group managers. Moreover, our scheme is more practical because we do not need managers to be online all the time. Performance evaluation shows that our mechanism can improve the efficiency of the process of data re-signature.     

Efficient Authenticated Key Agreement Protocol Using Self-Certified Public Keys from Pairings

An efficient authenticated key agreement protocol is proposed, which makes use of bilinear pairings and selfcertified public keys. Its security is based on the security assumptions of the bilinear Diffie-Hellman problem and the computational Diffic-Hellman problem. Users can choose their private keys independently. The public keys and identities of users can bc verified implicitly when the session key being generating in a logically single step. A trusted Key Generation Center is no longer required as in the ID-based authenticated key agreement protocols. Compared with existing authenticated key agreement protocols from pairings, the new proposed protocol is more efficient and secure.     

Improved fair and dynamic provable data possession supporting public verification

A number of proposals have been suggested to tackle data integrity and privacy concerns in cloud storage in which some existing schemes suffer from vulnerabilities in data dynamics. In this paper, we propose an improved fairness and dynamic provable data possession scheme that supports public verification and batch auditing while preserves data privacy. The rb23Tree is utilized to facilitate data dynamics. Moreover, the fairness is considered to prevent a dishonest user from accusing the cloud service provider of manipulating the data. The scheme allows a third party auditor (TPA) to verify the data integrity without learning any information about the data content during the auditing process. Furthermore, our scheme also allows batch auditing, which greatly accelerates the auditing process when there are multiple auditing requests. Security analysis and extensive experimental evaluations show that our scheme is secure and efficient.     

Another ID-Based Proxy Signature Scheme and Its Extension

So fur, the security of many proxy signatures has seldom been considered in a formal way and most of them cannot satisfy nonepudiation. In this work, a novel ID-based （Identity-based） proxy signature scheme is proposed by combining the proxy signature with ID-based public cryptography, and they formalize the notion of security for ID-based proxy signature schemes. And show that the security of the proposed scheme is secure. Compured with other proxy signature schemes, it does not need a secure channel. Thus, it is particularly suitable for the unreliable network computation environment. Finally, they extend proposed scheme to a proxy multi-signature which has the following advantages （1） the size of proxy multi- signature is independent of the number of delegating users; （2） the computation cost of proxy multi-signature only need two Weil paring.     

基于身份的移动网动态可认证群组密钥协商协议

群组密钥协商是保证无线网络群组安全通信的重要工具之一。2007年,Tseng等提出一种适合无线移动网络的高效群组密钥协商协议。对Tseng协议安全性进行分析,发现Tseng协议不具备认证性,不能抵御主动攻击。因此,通过改进Tseng协议,提出一种新的动态可认证群组密钥协商协议。该协议基于身份的公钥密码体制,降低了建立和管理公钥基础设施的代价;同时,协议支持节点间的相互认证。分析结果表明：协议满足群组密钥所要求的安全准则,降低了普通节点的计算和通信成本。     

A dynamic ID-based authenticated group key exchange protocol without pairings

So far, most of the proposed group key exchange (GKE) protocols do not consider the attack when the adversary reveals the parties’ephemeral private keys without their long-term private keys, so these GKE protocols are insecure on this attack. In this paper, for resisting above attack, we propose a dynamic authenticated group key exchange (AGKE) protocol in the ID-based setting. Different from previous ID-based protocols, our protocol does not utilize bilinear pairings, which makes it more efficient. At last, we analyze the security of the protocol in the eCK (enhanced Canetti-Krawczyk) security model.     

基于OwnCloud小型私有云存储系统设计与实现

为解决机密数据或私有数据放入公共云出现的安全问题,提出了一种基于OwnCloud二次开发构建私有云存储系统的新方法,在私有云上使用新的解决方案代替常规的FTP方案.该系统对开源的Own-Cloud进行二次开发后构建私有云存储服务器,用WebDAV协议将私有云存储服务器和客户端相连,将文件存储在自己的服务器上,解决了小型私有云的存储安全问题.     

Analysis and Improvement on a Mobile Payment Protocol with Outsourced Verification in Cloud Service

Mobile wallet is a very convenient means of mobile payment to allow the clients to conduct the payment via their mobile devices. To reduce the computation burden of resources-constraint mobile devices, a few mobile wallet protocols with outsourced verification in cloud computing were proposed. But in some of the protocols, there exist the risk of a colluding attack of the customer and the untrusted cloud server. In this paper, we propose an improved protocol, in which the payment information is protected by Hash function and random number. The malicious customer and cloud server cannot change the payment information to conduct a collusion forgery attack to defraud the merchant. The security analysis indicates that the proposed improved protocol can enhance the security in terms of correctness, unforgeability and traceability without increasing the computational burden.     

Towards comprehensive provable data possession in cloud computing

To check the remote data integrity in cloud computing,we have proposed an efficient and full data dynamic provable data possession(PDP) scheme that uses a SN(serial number)-BN(block number) table to support data block update.In this article,we first analyze and test its performance in detail.The result shows that our scheme is efficient with low computation,storage,and communication costs.Then,we discuss how to extend the dynamic scheme to support other features,including public auditability,privacy preservation,fairness,and multiple-replica checking.After being extended,a comprehensive PDP scheme that has high efficiency and satisfies all main requirements is provided.     

云计算中可验证的外包数据库加密搜索方案

云上外包数据库的安全问题已成为云计算安全的研究热点。给出两个具有数据保密性的云上外包数据库模型,可以验证查询完整性,并能有效保护数据搜索者的搜索隐私。这两个数据库模型支持单属性等值选择操作及其与投影的复合操作,支持数据的添加与删除。与已有的此类方案相比,在计算量相当的前提下,具有较高的安全性和较多的功能。     

An Improved ID-Based Group Key Agreement Protocol

ID-based constant-round group key agreement protocols are efficient in both computation and communication, but previous protocols did not provide valid message authentication. An improvement based on attack analysis is proposed in this paper. The improved method takes full advantage of the data transmitted at various stages of the protocol. By guaranteeing the freshness of authentication messages, the authenticity of the generator of authentication messages, and the completeness of the authenticator, the improved protocol can resist various passive and active attacks. The forward secrecy of the improved protocol is proved under a Katz-Yung （KY） model. Compared with existing methods, the improved protocol is more effective and applicable.     

多PKG环境下无双线性对的基于身份AKA协议

提出一种多PKG环境下无双线性对的基于身份AKA协议, 且在随机预言模型下, 将协议的安全性证明规约到标准的计算性CDH假设。提出了相应的基于身份XCR与DCR签名体制, 通过对两处体制进行安全性证明, 实现对新协议的安全性证明。通过与已有协议的相关性能比较体现了新协议的优点。     

云计算中存储数据安全性研究

针对云计算中存储数据安全性问题,提出了一种基于显式精确最小存储再生代码(explicit exact minimal storage regenerating code, EEMSR)的云存储数据安全性新方法,该方法采用EEMSR和哈希函数通过Challenge-Response协议实现云计算存储数据的可用性和完整性。该方法使用EEMSR代码对数据进行编码,再将此编码数据上传到云中,该编码有助于重新生成丢失的数据,以此确保数据的可用性。而加密哈希函数通过Challenge-Response协议可以验证云数据的完整性。EEMSR代码是一个再生代码,可以用较少的修复流量精确地恢复丢失的数据块,EEMSR代码由参数(n,k,d)定义,该参数允许从n个节点中的任意k个节点恢复数据,并且还具有通过连接到任何d个节点来修复故障节点的能力。实验表明,提出方法安全性能高,与其他方法相比,该方法的运行时间较少,而编码速率较高。     

Dynamic Measurement Protocol in Infrastructure as a Service

Infrastructure as a Service （laaS） has brought advantages to users because virtualization technology hides the details of the physical resources, but this leads to the problem of users being unable to perceive their security. This defect has obstructed cloud computing from wide-spread popularity and development. To solve this problem, a dynamic measurement protocol in laaS is presented in this paper. The protocol makes it possible for the user to get the real-time security status of the resources, thereby solving the problem of guaranteeing dynamic credibility. This changes the cloud service security provider from the operator to the users themselves. This study has verified the security of the protocol by means of Burrow-Abadi-Needham （BAN） logic, and the result shows that it can satisfy requirements for innovation, privacy, and integrity. Finally, based on different laaS platforms, this study has conducted a performance analysis to demonstrate that this protocol is reliable, secure, and efficient.     

一种具备原所有者无关性的无线射频识别标签所有权转换协议

针对标签所有权转换过程中的信息安全问题,提出了一种具备原所有者无关性的标签所有权转换协议。协议中主要包含原所有者、新所有者、标签和可信第三方四个通信实体。采用GNY逻辑对该协议的安全性进行了分析,结果表明该协议能够将原所有者对标签的所有权转交给新所有者;并能抵御跟踪攻击、重放攻击、中间人攻击和去同步化攻击,保护标签信息的前向安全和后向安全,提供原所有者无关性。对该协议进行了仿真实现,获取了标签计算耗时等数据。经过与其他协议的数据进行对比,该协议中标签的计算耗时较短,适用于低成本标签。     

一种高效的具有属性撤销的访问控制协议

采用外包计算技术构造一种基于密文策略的属性加密数据访问控制方法,具有高效的属性撤销功能,可以减少用户的计算量和通信量.其最大特点是将解密秘钥分为两部分,一部分发送给云服务器,另一部分发送给用户,使得云服务器可以帮助用户解密密文,减少了用户计算量,也减少了用户和云服务器的通信量.     

Lightweight and Compromise Resilient Storage Outsourcing with Distributed Secure Accessibility in Mobile Cloud Computing

Mobile Cloud Computing usually consists of front-end users who possess mobile devices and back-end cloud servers.This paradigm empowers users to pervasively access a large volume of storage resources with portable devices in a distributed and cooperative manner.During the period between up-loading and downloading files (data),the privacy and integrity of files need to be guaranteed.To this end,a family of schemes are proposed for different situations.All schemes are lightweight in terms of computational ove...