Zhang Jingchi, Datta Anwitaman
College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore.
De Montfort University Leicester, Leicester, United Kingdom.
PeerJ Comput Sci. 2024 Dec 20;10:e2581. doi: 10.7717/peerj-cs.2581. eCollection 2024.
In traditional cloud storage systems, users benefit from the convenience of data accessibility but face significant risks related to security. Ciphertext-policy attribute-based encryption (CP-ABE) schemes are employed to achieve fine-grained access control in cloud services to ensure confidentiality while maintaining data-sharing capabilities. However, existing approaches are impaired by two critical issues: illegal authorization and privacy leakage. Despite extensive discussions in the literature on interoperability, performance, scalability, and stability, the security of ABE-based cloud storage and data-sharing systems against adversaries-particularly those involving adaptively corrupt attribute authorities gaining unauthorized access to users' data-has not been sufficiently explored. Notably, few existing works even address security in the presence of adversaries, raising concerns about the practicality of these systems in real-world scenarios where malicious behavior is a genuine threat. Another pressing issue is privacy leakage, where sensitive user information, such as medical histories in healthcare use cases, embedded within the access policies, may be exposed to all users. This problem is exacerbated in ABE schemes that integrate blockchain technology for enhanced decentralization and interoperability, as using a public ledger shared across multiple users can further compromise privacy. To address these, we propose an enhanced blockchain-based data governance system that employs blockchain technology and attribute-based encryption to prevent illegal authorization and privacy leakage. Our novel ABE encryption system supports multi-authority use cases while hiding access policy and ensuring identity privacy, which also protects data sharing against corrupt authorities. Utilizing the Advanced Encryption Standard (AES) for data encryption, our system is optimized for real-world efficiency. Notably, the encrypted data is stored in a decentralized storage system, like the InterPlanetary File System (IPFS), which does not rely on any centralized service provider and can, therefore, be leveraged to achieve resilience against single-point failures. With the integration of smart contracts and multi-authority attribute-based encryption, coupled with blockchain's inherent transparency and traceability, our system realizes a balanced solution for fine-grained access control with preserved privacy, further fortifying against credential misuse. Besides the system design, we also present security proofs to demonstrate the robustness of the proposed system.
在传统云存储系统中,用户受益于数据可访问性带来的便利,但面临与安全相关的重大风险。基于密文策略属性的加密(CP-ABE)方案被用于在云服务中实现细粒度访问控制,以确保机密性同时保持数据共享能力。然而,现有方法受到两个关键问题的影响:非法授权和隐私泄露。尽管文献中对互操作性、性能、可扩展性和稳定性进行了广泛讨论,但基于ABE的云存储和数据共享系统针对对手(特别是那些涉及自适应破坏属性授权机构从而未经授权访问用户数据的对手)的安全性尚未得到充分探索。值得注意的是,现有工作中很少有甚至涉及存在对手时的安全性,这引发了对这些系统在恶意行为构成真正威胁的现实场景中的实用性的担忧。另一个紧迫问题是隐私泄露,其中嵌入访问策略中的敏感用户信息(如医疗保健用例中的病史)可能会暴露给所有用户。在为增强去中心化和互操作性而集成区块链技术的ABE方案中,这个问题会更加严重,因为使用跨多个用户共享的公共账本会进一步损害隐私。为了解决这些问题,我们提出了一种基于区块链的增强型数据治理系统,该系统采用区块链技术和基于属性的加密来防止非法授权和隐私泄露。我们新颖的ABE加密系统支持多授权用例,同时隐藏访问策略并确保身份隐私,这也保护数据共享免受腐败授权机构的影响。利用高级加密标准(AES)进行数据加密,我们的系统针对实际效率进行了优化。值得注意的是,加密数据存储在去中心化存储系统中,如星际文件系统(IPFS),它不依赖于任何集中式服务提供商,因此可以用来实现对单点故障的弹性。通过集成智能合约和基于多授权属性的加密,再加上区块链固有的透明度和可追溯性,我们的系统实现了一个兼顾隐私保护的细粒度访问控制的平衡解决方案,进一步防范凭证滥用。除了系统设计,我们还给出了安全证明以展示所提出系统的稳健性。
