CN116204917A - Fog computing access control method based on attribute-based encryption and trust model - Google Patents

Fog computing access control method based on attribute-based encryption and trust model Download PDF

Info

Publication number
CN116204917A
CN116204917A CN202310054749.3A CN202310054749A CN116204917A CN 116204917 A CN116204917 A CN 116204917A CN 202310054749 A CN202310054749 A CN 202310054749A CN 116204917 A CN116204917 A CN 116204917A
Authority
CN
China
Prior art keywords
fog
trust
node
attribute
fog node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310054749.3A
Other languages
Chinese (zh)
Inventor
何泾沙
何海洋
朱娜斐
王虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN202310054749.3A priority Critical patent/CN116204917A/en
Publication of CN116204917A publication Critical patent/CN116204917A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps: constructing a fog node trust model: calculating the credit of the fog node through three dimensions of direct trust, audit trust and peer entity trust, and the trust value of the user terminal to the fog node; establishing a semantic optimization attribute-based encryption method: optimizing an attribute-based encryption method based on attribute mapping of semantic reasoning, and converting character attribute mapping of an access strategy tree and a user into semantic attribute mapping; access control in fog calculation is carried out based on a fog node trust model and a semantic optimization attribute-based encryption method: the data owner sets an access control strategy tree and a privacy threshold, selects a proxy fog node through a trust-based weight load balancing algorithm, and performs outsourcing encryption and ciphertext uploading through the proxy fog node; and the data visitor acquires the privacy threshold of the target information, calls the proxy fog node to perform outsourcing decryption to obtain an intermediate ciphertext, and decrypts the intermediate ciphertext to obtain a required plaintext.

Description

一种基于属性基加密和信任模型的雾计算访问控制方法A fog computing access control method based on attribute-based encryption and trust model

技术领域Technical Field

本发明涉及信息安全技术领域,具体涉及一种基于属性基加密和信任模型的雾计算访问控制方法。The present invention relates to the field of information security technology, and in particular to a fog computing access control method based on attribute-based encryption and a trust model.

背景技术Background Art

基于物联网的互联设备和应用程序正在并将持续以惊人的速度增长,带来了许多新型的设备和应用,它们需要更低的延迟、位置感知、移动性支持等等。集中式的云计算已经不满足物联网场景要求,雾计算应运而生。雾计算由大量雾结点构成,雾节点分布在用户终端附近,所以能为终端应用提供更快的请求响应速度、位置感知能力、实时分析功能等,满足了物联网设备及应用低延迟、位置感知、地理分布等需求。The number of connected devices and applications based on the Internet of Things is and will continue to grow at an astonishing rate, bringing many new devices and applications that require lower latency, location awareness, mobility support, etc. Centralized cloud computing no longer meets the requirements of the Internet of Things scenario, and fog computing has emerged. Fog computing consists of a large number of fog nodes, which are distributed near the user terminal. Therefore, it can provide terminal applications with faster request response speed, location awareness, real-time analysis functions, etc., meeting the requirements of low latency, location awareness, and geographical distribution of IoT devices and applications.

雾计算在提供很多好处的同时,也面临着各种安全和隐私问题。雾计算中的隐私保护更具挑战性,因为与处于核心网络的远程云服务器相比,与终端节点相邻的雾服务器节点可能会收集有关身份、位置、实用工具使用情况的敏感数据,同时不安全的边缘节点的破坏可能是入侵者进入网络的入口点。入侵者一旦进入网络,就可以挖掘和窃取用户在实体之间交换的隐私数据,雾架构之间的通信也会导致隐私泄露。虽然云计算环境中的一些现有解决方案可以解决雾计算中的许多安全和隐私问题,但由于雾计算具有自己独一无二的特性,如终端设备的移动性强、在数量规模上极其大、雾结点计算资源有限等,这些新的特点会带来新的安全和隐私挑战。因此,雾计算环境下用户的数据安全保护具有重要的研究意义。While fog computing provides many benefits, it also faces various security and privacy issues. Privacy protection in fog computing is more challenging because compared with remote cloud servers in the core network, fog server nodes adjacent to terminal nodes may collect sensitive data about identity, location, and utility usage. At the same time, the destruction of unsecured edge nodes may be an entry point for intruders to enter the network. Once an intruder enters the network, he can mine and steal the private data exchanged between users, and the communication between fog architectures will also lead to privacy leakage. Although some existing solutions in cloud computing environments can solve many security and privacy issues in fog computing, fog computing has its own unique characteristics, such as strong mobility of terminal devices, extremely large number scale, and limited computing resources of fog nodes. These new characteristics will bring new security and privacy challenges. Therefore, the data security protection of users in the fog computing environment has important research significance.

为了保障云雾计算中的数据安全,使用访问控制进行信息保护是一种常见的做法。访问控制方法是指采用各种技术限定外来客体对主体数据资源的访问。在云计算中传统的基于角色的访问控制方案中,在用户和权限之间设置了“角色”这一概念,首先设置角色的权限,然后通过给用户分配角色来进行授权,在终端数量巨大的物联网中,采用这种授权方式工作量将会非常之大,而且通过角色授予访问控制权限是粗粒度的,因此有必要设计一种适用于雾计算场景的高效、细粒度的访问控制方法。基于密文策略的属性加密(CP-ABE,ciphertext policy attribute)的访问控制是一种被广泛使用于分布式系统的访问控制方式,在CP-ABE系统中,数据拥有者使用通过属性集制定的相关策略进行加密,系统中每个数据访问者的私钥取决于自身所拥有的属性,当用户私钥中的属性与密文中的策略相匹配时,就可以成功解密得到信息,灵活地实现了细粒度的访问控制。然而,传统的基于属性加密技术不能直接应用到雾计算场景,主要存在以下问题:In order to ensure data security in cloud fog computing, it is a common practice to use access control for information protection. Access control methods refer to the use of various technologies to limit the access of external objects to the subject data resources. In the traditional role-based access control scheme in cloud computing, the concept of "role" is set between users and permissions. First, the permissions of the role are set, and then the authorization is performed by assigning roles to users. In the Internet of Things with a huge number of terminals, the workload of using this authorization method will be very large, and the access control permissions granted by roles are coarse-grained. Therefore, it is necessary to design an efficient and fine-grained access control method suitable for fog computing scenarios. Access control based on ciphertext policy attribute encryption (CP-ABE) is an access control method widely used in distributed systems. In the CP-ABE system, the data owner uses the relevant policies formulated by the attribute set for encryption. The private key of each data accessor in the system depends on the attributes it owns. When the attributes in the user's private key match the policies in the ciphertext, the information can be successfully decrypted, and fine-grained access control is flexibly implemented. However, traditional attribute-based encryption technology cannot be directly applied to fog computing scenarios. There are mainly the following problems:

(1)传统的基于属性的加密技术计算复杂,对于计算资源有限的物联网设备难以承担;(1) Traditional attribute-based encryption technology is computationally complex and difficult to bear for IoT devices with limited computing resources;

(2)基于属性的加密技术属性管理复杂,尤其对于物联网这种设备极多的场景,复杂度会大大加剧;(2) Attribute-based encryption technology has complex attribute management, especially for scenarios such as the Internet of Things where there are a large number of devices, the complexity will be greatly increased;

(3)访问策略构建困难,需要考虑属性全集中的所有属性以及各种组合方式;(3) It is difficult to construct access strategies, as all attributes in the attribute set and various combinations must be considered;

(4)雾计算设备是不完全可信的,无法确定它们会不会在数据传输过程中盗取隐私信息;(4) Fog computing devices are not completely trustworthy, and it is impossible to determine whether they will steal private information during data transmission;

(5)如何选择雾节点,在保护信息安全的前提下充分利用雾节点的计算能力也是一个值得关注的问题。(5) How to select fog nodes and make full use of the computing power of fog nodes while protecting information security is also an issue worthy of attention.

现在已经有一些使用雾节点进行外包计算的属性基加密研究,但是对于属性的管理、构建访问策略的复杂性、以及雾节点的可信度量、计算资源的合理分配等问题,这些研究方案关注较少。There are already some studies on attribute-based encryption using fog nodes for outsourced computing, but these research schemes pay little attention to issues such as attribute management, the complexity of building access policies, the trustworthiness of fog nodes, and the rational allocation of computing resources.

综上,设计一种适合云雾计算架构的安全高效访问控制方法具有重要意义。In summary, it is of great significance to design a secure and efficient access control method suitable for cloud fog computing architecture.

发明内容Summary of the invention

针对现有技术中存在的不足之处,本发明提供一种基于属性基加密和信任模型的雾计算访问控制方法。In view of the deficiencies in the prior art, the present invention provides a fog computing access control method based on attribute-based encryption and trust model.

本发明公开了一种基于属性基加密和信任模型的雾计算访问控制方法,包括:The present invention discloses a fog computing access control method based on attribute-based encryption and trust model, comprising:

构建雾节点信任模型:Building a fog node trust model:

将雾节点划分为雾群,雾群中的管理节点通过直接信任、审计信任和对等实体信任三个维度计算雾节点的信誉以及用户终端对雾节点的信任值;The fog nodes are divided into fog groups. The management nodes in the fog groups calculate the reputation of the fog nodes and the trust value of the user terminals on the fog nodes through three dimensions: direct trust, audit trust, and peer trust.

建立语义优化的属性基加密方法:Establishing a semantically optimized attribute-based encryption method:

基于语义推理的属性映射对属性基加密方法进行优化,将访问策略树和用户的字符属性映射转化为语义属性映射;The attribute-based encryption method is optimized based on the attribute mapping of semantic reasoning, and the access policy tree and the character attribute mapping of the user are converted into semantic attribute mapping;

基于雾节点信任模型和语义优化的属性基加密方法进行雾计算中的访问控制:Access control in fog computing based on fog node trust model and semantically optimized attribute-based encryption method:

数据拥有者设置访问控制策略树和隐私阈值,通过基于信任的权重负载均衡算法选择代理雾节点,由代理雾节点进行外包加密和密文上传;The data owner sets the access control policy tree and privacy threshold, selects the proxy fog node through the trust-based weight load balancing algorithm, and the proxy fog node performs outsourced encryption and ciphertext upload;

数据访问者先获取目标信息的隐私阈值,然后调用基于信任的权重负载均衡算法选择代理雾节点进行外包解密得到中间密文,最终对中间密文解密得到所需明文;The data accessor first obtains the privacy threshold of the target information, then calls the trust-based weighted load balancing algorithm to select the proxy fog node for outsourced decryption to obtain the intermediate ciphertext, and finally decrypts the intermediate ciphertext to obtain the required plaintext;

通过短签名算法对明文进行完整性验证,并将验证结果上传到雾管理节点作为信任评估依据之一。The integrity of the plaintext is verified through a short signature algorithm, and the verification result is uploaded to the fog management node as one of the bases for trust evaluation.

作为本发明的进一步改进,As a further improvement of the present invention,

雾节点k的信誉Reputationk的计算公式为:The calculation formula of the reputation k of fog node k is:

Figure BDA0004060075180000031
Figure BDA0004060075180000031

式中,wα和wβ为权重且wα+wβ=1,trustb(k)为雾节点k的审计信任值,trustb(i′)为雾节点k的推荐节点列表{node1,node2,...,nodep}的审计信任值;Where w α and w β are weights and w α +w β = 1, trust b (k) is the audit trust value of fog node k, trust b (i′) is the audit trust value of the recommended node list {node 1 ,node 2 ,...,node p } of fog node k;

用户终端i对雾节点k的综合信任值Ti,k为:The comprehensive trust value Ti ,k of user terminal i to fog node k is:

Ti,k=wa·trusta(i,k)+wb·trustb(k)+wc·trustc(i,k)T i,kwa ·trust a (i,k)+w b ·trust b (k)+w c ·trust c (i,k)

式中,wa、wb、wc为权重且wa+wb+wc=1,trusta(i,k)为用户终端i对雾节点k的直接信任,trustb(k)为雾节点k的审计信任值,trustc(i,k)为对等实体信任。Where wa , wb , and wc are weights and wa + wb + wc =1, trusta (i,k) is the direct trust of user terminal i in fog node k, trustb (k) is the audit trust value of fog node k, and trustc (i,k) is the peer entity trust.

作为本发明的进一步改进,As a further improvement of the present invention,

直接信任值trusta(i,k)的计算公式为:The calculation formula of direct trust value trust a (i, k) is:

trusta(i,k)=dim1·w1+dim2·w2+dim3·w3 trust a (i,k)=dim 1 ·w 1 +dim 2 ·w 2 +dim 3 ·w 3

式中,w1、w2、w3分别为可用性、可靠性、数据完整性的权重,且w1+w2+w3=1,dim1、dim2、dim3分别为雾节点k对于用户终端i的可用性、可靠性和数据完整性;Where w 1 , w 2 , w 3 are the weights of availability, reliability, and data integrity, respectively, and w 1 +w 2 +w 3 = 1, dim 1 , dim 2 , dim 3 are the availability, reliability, and data integrity of fog node k for user terminal i, respectively;

审计信任值trustb(k)的计算公式为:The calculation formula of the audit trust value trust b (k) is:

Figure BDA0004060075180000041
Figure BDA0004060075180000041

式中,L为雾节点k的访问设备列表;Where L is the access device list of fog node k;

对等实体信任trustc(i,k)的计算公式为:The calculation formula of peer entity trust trust c (i,k) is:

Figure BDA0004060075180000042
Figure BDA0004060075180000042

式中,n为与雾节点k交互次数最多的前n个终端。Where n is the first n terminals that interact with fog node k the most times.

作为本发明的进一步改进,dim1、dim2、dim3的计算公式分别为:As a further improvement of the present invention, the calculation formulas of dim 1 , dim 2 , and dim 3 are respectively:

Figure BDA0004060075180000043
Figure BDA0004060075180000043

Figure BDA0004060075180000044
Figure BDA0004060075180000044

Figure BDA0004060075180000045
Figure BDA0004060075180000045

式中,Acc为雾节点k接受终端i请求的次数,Sub为该终端提交的请求次数,Fin为雾节点完成该终端请求并返回结果的次数,Tru为雾节点返回的结果通过数据完整性验证的次数。Where Acc is the number of times fog node k accepts requests from terminal i, Sub is the number of requests submitted by the terminal, Fin is the number of times the fog node completes the terminal request and returns the result, and Tru is the number of times the result returned by the fog node passes the data integrity verification.

作为本发明的进一步改进,所述将访问策略树和用户的字符属性映射转化为语义属性映射,包括:As a further improvement of the present invention, the step of converting the access strategy tree and the character attribute mapping of the user into a semantic attribute mapping comprises:

对策略树中所要使用的属性进行语义映射,将属性通过语义推理转化为属性全集中的概念属性,然后用概念属性进行门限值访问策略树的设置;Perform semantic mapping on the attributes to be used in the strategy tree, transform the attributes into conceptual attributes in the attribute set through semantic reasoning, and then use the conceptual attributes to set the threshold value access strategy tree;

使用基于WordNet的语义推理将用户的属性列表中的属性映射到属性全集中的概念属性上,以用户的属性值x为起点,通过WordNet推理x的同义词集合和上位词集合,用WordNet将这些同义词集和上位词集的ID进行合并,得到用户的概念属性集。Use WordNet-based semantic reasoning to map the attributes in the user's attribute list to the conceptual attributes in the entire attribute set. Take the user's attribute value x as the starting point, infer the synonym set and hypernym set of x through WordNet, and use WordNet to merge the IDs of these synonym sets and hypernym sets to obtain the user's conceptual attribute set.

作为本发明的进一步改进,代理雾节点的选择方法,包括:As a further improvement of the present invention, the method for selecting a proxy fog node includes:

筛选雾节点列表L0中信誉值大于等于ε的节点,得到一个新的雾节点列表L;Filter the nodes whose reputation value is greater than or equal to ε in the fog node list L0 to obtain a new fog node list L;

根据雾节点信任模型计算用户终端设备对L中雾节点的综合信任值,结合雾节点的空闲资源情况计算雾节点的权重,然后使用权重随机负载均衡算法在列表L中选取代理雾节点;首先对L中雾节点的空闲资源量进行归一化处理,转化后的空闲资源量为{RS(1),RS(2),...,RS(n)},区间为[0,1];According to the fog node trust model, the comprehensive trust value of the user terminal device to the fog nodes in L is calculated, and the weight of the fog node is calculated in combination with the idle resource situation of the fog node. Then, the weighted random load balancing algorithm is used to select the proxy fog node in the list L. First, the idle resource amount of the fog node in L is normalized. The converted idle resource amount is {RS(1), RS(2), ..., RS(n)}, and the interval is [0, 1].

雾节点k的权重计算公式为:The weight calculation formula of fog node k is:

weight(k)=∝·Ti,k+β·RS(k)weight(k)=∝·T i,k +β·RS(k)

式中,∝、β是权重因子且∝+β=1。Where ∝ and β are weight factors and ∝+β=1.

作为本发明的进一步改进,使用BLS签名验证算法对解密后的信息进行完整性验证。As a further improvement of the present invention, the BLS signature verification algorithm is used to verify the integrity of the decrypted information.

与现有技术相比,本发明的有益效果为:Compared with the prior art, the present invention has the following beneficial effects:

本发明通过基于语义推理的属性映射对现有属性基加密方案进行优化,简化了属性管理,使用优化后的属性基加密技术实现了雾计算中隐私信息的细粒度访问控制;雾节点信任模型和节点状态评估机制使得设备可以选择更优质的雾计算节点,进一步保障了系统的可用性和安全性。The present invention optimizes the existing attribute-based encryption scheme through attribute mapping based on semantic reasoning, simplifies attribute management, and uses the optimized attribute-based encryption technology to achieve fine-grained access control of privacy information in fog computing; the fog node trust model and node status evaluation mechanism enable the device to select better fog computing nodes, further ensuring the availability and security of the system.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为本发明一种实施例公开的实现雾计算访问控制方法的系统模型图;访问策略树示意图;FIG1 is a system model diagram of a method for implementing fog computing access control disclosed in an embodiment of the present invention; a schematic diagram of an access strategy tree;

图2为本发明一种实施例公开的访问策略树示意图。FIG. 2 is a schematic diagram of an access strategy tree disclosed in an embodiment of the present invention.

图中:In the figure:

CSP:云服务提供商,主要负责信息的储存,并提供接口供给用户访问;CSP: Cloud service provider, mainly responsible for information storage and providing interfaces for users to access;

FN:雾节点,具有地理位置特征,主要负责给附近的用户设备提供外包计算能力;FN: Fog node, which has geographical location characteristics and is mainly responsible for providing outsourced computing capabilities to nearby user devices;

FN Manage Node:雾管理节点,审计终端与雾节点的历史交互行为,并对雾节点的信任值进行评估与管理;FN Manage Node: Fog management node, audits the historical interaction between the terminal and the fog node, and evaluates and manages the trust value of the fog node;

Data Owner:数据拥有者;Data Owner: Data owner;

Data User:数据用户;Data User: Data user;

CA:中央授权机构,为整个系统生成公共参数和主密钥。CA: Central authority that generates public parameters and master keys for the entire system.

AA:属性授权机构,负责系统的属性管理和用户密钥生成。AA: Attribute Authority, responsible for the system's attribute management and user key generation.

具体实施方式DETAILED DESCRIPTION

为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明的一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without making creative work are within the scope of protection of the present invention.

下面结合附图对本发明做进一步的详细描述:The present invention is further described in detail below in conjunction with the accompanying drawings:

本发明提供一种基于属性基加密和信任模型的雾计算访问控制方法,包括:The present invention provides a fog computing access control method based on attribute-based encryption and trust model, comprising:

1.系统初始化1. System initialization

设置系统公共参数PP和主密钥MK;属性授权机构设置属性全集S,并通过语义推理模块对属性全集进行优化处理,从而减少系统中的属性数量,之后为属性授权机构所管理的属性集合中的每一个属性生成属性公钥和属性私钥。Set the system public parameters PP and master key MK; the attribute authorization agency sets the attribute set S, and optimizes the attribute set through the semantic reasoning module to reduce the number of attributes in the system, and then generates an attribute public key and an attribute private key for each attribute in the attribute set managed by the attribute authorization agency.

语义推理模块对属性全集的优化处理具体为:通过语义知识库中的同义词集合对属性全集进行划分,将具有相同语义的属性进行合并,用同义词集合的唯一编号来表示合并结果,合并后的每个属性都代表语义知识库中的一个概念,这些概念属性组成了新的属性集合。The semantic reasoning module optimizes the entire set of attributes as follows: the entire set of attributes is divided by the synonym set in the semantic knowledge base, attributes with the same semantics are merged, and the merged result is represented by the unique number of the synonym set. Each merged attribute represents a concept in the semantic knowledge base, and these concept attributes constitute a new attribute set.

2.雾节点注册、物联网设备注册2. Fog node registration, IoT device registration

雾节点注册具体为:The specific registration of fog nodes is as follows:

雾节点进行雾节点注册,为雾节点生成唯一标识nid,记录节点信息并为其初始化信誉值。雾节点注册可由系统中已注册的其他雾节点推荐,推荐雾节点最多为m个,且雾节点的初始信誉值CFN与推荐雾节点的信誉值相关。The fog node registers the fog node, generates a unique identifier nid for the fog node, records the node information and initializes its reputation value. The fog node registration can be recommended by other fog nodes registered in the system. The maximum number of recommended fog nodes is m, and the initial reputation value CFN of the fog node is related to the reputation value of the recommended fog node.

物联网设备注册具体为:The specific registration of IoT devices is as follows:

如图1所示的系统中物联网设备逻辑上可分为数据拥有者DO和数据使用者DU,数据拥有者注册只需要生成唯一标识uid,而数据访问者注册还需要进行终端属性验证,并生成其属性列表Suid。在实际系统中,一个物联网设备可能既是数据拥有者又是数据使用者。在后文中,如无特别说明,用户、数据访问者均代表具有数据访问功能的物联网终端设备。In the system shown in Figure 1, IoT devices can be logically divided into data owners DO and data users DU. Data owner registration only requires the generation of a unique identifier uid, while data accessor registration also requires terminal attribute verification and the generation of its attribute list Suid . In actual systems, an IoT device may be both a data owner and a data user. In the following text, unless otherwise specified, users and data accessors both represent IoT terminal devices with data access functions.

3.用户密钥生成3. User key generation

系统对用户终端进行身份验证,验证成功后获取系统中用户的属性集合。The system authenticates the user terminal and obtains the user's attribute set in the system after successful authentication.

使用基于WordNet的语义推理将用户的属性列表中的属性映射到属性全集中的概念属性上,以用户的属性值x为起点,通过WordNet推理x的同义词集合和上位词集合,用WordNet将这些同义词集和上位词集的ID进行合并,得到用户的概念属性集。Use WordNet-based semantic reasoning to map the attributes in the user's attribute list to the conceptual attributes in the entire attribute set. Take the user's attribute value x as the starting point, infer the synonym set and hypernym set of x through WordNet, and use WordNet to merge the IDs of these synonym sets and hypernym sets to obtain the user's conceptual attribute set.

然后属性授权机构用该属性集合与属性全集的交集为用户生成用户密钥,包括外包解密密钥和用户解密密钥。Then the attribute authority generates a user key for the user using the intersection of the attribute set and the entire attribute set, including an outsourced decryption key and a user decryption key.

4.数据上传4. Data upload

4.1设置访问控制策略及隐私阈值4.1 Setting access control policies and privacy thresholds

使用如附图2所示门限值访问策略树来表达访问控制策略,叶子节点表示属性,非叶节点表示门限值,根节点存储秘密值s,对子节点进行秘密值分发,只有满足属性条件的属性集密钥可以解密出根节点的秘密值。首先对策略树中所要使用的属性进行语义映射,将这些属性通过语义推理转化为属性全集中的概念属性,然后用这些概念属性进行门限值访问策略树的设置。根据对上传信息的隐私重视程度,设置一个隐私阈值ε,将其作为密文的标签。The access control policy is expressed using the threshold access policy tree shown in Figure 2. Leaf nodes represent attributes, non-leaf nodes represent threshold values, and the root node stores the secret value s. The secret value is distributed to the child nodes. Only the attribute set key that meets the attribute conditions can decrypt the secret value of the root node. First, the attributes to be used in the policy tree are semantically mapped, and these attributes are converted into conceptual attributes in the attribute set through semantic reasoning. Then, these conceptual attributes are used to set the threshold access policy tree. According to the degree of attention to the privacy of the uploaded information, a privacy threshold ε is set and used as the label of the ciphertext.

4.2代理雾节点负载均衡算法4.2 Proxy Fog Node Load Balancing Algorithm

假设雾群中的雾节点列表为L0,雾管理节点通过以下步骤选择一个较优的雾节点作为终端设备的代理:Assuming that the list of fog nodes in the fog group is L 0 , the fog management node selects a better fog node as the proxy of the terminal device through the following steps:

步骤1、筛选雾节点列表L0中信誉值大于等于ε的节点,得到一个新的雾节点列表L。如果L为空,则代表当前附近没有合适的代理雾节点,DO自己执行信息加密和上传;反之,执行步骤2;Step 1: Filter the nodes with reputation values greater than or equal to ε in the fog node list L0 to obtain a new fog node list L. If L is empty, it means that there is no suitable proxy fog node nearby, and DO performs information encryption and upload by itself; otherwise, execute step 2;

步骤2、根据雾节点信任模型计算用户终端设备对L中雾节点的综合信任值,结合雾节点的空闲资源情况计算雾节点的权重,然后使用权重随机负载均衡算法在列表L中选取代理雾节点。首先对L中雾节点的空闲资源量进行归一化处理,转化后的空闲资源量为{RS(1),RS(2),...,RS(n)},区间为[0,1]。雾节点k的权重计算公式为:Step 2: Calculate the comprehensive trust value of the user terminal device to the fog nodes in L according to the fog node trust model, calculate the weight of the fog node in combination with the idle resources of the fog node, and then use the weighted random load balancing algorithm to select the proxy fog node in the list L. First, normalize the idle resources of the fog nodes in L. The converted idle resources are {RS(1), RS(2),..., RS(n)}, with a range of [0,1]. The weight calculation formula of fog node k is:

weight(k)=∝·Ti,k+β·RS(k)weight(k)=∝·T i,k +β·RS(k)

其中∝、β是权重因子且∝+β=1。Where ∝ and β are weight factors and ∝+β=1.

4.3数据拥有者加密4.3 Data Owner Encryption

首先随机生成一个对称密钥k,使用对称加密算法对信息进行对称加密得到密文CT1,然后生成两个秘密值,使用系统公共参数和秘密值对k进行加密得到密文CT2,并将其中一个秘密值和访问树T发送给代理雾节点进行外包计算。通过BLS短签名算法生成一对公私钥,用私钥对信息加密生成签名,将签名和公钥嵌入密文中一起上传。First, a symmetric key k is randomly generated, and the information is symmetrically encrypted using a symmetric encryption algorithm to obtain the ciphertext CT 1. Then two secret values are generated, and k is encrypted using the system public parameters and the secret value to obtain the ciphertext CT 2. One of the secret values and the access tree T is sent to the proxy fog node for outsourced calculation. A pair of public and private keys is generated using the BLS short signature algorithm, and the private key is used to encrypt the information to generate a signature. The signature and public key are embedded in the ciphertext and uploaded together.

4.4雾节点外包计算4.4 Fog Node Outsourcing Computing

代理雾节点负责加密过程中的访问策略树预处理及秘密值分发等运算,得到密文CT3。特别地,假如通过雾节点负载均衡算法没有找到合适的雾节点,则由数据拥有者完成所有加密计算。最后,将密文CT1、CT2、CT3、数字签名、签名公钥和隐私阈值合并为最终密文CT,上传到云服务器。The proxy fog node is responsible for the access strategy tree preprocessing and secret value distribution in the encryption process, and obtains the ciphertext CT 3. In particular, if no suitable fog node is found through the fog node load balancing algorithm, the data owner completes all encryption calculations. Finally, the ciphertexts CT 1 , CT 2 , CT 3 , digital signature, signature public key and privacy threshold are merged into the final ciphertext CT and uploaded to the cloud server.

5.数据访问5. Data Access

用户向云服务器请求密文,使用步骤4中的雾节点负载均衡算法选择代理雾节点,如果存在符合信誉条件的雾节点,则将外包密钥发送给该雾节点进行外包解密得到中间密文,再用用户密钥对其进行计算开销较小的解密运算,得到数据拥有者设置的对称密钥k,最后用k对密文进行解密得到最终的明文信息;否则,由用户设备完成所有的解密运算。The user requests the ciphertext from the cloud server and uses the fog node load balancing algorithm in step 4 to select the proxy fog node. If there is a fog node that meets the credibility conditions, the outsourced key is sent to the fog node for outsourced decryption to obtain the intermediate ciphertext, and then the user key is used to perform a decryption operation with low computational overhead to obtain the symmetric key k set by the data owner. Finally, k is used to decrypt the ciphertext to obtain the final plaintext information; otherwise, all decryption operations are completed by the user device.

6.密文验证6. Ciphertext verification

使用BLS签名验证算法对解密后的信息进行完整性验证,确保其未被篡改,并将验证结果反馈给雾管理节点。The BLS signature verification algorithm is used to verify the integrity of the decrypted information to ensure that it has not been tampered with, and the verification result is fed back to the fog management node.

BLS短签名算法定义了一个哈希函数H:{0,1}*→G,G是一个阶为p、生成元为g的素数阶乘法循环群。具体步骤如下:The BLS short signature algorithm defines a hash function H:{0,1} * →G, where G is a prime multiplication cyclic group with order p and generator g. The specific steps are as follows:

步骤1、密钥生成:数据拥有者选择一个随机数x∈Zp *,计算v=gx,则公钥为v,私钥为x;Step 1, key generation: the data owner selects a random number x∈Z p * and calculates v=g x , then the public key is v and the private key is x;

步骤2、签名:数据拥有者对明文m进行如下运算:σ=H(m)x,将σ和v嵌入密文中一起上传;Step 2: Signature: The data owner performs the following operation on the plaintext m: σ = H(m) x , embeds σ and v into the ciphertext and uploads them together;

步骤3、验证:数据访问者使用e(σ,g)=e(H(m),v)验证m是否被篡改。Step 3: Verification: The data accessor uses e(σ,g)=e(H(m),v) to verify whether m has been tampered with.

7.雾节点信任模型7. Fog Node Trust Model

本发明的终端设备对雾节点的交互行为包括外包加密请求、外包解密请求、数据传输请求。终端设备对于雾节点的信任由直接信任和间接信任组成。直接信任取决于终端与雾节点的历史交互结果;间接信任包括审计信任值和对等实体信任值,审计信任值是对雾节点与所有终端的历史交互结果进行审计得出;对等实体信任值是通过对等体选择策略选择一些终端设备,计算这些终端设备对雾节点的信任。The interactive behaviors of the terminal device of the present invention with the fog node include outsourced encryption request, outsourced decryption request, and data transmission request. The trust of the terminal device in the fog node consists of direct trust and indirect trust. Direct trust depends on the historical interaction results between the terminal and the fog node; indirect trust includes audit trust value and peer entity trust value. The audit trust value is obtained by auditing the historical interaction results between the fog node and all terminals; the peer entity trust value is selected by a peer selection strategy to calculate the trust of these terminal devices in the fog node.

从可用性、可靠性、数据完整性三个维度评价终端devicei和雾节点nodek的历史交互结果。可用性为雾节点对终端请求的响应能力,可靠性为雾节点在规定时间内完成已接受的请求的能力,数据完整性为雾节点外包解密结果的正确性。具体计算方式如下:The historical interaction results between terminal device i and fog node k are evaluated from three dimensions: availability, reliability, and data integrity. Availability refers to the ability of fog nodes to respond to terminal requests, reliability refers to the ability of fog nodes to complete accepted requests within a specified time, and data integrity refers to the correctness of fog node outsourced decryption results. The specific calculation method is as follows:

Figure BDA0004060075180000091
Figure BDA0004060075180000091

Figure BDA0004060075180000092
Figure BDA0004060075180000092

Figure BDA0004060075180000093
Figure BDA0004060075180000093

其中,dim1、dim2、dim3分别为nodek对于devicei的可用性、可靠性和数据完整性,Acc为雾节点k接受终端i请求的次数,Sub为该终端提交的请求次数,Fin为雾节点完成该终端请求并返回结果的次数,Tru为雾节点返回的结果通过数据完整性验证的次数。Wherein, dim 1 , dim 2 , and dim 3 are the availability, reliability, and data integrity of node k for device i, respectively. Acc is the number of times fog node k accepts requests from terminal i. Sub is the number of requests submitted by the terminal. Fin is the number of times the fog node completes the terminal request and returns the result. Tru is the number of times the result returned by the fog node passes the data integrity verification.

①直接信任值① Direct trust value

终端devicei对于雾节点nodek的直接信任值trusta(i,k)为:The direct trust value trust a (i, k) of terminal device i for fog node node k is:

trusta(i,k)=dim1·w1+dim2*w2+dim3·w3 trust a (i,k)=dim 1 ·w 1 +dim 2 *w 2 +dim 3 ·w 3

w1、w2、w3分别为可用性、可靠性、数据完整性的权重,且w1+w2+w3=1。特别地,当终端i与雾节点k的历史交互行为没有外包解密时,对应的权重w3设置为0。如果终端i与雾节点k无交互记录的话,直接信任值为null。w 1 , w 2 , and w 3 are the weights of availability, reliability, and data integrity, respectively, and w 1 +w 2 +w 3 = 1. In particular, when the historical interaction between terminal i and fog node k is not outsourced for decryption, the corresponding weight w 3 is set to 0. If there is no interaction record between terminal i and fog node k, the direct trust value is null.

②审计信任值②Audit Trust Value

审计信任值反映了系统中所有终端设备对于雾节点的评价,假设雾节点k的访问设备列表为L,trustb(k)表示雾节点k的审计信任值,计算方式为:The audit trust value reflects the evaluation of the fog node by all terminal devices in the system. Assuming that the access device list of fog node k is L, trust b (k) represents the audit trust value of fog node k, which is calculated as follows:

Figure BDA0004060075180000094
Figure BDA0004060075180000094

③对等实体信任值③Peer entity trust value

选择与雾节点k交互次数最多的前n个终端设备作为对等实体,计算对等实体信任值:Select the first n terminal devices that interact with fog node k the most times as peer entities and calculate the peer entity trust value:

Figure BDA0004060075180000095
Figure BDA0004060075180000095

对等实体信任值反映了系统中其他有代表性的终端设备对雾节点k的信任情况。The peer entity trust value reflects the trust of other representative terminal devices in the system towards the fog node k.

下面根据以上三种信任值的计算方法,对雾节点的信誉及终端设备i对雾节点k的综合信任度进行表示。Based on the above three trust value calculation methods, the reputation of the fog node and the comprehensive trust of the terminal device i in the fog node k are expressed below.

雾节点k的信誉值Reputationk:假设雾节点k的推荐节点列表为{node1,node2,...,nodep},根据②分别计算雾节点k的审计信任值trustb(k)和推荐节点列表的审计信任值{trustb(node1),trustb(node2),...,trustb(nodep)},然后计算:Reputation k of fog node k: Assume that the recommended node list of fog node k is {node 1 , node 2 , ..., node p }. According to ②, calculate the audit trust value trust b (k) of fog node k and the audit trust value of the recommended node list {trust b (node 1 ), trust b (node 2 ), ..., trust b (node p )} respectively, and then calculate:

Figure BDA0004060075180000101
Figure BDA0004060075180000101

wα和wβ为权重且wα+wβ=1。w α and w β are weights and w α +w β =1.

对①②③的信任值进行合并,得到终端i对节点k的综合信任值Ti,k:Combine the trust values of ①②③ to get the comprehensive trust value Ti ,k of terminal i to node k:

Ti,k=wa·trust(devicei,nodek)+wb·trust(deviceL,nodek)+wc·trust(devicei,nodeFL)T i,kwa ·trust(device i ,node k )+w b ·trust(device L ,node k )+w c ·trust(device i ,node FL )

其中,wa、wb、wc为对应权重且wa+wb+wc=1。需要注意的是,当存在直接信任值为null或者推荐节点信任值为null的情况时,计算综合信任值要将对应的部分去掉,即将对应权重设置为0。Among them, wa , wb , wc are corresponding weights and wa + wb + wc = 1. It should be noted that when there is a direct trust value of null or a recommendation node trust value of null, the corresponding part should be removed when calculating the comprehensive trust value, that is, the corresponding weight should be set to 0.

该模型的主要作用是计算雾节点k在系统中的信誉值Reputationk和终端设备i对节点k的综合信任值Ti,kThe main function of this model is to calculate the reputation value Reputation k of fog node k in the system and the comprehensive trust value Ti ,k of terminal device i to node k.

实施例:Example:

本发明提供一种基于属性基加密和信任模型的雾计算访问控制方法,包括:The present invention provides a fog computing access control method based on attribute-based encryption and trust model, comprising:

1.系统初始化1. System initialization

1.1公共参数及主密钥生成1.1 Public parameters and master key generation

CA首先根据随机安全参数τ,选择双线性映射e:G*G→G0,其中G是阶为素数p生成元为g的乘法循环群群,随机选取α,β∈Zp,h∈G,哈希函数:H:{0,1}*→Zp。记公共参数PP=(G,G0,p,g,gα,h,H,e(g,g)β),主密钥MK={α,gβ}。First, according to the random security parameter τ, CA selects the bilinear map e:G*G→G 0 , where G is a multiplicative cyclic group with a prime order p and a generator g, and randomly selects α, β∈Z p , h∈G, and the hash function: H:{0,1}*→Z p . Let the public parameters PP=(G,G 0 ,p,g,g α ,h,H,e(g,g) β ) and the master key MK={α,g β }.

1.2属性集合预处理1.2 Attribute Set Preprocessing

对属性全集进行预处理,对于每一个属性授权机构,设置其管理的属性全集,使用WordNet语义推理模块对每个属性授权机构管理的属性全集进行预处理,通过WordNet中的同义词集合对属性全集进行划分,将具有相同语义的属性进行合并,用同义词集合的唯一编号(词典编撰ID(Lexicographer ID))来表示合并结果,合并后的每个属性都代表语义知识库中的一个概念,这些概念属性组成了新的属性集合。Preprocess the complete set of attributes. For each attribute authorization agency, set the complete set of attributes it manages. Use the WordNet semantic reasoning module to preprocess the complete set of attributes managed by each attribute authorization agency. Divide the complete set of attributes by the synonym set in WordNet, merge attributes with the same semantics, and use the unique number of the synonym set (Lexicographer ID) to represent the merged result. Each merged attribute represents a concept in the semantic knowledge base, and these concept attributes constitute a new attribute set.

该处理的有益效果是:建立了标准化的语义属性集合,方便了访问策略的设置以及用户属性的映射,极大的减少了属性全集中的属性数量,从而降低了属性管理的复杂度以及计算开销。The beneficial effects of this processing are: establishing a standardized set of semantic attributes, facilitating the setting of access policies and the mapping of user attributes, and greatly reducing the number of attributes in the attribute set, thereby reducing the complexity of attribute management and computing overhead.

1.3属性授权机构初始化1.3 Attribute Authority Initialization

假设一共有N个属性授权机构,每个属性授权机构管理的属性集合为Si(i∈N),各属性集合互不相交。每个属性授权机构选取一个随机数ti∈Zp,对于Si中的每个属性x,选择一个随机数bx∈Zp,生成

Figure BDA0004060075180000111
Figure BDA0004060075180000112
Assume that there are N attribute authorization agencies, each of which manages a set of attributes Si (i∈N), and each attribute set is disjoint. Each attribute authorization agency selects a random number ti∈Zp , and for each attribute x in Si , selects a random number bx∈Zp to generate
Figure BDA0004060075180000111
and
Figure BDA0004060075180000112

2.雾节点注册、物联网设备注册2. Fog node registration, IoT device registration

雾节点注册具体为:The specific registration of fog nodes is as follows:

雾节点进行雾节点注册,为雾节点生成唯一标识nid,记录节点信息并为其初始化信誉值。雾节点注册可由系统中已注册的其他雾节点推荐,推荐雾节点最多为m个,且雾节点的初始信誉值CFN与推荐雾节点的信誉值相关。The fog node registers the fog node, generates a unique identifier nid for the fog node, records the node information and initializes its reputation value. The fog node registration can be recommended by other fog nodes registered in the system. The maximum number of recommended fog nodes is m, and the initial reputation value CFN of the fog node is related to the reputation value of the recommended fog node.

物联网设备注册具体为:The specific registration of IoT devices is as follows:

本系统中物联网设备逻辑上可分为数据拥有者DO和数据使用者DU。数据拥有者注册只需要生成唯一标识uid,而数据访问者注册还需要进行终端属性验证,并生成其属性列表SuidIn this system, IoT devices can be logically divided into data owners DO and data users DU. Data owner registration only requires the generation of a unique identifier uid, while data accessor registration also requires terminal attribute verification and the generation of its attribute list Suid .

3.密钥生成3. Key Generation

(uid,PP,ASK)→{SK,SK’}(uid,PP,ASK)→{SK,SK’}

3.1基于WordNet的用户属性语义映射3.1 User Attribute Semantic Mapping Based on WordNet

首先根据uid查询到用户注册的属性列表Suid,然后使用基于WordNet的语义推理将用户的属性列表中的属性映射到属性全集中的概念属性上,以用户的属性值x为起点,通过WordNet推理x的同义词集合和上位词集合,用WordNet将这些同义词集和上位词集的ID进行合并,得到一个新的属性列表S’uidFirst, query the user's registered attribute list Suid according to uid, and then use WordNet-based semantic reasoning to map the attributes in the user's attribute list to the conceptual attributes in the entire attribute set. Taking the user's attribute value x as the starting point, infer the synonym set and hypernym set of x through WordNet, and use WordNet to merge the IDs of these synonym sets and hypernym sets to obtain a new attribute list S'uid .

3.2用户密钥生成3.2 User Key Generation

AAi对于每一个属性x∈Si∩S’uid,计算

Figure BDA0004060075180000113
令用户的属性私钥SKAA={D’x},AAi将SKAA发送给CA进行下一步,CA接收到用户的属性私钥之后,选取随机数λ,θ∈Zp,计算D=gβ+α,D1=gαλhθ,D2=gθ,
Figure BDA0004060075180000121
输出用户的私钥SK和外包密钥SK’为:AA i For each attribute x∈S i ∩S' uid , calculate
Figure BDA0004060075180000113
Let the user's attribute private key SK AA = {D' x }, AA i sends SK AA to CA for the next step. After receiving the user's attribute private key, CA selects a random number λ, θ∈Z p and calculates D = g β + α , D 1 = g αλ h θ , D 2 = g θ ,
Figure BDA0004060075180000121
The output user's private key SK and outsourcing key SK' are:

SK={D=gβ+αλ}SK={D=g β+αλ }

Figure BDA0004060075180000122
Figure BDA0004060075180000122

4.数据上传4. Data upload

4.1设置访问策略和隐私阈值4.1 Setting Access Policies and Privacy Thresholds

首先对策略树中所要使用的属性进行语义映射,将这些属性通过语义推理转化为属性全集中的概念属性,然后用概念属性集进行门限值访问策略树的设置。根据对上传信息的隐私重视程度,设置一个隐私阈值ε,并将其作为上传内容的标签。First, semantic mapping is performed on the attributes to be used in the strategy tree, and these attributes are converted into conceptual attributes in the attribute set through semantic reasoning. Then, the threshold access strategy tree is set using the conceptual attribute set. According to the degree of attention paid to the privacy of the uploaded information, a privacy threshold ε is set and used as the label of the uploaded content.

4.2代理雾节点负载均衡算法4.2 Proxy Fog Node Load Balancing Algorithm

假设雾群中的雾节点列表L0,雾管理节点通过以下步骤选择一个较优的雾节点作为终端设备的代理:Assuming the fog node list L 0 in the fog group, the fog management node selects a better fog node as the proxy of the terminal device through the following steps:

步骤1、筛选雾节点列表L0中信誉值大于等于ε的节点,得到一个新的雾节点列表L。如果L为空,则代表当前附近没有合适的代理雾节点,DO自己执行信息加密和上传;反之,执行步骤2;Step 1: Filter the nodes with reputation values greater than or equal to ε in the fog node list L0 to obtain a new fog node list L. If L is empty, it means that there is no suitable proxy fog node nearby, and DO performs information encryption and upload by itself; otherwise, execute step 2;

步骤2、根据雾节点信任模型计算用户终端设备对L中雾节点的综合信任值,结合雾节点的空闲资源情况计算雾节点的权重,然后使用权重随机负载均衡算法在列表L中选取代理雾节点。首先对L中雾节点的空闲资源量进行归一化处理,转化后的空闲资源量为{RS(1),RS(2),...,RS(n)},区间为[0,1]。雾节点k的权重计算公式为:Step 2: Calculate the comprehensive trust value of the user terminal device to the fog nodes in L according to the fog node trust model, calculate the weight of the fog node in combination with the idle resources of the fog node, and then use the weighted random load balancing algorithm to select the proxy fog node in the list L. First, normalize the idle resources of the fog nodes in L. The converted idle resources are {RS(1), RS(2),..., RS(n)}, with a range of [0,1]. The weight calculation formula of fog node k is:

weight(k)=∝·Ti,k+β·RS(k)weight(k)=∝·T i,k +β·RS(k)

其中,∝、β是权重因子且∝+β=1。Among them, ∝, β are weight factors and ∝+β=1.

此节点负载均衡算法的有益效果是结合了信息隐私等级、雾节点在系统中的信誉值、用户对雾节点的信任值、空闲资源情况,综合选出一个优质雾节点作为代理。The beneficial effect of this node load balancing algorithm is that it combines the information privacy level, the reputation value of the fog node in the system, the user's trust value in the fog node, and the idle resource situation to comprehensively select a high-quality fog node as a proxy.

4.3 DO加密算法4.3 DO encryption algorithm

DO先选择一个对称密钥k对数据信息M进行对称加密,得到密文SEk(M),然后随机选择u,v∈Zp,满足s=u+v,s∈Zp,计算C=k·e(g,g)βs,C’=gs,C1=gv,C2=hv,σ=H(M)s,生成密文CT1={SEk(M),σ,C,C’,C1,C2}。DO first selects a symmetric key k to symmetrically encrypt the data information M to obtain the ciphertext SE k (M), then randomly selects u, v∈Z p to satisfy s=u+v, s∈Z p , calculates C=k·e(g,g) βs , C'=g s , C 1 =g v , C 2 =h v , σ=H(M) s , and generates the ciphertext CT 1 ={SE k (M),σ,C,C',C 1 ,C 2 }.

如果经过节点选择算法之后DO找到了符合信誉条件的代理雾节点,就将{T,u}发送给该雾节点进行外包加密;否则,DO自己进行CT2的计算,CT2的计算方法见4.4。If DO finds a proxy fog node that meets the reputation conditions after the node selection algorithm, it will send {T,u} to the fog node for outsourced encryption; otherwise, DO calculates CT 2 by itself. The calculation method of CT 2 is shown in 4.4.

4.4雾节点加密算法4.4 Fog Node Encryption Algorithm

首先为T中每一个节点i选取多项式Qi,其中多项式Qi的次数fi和节点i的门限值ni的关系为fi=ni-1。对于根节点R,让其多项式的常数项为u,然后选择fR个随机值把QR定义完整;对于其他节点,Qi(0)=Qparent(i)(index(i)),然后再随机选择fi个值完成多项式定义。其中parent(i)是节点i的父节点,index(i)是节点i的索引值。First, for each node i in T, select a polynomial Qi , where the degree fi of the polynomial Qi and the threshold value ni of the node i are related by fi = ni -1. For the root node R, let the constant term of its polynomial be u, and then select f R random values to complete the definition of QR ; for other nodes, Qi (0) = Q parent (i) (index (i)), and then randomly select f i values to complete the polynomial definition. Where parent (i) is the parent node of node i, and index (i) is the index value of node i.

设访问策略T中的叶子节点集合为Sattr,对于Sattr中的每一个叶子节点,定义

Figure BDA0004060075180000131
输出部分密文
Figure BDA0004060075180000132
Let the set of leaf nodes in access strategy T be S attr . For each leaf node in S attr , define
Figure BDA0004060075180000131
Output partial ciphertext
Figure BDA0004060075180000132

最终,用户将两部分密文合并为

Figure BDA0004060075180000133
将CT上传至云服务器进行存储。Finally, the user merges the two parts of the ciphertext into
Figure BDA0004060075180000133
Upload CT to the cloud server for storage.

5.数据访问5. Data Access

用户向云服务器请求密文,使用4.2中的负载均衡算法选择雾节点,如果存在符合条件的雾节点,则将外包密钥发送给该雾节点进行外包解密;否则,在用户本地进行所有解密步骤。The user requests the ciphertext from the cloud server and uses the load balancing algorithm in 4.2 to select a fog node. If there is a fog node that meets the conditions, the outsourced key is sent to the fog node for outsourced decryption; otherwise, all decryption steps are performed locally on the user.

5.1外包解密5.1 Outsourcing Decryption

外包解密的过程如下:The process of outsourcing decryption is as follows:

用户的外包密钥

Figure BDA0004060075180000134
定义递归算法DfsNode(T,SK’,x)表示访问树中任意节点x与用户的概念属性集的解密结果。Outsourced keys for users
Figure BDA0004060075180000134
Define the recursive algorithm DfsNode(T,SK',x) to represent the decryption result of any node x in the access tree and the user's conceptual attribute set.

如果x是叶子节点,假设attr(x)∈Sattr,计算

Figure BDA0004060075180000135
Figure BDA0004060075180000136
如果
Figure BDA0004060075180000137
Fx为null。If x is a leaf node, assuming attr(x)∈S attr , calculate
Figure BDA0004060075180000135
Figure BDA0004060075180000136
if
Figure BDA0004060075180000137
F x is null.

如果x是非叶节点,Sx表示x的子节点中满足F≠null的节点集合,假设Sx的节点个数小于x的门限值,Fx为null;否则,根据拉格朗日插值法进行如下计算:If x is a non-leaf node, S x represents the set of nodes in x's child nodes that satisfy F≠null. Assuming that the number of nodes in S x is less than the threshold value of x, F x is null; otherwise, the Lagrange interpolation method is used to perform the following calculation:

Figure BDA0004060075180000138
Figure BDA0004060075180000138

其中,i=index(z),S’x={index(z):z∈S},

Figure BDA0004060075180000139
where i = index(z), S' x = {index(z):z∈S},
Figure BDA0004060075180000139

对根节点R调用该递归算法,若用户的属性集合符合访问策略T,则:Call the recursive algorithm on the root node R. If the user's attribute set meets the access policy T, then:

Figure BDA00040600751800001310
Figure BDA00040600751800001310

Figure BDA0004060075180000141
Figure BDA0004060075180000141

生成中间密文CT’={SEk(M),σ,C,C’,IT},发送给用户。Generate an intermediate ciphertext CT'={SE k (M),σ,C,C',IT} and send it to the user.

5.2用户解密5.2 User Decryption

用户计算

Figure BDA0004060075180000142
然后使用对称密钥k对SEk(M)进行解密得到明文。User Computing
Figure BDA0004060075180000142
Then, the symmetric key k is used to decrypt SE k (M) to obtain the plaintext.

6.密文验证6. Ciphertext verification

用户通过以下等式对解密后信息的正确性进行验证:The user verifies the correctness of the decrypted information through the following equation:

e(σ,g)=e(H(M),C’)e(σ,g)=e(H(M),C’)

若该等式成立,则明文M正确;否则,验证失败,用户将失败记录上传至信誉管理服务器,失败记录包括用户id,雾节点id,密文id。If the equation holds true, the plaintext M is correct; otherwise, the verification fails, and the user uploads the failure record to the reputation management server. The failure record includes the user id, fog node id, and ciphertext id.

7.雾节点信任模型7. Fog Node Trust Model

本方案中终端设备对雾节点的交互行为包括外包加密请求、外包解密请求、数据传输请求。终端设备对于雾节点的信任由直接信任和间接信任组成。直接信任取决于终端与雾节点的历史交互结果;间接信任包括审计信任值和对等实体信任值,审计信任值是对雾节点与所有终端的历史交互结果进行审计得出;对等实体信任值是通过对等体选择策略选择一些终端设备,计算这些终端设备对雾节点的信任。In this scheme, the interactive behaviors of terminal devices to fog nodes include outsourced encryption requests, outsourced decryption requests, and data transmission requests. The trust of terminal devices to fog nodes consists of direct trust and indirect trust. Direct trust depends on the historical interaction results between the terminal and the fog node; indirect trust includes audit trust value and peer entity trust value. The audit trust value is obtained by auditing the historical interaction results between the fog node and all terminals; the peer entity trust value is selected by the peer selection strategy to calculate the trust of these terminal devices to the fog node.

从可用性、可靠性、数据完整性三个维度评价终端devicei和雾节点nodek的历史交互结果。可用性为雾节点对终端请求的响应能力,可靠性为雾节点在规定时间内完成已接受的请求的能力,数据完整性为雾节点外包解密结果的正确性。具体计算方式如下:The historical interaction results between terminal device i and fog node k are evaluated from three dimensions: availability, reliability, and data integrity. Availability refers to the ability of fog nodes to respond to terminal requests, reliability refers to the ability of fog nodes to complete accepted requests within a specified time, and data integrity refers to the correctness of fog node outsourced decryption results. The specific calculation method is as follows:

Figure BDA0004060075180000143
Figure BDA0004060075180000143

Figure BDA0004060075180000144
Figure BDA0004060075180000144

Figure BDA0004060075180000145
Figure BDA0004060075180000145

其中,dim1、dim2、dim3分别为nodek对于devicei的可用性、可靠性和数据完整性,Acc为雾节点k接受终端i请求的次数,Sub为该终端提交的请求次数,Fin为雾节点完成该终端请求并返回结果的次数,Tru为雾节点返回的结果通过数据完整性验证的次数。Wherein, dim 1 , dim 2 , and dim 3 are the availability, reliability, and data integrity of node k for device i, respectively. Acc is the number of times fog node k accepts requests from terminal i. Sub is the number of requests submitted by the terminal. Fin is the number of times the fog node completes the terminal request and returns the result. Tru is the number of times the result returned by the fog node passes the data integrity verification.

①直接信任值① Direct trust value

终端devicei对于雾节点nodek的直接信任值trusta(i,k)为:The direct trust value trust a (i, k) of terminal device i for fog node node k is:

trusta(i,k)=dim1·w1+dim2·w2+dim3·w3 trust a (i,k)=dim 1 ·w 1 +dim 2 ·w 2 +dim 3 ·w 3

w1、w2、w3分别为可用性、可靠性、数据完整性的权重,且w1+w2+w3=1。特别地,当终端i与雾节点k的历史交互行为没有外包解密时,对应的权重w3设置为0。如果终端i与雾节点k无交互记录的话,直接信任值为null。w 1 , w 2 , and w 3 are the weights of availability, reliability, and data integrity, respectively, and w 1 +w 2 +w 3 = 1. In particular, when the historical interaction between terminal i and fog node k is not outsourced for decryption, the corresponding weight w 3 is set to 0. If there is no interaction record between terminal i and fog node k, the direct trust value is null.

②审计信任值②Audit Trust Value

审计信任值反映了系统中所有终端设备对于雾节点的评价,假设雾节点k的访问设备列表为L,trustb(k)表示雾节点k的审计信任值,计算方式为:The audit trust value reflects the evaluation of the fog node by all terminal devices in the system. Assuming that the access device list of fog node k is L, trust b (k) represents the audit trust value of fog node k, which is calculated as follows:

Figure BDA0004060075180000151
Figure BDA0004060075180000151

③对等实体信任值③Peer entity trust value

选择与雾节点k交互次数最多的前n个终端设备作为对等实体,计算对等实体信任值:Select the first n terminal devices that interact with fog node k the most times as peer entities and calculate the peer entity trust value:

Figure BDA0004060075180000152
Figure BDA0004060075180000152

对等实体信任值反映了系统中其他有代表性的终端设备对雾节点k的信任情况。The peer entity trust value reflects the trust of other representative terminal devices in the system towards the fog node k.

下面根据以上三种信任值的计算方法,对雾节点的信誉及终端设备i对雾节点k的综合信任度进行表示。Based on the above three trust value calculation methods, the reputation of the fog node and the comprehensive trust of the terminal device i in the fog node k are expressed below.

雾节点k的信誉值:假设雾节点k的推荐节点列表为{node1,node2,...,nodep},根据②分别计算雾节点k的审计信任值trustb(k)和推荐节点列表的审计信任值{trustb(node1),trustb(node2),...,trustb(nodep)},然后计算:Reputation value of fog node k: Assume that the recommended node list of fog node k is {node 1 , node 2 , ..., node p }. According to ②, calculate the audit trust value trust b (k) of fog node k and the audit trust value of the recommended node list {trust b (node 1 ), trust b (node 2 ), ..., trust b (node p )} respectively, and then calculate:

Figure BDA0004060075180000153
Figure BDA0004060075180000153

wα和wβ为权重且wα+wβ=1。w α and w β are weights and w α +w β =1.

对①②③的信任值进行合并,得到终端i对节点k的综合信任值Ti,k:Combine the trust values of ①②③ to get the comprehensive trust value Ti ,k of terminal i to node k:

Ti,k=wa·trust(devicei,nodek)+wb·trust(deviceL,nodek)+wc·trust(devicei,nodeFL)T i,kwa ·trust(device i ,node k )+w b ·trust(device L ,node k )+w c ·trust(device i ,node FL )

其中,wa、wb、wc为对应权重且wa+wb+wc=1。需要注意的是,当存在直接信任值为null或者推荐节点信任值为null的情况时,计算综合信任值要将对应的部分去掉,即将对应权重设置为0。Among them, wa , wb , wc are corresponding weights and wa + wb + wc = 1. It should be noted that when there is a direct trust value of null or a recommendation node trust value of null, the corresponding part should be removed when calculating the comprehensive trust value, that is, the corresponding weight should be set to 0.

本发明的主要创新点体现在:The main innovative features of the present invention are:

1.基于wordnet的属性映射方案:简化了属性管理,降低了访问策略构建的难度,通过减少属性的数量间接提高了加解密效率;1. Wordnet-based attribute mapping solution: simplifies attribute management, reduces the difficulty of building access policies, and indirectly improves encryption and decryption efficiency by reducing the number of attributes;

2、构建雾节点信任模型:通过信任度量对雾节点进行风险预估,通过多个维度计算雾节点信誉及终端对节点的综合信任值;2. Construct a fog node trust model: Use trust metrics to estimate the risk of fog nodes, and calculate the reputation of fog nodes and the comprehensive trust value of terminals to nodes through multiple dimensions;

3、结合信誉值和信任度的雾节点负载均衡方案:首先通过信誉值过滤掉不符合隐私阈值的节点,然后通过信任度和节点空闲资源对雾节点赋予权重,再通过权重随机负载均衡算法选出代理雾节点。3. A fog node load balancing solution combining reputation and trust: First, nodes that do not meet the privacy threshold are filtered out by reputation, then fog nodes are weighted by trust and node idle resources, and then proxy fog nodes are selected by weighted random load balancing algorithm.

本发明的优点为:The advantages of the present invention are:

本发明通过基于语义推理的属性映射对现有属性基加密方案进行优化,简化了属性管理,使用优化后的属性基加密技术实现了雾计算中隐私信息的细粒度访问控制;The present invention optimizes the existing attribute-based encryption scheme through attribute mapping based on semantic reasoning, simplifies attribute management, and uses the optimized attribute-based encryption technology to achieve fine-grained access control of privacy information in fog computing;

对于物联网环境中设备属性爆炸的现状,本发明结合了不同系统中属性具有异构性的特点,设计了基于语义推理的属性管理方式,不仅更方便于用户设置访问结构和自身属性,更大大减少了属性全集中属性的数量,进而提升了访问控制的效率;In view of the current situation of device attribute explosion in the IoT environment, the present invention combines the heterogeneous characteristics of attributes in different systems and designs an attribute management method based on semantic reasoning, which is not only more convenient for users to set access structures and their own attributes, but also greatly reduces the number of attributes in the attribute set, thereby improving the efficiency of access control;

由于使用了雾节点进行外包计算和请求代理,所以评判雾节点的安全风险是很有必要的;为此,本发明设计了雾节点的信任模型,既增加了访问控制的安全性,又给终端设备如何选择雾节点带来了一个可参考的标准,根据信任值权重负载均衡算法,更加充分地利用了雾计算节点的计算能力。Since fog nodes are used for outsourced computing and request proxying, it is necessary to judge the security risks of fog nodes. To this end, the present invention designs a trust model for fog nodes, which not only increases the security of access control, but also provides a reference standard for terminal devices to select fog nodes. According to the trust value weight load balancing algorithm, the computing power of fog computing nodes is more fully utilized.

以上仅为本发明的优选实施例而已,并不用于限制本发明,对于本领域的技术人员来说,本发明可以有各种更改和变化。凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above are only preferred embodiments of the present invention and are not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.

Claims (7)

1. A fog computing access control method based on attribute-based encryption and trust model, comprising:
constructing a fog node trust model:
dividing the fog nodes into fog groups, and calculating the credit of the fog nodes and the trust value of the user terminal to the fog nodes by the management nodes in the fog groups through three dimensions of direct trust, audit trust and peer entity trust;
establishing a semantic optimization attribute-based encryption method:
optimizing an attribute-based encryption method based on attribute mapping of semantic reasoning, and converting character attribute mapping of an access strategy tree and a user into semantic attribute mapping;
access control in fog calculation is carried out based on a fog node trust model and a semantic optimization attribute-based encryption method:
the data owner sets an access control strategy tree and a privacy threshold, selects a proxy fog node through a trust-based weight load balancing algorithm, and performs outsourcing encryption and ciphertext uploading through the proxy fog node;
the data visitor firstly acquires the privacy threshold of the target information, then invokes a trust-based weight load balancing algorithm to select the proxy fog node for outsourcing decryption to obtain an intermediate ciphertext, and finally decrypts the intermediate ciphertext to obtain a required plaintext;
and carrying out integrity verification on the plaintext through a short signature algorithm, and uploading a verification result to the fog management node as one of trust evaluation bases.
2. The mist computing access control method of claim 1, wherein,
reputation reporting of foggy node k k The calculation formula of (2) is as follows:
Figure FDA0004060075170000011
wherein w is α And w β Is weight and w α +w β =1,trust b (k) Audit trust value for mist node k b (i') recommended node list { node ] for foggy node k 1 ,node 2 ,...,node p Audit trust value of };
comprehensive trust value T of user terminal i to fog node k i,k The method comprises the following steps:
T i,k =w a ·trust a (i,k)+w b ·trust b (k)+w c ·trust c (i,k)
wherein w is a 、w b 、w c Is weight and w a +w b +w c =1,trust a (i, k) is the direct trust of the user terminal i to the fog node k, trust b (k) Audit trust value for mist node k c (i, k) trust for peer entities.
3. The mist computing access control method of claim 2, wherein,
direct trust value trust a The calculation formula of (i, k) is:
trust a (i,k)=dim 1 ·w 1 +dim 2 ·w 2 +dim 3 ·w 3
wherein w is 1 、w 2 、w 3 Weights availability, reliability, data integrity, respectively, and w 1 +w 2 +w 3 =1,dim 1 、dim 2 、dim 3 Availability, reliability and data integrity of the fog node k to the user terminal i respectively;
audit letterAny value trust b (k) The calculation formula of (2) is as follows:
Figure FDA0004060075170000021
wherein L is an access equipment list of the fog node k;
peer trust c The calculation formula of (i, k) is:
Figure FDA0004060075170000022
in the formula, n is the first n terminals with the largest interaction times with the fog node k.
4. A fog computing access control method as claimed in claim 3, wherein dim 1 、dim 2 、dim 3 The calculation formulas of (a) are respectively as follows:
Figure FDA0004060075170000023
Figure FDA0004060075170000024
Figure FDA0004060075170000025
in the formula, acc is the number of times that the fog node k receives the request of the terminal i, sub is the number of times that the terminal submits the request, fin is the number of times that the fog node finishes the request of the terminal and returns a result, and Tru is the number of times that the result returned by the fog node passes the data integrity verification.
5. The fog-computing access control method of claim 1, wherein the converting the character attribute map of the access policy tree and the user into the semantic attribute map comprises:
performing semantic mapping on attributes to be used in the strategy tree, converting the attributes into concept attributes in the attribute total set through semantic reasoning, and then performing threshold value access strategy tree setting by using the concept attributes;
mapping the attribute in the attribute list of the user to the conceptual attribute in the attribute total set by using semantic reasoning based on WordNet, and merging IDs of the synonym set and the superword set by using the WordNet reasoning of the synonym set and the superword set by taking the attribute value x of the user as a starting point to obtain the conceptual attribute set of the user.
6. The fog computing access control method of claim 1, wherein the method of selecting the proxy fog node comprises:
screening fog node list L 0 Nodes with the medium reputation value being greater than or equal to epsilon are obtained to obtain a new fog node list L;
calculating the comprehensive trust value of the user terminal equipment to the fog nodes in the L according to the fog node trust model, calculating the weight of the fog nodes by combining the idle resource condition of the fog nodes, and then selecting the alternative fog management nodes in the list L by using a weight random load balancing algorithm; firstly, carrying out normalization processing on the idle resource quantity of the fog node in the L, wherein the converted idle resource quantity is { RS (1), RS (2),. The number of the idle resource quantity is RS (n) }, and the interval is [0,1];
the weight calculation formula of the fog node k is as follows:
weight(k)=∝·T i,k +β·RS(k)
where, c and β are weight factors and c+β=1.
7. The fog-computing access control method of claim 1, wherein the decrypted information is integrity verified using a BLS signature verification algorithm.
CN202310054749.3A 2023-02-03 2023-02-03 Fog computing access control method based on attribute-based encryption and trust model Pending CN116204917A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310054749.3A CN116204917A (en) 2023-02-03 2023-02-03 Fog computing access control method based on attribute-based encryption and trust model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310054749.3A CN116204917A (en) 2023-02-03 2023-02-03 Fog computing access control method based on attribute-based encryption and trust model

Publications (1)

Publication Number Publication Date
CN116204917A true CN116204917A (en) 2023-06-02

Family

ID=86518429

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310054749.3A Pending CN116204917A (en) 2023-02-03 2023-02-03 Fog computing access control method based on attribute-based encryption and trust model

Country Status (1)

Country Link
CN (1) CN116204917A (en)

Similar Documents

Publication Publication Date Title
US20230023857A1 (en) Data processing method and apparatus, intelligent device, and storage medium
Feng et al. Efficient and secure data sharing for 5G flying drones: A blockchain-enabled approach
Zhang et al. Attribute-based access control for smart cities: A smart-contract-driven framework
Aujla et al. SecSVA: secure storage, verification, and auditing of big data in the cloud environment
Wang et al. A blockchain-based framework for data sharing with fine-grained access control in decentralized storage systems
WO2019214311A1 (en) Blockchain-based information supervision method and device
Zhu et al. Dynamic audit services for integrity verification of outsourced storages in clouds
CN114205136A (en) A method and system for sharing traffic data resources based on blockchain technology
CN106682069A (en) User-controllable data retravel method and data storage method, terminal and system
Li et al. Zero trust in edge computing environment: a blockchain based practical scheme
Xu et al. An efficient blockchain‐based privacy‐preserving scheme with attribute and homomorphic encryption
CN115380303A (en) Trusted platform based on block chain
CN112214544A (en) Secure storage method for edge data of ubiquitous power Internet of things based on permissioned blockchain
Chai et al. BHE-AC: A blockchain-based high-efficiency access control framework for Internet of Things
Ahmed et al. Toward fine‐grained access control and privacy protection for video sharing in media convergence environment
Cai et al. Vizard: A metadata-hiding data analytic system with end-to-end policy controls
Liu et al. Blockchain-based access control approaches
CN113302612B (en) Computer implementation method, system and device for cross-chain and cross-network data transmission
CN114978664A (en) Data sharing method and device and electronic equipment
CN113597608B (en) Trusted platform based on blockchain
Zhang et al. A Blockchain‐Based Microgrid Data Disaster Backup Scheme in Edge Computing
CN113011960A (en) Block chain-based data access method, device, medium and electronic equipment
Cheng et al. Ocean data sharing based on blockchain
Zhang et al. Research and application of data privacy protection technology in cloud computing environment based on attribute encryption
CN113449014B (en) A selective cloud data query system based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination