CN116204917A - Fog computing access control method based on attribute-based encryption and trust model - Google Patents
- Publication number: CN116204917A (application CN202310054749.3A)
- Authority: CN (China)
- Legal status: Pending (Google's assumption, not a legal conclusion; no legal analysis was performed)
Classifications
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing)
- G06F21/60: Protecting data
- G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218: Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
- G06F21/602: Providing cryptographic facilities or services
Abstract
The invention discloses a fog computing access control method based on attribute-based encryption and a trust model, comprising the following steps: constructing a fog node trust model: calculating the reputation of a fog node, and the trust value of a user terminal in the fog node, from three dimensions of direct trust, audit trust and peer entity trust; establishing a semantically optimized attribute-based encryption method: optimizing an attribute-based encryption method with attribute mapping based on semantic reasoning, converting the character attribute mapping of the access policy tree and of the user into a semantic attribute mapping; performing access control in fog computing based on the fog node trust model and the semantically optimized attribute-based encryption method: the data owner sets an access control policy tree and a privacy threshold, selects a proxy fog node through a trust-based weighted load balancing algorithm, and performs outsourced encryption and ciphertext upload through the proxy fog node; the data visitor obtains the privacy threshold of the target information, calls the proxy fog node to perform outsourced decryption to obtain an intermediate ciphertext, and decrypts the intermediate ciphertext to obtain the required plaintext.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a fog computing access control method based on attribute-based encryption and a trust model.
Background
Internet of things devices and applications are growing, and will continue to grow, at a staggering rate, bringing many new devices and applications that require lower latency, location awareness, mobility support and so on. Centralized cloud computing no longer meets the requirements of Internet of things scenarios, and fog computing has emerged as a result. Fog computing is composed of a large number of fog nodes distributed near the user terminals, so it can provide terminal applications with faster request response, location awareness, real-time analysis and the like, meeting the low-latency, location-awareness and geographic-distribution requirements of Internet of things devices and applications.
While fog computing provides many benefits, it also faces various security and privacy concerns. Privacy protection in fog computing is more challenging than with remote cloud servers in the core network, because fog server nodes adjacent to end nodes may collect sensitive data about identity, location and utility usage, and compromised, insecure edge nodes may serve as entry points for intruders into the network. Once an intruder is inside the network, the private data that users exchange between entities can be mined and stolen, and communication between fog architectures can also lead to privacy disclosure. Although some existing solutions for cloud computing environments can address many security and privacy issues in fog computing, the unique characteristics of fog computing, such as the strong mobility of terminal devices, the extremely large number of devices and the limited computing resources of fog nodes, present new security and privacy challenges. Therefore, protecting the data security of users in the fog computing environment has important research significance.
In order to ensure data security in cloud computing, it is common practice to use access control to protect information. An access control method defines, using various techniques, the access of subjects to object data resources. In the traditional role-based access control scheme in cloud computing, the concept of a 'role' is placed between the user and the permissions: the permissions of a role are set first, and permissions are then granted by assigning roles to users. In an Internet of things with a huge number of terminals the workload of this authorization mode is very large, and because access permissions are granted through roles at coarse granularity, an efficient, fine-grained access control method suited to the fog computing scenario needs to be designed. Access control based on ciphertext-policy attribute-based encryption (CP-ABE) is widely used in distributed systems: the data owner encrypts under a policy formulated over a set of attributes, the private key of each data visitor in the system depends on the attributes the visitor owns, and the information can be decrypted successfully only when the attributes in the user's private key match the policy in the ciphertext, so fine-grained access control is realized flexibly. However, conventional attribute-based encryption cannot be applied directly to the fog computing scenario, mainly because of the following problems:
(1) Traditional attribute-based encryption is computationally complex and hard to bear for Internet of things devices with limited computing resources;
(2) Attribute management in attribute-based encryption is complicated, and the complexity grows greatly in scenarios with Internet of things devices;
(3) Access policies are difficult to construct, since all attributes in the attribute universe and their various combinations must be considered;
(4) Fog computing devices are not fully trusted, and it cannot be determined that they will not steal private information during data transmission;
(5) How to select fog nodes, and make full use of their computing power while protecting information security, is also a concern.
There are some attribute-based encryption studies that use fog nodes for outsourced computation, but these schemes pay little attention to attribute management, the complexity of constructing access policies, trust metrics for fog nodes, reasonable allocation of computing resources, and so on.
In conclusion, the design of the safe and efficient access control method suitable for the cloud computing architecture has important significance.
Disclosure of Invention
Aiming at the defects existing in the prior art, the invention provides a fog computing access control method based on attribute-based encryption and trust model.
The invention discloses a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps:
constructing a fog node trust model:
dividing the fog nodes into fog groups, and calculating the credit of the fog nodes and the trust value of the user terminal to the fog nodes by the management nodes in the fog groups through three dimensions of direct trust, audit trust and peer entity trust;
establishing a semantic optimization attribute-based encryption method:
optimizing an attribute-based encryption method based on attribute mapping of semantic reasoning, and converting character attribute mapping of an access strategy tree and a user into semantic attribute mapping;
performing access control in fog computing based on the fog node trust model and the semantically optimized attribute-based encryption method:
the data owner sets an access control strategy tree and a privacy threshold, selects a proxy fog node through a trust-based weight load balancing algorithm, and performs outsourcing encryption and ciphertext uploading through the proxy fog node;
the data visitor firstly acquires the privacy threshold of the target information, then invokes a trust-based weight load balancing algorithm to select the proxy fog node for outsourcing decryption to obtain an intermediate ciphertext, and finally decrypts the intermediate ciphertext to obtain a required plaintext;
and performing integrity verification on the plaintext with a short signature algorithm, and uploading the verification result to the fog management node as one basis for trust evaluation.
As a further improvement of the present invention,
the reputation $\mathrm{rep}_k$ of fog node k is calculated by the following formula [formula not reproduced in source]:
where $w_\alpha$ and $w_\beta$ are weights with $w_\alpha + w_\beta = 1$, $\mathrm{trust}_b(k)$ is the audit trust value of fog node k, and $\mathrm{trust}_b(i')$ is the audit trust value of a node $i'$ in the recommended-node list $\{\mathrm{node}_1, \mathrm{node}_2, \ldots, \mathrm{node}_p\}$ of fog node k;
the composite trust value $T_{i,k}$ of user terminal i in fog node k is:
$T_{i,k} = w_a \cdot \mathrm{trust}_a(i,k) + w_b \cdot \mathrm{trust}_b(k) + w_c \cdot \mathrm{trust}_c(i,k)$
where $w_a$, $w_b$, $w_c$ are weights with $w_a + w_b + w_c = 1$, $\mathrm{trust}_a(i,k)$ is the direct trust of user terminal i in fog node k, $\mathrm{trust}_b(k)$ is the audit trust value of fog node k, and $\mathrm{trust}_c(i,k)$ is the peer entity trust.
As a further improvement of the present invention,
the direct trust value $\mathrm{trust}_a(i,k)$ is calculated as:
$\mathrm{trust}_a(i,k) = \mathrm{dim}_1 \cdot w_1 + \mathrm{dim}_2 \cdot w_2 + \mathrm{dim}_3 \cdot w_3$
where $w_1$, $w_2$, $w_3$ are the weights of availability, reliability and data integrity respectively, with $w_1 + w_2 + w_3 = 1$, and $\mathrm{dim}_1$, $\mathrm{dim}_2$, $\mathrm{dim}_3$ are respectively the availability, reliability and data integrity of fog node k towards user terminal i;
the audit trust value $\mathrm{trust}_b(k)$ is calculated by the following formula [formula not reproduced in source]:
where L is the access device list of fog node k;
the peer trust $\mathrm{trust}_c(i,k)$ is calculated by the following formula [formula not reproduced in source]:
where n denotes the first n terminals with the largest number of interactions with fog node k.
As a further improvement of the invention, $\mathrm{dim}_1$, $\mathrm{dim}_2$, $\mathrm{dim}_3$ are calculated by the following formulas [formulas not reproduced in source]:
where Acc is the number of times fog node k accepts the requests of terminal i, Sub is the number of requests the terminal submits, Fin is the number of times the fog node finishes the terminal's request and returns a result, and Tru is the number of times the result returned by the fog node passes data integrity verification.
As a further improvement of the present invention, the converting the character attribute mapping of the access policy tree and the user into the semantic attribute mapping includes:
performing semantic mapping on the attributes to be used in the policy tree, converting them by semantic reasoning into concept attributes in the attribute total set, and then setting the threshold access policy tree with the concept attributes;
mapping the attributes in the user's attribute list to concept attributes in the attribute total set by WordNet-based semantic reasoning: taking each attribute value x of the user as the starting point, WordNet reasoning over the synonym set (synset) and the hypernym set is applied and the IDs of the synset and the hypernym set are merged, giving the user's concept attribute set.
As a further improvement of the present invention, a method for selecting a proxy cloud node includes:
screening the fog node list $L_0$ for nodes whose reputation value is greater than or equal to ε to obtain a new fog node list L;
calculating the composite trust value of the user terminal device in the fog nodes in L according to the fog node trust model, calculating the weight of each fog node by combining its idle resource condition, and then selecting the candidate proxy fog node in list L with a weighted random load balancing algorithm; first, the idle resource quantity of each fog node in L is normalized, the converted idle resource quantities being $\{RS(1), RS(2), \ldots, RS(n)\}$ in the interval $[0,1]$;
the weight of fog node k is calculated as:
$\mathrm{weight}(k) = \alpha \cdot T_{i,k} + \beta \cdot RS(k)$
where α and β are weight factors and α + β = 1.
As a further improvement of the present invention, the integrity verification of the decrypted information is performed using a BLS signature verification algorithm.
Compared with the prior art, the invention has the beneficial effects that:
according to the invention, the existing attribute-based encryption scheme is optimized through attribute mapping based on semantic reasoning, so that attribute management is simplified, and fine-grained access control of privacy information in fog calculation is realized by using an optimized attribute-based encryption technology; the fog node trust model and the node state evaluation mechanism enable the equipment to select better-quality fog computing nodes, and further ensure the usability and safety of the system.
Drawings
FIG. 1 is a diagram of the system model for implementing the fog computing access control method according to one embodiment of the present invention;
FIG. 2 is a schematic diagram of an access policy tree disclosed in an embodiment of the present invention.
In the figures:
CSP: the cloud service provider, mainly responsible for storing information and providing an interface for user access;
FN: a fog node, with geographic location characteristics, mainly responsible for providing outsourced computing capability to nearby user devices;
FN management node: the fog management node audits the historical interaction behaviour between terminals and fog nodes, and evaluates and manages the trust values of fog nodes;
Data Owner: a data owner;
Data User: a data user;
CA: the central authority, which generates the public parameters and the master key for the whole system;
AA: the attribute authority, responsible for attribute management of the system and user key generation.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention is described in further detail below with reference to the attached drawing figures:
the invention provides a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps:
1. system initialization
Setting a system public parameter PP and a master key MK; the attribute authority sets an attribute corpus S, optimizes the attribute corpus through a semantic reasoning module, reduces the number of attributes in the system, and then generates an attribute public key and an attribute private key for each attribute in the attribute corpus managed by the attribute authority.
The optimization processing of the semantic reasoning module to the attribute corpus is specifically as follows: dividing the attribute corpus by the synonym set in the semantic knowledge base, merging the attributes with the same semantics, using the unique number of the synonym set to represent the merging result, and each attribute after merging represents a concept in the semantic knowledge base, wherein the concept attributes form a new attribute set.
2. Fog node registration and internet of things equipment registration
The fog node registration specifically comprises the following steps:
the fog node carries out fog node registration, generates a unique identifier nid for the fog node, records node information and initializes a reputation value for the node information. The fog node registration can be recommended by other registered fog nodes in the system, the recommended fog nodes are m at most, and the initial reputation value C of the fog nodes FN Is associated with the reputation value of the recommended foggy node.
The registration of the Internet of things equipment is specifically as follows:
the internet of things device in the system as shown in fig. 1 can be logically divided into a data owner DO and a data user DU, the data owner registration only needs to generate a unique identifier uid, and the data visitor registration also needs to perform terminal attribute verification and generate an attribute list S thereof uid . In a practical system, one internet of things device may be both a data owner and a data user. In the following, unless otherwise specified, the user and the data visitor represent the terminal device of the internet of things with the data access function.
3. User key generation
The system performs identity verification on the user terminal, and acquires the attribute set of the user in the system after the verification is successful.
The attributes in the user's attribute list are mapped to concept attributes in the attribute total set by WordNet-based semantic reasoning: taking each attribute value x of the user as the starting point, WordNet reasoning over the synonym set (synset) and the hypernym set is applied and the IDs of the synset and the hypernym set are merged, giving the user's concept attribute set.
The attribute authority then uses the intersection of the attribute set and the full set of attributes to generate a user key for the user, including an outsource decryption key and a user decryption key.
4. Data upload
4.1 setting Access control policy and privacy threshold
The access control policy is expressed with a threshold access policy tree as shown in fig. 2: a leaf node represents an attribute, a non-leaf node represents a threshold, and the root node stores a secret value s that is distributed to the child nodes; only a key whose attribute set satisfies the attribute condition can recover the secret value of the root node. First, the attributes to be used in the policy tree are mapped semantically, converted by semantic reasoning into concept attributes in the attribute total set, and the threshold access policy tree is then set using the concept attributes. A privacy threshold ε is set according to the importance of the privacy of the uploaded information and used as a tag of the ciphertext.
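The WordNet-based attribute mapping of step 3 and the threshold policy tree of step 4.1, as an added illustration that is not part of the patent: a constructed mini knowledge base stands in for WordNet (its synset ids and words are made up), user attributes are mapped to concept ids by merging synset and hypernym ids, policy leaves are mapped to concept ids, and a t-of-n threshold tree is evaluated over the user's concept set.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed mini knowledge base standing in for WordNet (this example's own
# data, not the patent's): synset id -> (member words, hypernym synset id).
KB: Dict[str, Tuple[Set[str], Optional[str]]] = {
    "s01": ({"doctor", "physician", "medic"}, "s03"),
    "s02": ({"nurse"}, "s03"),
    "s03": ({"health_professional", "clinician"}, "s05"),
    "s04": ({"cardiology", "cardiac_unit"}, "s06"),
    "s05": ({"professional"}, None),
    "s06": ({"department"}, None),
}


def synset_ids(word: str) -> List[str]:
    """All synsets that contain the word (a word may belong to several)."""
    return [sid for sid, (members, _) in KB.items() if word in members]


def user_concepts(attrs: Set[str]) -> Set[str]:
    """Map a user's character attributes to concept attributes: starting from
    each attribute value x, merge the id of its synset with the ids of every
    hypernym synset above it, so 'physician' also carries 'clinician'."""
    out: Set[str] = set()
    for x in attrs:
        for sid in synset_ids(x):
            cur: Optional[str] = sid
            while cur is not None:
                out.add(cur)
                cur = KB[cur][1]
    return out


def policy_concept(attr: str) -> str:
    """A policy leaf is converted to the one concept it denotes; an attribute
    that is missing or ambiguous in the knowledge base cannot be used."""
    ids = synset_ids(attr)
    if len(ids) != 1:
        raise ValueError(f"policy attribute {attr!r} must map to exactly one concept")
    return ids[0]


@dataclass
class PolicyNode:
    """Threshold access policy tree: a leaf holds an attribute, an inner node
    is a t-of-n gate over its children (t = 1 is OR, t = n is AND)."""
    threshold: int = 1
    attr: Optional[str] = None
    children: List["PolicyNode"] = field(default_factory=list)


def leaf(attr: str) -> PolicyNode:
    return PolicyNode(attr=attr)


def gate(threshold: int, *children: PolicyNode) -> PolicyNode:
    return PolicyNode(threshold=threshold, children=list(children))


def satisfies(node: PolicyNode, concepts: Set[str]) -> bool:
    """True when the concept set satisfies the tree, i.e. when a key built from
    these concept attributes could recover the secret value of the root."""
    if node.attr is not None:
        return policy_concept(node.attr) in concepts
    if not 1 <= node.threshold <= len(node.children):
        raise ValueError("threshold must lie between 1 and the number of children")
    hits = sum(satisfies(child, concepts) for child in node.children)
    return hits >= node.threshold


# Constructed policies (not from the patent):
# (doctor OR nurse) AND cardiology, written with character attributes ...
POLICY = gate(2, gate(1, leaf("doctor"), leaf("nurse")), leaf("cardiology"))
# ... and the same intent written against the broader concept 'clinician'.
POLICY_CONCEPT = gate(2, leaf("clinician"), leaf("cardiology"))
```

Note that a hypernym alone never implies its hyponym: a user holding only "professional" does not satisfy a "clinician" leaf, while a user holding "medic" does.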
4.2 agent fog node load balancing algorithm
Assume that the list of fog nodes in the fog group is $L_0$. The fog management node selects a better fog node as the proxy of the terminal device by the following steps:
Step 1: screen the fog node list $L_0$ for nodes whose reputation value is greater than or equal to ε to obtain a new fog node list L. If L is empty, no suitable proxy fog node exists nearby and the DO encrypts and uploads the information itself; otherwise, go to step 2;
Step 2: calculate the composite trust value of the user terminal device in the fog nodes in L according to the fog node trust model, calculate the weight of each fog node by combining its idle resource condition, and then select the candidate proxy fog node in list L with a weighted random load balancing algorithm. First, the idle resource quantity of each fog node in L is normalized; the converted idle resource quantities are $\{RS(1), RS(2), \ldots, RS(n)\}$, in the interval $[0,1]$. The weight of fog node k is calculated as:
$\mathrm{weight}(k) = \alpha \cdot T_{i,k} + \beta \cdot RS(k)$
where α and β are weight factors and α + β = 1.
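The two-step proxy selection above, as an added example that is not the patent's code: reputation screening against ε, normalization of idle resources into [0,1], weight(k) = α·T_{i,k} + β·RS(k), and a weighted random draw. The page states the interval but not the normalization method, so min-max normalization is an assumption; the trust value T_{i,k} is taken as an input here because the trust model computes it; the fog group data is constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FogNode:
    """One entry of the fog group list L_0 (field names are this example's)."""
    nid: str      # fog node identifier
    rep: float    # reputation value held by the fog management node
    trust: float  # composite trust T_{i,k} of the requesting terminal i in this node
    idle: float   # raw idle-resource measure, e.g. free CPU units (assumed unit)


def screen_by_reputation(l0: List[FogNode], eps: float) -> List[FogNode]:
    """Step 1: keep the nodes whose reputation is >= the privacy threshold eps."""
    return [n for n in l0 if n.rep >= eps]


def normalize_idle(nodes: List[FogNode]) -> List[float]:
    """RS(k): idle resources scaled into [0, 1] by min-max normalization (an
    assumption; the page only states the interval). When all values are equal
    there is nothing to rank, so every node gets 1.0."""
    vals = [n.idle for n in nodes]
    lo, hi = min(vals), max(vals)
    if hi == lo:
        return [1.0] * len(nodes)
    return [(v - lo) / (hi - lo) for v in vals]


def node_weights(nodes: List[FogNode], alpha: float = 0.7, beta: float = 0.3) -> List[float]:
    """weight(k) = alpha * T_{i,k} + beta * RS(k), with alpha + beta = 1."""
    if abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha + beta must equal 1")
    return [alpha * n.trust + beta * rs for n, rs in zip(nodes, normalize_idle(nodes))]


def select_proxy(l0: List[FogNode], eps: float, alpha: float = 0.7,
                 beta: float = 0.3, rng: Optional[random.Random] = None) -> Optional[FogNode]:
    """Step 2: weighted random load balancing over the screened list L.
    Returns None when L is empty, the signal for the data owner to encrypt and
    upload by itself instead of handing the computation to any nearby fog node."""
    candidates = screen_by_reputation(l0, eps)
    if not candidates:
        return None
    weights = node_weights(candidates, alpha, beta)
    if sum(weights) <= 0:          # all weights zero: fall back to a uniform draw
        weights = [1.0] * len(candidates)
    if rng is None:
        rng = random.Random()
    return rng.choices(candidates, weights=weights, k=1)[0]


def selection_frequencies(l0: List[FogNode], eps: float, draws: int, seed: int) -> Dict[str, int]:
    """How often each node is chosen over `draws` seeded draws; a higher weight
    should mean more selections, not exclusive selection (that is the balancing)."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(draws):
        chosen = select_proxy(l0, eps, rng=rng)
        if chosen is not None:
            counts[chosen.nid] = counts.get(chosen.nid, 0) + 1
    return counts


# Constructed fog group: fn3 is the node this terminal trusts most, but its
# reputation is below the privacy threshold 0.5 used in the checks, so it is
# screened out before any weight is computed.
FOG_GROUP = [
    FogNode("fn1", rep=0.9, trust=0.80, idle=40),
    FogNode("fn2", rep=0.6, trust=0.90, idle=10),
    FogNode("fn3", rep=0.3, trust=0.95, idle=90),
]
```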
4.3 data owner encryption
First, a symmetric key k is randomly generated and the information is encrypted with a symmetric encryption algorithm to obtain ciphertext $CT_1$; two secret values are then generated, and k is encrypted with the system public parameters and the secret value to obtain ciphertext $CT_2$, while one of the secret values and the access tree T are sent to the proxy fog node for outsourced computation. A public/private key pair is generated with the BLS short signature algorithm, the private key is used to sign the message, and the signature and the public key are embedded in the ciphertext to be uploaded together.
4.4 fog node outsourcing calculation
The proxy fog node is responsible for access policy tree preprocessing, secret value distribution and other operations of the encryption process, yielding ciphertext $CT_3$. In particular, if the fog node load balancing algorithm finds no suitable fog node, all encryption computation is completed by the data owner. Finally, the ciphertexts $CT_1$, $CT_2$ and $CT_3$ are combined with the digital signature, the signature public key and the privacy threshold into the final ciphertext CT, which is uploaded to the cloud server.
5. Data access
A user requests the ciphertext from the cloud server and selects a proxy fog node with the fog node load balancing algorithm of step 4. If a fog node meeting the reputation condition exists, the outsourcing key is sent to that fog node, which performs outsourced decryption to obtain the intermediate ciphertext; the user key is then used for the low-cost decryption of the intermediate ciphertext to obtain the symmetric key k set by the data owner, and finally the ciphertext is decrypted with k to obtain the final plaintext. Otherwise, the user device completes all decryption operations itself.
6. Ciphertext verification
The decrypted information is integrity-verified with the BLS signature verification algorithm to ensure it has not been tampered with, and the verification result is fed back to the fog management node.
The BLS short signature algorithm defines a hash function $H: \{0,1\}^* \to G$, where $G$ is a multiplicative cyclic group of prime order $p$ with generator $g$. The specific steps are:
Step 1, key generation: the data owner selects a random number $x \in Z_p^*$ and computes $v = g^x$; the public key is $v$ and the private key is $x$;
Step 2, signing: the data owner computes $\sigma = H(m)^x$ on the plaintext $m$ and embeds $\sigma$ and $v$ in the ciphertext to be uploaded together;
Step 3, verification: the data visitor checks whether $m$ has been tampered with by testing $e(\sigma, g) = e(H(m), v)$.
7. Fog node trust model
The interaction behaviour of a terminal device towards a fog node comprises outsourced encryption requests, outsourced decryption requests and data transmission requests. The trust of the terminal device in the fog node consists of direct trust and indirect trust. Direct trust depends on the historical interaction results between the terminal and the fog node; indirect trust comprises an audit trust value and a peer entity trust value, where the audit trust value is obtained by auditing the historical interaction results between the fog node and all terminals, and the peer trust value is the trust in the fog node of certain representative terminal devices selected by a peer selection strategy.
The interaction between terminal $\mathrm{device}_i$ and fog node $\mathrm{node}_k$ is evaluated from three dimensions: availability, reliability and data integrity. Availability is the fog node's capability to respond to the terminal's requests, reliability is its capability to finish accepted requests within the specified time, and data integrity is the correctness of the fog node's outsourced decryption results. The specific calculation is as follows [formulas not reproduced in source]:
where $\mathrm{dim}_1$, $\mathrm{dim}_2$, $\mathrm{dim}_3$ are respectively the availability, reliability and data integrity of $\mathrm{node}_k$ for $\mathrm{device}_i$; Acc is the number of times fog node k accepts the requests of terminal i, Sub is the number of requests the terminal submits, Fin is the number of times the fog node completes the terminal's request and returns the result, and Tru is the number of times the result returned by the fog node passes data integrity verification.
(1) Direct trust value
The direct trust value $\mathrm{trust}_a(i,k)$ of terminal $\mathrm{device}_i$ in fog node $\mathrm{node}_k$ is:
$\mathrm{trust}_a(i,k) = \mathrm{dim}_1 \cdot w_1 + \mathrm{dim}_2 \cdot w_2 + \mathrm{dim}_3 \cdot w_3$
where $w_1$, $w_2$, $w_3$ are the weights of availability, reliability and data integrity respectively, and $w_1 + w_2 + w_3 = 1$. In particular, when the historical interactions of terminal i with fog node k include no outsourced decryption, the corresponding weight $w_3$ is set to 0. If terminal i has no interaction record with fog node k, the direct trust value is null.
(2) Auditing trust values
The audit trust value reflects the evaluation of the fog node by all terminal devices in the system. Let L be the access device list of fog node k and $\mathrm{trust}_b(k)$ its audit trust value, calculated as follows [formula not reproduced in source]:
(3) peer trust value
Selecting the first n terminal devices with the largest interaction times with the fog node k as peer entities, and calculating the trust value of the peer entities:
the trust value of the peer entity reflects the trust condition of other representative terminal equipment in the system on the fog node k.
And the credit of the fog node and the comprehensive trust degree of the terminal equipment i to the fog node k are expressed according to the three trust value calculation methods.
Reputation value $\mathrm{rep}_k$ of fog node k: suppose the recommended-node list of fog node k is $\{\mathrm{node}_1, \mathrm{node}_2, \ldots, \mathrm{node}_p\}$. According to (2), compute the audit trust value $\mathrm{trust}_b(k)$ of fog node k and the audit trust values $\{\mathrm{trust}_b(\mathrm{node}_1), \mathrm{trust}_b(\mathrm{node}_2), \ldots, \mathrm{trust}_b(\mathrm{node}_p)\}$ of the recommended nodes, then calculate [formula not reproduced in source]:
where $w_\alpha$ and $w_\beta$ are weights and $w_\alpha + w_\beta = 1$.
Combining the trust values of (1), (2) and (3) gives the composite trust value $T_{i,k}$ of terminal i in node k:
$T_{i,k} = w_a \cdot \mathrm{trust}(\mathrm{device}_i, \mathrm{node}_k) + w_b \cdot \mathrm{trust}(\mathrm{device}_L, \mathrm{node}_k) + w_c \cdot \mathrm{trust}(\mathrm{device}_i, \mathrm{node}_{FL})$
where $w_a$, $w_b$, $w_c$ are the corresponding weights and $w_a + w_b + w_c = 1$. It should be noted that when the direct trust value or a recommended node's trust value is null, the corresponding part is removed from the calculation of the composite trust value, i.e. the corresponding weight is set to 0.
The main function of the model is to calculate the reputation value $\mathrm{rep}_k$ of fog node k in the system and the composite trust value $T_{i,k}$ of terminal device i in node k.
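The trust model of section 7, as an added worked example that is not the patent's code, over constructed interaction counters. The page names the counters Acc, Sub, Fin and Tru but does not reproduce the dim, audit, peer and reputation formulas, so the ratios Acc/Sub, Fin/Acc, Tru/Fin, the mean aggregation of audit and peer trust, and the linear combination for rep_k are assumptions; the null-handling rules (w_3 = 0 without outsourced decryption, null direct trust without interaction, weight 0 for a null component) follow the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interaction:
    """Counters for one (terminal i, fog node k) pair, as named in the text.
    `outsourced_decryption` records whether any request was an outsourced
    decryption, the only interaction whose result integrity is measured."""
    sub: int                           # Sub: requests the terminal submitted
    acc: int                           # Acc: requests the fog node accepted
    fin: int                           # Fin: requests finished with a returned result
    tru: int                           # Tru: results that passed integrity verification
    outsourced_decryption: bool = True


def dimensions(rec: Interaction):
    """dim_1 availability, dim_2 reliability, dim_3 data integrity as the ratios
    Acc/Sub, Fin/Acc, Tru/Fin (assumed; the page gives only the counters).
    A zero denominator gives 0: no evidence earns no credit."""
    d1 = rec.acc / rec.sub if rec.sub else 0.0
    d2 = rec.fin / rec.acc if rec.acc else 0.0
    d3 = rec.tru / rec.fin if rec.fin else 0.0
    return d1, d2, d3


def direct_trust(rec: Optional[Interaction], w=(0.4, 0.3, 0.3)) -> Optional[float]:
    """trust_a(i,k). Null (None) when i never interacted with k; w_3 forced to 0
    when the history contains no outsourced decryption."""
    if rec is None:
        return None
    w1, w2, w3 = w
    if not rec.outsourced_decryption:
        w3 = 0.0
    d1, d2, d3 = dimensions(rec)
    return d1 * w1 + d2 * w2 + d3 * w3


# history[k][i] = Interaction of terminal i with fog node k, kept by the fog
# management node; the keys of history[k] form k's access device list L.
History = Dict[str, Dict[str, Interaction]]


def _mean(vals: List[Optional[float]]) -> Optional[float]:
    known = [v for v in vals if v is not None]
    return sum(known) / len(known) if known else None


def audit_trust(history: History, k: str) -> Optional[float]:
    """trust_b(k): audit of k's history with every terminal in L. Aggregating
    by the mean of their direct trust values is an assumption."""
    return _mean([direct_trust(r) for r in history.get(k, {}).values()])


def peer_trust(history: History, k: str, n: int = 3) -> Optional[float]:
    """trust_c(i,k): mean direct trust of the n terminals that interacted most
    (largest Sub) with k; the mean is an assumption, the top-n rule is the text's."""
    top = sorted(history.get(k, {}).values(), key=lambda r: r.sub, reverse=True)[:n]
    return _mean([direct_trust(r) for r in top])


def reputation(history: History, k: str, recommended: List[str],
               w_alpha: float = 0.6, w_beta: float = 0.4) -> float:
    """rep_k combining k's own audit trust with the audit trust of the nodes
    that recommended it (w_alpha + w_beta = 1). The linear form is an
    assumption; a null recommender term gets weight 0 as the text prescribes."""
    own = audit_trust(history, k) or 0.0
    rec_mean = _mean([audit_trust(history, r) for r in recommended])
    return w_alpha * own + (w_beta * rec_mean if rec_mean is not None else 0.0)


def composite_trust(history: History, i: str, k: str, w=(0.5, 0.3, 0.2)) -> float:
    """T_{i,k} = w_a*trust_a + w_b*trust_b + w_c*trust_c. A null component is
    removed by setting its weight to 0; the text does not renormalize, nor do we,
    so a terminal with no own history sees a lower ceiling than one with history."""
    w_a, w_b, w_c = w
    parts = [(w_a, direct_trust(history.get(k, {}).get(i))),
             (w_b, audit_trust(history, k)),
             (w_c, peer_trust(history, k))]
    return sum(wt * v for wt, v in parts if v is not None)


# Constructed history (not real measurements): dev3 only ever asked fn1 for
# outsourced encryption, so its integrity dimension is not measured.
HISTORY: History = {
    "fn1": {
        "dev1": Interaction(sub=10, acc=10, fin=9, tru=9),
        "dev2": Interaction(sub=20, acc=16, fin=16, tru=12),
        "dev3": Interaction(sub=5, acc=5, fin=5, tru=0, outsourced_decryption=False),
    },
    "fn2": {"dev1": Interaction(sub=4, acc=2, fin=1, tru=1)},
}
```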
Examples:
the invention provides a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps:
1. system initialization
1.1 public parameters and master Key Generation
The CA first selects, according to a random security parameter $\tau$, a bilinear map $e: G \times G \to G_0$, where $G$ is a multiplicative cyclic group of prime order $p$ with generator $g$; it randomly selects $\alpha, \beta \in Z_p$, $h \in G$ and a hash function $H: \{0,1\}^* \to Z_p$. The public parameters are $PP = (G, G_0, p, g, g^\alpha, h, H, e(g,g)^\beta)$ and the master key is $MK = \{\alpha, g^\beta\}$.
1.2 Attribute set pre-processing
The attribute corpus is preprocessed as follows. Each attribute authority is assigned the attribute corpus it manages, and that corpus is preprocessed with a WordNet semantic reasoning module: the attributes are partitioned by WordNet synonym sets (synsets), attributes with the same meaning are merged, and each merged result is represented by the unique number of its synset (the Lexicographer ID). After merging, each attribute represents one concept in the semantic knowledge base, and these concept attributes form the new attribute set.
The beneficial effects of this treatment are: a standardized semantic attribute set is established, which eases the setting of access policies and the mapping of user attributes, and the number of attributes in the attribute set is greatly reduced, lowering both the complexity of attribute management and the computational cost.
1.3 Attribute authority initialization
Assume there are N attribute authorities in total and that the attribute set managed by authority i is S_i (i ∈ N); these sets are pairwise disjoint. Each attribute authority selects a random number t_i ∈ Z_p and, for each attribute x in S_i, a random number b_x ∈ Z_p, from which it generates its attribute key material.
2. Fog node registration and Internet of Things device registration
Fog node registration specifically comprises the following steps:
The fog node registers, a unique identifier nid is generated for it, its node information is recorded and a reputation value is initialized for it. A fog node's registration can be recommended by other fog nodes already registered in the system (at most m recommending nodes), and the initial reputation value C_FN of the fog node is correlated with the reputation values of the recommending fog nodes.
Internet of Things device registration is specifically as follows:
The Internet of Things devices in the system can be logically divided into data owners (DO) and data users (DU). Registration of a data owner only requires generating a unique identifier uid; registration of a data visitor additionally requires terminal attribute verification and generates the attribute list S_uid.
3. Key generation
(uid, PP, ASK) → {SK, SK'}
3.1 User attribute semantic mapping based on WordNet
First, the attribute list S_uid registered by the user is looked up by uid. Then the attributes in the user's list are mapped to concept attributes in the attribute total set using WordNet-based semantic reasoning: taking each user attribute value x as the starting point, WordNet is used to infer the synonym set and hypernym ("superword") set of x, and the IDs of these sets are merged to obtain the new attribute list S'_uid.
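As an added illustration (example code written for this page, not the patent's own implementation), the following Python shows the attribute-corpus merging of 1.2 and the user-attribute mapping of 3.1 together, with a small constructed synonym/hypernym table standing in for WordNet. The synset labels, the function names and the sample attributes are all made up for the example; real Lexicographer IDs would come from the WordNet database.

```python
# Added example, not the patent's code: attribute corpus merging (1.2) and user-attribute
# mapping through synonym and hypernym sets (3.1). A small constructed table stands in for
# WordNet; the synset IDs below are made-up labels, not real Lexicographer IDs.

# Constructed stand-in for WordNet: lemma -> synset ID, and synset ID -> hypernym synset ID.
SYNSET_OF = {
    "physician": "noun.person:doctor",
    "doctor": "noun.person:doctor",
    "medic": "noun.person:doctor",
    "nurse": "noun.person:nurse",
    "cardiologist": "noun.person:cardiologist",
    "hospital": "noun.artifact:hospital",
    "clinic": "noun.artifact:hospital",
}
HYPERNYM_OF = {
    "noun.person:cardiologist": "noun.person:doctor",
    "noun.person:doctor": "noun.person:health_professional",
    "noun.person:nurse": "noun.person:health_professional",
}


def merge_attribute_corpus(raw_attrs):
    """Section 1.2: group attributes with the same meaning under one concept (synset ID).
    Returns {concept_id: {original attribute strings}}; unknown words stay as their own concept."""
    concepts = {}
    for a in raw_attrs:
        sid = SYNSET_OF.get(a.lower(), "unmapped:" + a.lower())
        concepts.setdefault(sid, set()).add(a)
    return concepts


def expand_attribute(x):
    """Synset of x plus its hypernym chain (the 'superword set' of section 3.1)."""
    sid = SYNSET_OF.get(x.lower())
    if sid is None:
        return set()
    reachable = {sid}
    while sid in HYPERNYM_OF:
        sid = HYPERNYM_OF[sid]
        reachable.add(sid)
    return reachable


def map_user_attributes(user_attrs, concept_set):
    """Section 3.1: S'_uid = concept attributes reachable from the user's attributes,
    restricted to the concept set actually managed by the authorities."""
    mapped = set()
    for x in user_attrs:
        mapped |= expand_attribute(x) & set(concept_set)
    return mapped


if __name__ == "__main__":
    corpus = ["Physician", "doctor", "medic", "nurse", "Hospital", "clinic", "cardiologist"]
    concepts = merge_attribute_corpus(corpus)
    print(len(corpus), "raw attributes ->", len(concepts), "concepts")
    print(sorted(map_user_attributes(["Cardiologist", "clinic"], concepts)))
```

The hypernym walk is what lets a user registered as "Cardiologist" satisfy a policy leaf written as the concept "doctor": the mapping adds every more general concept on the chain, but only those that exist in the merged corpus, so the user cannot gain attributes the authorities never defined.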
3.2 User key generation
For each attribute x ∈ S_i ∩ S'_uid, AA_i computes the component D'_x, so that the user's attribute private key is SK_AA = {D'_x}; AA_i sends SK_AA to the CA. After receiving the user's attribute private key, the CA selects random numbers λ, θ ∈ Z_p and computes D = g^{β+αλ}, D_1 = g^{αλ} h^θ, D_2 = g^θ. The output private key SK and outsourcing key SK' of the user are:
SK = {D = g^{β+αλ}}
4. Data upload
4.1 Setting the access policy and privacy threshold
First, the attributes to be used in the policy tree are semantically mapped, i.e. converted by semantic reasoning into concept attributes of the attribute total set, and the threshold access policy tree is then set using the concept attribute set. A privacy threshold ε is set according to how sensitive the uploaded information is, and ε is attached as a label of the uploaded content.
4.2 Proxy fog node load balancing algorithm
Suppose the list of fog nodes in a fog group is L_0. The fog management node selects a suitable fog node as proxy for the terminal device by the following steps:
Step 1: filter the fog node list L_0, keeping the nodes whose reputation value is greater than or equal to ε, to obtain a new fog node list L. If L is empty, no suitable proxy fog node exists in the current vicinity and the DO encrypts and uploads the information itself; otherwise, go to step 2;
Step 2: compute the comprehensive trust value of the user terminal device in each fog node in L according to the fog node trust model, compute the weight of each fog node by combining it with the node's idle resources, and then select the candidate proxy fog node from L with a weighted random load balancing algorithm. The idle resource quantity of each fog node in L is first normalized, giving converted quantities {RS(1), RS(2), ..., RS(n)} in the interval [0,1]. The weight of fog node k is:
weight(k) = α · T_{i,k} + β · RS(k)
where α and β are weight factors and α + β = 1.
The beneficial effect of this node load balancing algorithm is that it combines the privacy level of the information, the reputation value of the fog node in the system, the user's trust value in the fog node and the node's idle resources, and comprehensively selects a high-quality fog node as proxy.
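The two selection steps above, as an added Python example (not code from the patent). It assumes min-max normalization for the idle-resource quantities, since the page only says they are normalized to [0,1], and drives the weighted random choice with an explicit uniform draw u so that a run is reproducible; the node names, reputations, resource figures and trust values are constructed for the example.

```python
# Added example, not the patent's code: the proxy fog-node selection of section 4.2.
# Assumptions: free resources are min-max normalized to [0,1] (the page only says
# "normalized"), and the weighted random pick is driven by a uniform draw u in [0,1).
import random


def filter_by_reputation(nodes, reputation, eps):
    """Step 1: keep only fog nodes whose reputation is >= the privacy threshold eps."""
    return [k for k in nodes if reputation[k] >= eps]


def normalize_free_resources(free):
    """Min-max normalize raw idle-resource amounts into RS(k) in [0,1] (assumed method)."""
    lo, hi = min(free.values()), max(free.values())
    if hi == lo:                      # all candidates equally loaded: treat RS as 1
        return {k: 1.0 for k in free}
    return {k: (v - lo) / (hi - lo) for k, v in free.items()}


def node_weights(candidates, trust, rs, alpha, beta):
    """weight(k) = alpha * T_{i,k} + beta * RS(k), with alpha + beta = 1."""
    if abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha + beta must equal 1")
    return {k: alpha * trust[k] + beta * rs[k] for k in candidates}


def weighted_pick(weights, u):
    """Weighted random choice: u in [0,1) is scaled onto the cumulative weights."""
    total = sum(weights.values())
    if total <= 0:                    # degenerate: every weight zero, fall back to first candidate
        return next(iter(weights))
    target = u * total
    acc = 0.0
    for k, w in weights.items():
        acc += w
        if target < acc:
            return k
    return k                          # guard against floating-point rounding at the top end


def select_proxy(nodes, reputation, free, trust, eps, alpha=0.6, beta=0.4, u=None):
    """Full selection. Returns None when no node passes step 1 (the DO must encrypt itself)."""
    L = filter_by_reputation(nodes, reputation, eps)
    if not L:
        return None
    rs = normalize_free_resources({k: free[k] for k in L})
    w = node_weights(L, trust, rs, alpha, beta)
    return weighted_pick(w, random.random() if u is None else u)


if __name__ == "__main__":
    # Constructed sample fog group: reputation, raw idle resources and T_{i,k} per node.
    nodes = ["n1", "n2", "n3", "n4"]
    reputation = {"n1": 0.9, "n2": 0.4, "n3": 0.7, "n4": 0.8}
    free = {"n1": 40, "n2": 90, "n3": 10, "n4": 70}
    trust = {"n1": 0.8, "n2": 0.95, "n3": 0.9, "n4": 0.5}
    print(select_proxy(nodes, reputation, free, trust, eps=0.6))
```

Note that the reputation filter runs before any weighting: in the sample, n2 has the highest trust and the most free resources but is excluded outright because its reputation is below ε, which is the property the scheme relies on to keep low-reputation nodes away from sensitive uploads.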
4.3 DO encryption algorithm
The DO first selects a symmetric key k and symmetrically encrypts the data M, obtaining the ciphertext SE_k(M). It then randomly selects u, v ∈ Z_p with s = u + v, s ∈ Z_p, computes C = k · e(g,g)^{βs}, C' = g^s, C_1 = g^v, C_2 = h^v, σ = H(M)^s, and generates the ciphertext CT_1 = {SE_k(M), σ, C, C', C_1, C_2}.
If the node selection algorithm finds a proxy fog node meeting the reputation condition, the DO sends {T, u} to that fog node for outsourced encryption; otherwise the DO computes CT_2 itself. For the computation of CT_2 see 4.4.
4.4 Fog node encryption algorithm
First, a polynomial Q_i is chosen for each node i in T, where the degree f_i of Q_i and the threshold n_i of node i satisfy f_i = n_i − 1. For the root node R, the constant term of its polynomial is set to u and f_R further random values are chosen to define Q_R completely; for every other node, Q_i(0) = Q_parent(i)(index(i)), and f_i random values are then chosen to complete the polynomial definition. Here parent(i) is the parent node of node i and index(i) is the index value of node i.
Let the set of leaf nodes of the access policy T be S_attr. For each leaf node of S_attr, the corresponding ciphertext components are defined and the partial ciphertext is output.
Finally, the user merges the two parts of the ciphertext into CT and uploads CT to the cloud server for storage.
5. Data access
The user requests the ciphertext from the cloud server and selects a fog node with the load balancing algorithm of 4.2. If a fog node meeting the condition exists, the user sends the outsourcing key to it for outsourced decryption; otherwise all decryption steps are performed locally by the user.
5.1 Outsourced decryption
The outsourced decryption process is as follows:
Given the user's outsourcing key SK', define the recursive algorithm DfsNode(T, SK', x), which denotes the decryption result of any node x in the access tree with respect to the user's concept attribute set.
If x is a non-leaf node, let S_x be the set of child nodes of x whose result F is non-null. If the number of nodes in S_x is smaller than the threshold of x, F_x is null; otherwise the following calculation is performed by Lagrange interpolation:
The recursive algorithm is called on the root node R; if the user's attribute set satisfies the access policy T, the result is:
The fog node then generates the intermediate ciphertext CT' = {SE_k(M), σ, C, C', IT} and sends it to the user.
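An added example (not the patent's code) of the polynomial assignment of 4.4 and the recursive DfsNode reconstruction of 5.1, carried out over Z_p without the pairing layer: plain polynomial shares stand in for the group-element components, so only the threshold-tree logic is shown, not the encryption itself. The prime, the sample tree, the attribute names and the demo() helper are assumptions for the example.

```python
# Added example, not the patent's code: threshold access-tree secret sharing (section 4.4)
# and the recursive DfsNode reconstruction (section 5.1) over Z_p, without pairings.
import random

P = 2**61 - 1  # Mersenne prime standing in for the group order p (assumption for the example)


class Node:
    """Access-tree node: an inner node has a threshold and children, a leaf has an attribute."""
    def __init__(self, threshold=None, children=(), attr=None):
        self.threshold, self.children, self.attr = threshold, list(children), attr
        self.poly = None  # coefficients of Q_i, constant term first


def eval_poly(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def share(node, secret, rng):
    """4.4: Q_i(0) = secret, degree f_i = n_i - 1; each child at index idx receives Q_i(idx).
    A leaf keeps only its share Q_x(0)."""
    if node.attr is not None:
        node.poly = [secret % P]
        return
    f = node.threshold - 1
    node.poly = [secret % P] + [rng.randrange(P) for _ in range(f)]
    for idx, child in enumerate(node.children, start=1):   # index(i) is 1-based
        share(child, eval_poly(node.poly, idx), rng)


def lagrange_at_zero(points):
    """Recover Q(0) from threshold-many (index, share) pairs by Lagrange interpolation mod P."""
    total = 0
    for i, yi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def dfs_node(node, attrs):
    """5.1 DfsNode(T, SK', x): a satisfied leaf returns its share; an inner node returns the
    interpolated Q_x(0) when at least threshold children are non-null, otherwise None."""
    if node.attr is not None:
        return node.poly[0] if node.attr in attrs else None
    pts = []
    for idx, child in enumerate(node.children, start=1):
        v = dfs_node(child, attrs)
        if v is not None:
            pts.append((idx, v))
    if len(pts) < node.threshold:
        return None
    return lagrange_at_zero(pts[:node.threshold])


def demo(secret, attrs, seed=1):
    """Policy (constructed): 2-of-{doctor, (cardiology AND hospital_A), nurse}."""
    tree = Node(2, [Node(attr="doctor"),
                    Node(2, [Node(attr="cardiology"), Node(attr="hospital_A")]),
                    Node(attr="nurse")])
    share(tree, secret, random.Random(seed))
    return dfs_node(tree, set(attrs))


if __name__ == "__main__":
    print(demo(123456789, ["doctor", "nurse"]))        # root recovers the secret
    print(demo(123456789, ["doctor", "cardiology"]))   # inner AND node unsatisfied -> None
```

The recovered value does not depend on the random coefficients: any threshold-sized subset of child results interpolates to the same Q_x(0), which is exactly why a fog node holding only the outsourcing key can run DfsNode without learning anything from an unsatisfied subtree.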
5.2 User decryption
6. Ciphertext verification
The user verifies the correctness of the decrypted information with the following equation:
e(σ, g) = e(H(M), C')
If the equation holds, the plaintext M is correct; otherwise verification fails and the user uploads a failure record to the reputation management server, containing the user id, the fog node id and the ciphertext id.
7. Fog node trust model
In this scheme, the interaction behaviours of a terminal device with a fog node are outsourced encryption requests, outsourced decryption requests and data transmission requests. The trust of a terminal device in a fog node consists of direct trust and indirect trust. Direct trust depends on the historical interaction results between the terminal and the fog node; indirect trust comprises an audit trust value and a peer entity trust value. The audit trust value is obtained by auditing the historical interaction results of the fog node with all terminals; the peer trust value is the trust in the fog node of a set of terminal devices chosen by a peer selection strategy.
The interaction between terminal device_i and fog node_k is evaluated in three dimensions: availability, reliability and data integrity. Availability is the ability of the fog node to respond to a terminal's request, reliability is its ability to complete an accepted request within the specified time, and data integrity is the correctness of the fog node's outsourced decryption results. The specific calculation is as follows:
where dim_1, dim_2, dim_3 are respectively the availability, reliability and data integrity of node_k towards device_i, Acc is the number of times fog node k accepted a request from terminal i, Sub is the number of requests the terminal submitted, Fin is the number of times the fog node completed the terminal's request and returned a result, and Tru is the number of times the result returned by the fog node passed data integrity verification.
(1) Direct trust value
The direct trust value trust_a(i,k) of terminal device_i in fog node node_k is:
trust_a(i,k) = dim_1 · w_1 + dim_2 · w_2 + dim_3 · w_3
where w_1, w_2, w_3 are the weights of availability, reliability and data integrity respectively, and w_1 + w_2 + w_3 = 1. In particular, when the historical interactions between terminal i and fog node k include no outsourced decryption, the corresponding weight w_3 is set to 0. If terminal i has no interaction record with fog node k, the direct trust value is null.
(2) Audit trust value
The audit trust value reflects the evaluation of fog node k by all terminal devices in the system. Let the access device list of fog node k be L and let trust_b(k) denote the audit trust value of fog node k; it is calculated as:
(3) Peer trust value
Select the n terminal devices with the most interactions with fog node k as peer entities and calculate the peer entity trust value:
The peer entity trust value reflects the trust placed in fog node k by other representative terminal devices in the system.
The reputation of the fog node and the comprehensive trust of terminal device i in fog node k are then expressed in terms of these three trust values.
Reputation value of fog node k: suppose the recommended-node list of fog node k is {node_1, node_2, ..., node_p}. Compute the audit trust value trust_b(k) of fog node k according to (2), and the audit trust values {trust_b(node_1), trust_b(node_2), ..., trust_b(node_p)} of the recommended nodes, then calculate:
where w_α and w_β are weights and w_α + w_β = 1.
Combining the trust values (1), (2) and (3) gives the comprehensive trust value T_{i,k} of terminal i in node k:
T_{i,k} = w_a · trust_a(i,k) + w_b · trust_b(k) + w_c · trust_c(i,k)
where w_a, w_b, w_c are the corresponding weights and w_a + w_b + w_c = 1. Note that when the direct trust value or a recommended-node trust value is null, the corresponding term is dropped from the comprehensive trust value, i.e. its weight is set to 0.
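The trust model of section 7 as an added Python example (not the patent's code). The page lists the counters Acc, Sub, Fin and Tru, but its formulas for dim_1..dim_3, for the audit trust value and for the peer trust value did not survive extraction, so the example assumes dim_1 = Acc/Sub, dim_2 = Fin/Acc, dim_3 = Tru/Fin, the audit trust as the mean direct trust over the node's access device list, the peer trust as the mean direct trust of the n devices that submitted the most requests to the node, and the stated rule that a null component's weight is set to 0. The weights and the interaction history are constructed.

```python
# Added example, not the patent's code: section 7 fog-node trust model.
# Assumed formulas (the page's own were lost in extraction): dim_1 = Acc/Sub, dim_2 = Fin/Acc,
# dim_3 = Tru/Fin; audit trust = mean direct trust over the node's access device list;
# peer trust = mean direct trust of the n devices with the most submitted requests.
from statistics import mean

# Constructed interaction history: (device, fog node) -> counters from the page's definitions.
SAMPLE_HISTORY = {
    ("d1", "k"): {"Acc": 8, "Sub": 10, "Fin": 8, "Tru": 8, "outsourced_decrypt": True},
    ("d2", "k"): {"Acc": 5, "Sub": 5, "Fin": 4, "Tru": 2, "outsourced_decrypt": True},
    ("d3", "k"): {"Acc": 2, "Sub": 4, "Fin": 2, "Tru": 0, "outsourced_decrypt": False},
}


def dimensions(acc, sub, fin, tru):
    """Availability, reliability, data integrity as ratios of the page's counters (assumed)."""
    dim1 = acc / sub if sub else 0.0
    dim2 = fin / acc if acc else 0.0
    dim3 = tru / fin if fin else 0.0
    return dim1, dim2, dim3


def direct_trust(record, w=(0.4, 0.3, 0.3)):
    """(1) trust_a(i,k) = dim_1 w_1 + dim_2 w_2 + dim_3 w_3; None when there is no record."""
    if record is None or record["Sub"] == 0:
        return None
    d1, d2, d3 = dimensions(record["Acc"], record["Sub"], record["Fin"], record["Tru"])
    w1, w2, w3 = w
    if not record.get("outsourced_decrypt", False):
        w3 = 0.0  # page: w_3 is set to 0 when the history holds no outsourced decryption
    return d1 * w1 + d2 * w2 + d3 * w3


def audit_trust(history, k, w=(0.4, 0.3, 0.3)):
    """(2) trust_b(k): aggregate over every device in the node's access device list L."""
    vals = [direct_trust(r, w) for (_, node), r in history.items() if node == k]
    vals = [v for v in vals if v is not None]
    return mean(vals) if vals else None


def peer_trust(history, i, k, n=2, w=(0.4, 0.3, 0.3)):
    """(3) trust_c(i,k): the n peers (other than i) with the most interactions with k."""
    peers = sorted(((r["Sub"], dev) for (dev, node), r in history.items()
                    if node == k and dev != i), reverse=True)[:n]
    vals = [direct_trust(history[(dev, k)], w) for _, dev in peers]
    vals = [v for v in vals if v is not None]
    return mean(vals) if vals else None


def comprehensive_trust(history, i, k, w=(0.5, 0.3, 0.2), n=2):
    """T_{i,k} = w_a trust_a + w_b trust_b + w_c trust_c; a null component's weight becomes 0."""
    parts = (direct_trust(history.get((i, k))), audit_trust(history, k), peer_trust(history, i, k, n))
    return sum(wt * val for wt, val in zip(w, parts) if val is not None)


if __name__ == "__main__":
    print("T(d1,k) =", round(comprehensive_trust(SAMPLE_HISTORY, "d1", "k"), 4))
    print("T(d9,k) =", round(comprehensive_trust(SAMPLE_HISTORY, "d9", "k"), 4))  # d9 has no history
```

One consequence of dropping a null component by zeroing its weight, rather than renormalizing the remaining weights, is visible in the sample: a device with no history (d9) can never score above w_b + w_c, so its T_{i,k} is systematically lower than that of devices with records even when the node behaves identically towards both. A deployment that wants comparable scores across devices would renormalize the surviving weights; the page specifies the zero-weight rule, so the example follows it.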
The main innovation points of the invention are as follows:
1. Attribute mapping scheme based on WordNet: attribute management is simplified, the difficulty of constructing access policies is reduced, and encryption and decryption efficiency is indirectly improved by reducing the number of attributes;
2. Construction of a fog node trust model: risk prediction for fog nodes is carried out through trust measurement, and the reputation of a fog node and the comprehensive trust value of a terminal in the node are calculated over multiple dimensions;
3. Fog node load balancing scheme combining reputation value and trust degree: nodes that do not meet the privacy threshold are first filtered out by reputation value, the remaining fog nodes are then weighted by trust and idle resources, and the proxy fog node is selected with a weighted random load balancing algorithm.
The invention has the following advantages:
According to the invention, the existing attribute-based encryption scheme is optimized through attribute mapping based on semantic reasoning, so that attribute management is simplified, and fine-grained access control of private information in fog computing is realized with the optimized attribute-based encryption technique;
For the current situation of device attribute explosion in Internet of Things environments, the invention combines the heterogeneity of attributes across systems and designs an attribute management mode based on semantic reasoning, which makes it easier for users to set access structures and their own attributes, greatly reduces the number of attributes in the attribute total set, and thereby improves the efficiency of access control;
Because fog nodes are used for outsourced computation and as request proxies, judging the security risk of fog nodes is necessary; the fog node trust model is therefore designed, which improves the security of access control, gives terminal devices a reference standard for selecting fog nodes, and, through the trust-value-weighted load balancing algorithm, makes fuller use of the computing capacity of the fog computing nodes.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (7)
1. A fog computing access control method based on attribute-based encryption and trust model, comprising:
constructing a fog node trust model:
dividing the fog nodes into fog groups, and calculating the reputation of the fog nodes and the trust value of the user terminal in the fog nodes by the management nodes in the fog groups through three dimensions of direct trust, audit trust and peer entity trust;
establishing a semantic optimization attribute-based encryption method:
optimizing an attribute-based encryption method based on attribute mapping of semantic reasoning, and converting character attribute mapping of an access strategy tree and a user into semantic attribute mapping;
carrying out access control in fog computing based on the fog node trust model and the semantic optimization attribute-based encryption method:
the data owner sets an access control strategy tree and a privacy threshold, selects a proxy fog node through a trust-based weight load balancing algorithm, and performs outsourcing encryption and ciphertext uploading through the proxy fog node;
the data visitor firstly acquires the privacy threshold of the target information, then invokes a trust-based weight load balancing algorithm to select the proxy fog node for outsourcing decryption to obtain an intermediate ciphertext, and finally decrypts the intermediate ciphertext to obtain a required plaintext;
and carrying out integrity verification on the plaintext through a short signature algorithm, and uploading a verification result to the fog management node as one of trust evaluation bases.
2. The fog computing access control method of claim 1, wherein
the reputation value of fog node k is calculated as follows:
where w_α and w_β are weights with w_α + w_β = 1, trust_b(k) is the audit trust value of fog node k, and trust_b(i') is the audit trust value of node i' in the recommended-node list {node_1, node_2, ..., node_p} of fog node k;
the comprehensive trust value T_{i,k} of user terminal i in fog node k is:
T_{i,k} = w_a · trust_a(i,k) + w_b · trust_b(k) + w_c · trust_c(i,k)
where w_a, w_b, w_c are weights with w_a + w_b + w_c = 1, trust_a(i,k) is the direct trust of user terminal i in fog node k, trust_b(k) is the audit trust value of fog node k and trust_c(i,k) is the peer entity trust.
3. The fog computing access control method of claim 2, wherein
the direct trust value trust_a(i,k) is calculated as:
trust_a(i,k) = dim_1 · w_1 + dim_2 · w_2 + dim_3 · w_3
where w_1, w_2, w_3 are the weights of availability, reliability and data integrity respectively, w_1 + w_2 + w_3 = 1, and dim_1, dim_2, dim_3 are respectively the availability, reliability and data integrity of fog node k towards user terminal i;
the audit trust value trust_b(k) is calculated as:
where L is the access device list of fog node k;
the peer trust trust_c(i,k) is calculated as:
where n denotes the n terminals with the most interactions with fog node k.
4. The fog computing access control method of claim 3, wherein dim_1, dim_2, dim_3 are calculated respectively as:
where Acc is the number of times fog node k accepted a request from terminal i, Sub is the number of requests the terminal submitted, Fin is the number of times the fog node completed the terminal's request and returned a result, and Tru is the number of times the result returned by the fog node passed data integrity verification.
5. The fog-computing access control method of claim 1, wherein the converting the character attribute map of the access policy tree and the user into the semantic attribute map comprises:
performing semantic mapping on the attributes to be used in the policy tree, converting them through semantic reasoning into concept attributes of the attribute total set, and then setting the threshold access policy tree using those concept attributes;
mapping the attributes in the user's attribute list to concept attributes of the attribute total set using WordNet-based semantic reasoning: taking each user attribute value x as the starting point, WordNet is used to infer the synonym set and hypernym set of x, and the IDs of these sets are merged to obtain the user's concept attribute set.
6. The fog computing access control method of claim 1, wherein the method of selecting the proxy fog node comprises:
filtering the fog node list L_0 for nodes whose reputation value is greater than or equal to ε, to obtain a new fog node list L;
calculating the comprehensive trust value of the user terminal device in each fog node in L according to the fog node trust model, calculating the weight of each fog node by combining it with the node's idle resources, and then selecting the candidate proxy fog node from the list L with a weighted random load balancing algorithm; the idle resource quantity of each fog node in L is first normalized, giving converted quantities {RS(1), RS(2), ..., RS(n)} in the interval [0,1];
the weight of fog node k is calculated as:
weight(k) = α · T_{i,k} + β · RS(k)
where α and β are weight factors and α + β = 1.
7. The fog-computing access control method of claim 1, wherein the decrypted information is integrity verified using a BLS signature verification algorithm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310054749.3A CN116204917A (en) | 2023-02-03 | 2023-02-03 | Fog computing access control method based on attribute-based encryption and trust model |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116204917A true CN116204917A (en) | 2023-06-02 |
Family
ID=86518429
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310054749.3A Pending CN116204917A (en) | 2023-02-03 | 2023-02-03 | Fog computing access control method based on attribute-based encryption and trust model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116204917A (en) |
- 2023-02-03 CN CN202310054749.3A patent/CN116204917A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |