CN116204917A - Fog computing access control method based on attribute-based encryption and trust model (Google Patents)

Info

Publication number
CN116204917A
Authority
CN
China
Prior art keywords
fog
trust
node
attribute
fog node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310054749.3A
Other languages
Chinese (zh)
Inventor
何泾沙
何海洋
朱娜斐
王虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 - Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 - Protecting personal data, e.g. for financial or medical purposes
    • G06F21/602 - Providing cryptographic facilities or services


Abstract

The invention discloses a fog computing access control method based on attribute-based encryption and a trust model, comprising the following steps: constructing a fog node trust model: the reputation of a fog node, and the trust value of a user terminal in that fog node, are calculated from three dimensions, namely direct trust, audit trust and peer entity trust; establishing a semantically optimized attribute-based encryption method: the attribute-based encryption method is optimized through attribute mapping based on semantic reasoning, converting the character-string attribute mapping of the access policy tree and of the user into a semantic attribute mapping; performing access control in fog computing based on the fog node trust model and the semantically optimized attribute-based encryption method: the data owner sets an access control policy tree and a privacy threshold, selects a proxy fog node through a trust-based weighted load balancing algorithm, and performs outsourced encryption and ciphertext upload through the proxy fog node; the data visitor acquires the privacy threshold of the target information, calls a proxy fog node to perform outsourced decryption and obtain an intermediate ciphertext, and decrypts the intermediate ciphertext to obtain the required plaintext.

Description

Fog computing access control method based on attribute-based encryption and trust model
Technical Field
The invention relates to the technical field of information security, in particular to a fog computing access control method based on attribute-based encryption and a trust model.
Background
Internet of things devices and applications are growing, and will continue to grow, at a staggering rate, bringing many new devices and applications that require lower latency, location awareness, mobility support and so on. Centralized cloud computing no longer meets the requirements of Internet of things scenarios, and fog computing has emerged as a result. Fog computing is composed of a large number of fog nodes distributed near the user terminals, so it can provide terminal applications with faster request response, location awareness, real-time analysis and the like, meeting the low-latency, location-aware and geographically distributed requirements of Internet of things devices and applications.
While fog computing provides many benefits, it also faces various security and privacy concerns. Privacy protection in fog computing is more challenging than with remote cloud servers at the core network, because fog server nodes adjacent to end nodes may collect sensitive data about identity, location and utility usage, and the compromise of an insecure edge node may serve as an entry point for intruders into the network. Once an intruder is inside the network, private data exchanged between entities can be mined and stolen, and communication between fog architectures can also lead to privacy disclosure. Although some existing solutions from cloud computing environments can address many of the security and privacy issues in fog computing, the unique characteristics of fog computing, such as the strong mobility of terminal devices, their extremely large number and the limited computing resources of fog nodes, present new security and privacy challenges. Therefore, protecting user data security in the fog computing environment has important research significance.
To ensure data security in cloud computing, a common practice is to protect information with access control. Access control means using various techniques to define the access of subjects to object data resources. In the traditional role-based access control scheme in cloud computing, the concept of a 'role' is placed between a user and a permission: the permissions of the role are set first, and authorization then takes place by assigning the role to the user. In an Internet of things with a huge number of terminals, the workload of this authorization mode is very large, and because access control permissions are granted through roles at coarse granularity, an efficient, fine-grained access control method suited to the fog computing scenario needs to be designed. Access control based on ciphertext-policy attribute-based encryption (CP-ABE) is widely used as the access control mode of distributed systems. In a CP-ABE system, the data owner encrypts under a policy formulated over an attribute set; the private key of each data visitor in the system depends on the attributes that visitor holds, and the information can be decrypted successfully only when the attributes in the user's private key match the policy in the ciphertext, which flexibly realizes fine-grained access control. However, conventional attribute-based encryption cannot be applied directly to the fog computing scenario, mainly because of the following problems:
(1) Traditional attribute-based encryption is computationally complex and hard to bear for Internet of things devices with limited computing resources;
(2) Attribute management in attribute-based encryption is complicated, and for scenarios such as Internet of things devices the complexity increases greatly;
(3) Access policies are difficult to construct, since all attributes in the attribute universe and their various combinations need to be considered;
(4) Fog computing devices are not fully trusted, and it cannot be determined that they would not steal private information during data transmission;
(5) How to select a fog node, and how to make full use of the computing power of fog nodes while protecting information security, is also a concern.
There are some attribute-based encryption studies that use fog nodes for outsourced computation, but these schemes pay little attention to attribute management, the complexity of constructing access policies, trust metrics for fog nodes, reasonable allocation of computing resources, and so on.
In conclusion, the design of a safe and efficient access control method suited to the cloud computing architecture has important significance.
Disclosure of Invention
Aiming at the defects existing in the prior art, the invention provides a fog computing access control method based on attribute-based encryption and trust model.
The invention discloses a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps:
constructing a fog node trust model:
dividing the fog nodes into fog groups, where the management node of each fog group calculates the reputation of the fog nodes, and the trust value of the user terminal in the fog nodes, from three dimensions: direct trust, audit trust and peer entity trust;
establishing a semantic optimization attribute-based encryption method:
optimizing the attribute-based encryption method through attribute mapping based on semantic reasoning, converting the character-string attribute mapping of the access policy tree and of the user into a semantic attribute mapping;
performing access control in fog computing based on the fog node trust model and the semantically optimized attribute-based encryption method:
the data owner sets an access control policy tree and a privacy threshold, selects a proxy fog node through a trust-based weighted load balancing algorithm, and performs outsourced encryption and ciphertext upload through the proxy fog node;
the data visitor first acquires the privacy threshold of the target information, then invokes the trust-based weighted load balancing algorithm to select a proxy fog node for outsourced decryption, obtaining an intermediate ciphertext, and finally decrypts the intermediate ciphertext to obtain the required plaintext;
and the plaintext is integrity-verified with a short signature algorithm, and the verification result is uploaded to the fog management node as one basis of the trust evaluation.
As a further improvement of the present invention,
the reputation $\mathrm{reputation}_k$ of fog node k is calculated as follows:
Figure BDA0004060075180000031
where $w_\alpha$ and $w_\beta$ are weights with $w_\alpha + w_\beta = 1$, $\mathrm{trust}_b(k)$ is the audit trust value of fog node k, and $\mathrm{trust}_b(i')$ is the audit trust value of a node $i'$ in the recommended node list $\{node_1, node_2, \ldots, node_p\}$ of fog node k;
the comprehensive trust value $T_{i,k}$ of user terminal i in fog node k is:
$T_{i,k} = w_a \cdot \mathrm{trust}_a(i,k) + w_b \cdot \mathrm{trust}_b(k) + w_c \cdot \mathrm{trust}_c(i,k)$
where $w_a$, $w_b$, $w_c$ are weights with $w_a + w_b + w_c = 1$, $\mathrm{trust}_a(i,k)$ is the direct trust of user terminal i in fog node k, $\mathrm{trust}_b(k)$ is the audit trust value of fog node k, and $\mathrm{trust}_c(i,k)$ is the peer entity trust.
As a further improvement of the present invention,
the direct trust value $\mathrm{trust}_a(i,k)$ is calculated as:
$\mathrm{trust}_a(i,k) = dim_1 \cdot w_1 + dim_2 \cdot w_2 + dim_3 \cdot w_3$
where $w_1$, $w_2$, $w_3$ are the weights of availability, reliability and data integrity respectively, with $w_1 + w_2 + w_3 = 1$, and $dim_1$, $dim_2$, $dim_3$ are the availability, reliability and data integrity of fog node k towards user terminal i respectively;
the audit trust value $\mathrm{trust}_b(k)$ is calculated as:
Figure BDA0004060075180000041
where L is the access device list of fog node k;
the peer trust $\mathrm{trust}_c(i,k)$ is calculated as:
Figure BDA0004060075180000042
where n denotes the first n terminals with the largest number of interactions with fog node k.
As a further improvement of the invention, $dim_1$, $dim_2$, $dim_3$ are calculated respectively as follows:
Figure BDA0004060075180000043
Figure BDA0004060075180000044
Figure BDA0004060075180000045
where Acc is the number of times fog node k accepts a request from terminal i, Sub is the number of requests the terminal submits, Fin is the number of times the fog node completes the terminal's request and returns a result, and Tru is the number of times the result returned by the fog node passes data integrity verification.
As a further improvement of the present invention, the converting the character attribute mapping of the access policy tree and the user into the semantic attribute mapping includes:
performing semantic mapping on attributes to be used in the strategy tree, converting the attributes into concept attributes in the attribute total set through semantic reasoning, and then performing threshold value access strategy tree setting by using the concept attributes;
mapping the attribute in the attribute list of the user to the conceptual attribute in the attribute total set by using semantic reasoning based on WordNet, and merging IDs of the synonym set and the superword set by using the WordNet reasoning of the synonym set and the superword set by taking the attribute value x of the user as a starting point to obtain the conceptual attribute set of the user.
As a further improvement of the present invention, the method for selecting a proxy fog node includes:
screening the fog node list $L_0$ for nodes whose reputation value is greater than or equal to $\varepsilon$, obtaining a new fog node list L;
calculating the comprehensive trust value of the user terminal device in each fog node in L according to the fog node trust model, calculating the weight of each fog node in combination with its idle resources, and then selecting the candidate proxy fog node from list L with a weighted random load balancing algorithm; first the idle resource quantities of the fog nodes in L are normalized, so that the converted idle resource quantities $\{RS(1), RS(2), \ldots, RS(n)\}$ lie in the interval $[0,1]$;
the weight of fog node k is calculated as:
$\mathrm{weight}(k) = \alpha \cdot T_{i,k} + \beta \cdot RS(k)$
where $\alpha$ and $\beta$ are weight factors with $\alpha + \beta = 1$.
As a further improvement of the present invention, the integrity verification of the decrypted information is performed using a BLS signature verification algorithm.
Compared with the prior art, the invention has the beneficial effects that:
According to the invention, the existing attribute-based encryption scheme is optimized through attribute mapping based on semantic reasoning, which simplifies attribute management, and fine-grained access control of private information in fog computing is realized with the optimized attribute-based encryption technique; the fog node trust model and the node state evaluation mechanism let devices select better-quality fog computing nodes, further ensuring the usability and safety of the system.
Drawings
FIG. 1 is a diagram of the system model for implementing the fog computing access control method according to one embodiment of the present invention;
FIG. 2 is a schematic diagram of an access policy tree disclosed in an embodiment of the present invention.
In the figure:
CSP: the cloud service provider, mainly responsible for storing information and providing an interface through which users access it;
FN: a fog node, which has a geographic location and is mainly responsible for providing outsourced computing capability to nearby user devices;
FN management node: the fog management node, which audits the historical interaction behaviour between terminals and fog nodes, and evaluates and manages the trust values of the fog nodes;
Data Owner: a data owner;
Data User: a data user;
CA: the central authority, which generates the public parameters and master key for the whole system;
AA: the attribute authority, responsible for attribute management of the system and for user key generation.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention is described in further detail below with reference to the attached drawing figures:
the invention provides a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps:
1. system initialization
Setting a system public parameter PP and a master key MK; the attribute authority sets an attribute corpus S, optimizes the attribute corpus through a semantic reasoning module, reduces the number of attributes in the system, and then generates an attribute public key and an attribute private key for each attribute in the attribute corpus managed by the attribute authority.
The optimization processing of the semantic reasoning module to the attribute corpus is specifically as follows: dividing the attribute corpus by the synonym set in the semantic knowledge base, merging the attributes with the same semantics, using the unique number of the synonym set to represent the merging result, and each attribute after merging represents a concept in the semantic knowledge base, wherein the concept attributes form a new attribute set.
2. Fog node registration and internet of things equipment registration
The fog node registration specifically comprises the following steps:
A fog node registers, a unique identifier nid is generated for it, its node information is recorded and a reputation value is initialized for it. Fog node registration can be recommended by other fog nodes already registered in the system, with at most m recommending fog nodes, and the initial reputation value $C_{FN}$ of the fog node is correlated with the reputation values of the recommending fog nodes.
The registration of the Internet of things equipment is specifically as follows:
The Internet of things devices in the system shown in fig. 1 can be logically divided into data owners DO and data users DU. Registration of a data owner only needs to generate a unique identifier uid, while registration of a data visitor additionally needs to perform terminal attribute verification and generate its attribute list $S_{uid}$. In a practical system, one Internet of things device may be both a data owner and a data user. In the following, unless otherwise specified, "user" and "data visitor" denote an Internet of things terminal device with the data access function.
3. User key generation
The system performs identity verification on the user terminal, and acquires the attribute set of the user in the system after the verification is successful.
Mapping the attribute in the attribute list of the user to the conceptual attribute in the attribute total set by using semantic reasoning based on WordNet, and merging IDs of the synonym set and the superword set by using the WordNet reasoning of the synonym set and the superword set by taking the attribute value x of the user as a starting point to obtain the conceptual attribute set of the user.
The attribute authority then uses the intersection of the attribute set and the full set of attributes to generate a user key for the user, including an outsource decryption key and a user decryption key.
4. Data upload
4.1 setting Access control policy and privacy threshold
The access control policy is expressed by using a threshold access policy tree as shown in fig. 2, a leaf node represents an attribute, a non-leaf node represents a threshold, a root node stores a secret value s, secret value distribution is carried out on the child nodes, and only an attribute set key meeting an attribute condition can decrypt the secret value of the root node. Firstly, carrying out semantic mapping on attributes to be used in a strategy tree, converting the attributes into concept attributes in a total set of attributes through semantic reasoning, and then setting a threshold access strategy tree by using the concept attributes. And setting a privacy threshold epsilon according to the importance of the privacy of the uploaded information, and taking the privacy threshold epsilon as a tag of the ciphertext.
4.2 agent fog node load balancing algorithm
Assume that the list of fog nodes in the fog group is $L_0$. The fog management node selects a better fog node as the proxy of the terminal device by the following steps:
Step 1: screen the fog node list $L_0$ for nodes whose reputation value is greater than or equal to $\varepsilon$, obtaining a new fog node list L. If L is empty, no suitable proxy fog node exists in the current vicinity and the DO encrypts and uploads the information itself; otherwise, execute step 2;
Step 2: calculate the comprehensive trust value of the user terminal device in each fog node in L according to the fog node trust model, calculate the weight of each fog node in combination with its idle resources, and then select the candidate proxy fog node from list L with a weighted random load balancing algorithm. First the idle resource quantities of the fog nodes in L are normalized, so that the converted idle resource quantities $\{RS(1), RS(2), \ldots, RS(n)\}$ lie in the interval $[0,1]$. The weight of fog node k is calculated as:
$\mathrm{weight}(k) = \alpha \cdot T_{i,k} + \beta \cdot RS(k)$
where $\alpha$ and $\beta$ are weight factors with $\alpha + \beta = 1$.
4.3 data owner encryption
First, a symmetric key k is generated at random and the information is encrypted with a symmetric encryption algorithm to obtain ciphertext $CT_1$; then two secret values are generated, and k is encrypted with the system public parameters and a secret value to obtain ciphertext $CT_2$; one of the secret values and the access tree T are sent to the proxy fog node for outsourced computation. A public/private key pair is generated with the BLS short signature algorithm, the message is signed with the private key, and the signature and the public key are embedded in the ciphertext to be uploaded together.
4.4 fog node outsourcing calculation
The proxy fog node is responsible for access policy tree preprocessing, secret value distribution and the other operations of the encryption process, producing ciphertext $CT_3$. In particular, if the fog node load balancing algorithm finds no suitable fog node, all encryption computation is completed by the data owner. Finally, the ciphertexts $CT_1$, $CT_2$, $CT_3$, the digital signature, the signature public key and the privacy threshold are combined into the final ciphertext CT, which is uploaded to the cloud server.
5. Data access
A user requests the ciphertext from the cloud server and selects a proxy fog node with the fog node load balancing algorithm of step 4. If a fog node meeting the reputation condition exists, the outsourcing key is sent to that fog node, which performs outsourced decryption and returns an intermediate ciphertext; the user key is then used for the low-cost decryption of the intermediate ciphertext, yielding the symmetric key k set by the data owner, and finally the ciphertext is decrypted with k to obtain the final plaintext. Otherwise, the user device completes all decryption operations itself.
6. Ciphertext verification
The decrypted information is integrity-verified with the BLS signature verification algorithm, ensuring that it has not been tampered with, and the verification result is fed back to the fog management node.
The BLS short signature algorithm defines a hash function $H: \{0,1\}^* \to G$, where G is a multiplicative cyclic group of prime order p with generator g. The specific steps are as follows:
Step 1, key generation: the data owner selects a random number $x \in Z_p^*$ and calculates $v = g^x$; the public key is v and the private key is x;
Step 2, signing: the data owner computes $\sigma = H(m)^x$ on the plaintext m, and embeds $\sigma$ and v in the ciphertext to be uploaded together;
Step 3, verification: the data visitor checks whether m has been tampered with by verifying $e(\sigma, g) = e(H(m), v)$.
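Why the check in step 3 accepts exactly the signatures made with x, as an added derivation that is not part of the patent text, using the bilinearity of the pairing e:

$$e(\sigma, g) = e(H(m)^x, g) = e(H(m), g)^x = e(H(m), g^x) = e(H(m), v)$$

If the decrypted plaintext $m'$ differs from m, then $H(m') \neq H(m)$ (for a collision-resistant H) and the equality fails, so the data visitor detects the tampering without needing the private key x.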
7. Fog node trust model
The interaction behavior of the terminal equipment to the fog node comprises an outsourcing encryption request, an outsourcing decryption request and a data transmission request. The trust of the terminal equipment for the fog node consists of direct trust and indirect trust. Direct trust depends on the historical interaction results of the terminal and the fog node; the indirect trust comprises an audit trust value and a peer entity trust value, wherein the audit trust value is obtained by auditing historical interaction results of the fog node and all terminals; the peer trust value is the trust of some terminal devices to the fog node calculated by selecting some terminal devices through a peer selection strategy.
The trust between terminal $device_i$ and fog node $node_k$ is evaluated from three dimensions: availability, reliability and data integrity. Availability is the fog node's capacity to respond to the terminal's requests, reliability is its capacity to finish accepted requests within the specified time, and data integrity is the correctness of the fog node's outsourced decryption results. The specific calculation is as follows:
Figure BDA0004060075180000091
Figure BDA0004060075180000092
Figure BDA0004060075180000093
where $dim_1$, $dim_2$, $dim_3$ are the availability, reliability and data integrity of $node_k$ for $device_i$ respectively, Acc is the number of times fog node k accepts a request from terminal i, Sub is the number of requests the terminal submits, Fin is the number of times the fog node completes the terminal's request and returns a result, and Tru is the number of times the result returned by the fog node passes data integrity verification.
(1) Direct trust value
The direct trust value $\mathrm{trust}_a(i,k)$ of terminal $device_i$ in fog node $node_k$ is:
$\mathrm{trust}_a(i,k) = dim_1 \cdot w_1 + dim_2 \cdot w_2 + dim_3 \cdot w_3$
where $w_1$, $w_2$, $w_3$ are the weights of availability, reliability and data integrity respectively, and $w_1 + w_2 + w_3 = 1$. In particular, when the historical interaction between terminal i and fog node k includes no outsourced decryption, the corresponding weight $w_3$ is set to 0. If terminal i has no interaction record with fog node k, the direct trust value is null.
(2) Auditing trust values
The audit trust value reflects the evaluation of the fog node by all terminal devices in the system. Let the access device list of fog node k be L; $\mathrm{trust}_b(k)$, the audit trust value of fog node k, is calculated as:
Figure BDA0004060075180000094
(3) peer trust value
Selecting the first n terminal devices with the largest interaction times with the fog node k as peer entities, and calculating the trust value of the peer entities:
Figure BDA0004060075180000095
the trust value of the peer entity reflects the trust condition of other representative terminal equipment in the system on the fog node k.
And the credit of the fog node and the comprehensive trust degree of the terminal equipment i to the fog node k are expressed according to the three trust value calculation methods.
Reputation value $\mathrm{reputation}_k$ of fog node k: suppose the recommended node list of fog node k is $\{node_1, node_2, \ldots, node_p\}$. According to (2), calculate the audit trust value $\mathrm{trust}_b(k)$ of fog node k and the audit trust values $\{\mathrm{trust}_b(node_1), \mathrm{trust}_b(node_2), \ldots, \mathrm{trust}_b(node_p)\}$ of the recommended node list, then calculate:
Figure BDA0004060075180000101
where $w_\alpha$ and $w_\beta$ are weights with $w_\alpha + w_\beta = 1$.
Combining the trust values of (1), (2) and (3) gives the comprehensive trust value $T_{i,k}$ of terminal i in node k:
$T_{i,k} = w_a \cdot \mathrm{trust}(device_i, node_k) + w_b \cdot \mathrm{trust}(device_L, node_k) + w_c \cdot \mathrm{trust}(device_i, node_{FL})$
where $w_a$, $w_b$, $w_c$ are the corresponding weights with $w_a + w_b + w_c = 1$. Note that when the direct trust value or a recommended node's trust value is null, the corresponding part is removed from the calculation of the comprehensive trust value, i.e. the corresponding weight is set to 0.
The main function of the model is to calculate the reputation value $\mathrm{reputation}_k$ of fog node k in the system and the comprehensive trust value $T_{i,k}$ of terminal device i in node k.
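The trust model of section 7 and the proxy selection procedure of section 4.2, combined in one added example that is not the patent's own code. The patent supplies the formulas for $dim_1$..$dim_3$, the audit and peer trust values and $\mathrm{reputation}_k$ only as images, so the ratio and averaging forms below, the renormalisation of weights after a null component is dropped, and min-max normalisation of idle resources are assumptions; the sample fog group is constructed.

```python
# Added example (not from the patent): fog node trust model and trust-based
# weighted proxy fog node selection. Ratios, averages, weight renormalisation
# and the min-max normalisation of RS(k) are ASSUMPTIONS; see comments.
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interactions:
    """Counters the fog management node keeps per (terminal i, fog node k) pair."""
    sub: int = 0          # Sub: requests submitted by the terminal
    acc: int = 0          # Acc: requests accepted by the fog node
    fin: int = 0          # Fin: accepted requests finished with a returned result
    tru: int = 0          # Tru: returned results that passed integrity verification
    outsourced_decrypt: bool = False  # any outsourced decryption in the history?


@dataclass
class FogNode:
    nid: str
    free_resources: float                          # raw idle resource amount
    recommenders: List[str] = field(default_factory=list)
    history: Dict[str, Interactions] = field(default_factory=dict)  # by terminal uid


def dims(h: Interactions):
    """dim_1 availability, dim_2 reliability, dim_3 data integrity (ASSUMED ratios)."""
    dim1 = h.acc / h.sub if h.sub else 0.0
    dim2 = h.fin / h.acc if h.acc else 0.0
    dim3 = h.tru / h.fin if h.fin else 0.0
    return dim1, dim2, dim3


def direct_trust(node: FogNode, uid: str, w=(0.4, 0.3, 0.3)) -> Optional[float]:
    """trust_a(i,k) = dim1*w1 + dim2*w2 + dim3*w3; None if i never interacted with k.
    No outsourced decryption -> w3 = 0 (page rule); renormalising w1, w2 is assumed."""
    h = node.history.get(uid)
    if h is None or h.sub == 0:
        return None
    w1, w2, w3 = w
    if not h.outsourced_decrypt:
        w1, w2, w3 = w1 / (w1 + w2), w2 / (w1 + w2), 0.0
    d1, d2, d3 = dims(h)
    return d1 * w1 + d2 * w2 + d3 * w3


def _mean(vals: List[Optional[float]]) -> Optional[float]:
    live = [v for v in vals if v is not None]
    return sum(live) / len(live) if live else None


def audit_trust(node: FogNode) -> Optional[float]:
    """trust_b(k): mean direct trust over the node's access device list L (ASSUMED mean)."""
    return _mean([direct_trust(node, u) for u in node.history])


def peer_trust(node: FogNode, uid: str, n: int = 3) -> Optional[float]:
    """trust_c(i,k): mean direct trust of the n terminals (other than i) that interacted most with k."""
    peers = sorted((u for u in node.history if u != uid),
                   key=lambda u: node.history[u].sub, reverse=True)[:n]
    return _mean([direct_trust(node, u) for u in peers])


def reputation(node: FogNode, nodes: Dict[str, FogNode],
               w_alpha: float = 0.6, w_beta: float = 0.4) -> float:
    """reputation_k = w_alpha*trust_b(k) + w_beta*mean trust_b(recommenders) (ASSUMED form);
    with no recommender trust available that part's weight is set to 0 (page rule)."""
    own = audit_trust(node) or 0.0
    rec = _mean([audit_trust(nodes[r]) for r in node.recommenders if r in nodes])
    return own if rec is None else w_alpha * own + w_beta * rec


def composite_trust(node: FogNode, uid: str, nodes: Dict[str, FogNode],
                    w=(0.5, 0.3, 0.2)) -> float:
    """T_{i,k}: null components get weight 0 (page rule); remaining weights renormalised (assumed)."""
    parts = [(w[0], direct_trust(node, uid)), (w[1], audit_trust(node)),
             (w[2], peer_trust(node, uid))]
    live = [(wt, v) for wt, v in parts if v is not None]
    if not live:
        return 0.0
    return sum(wt * v for wt, v in live) / sum(wt for wt, _ in live)


def select_proxy(uid: str, nodes: Dict[str, FogNode], epsilon: float,
                 alpha: float = 0.7, beta: float = 0.3,
                 rng: Optional[random.Random] = None) -> Optional[str]:
    """Steps 1-2 of section 4.2; None when no node in L0 reaches epsilon (DO encrypts itself)."""
    L = [n for n in nodes.values() if reputation(n, nodes) >= epsilon]
    if not L:
        return None
    lo, hi = min(n.free_resources for n in L), max(n.free_resources for n in L)
    rs = {n.nid: (n.free_resources - lo) / (hi - lo) if hi > lo else 1.0 for n in L}
    weights = [alpha * composite_trust(n, uid, nodes) + beta * rs[n.nid] for n in L]
    return (rng or random.Random(0)).choices([n.nid for n in L], weights=weights, k=1)[0]


# Constructed sample fog group (not from the patent): fn3 drops and corrupts requests.
SAMPLE_NODES = {
    "fn1": FogNode("fn1", 80, ["fn2"], {"dev1": Interactions(10, 10, 10, 10, True),
                                        "dev2": Interactions(8, 8, 7, 7, True)}),
    "fn2": FogNode("fn2", 20, [], {"dev1": Interactions(10, 9, 9, 9, True),
                                   "dev3": Interactions(5, 5, 5, 5, False)}),
    "fn3": FogNode("fn3", 100, ["fn1"], {"dev2": Interactions(10, 5, 2, 1, True)}),
}
```

With a privacy threshold of 0.9 the low-integrity node fn3 is screened out before the weighted draw, and with 0.99 no node qualifies so the data owner encrypts locally.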
Examples:
the invention provides a fog computing access control method based on attribute-based encryption and trust model, which comprises the following steps:
1. system initialization
1.1 public parameters and master Key Generation
The CA first selects a bilinear map $e: G \times G \to G_0$ according to a random security parameter $\tau$, where G is a multiplicative cyclic group of prime order p with generator g, randomly selects $\alpha, \beta \in Z_p$ and $h \in G$, and a hash function $H: \{0,1\}^* \to Z_p$. The public parameters are $PP = (G, G_0, p, g, g^\alpha, h, H, e(g,g)^\beta)$ and the master key is $MK = \{\alpha, g^\beta\}$.
1.2 Attribute set Pre-processing
The attribute universe is preprocessed: the managed attribute universe is set for each attribute authority, and each attribute universe is preprocessed with a WordNet semantic reasoning module. The attribute universe is partitioned by the synonym sets in WordNet, attributes with the same meaning are merged, the merge result is represented by the unique number of the synonym set (the Lexicographer ID), and each merged attribute represents a concept in the semantic knowledge base; these concept attributes form the new attribute set.
The beneficial effects of this processing are: a standardized semantic attribute set is established, which facilitates the setting of access policies and the mapping of user attributes, and the number of attributes in the set is greatly reduced, lowering the complexity of attribute management and the computing cost.
1.3 Attribute authority initialization
Assume there are N attribute authorities in total; the attribute set managed by each attribute authority is $S_i$ ($i \in N$), and the attribute sets do not intersect. Each attribute authority selects a random number $t_i \in Z_p$ and, for each attribute x in $S_i$, a random number $b_x \in Z_p$, generating
Figure BDA0004060075180000111
and
Figure BDA0004060075180000112
2. Fog node registration and internet of things equipment registration
The fog node registration specifically comprises the following steps:
The fog node performs fog node registration: a unique identifier nid is generated for it, its node information is recorded and a reputation value is initialised for it. Fog node registration can be recommended by other fog nodes already registered in the system, with at most m recommending fog nodes, and the initial reputation value C_FN of the fog node is correlated with the reputation values of the recommending fog nodes.
The registration of the Internet of things equipment is specifically as follows:
The Internet of Things devices in the system are logically divided into data owners (DO) and data users (DU). Registration of a data owner only requires generating a unique identifier uid; registration of a data visitor additionally requires terminal attribute verification, which generates the attribute list S_uid.
3. Key generation
(uid,PP,ASK)→{SK,SK’}
3.1 user Attribute semantic mapping based on WordNet
First, the attribute list S_uid registered by the user is queried according to the uid. Then the attributes in the user's attribute list are mapped to concept attributes in the attribute total set by semantic reasoning based on WordNet: taking each user attribute value x as a starting point, WordNet is used to infer the synonym set and the hypernym (superword) set of x, and the IDs of the synonym set and the hypernym set are merged to obtain the new attribute list S'_uid.
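The synonym merge of 1.2 and the synset/hypernym expansion of 3.1, as an added Python example that is not part of the patent. The patent uses WordNet itself; here the six-concept synset table, the concept ids (standing in for Lexicographer IDs), the hypernym links and the attribute strings are constructed for the demo, and the hypernym closure is one reading of the "superword set" merge:

```python
from typing import Dict, Iterable, Set

# Constructed miniature WordNet: concept id (stands in for the Lexicographer ID the
# patent uses), the synonym set (lemmas) and the hypernym ("superword") concepts.
SYNSETS: Dict[str, dict] = {
    "concept:staff":               {"lemmas": {"staff", "employee", "worker"},      "hypernyms": set()},
    "concept:health_professional": {"lemmas": {"health professional", "clinician"}, "hypernyms": {"concept:staff"}},
    "concept:physician":           {"lemmas": {"physician", "doctor", "medic"},      "hypernyms": {"concept:health_professional"}},
    "concept:nurse":               {"lemmas": {"nurse"},                            "hypernyms": {"concept:health_professional"}},
    "concept:department":          {"lemmas": {"department", "unit"},               "hypernyms": set()},
    "concept:cardiology":          {"lemmas": {"cardiology", "heart department"},   "hypernyms": {"concept:department"}},
}
_LEMMA_TO_CONCEPT = {lemma: cid for cid, s in SYNSETS.items() for lemma in s["lemmas"]}


def to_concept(attribute: str) -> str:
    """Section 1.2 merge step: map a raw attribute string to the id of its synonym set."""
    key = " ".join(attribute.lower().split())          # case/whitespace normalisation
    try:
        return _LEMMA_TO_CONCEPT[key]
    except KeyError:
        raise KeyError(f"attribute {attribute!r} is not in the attribute corpus") from None


def normalise_corpus(raw: Iterable[str]) -> Set[str]:
    """Merge synonymous attributes so the corpus shrinks to one entry per concept."""
    return {to_concept(a) for a in raw}


def expand_user_attributes(raw: Iterable[str]) -> Set[str]:
    """Section 3.1: from each user attribute x take its synset id plus all hypernym ids."""
    concepts: Set[str] = set()
    for a in raw:
        stack = [to_concept(a)]
        while stack:
            cid = stack.pop()
            if cid in concepts:
                continue
            concepts.add(cid)
            stack.extend(SYNSETS[cid]["hypernyms"])
    return concepts


def matched_policy_leaves(policy_raw: Iterable[str], user_raw: Iterable[str]) -> Set[str]:
    """Policy leaves (raw strings) that the user's expanded concept set satisfies."""
    return normalise_corpus(policy_raw) & expand_user_attributes(user_raw)


if __name__ == "__main__":
    print(normalise_corpus(["Doctor", "physician", "MEDIC", "nurse"]))
    print(expand_user_attributes(["doctor"]))
    print(matched_policy_leaves(["clinician", "cardiology"], ["doctor", "Heart  Department"]))
```

Two points worth noticing when running this: hypernym expansion widens the user's attribute set (a "doctor" also satisfies a "clinician" or "staff" leaf), so policy authors must choose leaves at the intended level of generality; and because the expanded list S'_uid feeds key generation, the mapping has to be computed by the CA/AA from the verified list S_uid, never taken from the user.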
3.2 user Key Generation
AA_i computes, for each attribute x ∈ S_i ∩ S'_uid,
Figure BDA0004060075180000113
Let the user's attribute private key be SK_AA = {D'_x}. AA_i sends SK_AA to the CA. After receiving the user's attribute private key, the CA selects random numbers λ, θ ∈ Z_p and computes D = g^{β+αλ}, D_1 = g^{αλ} h^θ, D_2 = g^θ,
Figure BDA0004060075180000121
The user's private key SK and outsourcing key SK' are output as:
SK = {D = g^{β+αλ}}
Figure BDA0004060075180000122
4. data upload
4.1 setting Access policy and privacy threshold
First, the attributes to be used in the policy tree are semantically mapped: they are converted into concept attributes of the attribute total set by semantic reasoning, and the threshold access policy tree is then built from this concept attribute set. A privacy threshold ε is set according to how sensitive the uploaded information is, and ε is attached to the uploaded content as a label.
4.2 agent fog node load balancing algorithm
Suppose the list of fog nodes in a fog group is L_0. The fog management node selects a suitable fog node as proxy for the terminal device by the following steps:
Step 1: filter the fog node list L_0, keeping the nodes whose reputation value is greater than or equal to ε, to obtain a new fog node list L. If L is empty, no suitable proxy fog node exists in the current vicinity and the DO encrypts and uploads the information by itself; otherwise go to step 2.
Step 2: calculate the comprehensive trust value of the user terminal device towards each fog node in L according to the fog node trust model, compute the weight of each fog node by combining that trust value with the node's idle resources, and then select the candidate proxy fog node from L with a weighted random load balancing algorithm. First the idle resource quantity of each fog node in L is normalised; the converted idle resource quantities are {RS(1), RS(2), ..., RS(n)}, each in the interval [0,1]. The weight of fog node k is calculated as:
weight(k) = α·T_{i,k} + β·RS(k)
where α and β are weight factors with α + β = 1.
The benefit of this node load balancing algorithm is that it combines the privacy level of the information, the reputation value of the fog node in the system, the user's trust value for the fog node and the node's idle resources, and thus selects a high-quality fog node as proxy.
4.3 DO encryption algorithm
DO first selects a symmetric key k and symmetrically encrypts the data M, obtaining the ciphertext SE_k(M). It then randomly selects u, v ∈ Z_p with s = u + v, s ∈ Z_p, computes C = k·e(g,g)^{βs}, C' = g^s, C_1 = g^v, C_2 = h^v, σ = H(M)^s, and generates the ciphertext CT_1 = {SE_k(M), σ, C, C', C_1, C_2}.
If the node selection algorithm finds a proxy fog node meeting the reputation condition, DO sends {T, u} to that fog node for outsourced encryption; otherwise DO computes CT_2 itself (for CT_2 see 4.4).
4.4 fog node encryption algorithm
First, a polynomial Q_i is selected for each node i in T, where the degree f_i of Q_i and the threshold n_i of node i satisfy f_i = n_i − 1. For the root node R, the constant term of its polynomial is set to u and f_R further random values are chosen to define Q_R completely; for every other node i, Q_i(0) = Q_{parent(i)}(index(i)) and f_i random values are then chosen to complete the definition of the polynomial. Here parent(i) is the parent node of node i and index(i) is the index value of node i.
Let the set of leaf nodes in the access policy T be S_attr. For each leaf node in S_attr, define
Figure BDA0004060075180000131
and output the partial ciphertext
Figure BDA0004060075180000132
Finally, the user merges the two partial ciphertexts into
Figure BDA0004060075180000133
And uploading the CT to a cloud server for storage.
5. Data access
The user requests ciphertext from the cloud server, selects the fog node by using the load balancing algorithm in 4.2, and if the fog node meeting the condition exists, sends the outsourcing key to the fog node for outsourcing decryption; otherwise, all decryption steps are performed locally at the user.
5.1 outsourcing decryption
The process of outsourcing decryption is as follows:
user outsourcing key
Figure BDA0004060075180000134
Define a recursive algorithm DfsNode(T, SK', x) that gives the decryption result of any node x of the access tree against the user's concept attribute set.
If x is a leaf node and attr(x) ∈ S_attr, compute
Figure BDA0004060075180000135
Figure BDA0004060075180000136
If it is
Figure BDA0004060075180000137
F_x is null.
If x is a non-leaf node, let S_x be the set of child nodes of x whose F value is not null. If the number of nodes in S_x is smaller than the threshold of x, F_x is null; otherwise the following is computed by Lagrange interpolation:
Figure BDA0004060075180000138
where i = index(z), S'_x = {index(z) : z ∈ S_x},
Figure BDA0004060075180000139
The recursive algorithm is called on the root node R; if the user's attribute set satisfies the access policy T, then:
Figure BDA00040600751800001310
Figure BDA0004060075180000141
This yields the intermediate ciphertext CT' = {SE_k(M), σ, C, C', IT}, which is sent to the user.
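The threshold secret sharing over the policy tree in 4.4 and the recursive DfsNode reconstruction in 5.1, as an added Python example written for this page rather than taken from the patent. It operates on the polynomial shares Q_x(0) in Z_p directly, standing in for the exponents that the real scheme hides inside group elements and pairings, so no pairing library is needed; the prime P, the Node class, build_demo_tree and the policy attributes are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed prime standing in for the group order p; all shares live in Z_p.
P = (1 << 127) - 1


@dataclass
class Node:
    threshold: int                        # n_i: children that must be satisfied (1 for a leaf)
    attr: Optional[str] = None            # concept attribute, leaves only
    children: List["Node"] = field(default_factory=list)
    share: Optional[int] = None           # Q_i(0), filled in by share_secret


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial over Z_p; coeffs[0] is the constant term."""
    return sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P


def share_secret(node: Node, value: int) -> None:
    """Section 4.4: Q_x has degree f_x = n_x - 1 with Q_x(0) = value; child i gets Q_x(index(i))."""
    node.share = value % P
    if not node.children:
        return
    coeffs = [node.share] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    for idx, child in enumerate(node.children, start=1):   # index(i) is numbered from 1
        share_secret(child, _eval_poly(coeffs, idx))


def lagrange_coeff(i: int, S: List[int]) -> int:
    """Lagrange basis polynomial for index i, evaluated at 0, over the index set S."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P


def dfs_node(node: Node, user_attrs: Set[str]) -> Optional[int]:
    """Section 5.1 DfsNode: recover Q_x(0) if the subtree at x is satisfied, else None (null)."""
    if not node.children:
        # A leaf contributes its share only if the user holds that concept attribute.
        return node.share if node.attr in user_attrs else None
    recovered: Dict[int, int] = {}
    for idx, child in enumerate(node.children, start=1):
        r = dfs_node(child, user_attrs)
        if r is not None:
            recovered[idx] = r
        if len(recovered) == node.threshold:
            break                          # any n_x satisfied children suffice
    if len(recovered) < node.threshold:
        return None                        # fewer than the threshold: F_x is null
    S = list(recovered)
    return sum(recovered[i] * lagrange_coeff(i, S) for i in S) % P


def build_demo_tree(secret: int) -> Node:
    """Constructed policy: physician AND (cardiology OR emergency), shared with Q_R(0) = secret."""
    root = Node(threshold=2, children=[
        Node(threshold=1, attr="concept:physician"),
        Node(threshold=1, children=[
            Node(threshold=1, attr="concept:cardiology"),
            Node(threshold=1, attr="concept:emergency"),
        ]),
    ])
    share_secret(root, secret)
    return root


if __name__ == "__main__":
    tree = build_demo_tree(123456789)
    print(dfs_node(tree, {"concept:physician", "concept:cardiology"}))   # recovers the secret
    print(dfs_node(tree, {"concept:physician"}))                         # None: root needs 2 of 2
```

The fresh random coefficients are drawn from `secrets` because, as in the scheme, a predictable polynomial would let fewer than n_x children recover Q_x(0). In the real construction the fog node never sees the shares themselves: it evaluates the same recursion on pairings of the outsourcing key with the ciphertext components, which is why an unsatisfied tree leaves it with nothing usable.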
5.2 user decryption
User computing
Figure BDA0004060075180000142
and then decrypts SE_k(M) with the symmetric key k to obtain the plaintext.
6. Ciphertext verification
The user verifies the correctness of the decrypted information by the following equation:
e(σ,g)=e(H(M),C’)
if the equation is true, the plaintext M is correct; otherwise, the verification fails, the user uploads a failure record to the credit management server, wherein the failure record comprises a user id, a fog node id and a ciphertext id.
7. Fog node trust model
In this scheme, the interactions of a terminal device with a fog node are outsourced encryption requests, outsourced decryption requests and data transmission requests. The trust of a terminal device in a fog node consists of direct trust and indirect trust. Direct trust depends on the historical interaction results between the terminal and the fog node; indirect trust comprises an audit trust value and a peer entity trust value, where the audit trust value is obtained by auditing the historical interaction results of the fog node with all terminals, and the peer entity trust value is the trust in the fog node of a set of terminal devices chosen by a peer selection strategy.
The interaction between terminal device_i and fog node_k is evaluated along three dimensions: availability, reliability and data integrity. Availability is the fog node's ability to respond to a terminal's request, reliability is its ability to complete an accepted request within the specified time, and data integrity is the correctness of the fog node's outsourced decryption results. They are calculated as follows:
Figure BDA0004060075180000143
Figure BDA0004060075180000144
Figure BDA0004060075180000145
where dim_1, dim_2, dim_3 are respectively the availability, reliability and data integrity of node_k towards device_i; Acc is the number of times fog node k accepted a request from terminal i, Sub is the number of requests the terminal submitted, Fin is the number of times the fog node completed the terminal's request and returned a result, and Tru is the number of times the result returned by the fog node passed data integrity verification.
(1) Direct trust value
The direct trust value trust_a(i,k) of terminal device_i towards fog node_k is:
trust_a(i,k) = dim_1·w_1 + dim_2·w_2 + dim_3·w_3
where w_1, w_2, w_3 are the weights of availability, reliability and data integrity respectively, and w_1 + w_2 + w_3 = 1. In particular, when the historical interactions of terminal i with fog node k include no outsourced decryption, the corresponding weight w_3 is set to 0. If terminal i has no interaction record with fog node k, the direct trust value is null.
(2) Auditing trust values
The audit trust value reflects the evaluation of the fog node by all terminal devices in the system. Assume the access device list of fog node k is L and let trust_b(k) denote the audit trust value of fog node k; it is calculated as:
Figure BDA0004060075180000151
(3) peer trust value
Select the n terminal devices with the largest number of interactions with fog node k as peer entities, and calculate the peer entity trust value:
Figure BDA0004060075180000152
The peer entity trust value reflects how other representative terminal devices in the system trust fog node k.
Based on these three trust value calculations, the reputation of a fog node and the comprehensive trust of terminal device i in fog node k are expressed as follows.
Reputation value of fog node k: suppose the recommended node list of fog node k is {node_1, node_2, ..., node_p}. Calculate, according to (2), the audit trust value trust_b(k) of fog node k and the audit trust values {trust_b(node_1), trust_b(node_2), ..., trust_b(node_p)} of the recommended node list, then compute:
Figure BDA0004060075180000153
where w_α and w_β are weights with w_α + w_β = 1.
Combining the trust values of (1), (2) and (3) gives the comprehensive trust value T_{i,k} of terminal i towards node k:
T_{i,k} = w_a·trust(device_i, node_k) + w_b·trust(device_L, node_k) + w_c·trust(device_i, node_FL)
where w_a, w_b, w_c are the corresponding weights with w_a + w_b + w_c = 1. Note that when the direct trust value or the recommended-node trust value is null, the corresponding part is removed when calculating the comprehensive trust value, i.e. its weight is set to 0.
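The trust model of section 7 and the proxy selection of 4.2 together, as an added Python example that is not the patent's code. The availability/reliability/integrity ratios (Acc/Sub, Fin/Acc, Tru/Fin), the averaging used for the audit, peer and reputation values, dividing free resources by the maximum in L for RS(k), and renormalising the remaining weights after a null part is dropped are all assumptions made here, since the patent's exact formulas for those quantities are in figures not reproduced on this page; the interaction counters, node names and weights are constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Stats:
    sub: int = 0   # Sub: requests the terminal submitted to the node
    acc: int = 0   # Acc: requests the node accepted
    fin: int = 0   # Fin: requests completed with a result returned
    tru: int = 0   # Tru: returned results that passed integrity verification
    dec: int = 0   # outsourced-decryption requests among them (assumed extra counter)


History = Dict[Tuple[str, str], Stats]   # (terminal id, fog node id) -> counters


def dimensions(s: Stats) -> Tuple[float, float, float]:
    """ASSUMED ratio form of dim_1..dim_3 (availability, reliability, data integrity)."""
    dim1 = s.acc / s.sub if s.sub else 0.0
    dim2 = s.fin / s.acc if s.acc else 0.0
    dim3 = s.tru / s.fin if s.fin else 0.0
    return dim1, dim2, dim3


def _weighted(parts: List[Tuple[Optional[float], float]]) -> Optional[float]:
    """Weighted sum that drops null parts (weight 0) and renormalises the rest (assumption)."""
    kept = [(v, w) for v, w in parts if v is not None]
    total = sum(w for _, w in kept)
    if not kept or total == 0:
        return None
    return sum(v * w for v, w in kept) / total


def direct_trust(h: History, i: str, k: str, w=(0.4, 0.3, 0.3)) -> Optional[float]:
    """trust_a(i,k); null when terminal i has no record with node k; w_3 = 0 without decryption history."""
    s = h.get((i, k))
    if s is None or s.sub == 0:
        return None
    d1, d2, d3 = dimensions(s)
    w3 = w[2] if s.dec > 0 else 0.0
    return _weighted([(d1, w[0]), (d2, w[1]), (d3, w3)])


def audit_trust(h: History, k: str) -> Optional[float]:
    """trust_b(k): ASSUMED mean of direct trust over every terminal in the node's access list L."""
    vals = [v for (t, n) in h if n == k for v in [direct_trust(h, t, k)] if v is not None]
    return sum(vals) / len(vals) if vals else None


def peer_trust(h: History, i: str, k: str, n: int = 2) -> Optional[float]:
    """trust_c(i,k): top-n other terminals by interaction count with k; ASSUMED averaged."""
    peers = sorted(((s.sub, t) for (t, node), s in h.items() if node == k and t != i), reverse=True)[:n]
    vals = [v for _, t in peers for v in [direct_trust(h, t, k)] if v is not None]
    return sum(vals) / len(vals) if vals else None


def reputation(h: History, k: str, recommenders: Dict[str, List[str]],
               w_alpha: float = 0.6, w_beta: float = 0.4) -> Optional[float]:
    """Reputation of k: ASSUMED combination of its audit trust and its recommenders' mean audit trust."""
    rec = [v for r in recommenders.get(k, []) for v in [audit_trust(h, r)] if v is not None]
    rec_mean = sum(rec) / len(rec) if rec else None
    return _weighted([(audit_trust(h, k), w_alpha), (rec_mean, w_beta)])


def comprehensive_trust(h: History, i: str, k: str, w=(0.5, 0.3, 0.2)) -> Optional[float]:
    """T_{i,k} = w_a*direct + w_b*audit + w_c*peer, null parts removed."""
    return _weighted([(direct_trust(h, i, k), w[0]), (audit_trust(h, k), w[1]), (peer_trust(h, i, k), w[2])])


def select_proxy(h: History, i: str, nodes: List[str], free: Dict[str, float],
                 recommenders: Dict[str, List[str]], eps: float,
                 alpha: float = 0.7, beta: float = 0.3, rng=random) -> Optional[str]:
    """Section 4.2: keep nodes with reputation >= eps, weight = alpha*T + beta*RS, weighted random pick."""
    L = [k for k in nodes if (reputation(h, k, recommenders) or 0.0) >= eps]
    if not L:
        return None                                   # no suitable proxy: DO works by itself
    rs_max = max(free[k] for k in L) or 1.0           # ASSUMED normalisation of idle resources
    weights = [alpha * (comprehensive_trust(h, i, k) or 0.0) + beta * free[k] / rs_max for k in L]
    if sum(weights) == 0:
        return rng.choice(L)
    return rng.choices(L, weights=weights, k=1)[0]


# Constructed interaction history: fogB is unreliable and its results keep failing verification.
SAMPLE_HISTORY: History = {
    ("dev1", "fogA"): Stats(sub=10, acc=10, fin=9, tru=9, dec=4),
    ("dev2", "fogA"): Stats(sub=8, acc=8, fin=8, tru=8, dec=2),
    ("dev3", "fogA"): Stats(sub=5, acc=4, fin=4, tru=4, dec=0),
    ("dev1", "fogB"): Stats(sub=10, acc=6, fin=3, tru=1, dec=3),
    ("dev2", "fogB"): Stats(sub=6, acc=5, fin=5, tru=2, dec=2),
}
RECOMMENDERS = {"fogA": ["fogB"], "fogB": ["fogA"]}
FREE_RESOURCES = {"fogA": 0.5, "fogB": 0.9}

if __name__ == "__main__":
    for k in ("fogA", "fogB"):
        print(k, "reputation", reputation(SAMPLE_HISTORY, k, RECOMMENDERS))
    print(select_proxy(SAMPLE_HISTORY, "dev1", ["fogA", "fogB"], FREE_RESOURCES, RECOMMENDERS, eps=0.8))
```

With this history fogB has the most free capacity but its reputation falls below a privacy threshold of 0.8, so it is filtered out before the weighted draw ever sees its RS value; that ordering (reputation gate first, then trust and load) is the property the load balancer relies on, and it is why the integrity verification results of section 6 must be reported back to the fog management node rather than silently discarded by the client.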
The main innovation points of the invention are as follows:
1. Attribute mapping scheme based on WordNet: attribute management is simplified, building the access policy becomes easier, and encryption and decryption efficiency is indirectly improved by reducing the number of attributes;
2. Construction of a fog node trust model: risk prediction for fog nodes is carried out through trust measurement, and the reputation of a fog node and the comprehensive trust value of a terminal in the node are calculated over multiple dimensions;
3. Fog node load balancing scheme combining reputation value and trust degree: nodes that do not meet the privacy threshold are first filtered out by reputation value, the remaining fog nodes are then weighted by trust and idle resources, and the proxy fog node is chosen by a weighted random load balancing algorithm.
The invention has the advantages that:
according to the invention, the existing attribute-based encryption scheme is optimized through attribute mapping based on semantic reasoning, so that attribute management is simplified, and fine-grained access control of privacy information in fog calculation is realized by using an optimized attribute-based encryption technology;
for the current situation of equipment attribute explosion in the environment of the Internet of things, the invention combines the characteristic of isomerism of the attributes in different systems, designs an attribute management mode based on semantic reasoning, is more convenient for a user to set an access structure and own attributes, greatly reduces the number of attributes in the total set of attributes, and further improves the efficiency of access control;
because fog nodes are used for outsourced computation and as request proxies, their security risk must be assessed; the fog node trust model is therefore designed, which improves the security of access control, gives the terminal device a reference standard for choosing a fog node, and, through the trust-value weighted load balancing algorithm, makes fuller use of the computing capacity of the fog computing nodes.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. A fog computing access control method based on attribute-based encryption and trust model, comprising:
constructing a fog node trust model:
dividing the fog nodes into fog groups, and calculating the credit of the fog nodes and the trust value of the user terminal to the fog nodes by the management nodes in the fog groups through three dimensions of direct trust, audit trust and peer entity trust;
establishing a semantic optimization attribute-based encryption method:
optimizing an attribute-based encryption method based on attribute mapping of semantic reasoning, and converting character attribute mapping of an access strategy tree and a user into semantic attribute mapping;
access control in fog calculation is carried out based on a fog node trust model and a semantic optimization attribute-based encryption method:
the data owner sets an access control strategy tree and a privacy threshold, selects a proxy fog node through a trust-based weight load balancing algorithm, and performs outsourcing encryption and ciphertext uploading through the proxy fog node;
the data visitor firstly acquires the privacy threshold of the target information, then invokes a trust-based weight load balancing algorithm to select the proxy fog node for outsourcing decryption to obtain an intermediate ciphertext, and finally decrypts the intermediate ciphertext to obtain a required plaintext;
and carrying out integrity verification on the plaintext through a short signature algorithm, and uploading a verification result to the fog management node as one of trust evaluation bases.
2. The mist computing access control method of claim 1, wherein,
the reputation value of fog node k is calculated as:
Figure FDA0004060075170000011
where w_α and w_β are weights with w_α + w_β = 1, trust_b(k) is the audit trust value of fog node k, and trust_b(i') is the audit trust value of the nodes in the recommended node list {node_1, node_2, ..., node_p} of fog node k;
the comprehensive trust value T_{i,k} of user terminal i towards fog node k is:
T_{i,k} = w_a·trust_a(i,k) + w_b·trust_b(k) + w_c·trust_c(i,k)
where w_a, w_b, w_c are weights with w_a + w_b + w_c = 1, trust_a(i,k) is the direct trust of user terminal i towards fog node k, trust_b(k) is the audit trust value of fog node k and trust_c(i,k) is the peer entity trust value.
3. The mist computing access control method of claim 2, wherein,
the direct trust value trust_a(i,k) is calculated as:
trust_a(i,k) = dim_1·w_1 + dim_2·w_2 + dim_3·w_3
where w_1, w_2, w_3 are the weights of availability, reliability and data integrity respectively, with w_1 + w_2 + w_3 = 1, and dim_1, dim_2, dim_3 are respectively the availability, reliability and data integrity of fog node k towards user terminal i;
the audit trust value trust_b(k) is calculated as:
Figure FDA0004060075170000021
wherein L is an access equipment list of the fog node k;
the peer entity trust value trust_c(i,k) is calculated as:
Figure FDA0004060075170000022
where n denotes the n terminals with the largest number of interactions with fog node k.
4. The fog computing access control method of claim 3, wherein dim_1, dim_2, dim_3 are calculated respectively as:
Figure FDA0004060075170000023
Figure FDA0004060075170000024
Figure FDA0004060075170000025
in the formula, acc is the number of times that the fog node k receives the request of the terminal i, sub is the number of times that the terminal submits the request, fin is the number of times that the fog node finishes the request of the terminal and returns a result, and Tru is the number of times that the result returned by the fog node passes the data integrity verification.
5. The fog-computing access control method of claim 1, wherein the converting the character attribute map of the access policy tree and the user into the semantic attribute map comprises:
performing semantic mapping on attributes to be used in the strategy tree, converting the attributes into concept attributes in the attribute total set through semantic reasoning, and then performing threshold value access strategy tree setting by using the concept attributes;
mapping the attribute in the attribute list of the user to the conceptual attribute in the attribute total set by using semantic reasoning based on WordNet, and merging IDs of the synonym set and the superword set by using the WordNet reasoning of the synonym set and the superword set by taking the attribute value x of the user as a starting point to obtain the conceptual attribute set of the user.
6. The fog computing access control method of claim 1, wherein the method of selecting the proxy fog node comprises:
screening the fog node list L_0 for nodes whose reputation value is greater than or equal to ε to obtain a new fog node list L;
calculating the comprehensive trust value of the user terminal device towards each fog node in L according to the fog node trust model, computing the weight of each fog node by combining that value with the node's idle resources, and then selecting the candidate proxy fog node from L with a weighted random load balancing algorithm; first the idle resource quantity of each fog node in L is normalised, the converted idle resource quantities being {RS(1), RS(2), ..., RS(n)}, each in the interval [0,1];
the weight of fog node k is calculated as:
weight(k) = α·T_{i,k} + β·RS(k)
where α and β are weight factors with α + β = 1.
7. The fog-computing access control method of claim 1, wherein the decrypted information is integrity verified using a BLS signature verification algorithm.
CN202310054749.3A 2023-02-03 2023-02-03 Fog computing access control method based on attribute-based encryption and trust model Pending CN116204917A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310054749.3A CN116204917A (en) 2023-02-03 2023-02-03 Fog computing access control method based on attribute-based encryption and trust model


Publications (1)

Publication Number Publication Date
CN116204917A true CN116204917A (en) 2023-06-02

Family

ID=86518429


Country Status (1)

Country Link
CN (1) CN116204917A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination