EHR系统中一种验证外包加密数据正确性的访问控制方案

doi:10.3969/j.issn.1671-1122.2023.05.009

摘要/Abstract

摘要：

为了满足人们对远程医疗服务日益增长的需求，近年来电子医疗记录（EHR）系统很受欢迎。数据所有者可以通过移动设备将EHR上传到云服务器以获取数据共享。然而，EHR系统可能存在隐私泄露的风险。基于属性的加密（ABE）为数据的安全共享提供了一个良好的解决方案。通常移动设备计算能力有限，ABE的复杂加密操作实现较为困难。因此，文章将繁重的加密操作分配给边缘服务器（ES）。然而，ES可能会遭到攻击，因此检查ES是否正确加密了明文至关重要。文章提出一种基于零知识证明的双外包轻量级的验证方案，检查ES中数据的正确性。为了防止EHR信息泄露给不诚实的ES，文章将区块链与混合加密相结合，以实现更加安全的数据共享。实验结果表明，该方案是安全有效的，且计算效率更高。

关键词: 边缘计算, 访问控制, EHR系统, 零知识证明, 数据正确性

Abstract:

To meet the growing demand for telemedicine services, electronic health record (EHR) systems have become popular in recent years. Data owners can upload EHRs to the cloud for data sharing via mobile devices. However, there can be privacy breaches in EHR systems. Attribute-based encryption (ABE) provided a good solution for the secure sharing of data. Usually, mobile devices have limited computing power and it is very difficult to implement the complex encryption operations of ABE. Therefore, this paper assigned heavy encryption operations to the edge server (ES). However, the ES could be subject to attacks. It was crucial to check whether the ES encrypts the correct plaintext. This paper proposed a double-outsourced lightweight verification scheme based on zero-knowledge proofs to check the correctness of the data in the ES. To prevent EHR information from being leaked to dishonest ESs, this paper combined blockchain with hybrid encryption for more secure data sharing. Experimental results show that the proposed scheme is effective.

Key words: edge computing, access control, EHR systems, zero-knowledge proof, data correctness

中图分类号:

TP309

张晓旭, 石润华. EHR系统中一种验证外包加密数据正确性的访问控制方案[J]. 信息网络安全, 2023, 23(5): 85-94.

ZHANG Xiaoxu, SHI Runhua. An Access Control Scheme for Verifying the Correctness of Outsourcing Encrypted Data in EHR System[J]. Netinfo Security, 2023, 23(5): 85-94.

图/表 6

图1

图2

表1

表2

表3

图3

参考文献 25

[1]	SU Yuan, LI Yanping, ZHANG Kai, et al. A Privacy-Preserving Public Integrity Check Scheme for Outsourced EHRs[J]. Information Sciences, 2021, 542: 112-130. doi: 10.1016/j.ins.2020.06.043 URL
[2]	XU Jian, WEI Laiwen, WU Wei, et al. Privacy-Preserving Data Integrity Verification by Using Lightweight Streaming Authenticated Data Structures for Healthcare Cyber-Physical System[J]. Future Generation Computer Systems, 2020, 108: 1287-1296. doi: 10.1016/j.future.2018.04.018 URL
[3]	SICARI S, RIZZARDI A, DINI G, et al. Attribute-Based Encryption and Sticky Policies for Data Access Control in a Smart Home Scenario: A Comparison on Networked Smart Object Middleware[J]. International Journal of Information Security, 2021, 20(5): 695-713. doi: 10.1007/s10207-020-00526-3
[4]	QIN Xuanmei, HUANG Yongfeng, YANG Zhen, et al. LBAC: A Lightweight Blockchain-Based Access Control Scheme for the Internet of Things[J]. Information Sciences, 2021, 554: 222-235. doi: 10.1016/j.ins.2020.12.035 URL
[5]	WANG Tian, ZHANG Guangxue. A Secure IoT Service Architecture with an Efficient Balance Dynamics Based on Cloud and Edge Computing[J]. IEEE Internet of Things Journal, 2018, 6(3): 4831-4843. doi: 10.1109/JIoT.6488907 URL
[6]	WANG Tian, BHUIYAN M Z A, WANG Guojun, et al. Preserving Balance Between Privacy and Data Integrity in Edge-Assisted Internet of Things[J]. IEEE Internet of Things Journal, 2019, 7(4): 2679-2689. doi: 10.1109/JIoT.6488907 URL
[7]	SANDHU R S, COYNE E J, FEINSTEIN H L, et al. Role-Based Access Control Models[J]. Computer, 1996, 29(2): 38-47.
[8]	HU V C, KUHN D R, FERRAIOLO D F, et al. Attribute-Based Access Control[J]. Computer, 2015, 48(2): 85-88.
[9]	BETHENCOURT J, SAHAI A, WATERS B. Ciphertext-Policy Attribute-Based Encryption[C]// IEEE. 2007 IEEE Symposium on Security and Privacy (SP'07). New York: IEEE, 2007: 321-334.
[10]	GOYAL V, PANDEY O, SAHAI A, et al. Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data[C]// ACM. Proceedings of the 13th ACM Conference on Computer and Communications Security. New York: ACM, 2006: 89-98.
[11]	YANG Yifan, SHI Runhua, LI Kunchang, et al. Multiple Access Control Scheme for EHRs Combining Edge Computing with Smart Contracts[J]. Future Generation Computer Systems, 2022, 129: 453-463. doi: 10.1016/j.future.2021.11.002 URL
[12]	ZHANG Qingyan, ZHONG Hong. AC4AV: A Flexible and Dynamic Access Control Framework for Connected and Autonomous Vehicles[J]. IEEE Internet of Things Journal, 2020, 8(3): 1946-1958. doi: 10.1109/JIoT.6488907 URL
[13]	LI Jiguo, YAO Wei, ZHANG Yichen, et al. Flexible and Fine-Grained Attribute-Based Data Storage in Cloud Computing[J]. IEEE Transactions on Services Computing, 2016, 10(5): 785-796. doi: 10.1109/TSC.2016.2520932 URL
[14]	TANG Zhaohui. Secret Sharing-Based IoT Text Data Outsourcing: A Secure and Efficient Scheme[J]. IEEE Access, 2021, 9: 76908-76920. doi: 10.1109/ACCESS.2021.3075282 URL
[15]	SETHI K, PRADHAN A, BERA P. Practical Traceable Multi-Authority CP-ABE with Outsourcing Decryption and Access Policy Updation[J]. Journal of Information Security and Applications, 2020, 51: 102435-102445. doi: 10.1016/j.jisa.2019.102435 URL
[16]	LI Jin, HUANG Xinyi, LI Jingwei, et al. Securely Outsourcing Attribute-Based Encryption with Checkability[J]. IEEE Transactions on Parallel and Distributed Systems, 2013, 25(8): 2201-2210. doi: 10.1109/TPDS.2013.271 URL
[17]	SONG Wenna, XIANG Guangli, LI Ankang, et al. Improved Attribute-Based Encryption Scheme[J]. Computer Science, 2017, 44(1): 167-171. doi: 10.11896/j.issn.1002-137X.2017.01.032
	宋文纳, 向广利, 李安康, 等. 一种改进的属性加密方案[J]. 计算机科学, 2017, 44(1): 167-171. doi: 10.11896/j.issn.1002-137X.2017.01.032
[18]	LIU Peng, HE Qian, LIU Wangyang, et al. CP-ABE Scheme Supporting Attribute Revocation and Outsourcing Decryption[J]. Netinfo Security, 2020, 20(3): 90-97.
	刘鹏, 何倩, 刘汪洋, 等. 支持撤销属性和外包解密的 CP-ABE 方案[J]. 信息网络安全, 2020, 20(3): 90-97.
[19]	WANG Le, YANG Zherong, LIU Rongjing, et al. A CP-ABE Privacy Preserving Method for Wearable Devices[J]. Netinfo Security, 2018, 18 (6): 77-84.
	王乐, 杨哲荣, 刘容京, 等. 基于属性加密算法的可穿戴设备系统隐私保护方法研究[J]. 信息网络安全, 2018, 18(6): 77-84.
[20]	ZOU Liping, FENG Chaosheng, QIN Zhiguang, et al. CP-ABE Scheme with Fast Decryption for Public Cloud[J]. Journal of Software, 2020, 31(6): 1817-1828.
	邹莉萍, 冯朝胜, 秦志光, 等. 面向公有云的支持快速解密的CP-ABE方案[J]. 软件学报, 2020, 31(6): 1817-1828.
[21]	CHEN Yu, MA Xuecheng, TANG Cong, et al. PGC: Decentralized Confidential Payment System with Auditability[C]// Springer. European Symposium on Research in Computer Security. Berlin:Springer, 2020:591-610.
[22]	YIN Hongjian, ZHU Yan, WANG Jing, et al. Design and Implementation of a Smart-Contract Voting System Based on Zero-Knowledge Proof[J]. Chinese Journal of Engineering, 2023, 45(4): 632-642.
	殷红建, 朱岩, 王静, 等. 基于零知识证明的智能合约投票系统设计与实现[J]. 工程科学学报, 2023, 45(4): 632-642.
[23]	WATERS B. Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization[C]// Springer. International Workshop on Public Key Cryptography. Berlin:Springer, 2011: 53-70.
[24]	LI Jingwei, JIA Chunfu, LI Jin, et al. Outsourcing Encryption of Attribute-Based Encryption with Mapreduce[C]// Springer. International Conference on Information and Communications Security. Berlin:Springer, 2012: 191-201.
[25]	ZHANG Rui, MA Hui, LU Yao. Fine-Grained Access Control System Based on Fully Outsourced Attribute-Based Encryption[J]. Journal of Systems and Software, 2017, 125: 344-353. doi: 10.1016/j.jss.2016.12.018 URL

方案	外包加密	智能合约验证DU身份	验证ES诚实性
文献[23]方案	×	×	×
文献[24]方案	√	×	×
文献[25]方案	√	×	×
本文方案	√	√	√

方案	文献[23] 方案	文献[24] 方案	文献[25] 方案	本文方案
密钥生成	$\text{(2}+{{S}_{U}}){{E}_{1}}$	$\text{(1}+3{{S}_{U}}){{E}_{1}}$	$\text{(3}+4{{S}_{U}}){{E}_{1}}$	$\text{(3}+{{S}_{U}}){{E}_{1}}$
密文生成	$(1+2C){{E}_{1}}+{{E}_{2}}$	$4C{{E}_{1}}$	$(1+5C){{E}_{1}}+{{E}_{2}}$	$(2+2C){{E}_{1}}+2{{E}_{2}}$
解密	$\text{(1+2s)}e\text{+(}s){{E}_{2}}$	$\text{(2s)}e\text{+(}s){{E}_{2}}$	$\text{(1+2s)}e\text{+(4}s+2){{E}_{2}}$	$\text{(2+s)}e\text{+(}s){{E}_{2}}$
零知识交互	—	—	—	$\text{4}{{E}_{2}}$

方案	文献[23]方案	文献[24]方案	文献[25]方案	本文方案
密钥大小	(2+2S_U)\|G\|+ 2S_U\|Z_p\|	(3+S_U)\|G\|+ (2+S_U)\|Z_p\|	2((2+2S_U)\|G\|+ (2+2S_U)\|Z_p\|)	(2+S_U)\|G\|+ S_U\|Z_p\|
密文大小	(1+3C)\|G\|+ 2C\|Z_p\|	n(\|A\|+2C\|G\|)	2((2+3C)\|G\|+ 2C\|Z_p\|)	2\|G\|+2\|G_T\|+ 2C\|Z_p\|