随着物联网(Internet of Things, IoT)、云计算等技术的飞速发展, 便携式诊所(portable health clinic, PHC)得以实现, 并广泛应用于远程医疗. 我国依托5G通信的大幅优势, 积极推进智慧医疗的建设, 搭建了多功能、高质量的远程医疗信息服务平台. 以PHC为代表的远程医疗得以实现, 离不开远程数据共享系统的技术支撑. 目前IoT和云服务器(cloud server, CS)相结合(通常称为云边协同)的远程数据共享系统以其灵活性、高效性广受关注, 然而其隐私和安全问题却鲜有研究. 考虑到医疗数据的敏感性, 致力于研究PHC数据共享系统的安全隐私问题, 实现了PHC系统中物联网感知数据的安全上传、个性密文的归一化、云服务器上动态多用户的细粒度访问控制、高效的解密操作, 并给出了形式化的安全性证明. 在具体创新上, 第一, 分别对经典的代理重加密和属性基加密算法进行改进, 提出了IPRE-TO-FAME组合加密机制, 以保障云边协同的PHC系统数据共享的安全性. 第二, 为了应对物联网终端数量众多、分散性强带来的密钥更新难题, 借鉴代理重加密(proxy re-encryption, PRE)的思想, 实现了基于单方变换的密钥更新, 即无需变换IoT终端密钥条件下的密钥更新. 同时, 应用场景中重加密方可视为完全可信, 而常规PRE机制重加密方通常为不可信的第三方服务器, 为此, 改进了经典PRE算法, 提出了一种高效的IPRE (improved PRE)算法, 以适应提出的场景; 第三, 改进经典的FAME (fast attribute-based message encryption)机制, 实现了动态多用户的细粒度访问控制, 便于用户可以随时随地使用便携式智能设备访问数据. 安全性证明、理论分析和实验结果证明, 提出的方案具有较好的安全性和较强的实用性, 是一类解决PHC安全数据共享问题的有效方案.
With the rapid development of technologies such as the Internet of Things (IoT) and cloud computing, portable health clinics (PHCs) have been realized and widely used in telemedicine. Relying on the significant advantages of 5G communications, China has actively promoted the construction of smart healthcare and built a multi-function and high-quality telemedicine information service platform.The realization of telemedicine represented by PHCs is inseparable from the technical support of remote data-sharing systems. At present, the remote data-sharing system combining IoT and the cloud server (CS) has attracted wide attention due to its flexibility and efficiency, but its privacy and security issues are rarely studied. Considering the sensitivity of medical data, this paper endeavors to study the security and privacy issues in the PHC data-sharing system. As a result, in the PHC system, this study achieves the secure uploading of IoT awareness data, normalization of personalized ciphertexts, dynamic multi-user fine-grained access control, and efficient decryption operations, and it also presents formal security verification. The specific innovations of this study are as follows: (1) The classical proxy re-encryption (PRE) and attribute-based encryption algorithms are improved, and an IPRE-TO-FAME combined encryption mechanism is proposed to ensure the data-sharing security of the PHC system with cloud-edge collaboration. (2) To address the challenge of key updates caused by many highly distributed IoT terminals, this paper uses the idea of PRE to realize the key updates on the basis of the unilateral transformation without changing the keys to IoT terminals. Meanwhile, the re-encryption entities can be regarded as fully trusted in the application scenarios of this study, which is different from the situation of the conventional PRE mechanism, where the re-encryption entities are usually untrusted third-party servers. Therefore, the conventional PRE algorithm is improved, and an efficient improved PRE (IPRE) algorithm is put forward to adapt to the scenarios proposed in this study. (3) The classical fast attribute-based message encryption (FAME) mechanism is improved to enable dynamic multi-user fine-grained access control. In this way, users can easily use portable intelligent devices to access data anytime and anywhere. The security proofs, theoretical analysis, and experimental results reveal that the proposed solution is highly secure and practical, which is an effective way to ensure secure PHC data sharing.