CN103873236A - Searchable encryption method and equipment thereof - Google Patents

Searchable encryption method and equipment thereof Download PDF

Info

Publication number
CN103873236A
CN103873236A CN201210534843.0A CN201210534843A CN103873236A CN 103873236 A CN103873236 A CN 103873236A CN 201210534843 A CN201210534843 A CN 201210534843A CN 103873236 A CN103873236 A CN 103873236A
Authority
CN
China
Prior art keywords
searcher
keyword
identity information
encryption
storage server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201210534843.0A
Other languages
Chinese (zh)
Other versions
CN103873236B (en
Inventor
高云超
邹继富
董秋香
关志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201210534843.0A priority Critical patent/CN103873236B/en
Publication of CN103873236A publication Critical patent/CN103873236A/en
Application granted granted Critical
Publication of CN103873236B publication Critical patent/CN103873236B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a searchable encryption method and equipment thereof. According to the method, a sender obtains identity of a searcher or identity of a group to which the searcher belongs and system parameters of a key management center; the sender encrypts a keyword according to the identity of the searcher or the identity of the group to which the searcher belongs and the system parameters and uploads the encrypted keyword ciphertext to a storage server; simultaneously, the searcher obtains a query key from the key management center according to the identity of the searcher or the identity of the group to which the searcher belongs, a query token is generated according to the keyword and the obtained enquiry key, the encrypted keyword ciphertext is queried from the storage server through the query token, and data returned back from the storage server is received. By the above method, a searchable encryption technology can be realized without the support of expensive public key infrastructure and without downloading of public keys by the sender.

Description

One can be searched for encryption method and equipment
Technical field
The present invention is applied to encryption technology field, relates in particular to one and can search for encryption method and equipment.
Background technology
Encipherment scheme is in order to guarantee Semantic Security, often require ciphertext that cryptographic algorithm produces distribute with the cryptogram space on be uniformly distributed both and calculating undistinguishable (calculate undistinguishable refer to for two probability distribution, do not exist polynomial time algorithm can distinguish them).Therefore, all cannot from encrypt the ciphertext obtaining, obtain any significant semantic information for any effective algorithm, and the forfeiture of semantic information makes cannot realize the retrieval to encrypt data by common searching algorithm.In order to solve searching ciphertext problem, occur searching for encryption technology.
Can search for encryption, not need the encrypt data to encrypting to be decrypted, but utilize detection algorithm search, output be the result whether this ciphertext contains searched key word, be generally 0 or 1.The development that can search for encryption comprises three main historical stages, is first that symmetric key can be searched for encryption, in 2000 by propositions such as Song.Its application scenarios is searcher is same entity with the side of encryptioning, uploads onto the server after utilizing DSE arithmetic that data and keyword are encrypted, and afterwards this encrypt data is retrieved.Its shortcoming is that user can only search for and oneself encrypts and upload to the enciphered data in database.
In order to overcome the limitation in this application, Dan Boneh proposed the public key encryption (Public Key Encryption with Keyword Search, PEKS) with keyword search in 2004.The application scenarios of PEKS scheme is that multiple transmit legs send keyword ciphertexts and data ciphertext to recipient, and recipient utilizes private key to generate search token, uploads onto the server, and server moves corresponding detection algorithm and carries out keyword search.Recipient in this scheme can only be single entities, the operation of simultaneously each keyword spotting algorithm can only realize the retrieval to a keyword, cannot realize conjunction keyword is retrieved and (supposed to have n keyword to be respectively W1, W2, Wn, to comprising keyword W1, and comprises keyword W2, and the ciphertext that comprises keyword Wn is searched for, be called conjunction keyword search), this is the bottleneck in its function.
Hwang in 2007 and Lee have proposed the scheme addressing this problem, be multi-user's (the Multi-user Public Key Encryption with Conjunctive Keyword Search of the public key encryption with conjunction keyword search, mPECK), the public key cryptography scheme with multi-receiver conjunction keyword retrieval.This scheme is based on public-key cryptosystem, need the support of the infrastructure of online database of public keys or certificate repository, the all members' of group PKI need to be inquired about and download to transmit leg simultaneously, according to each recipient's PKI, data are encrypted, recipient generates search token according to the private key of oneself data is searched for.But the maintenance and management cost of database of public keys is very high, and sender inquires about and downloads multiple users' PKI and may waste the network bandwidth and storage resources.
Summary of the invention
The object of the embodiment of the present invention is to provide one can search for encryption method and equipment, solved the support that needs the infrastructure of online database of public keys or certificate repository in prior art in the searched for encryption technology based on PKI, the problem of all members' of group PKI need to be inquired about and download to transmit leg simultaneously.
First aspect, one can be searched for encryption method, and described method comprises:
Obtain the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
According to the identity information of described searcher and described system parameters, keyword is encrypted, and the keyword ciphertext after encrypting is uploaded to storage server.
In conjunction with first aspect, in the possible implementation of the first of first aspect, describedly according to the identity information of described searcher and described system parameters, keyword is encrypted, comprising:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described keyword, and according to keyword described in the described public key encryption calculating.
In conjunction with the possible implementation of the first of first aspect or first aspect, in the possible implementation of the second of first aspect, described method also comprises:
According to the identity information of described searcher and described system parameters encrypting plaintext data, and the ciphertext of the clear data after encrypting is uploaded to described storage server.
In conjunction with the possible implementation of the second of first aspect, in the third possible implementation of first aspect, described according to the identity of described searcher and described system parameters encrypting plaintext data, comprising:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described clear data, and according to clear data described in the described public key encryption calculating.
In conjunction with the possible implementation of the first of first aspect or first aspect, in the 4th kind of possible implementation of first aspect, described method also comprises:
According to the encryption attribute clear data of described searcher, and the ciphertext of the clear data after encrypting is uploaded to described storage server.
Second aspect, a kind of searched for encryption method based on identity, described method comprises:
Obtain query key according to the identity information of searcher from KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
According to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token.
In conjunction with second aspect, in the possible implementation of the first of second aspect, described keyword ciphertext of inquiring about from storage server by described query token after encrypting, comprising:
Contain the file of the keyword after encrypting by described query token inquiry packet from storage server.
In conjunction with the possible implementation of the first of second aspect or second aspect, in the possible implementation of the second of second aspect, described according to keyword and described in the query key generated query token that obtains, comprising:
In the time obtaining query key according to searcher place group's identity from KMC, described in the described direction of search, searcher place group submits keyword, described searcher place group checks whether described searcher is the member in group, if, described searcher place group is according to described keyword and described query key generated query token, and described query token is turned back to described searcher.
In conjunction with the possible implementation of the second of the possible implementation of the first of second aspect or second aspect or second aspect, in the third possible implementation of second aspect, described keyword ciphertext of inquiring about from storage server by described query token after encrypting, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of public key encryption.
In conjunction with the third possible implementation of second aspect, in the 4th kind of possible implementation of second aspect, described method receive in step that described storage server returns according to the ciphertext of the clear data of public key encryption after, also comprise:
According to described query key, the described ciphertext according to the clear data of public key encryption is decrypted, obtain the clear data after deciphering.
In conjunction with the third possible implementation of the possible implementation of the second of the possible implementation of the first of second aspect or second aspect or second aspect or second aspect or the 4th kind of possible implementation of second aspect, in the 5th kind of possible implementation of second aspect, described method, also comprises:
Obtain from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance.
In conjunction with the 5th kind of possible implementation of second aspect, in the 6th kind of possible implementation of second aspect, described keyword ciphertext of inquiring about from storage server by described query token after encrypting, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of the described searcher encryption attribute setting in advance.
In conjunction with the 6th kind of possible implementation of second aspect, in the 7th kind of possible implementation of second aspect, described method receive in step that described storage server returns according to the ciphertext of the clear data of the described searcher encryption attribute setting in advance after, also comprise:
According to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
The third aspect, a kind of encryption device, described equipment comprises:
The first acquiring unit, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server.
In conjunction with the third aspect, in the possible implementation of the first of the third aspect, described encryption uploading unit specifically for:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described keyword, and according to keyword described in the described public key encryption calculating.
In conjunction with the third aspect or the 3rd 's the possible implementation of the first, in the possible implementation of the second of the third aspect, described equipment also comprises:
The first ciphering unit, for according to the identity information of described searcher and described system parameters encrypting plaintext data, and uploads to described storage server by the ciphertext of the clear data after encrypting.
In conjunction with the possible implementation of the second of the 3rd, in the third possible implementation of the third aspect, described the first ciphering unit specifically for:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described clear data, and according to clear data described in the described public key encryption calculating.
In conjunction with the possible implementation of the first of the third aspect or the third aspect, in the 4th kind of possible implementation of the third aspect, described equipment also comprises:
The second ciphering unit, for according to the encryption attribute clear data of described searcher, and uploads to described storage server by the ciphertext of the clear data after encrypting.
Fourth aspect, a kind of search equipment, described equipment comprises:
Second acquisition unit, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token.
In conjunction with fourth aspect, in the possible implementation of the first of fourth aspect, in described inquire-receive unit, execution step is inquired about the keyword ciphertext after encrypting from storage server by described query token, comprising:
Contain the file of the keyword after encrypting by described query token inquiry packet from storage server.
In conjunction with the possible implementation of the first of fourth aspect or fourth aspect, in the possible implementation of the second of fourth aspect, described inquire-receive unit execution step according to keyword and described in the query key generated query token that obtains, comprising:
In the time obtaining query key according to searcher place group's identity from KMC, described in the described direction of search, searcher place group submits keyword, described searcher place group checks whether described searcher is the member in group, if, described searcher place group is according to described keyword and described query key generated query token, and described query token is turned back to described searcher.
In conjunction with the possible implementation of the second of the possible implementation of the first of fourth aspect or fourth aspect or fourth aspect, in the third possible implementation of fourth aspect, described inquire-receive unit, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of public key encryption.
In conjunction with the third possible implementation of fourth aspect, in the 4th kind of possible implementation of fourth aspect, described equipment also comprises the first decryption unit, described the first decryption unit specifically for:
According to described query key, the described ciphertext according to the clear data of public key encryption is decrypted, obtain the clear data after deciphering.
In conjunction with the third possible implementation of the possible implementation of the second of the possible implementation of the first of fourth aspect or fourth aspect or fourth aspect or fourth aspect or the 4th kind of possible implementation of fourth aspect, in the 5th kind of possible implementation of fourth aspect, described equipment also comprises the 3rd acquiring unit, described the 3rd acquiring unit specifically for:
Obtain from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance.
In conjunction with the 5th kind of possible implementation of fourth aspect, in the 6th kind of possible implementation of fourth aspect, described inquire-receive unit, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of the described searcher encryption attribute setting in advance.
In conjunction with the 6th kind of possible implementation of fourth aspect, in the 7th kind of possible implementation of fourth aspect, described equipment also comprises the second decryption unit, and described the second decryption unit comprises:
According to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
Compared with prior art, the embodiment of the present invention provides one can search for encryption method, described method, by obtain system parameters and private key from KMC, makes KMC can adopt the mode work of off-line can realize equally the object that transmit leg is encrypted and searcher is searched for.Simultaneously, transmit leg only need to know that the identity of searcher or searcher place group can realize the encryption method of keyword, make transmit leg not need to download the identity of multiple searcher or searcher place group's PKI, do not need online database of public keys to support, reduced the network bandwidth and storage overhead.Because the query key of corresponding transmit leg PKI is produced by described KMC, therefore all keyword encrypt datas can be searched for by KMC, realize centralized key escrow function, and this function is even more important in company and some government bodies.Simultaneously by the mode of above-mentioned one or more keyword, can realize searcher described one or more keywords are carried out to search inquiry at described storage server, by searcher place group, to searcher, inquiry manages and controls, thereby realizes the object of multi-user's search.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme in the embodiment of the present invention, to the accompanying drawing of required use in embodiment be briefly described below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skills, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
Fig. 1 is that the one that the embodiment of the present invention one provides can be searched for encryption method flow chart;
Fig. 2 is that the one that the embodiment of the present invention two provides can be searched for encryption method flow chart;
Fig. 3 is that the one that the embodiment of the present invention one, two provides can be searched for encryption method schematic diagram;
Fig. 4 is that the one that the embodiment of the present invention one, two provides can be searched for encryption method schematic diagram;
Fig. 5 is that the one that the embodiment of the present invention three provides can be searched for encryption method flow chart;
Fig. 6 is that the one that the embodiment of the present invention four provides can be searched for encryption method flow chart;
Fig. 7 is that the one that the embodiment of the present invention three, four provides can be searched for encryption method schematic diagram;
Fig. 8 is that the one that the embodiment of the present invention five provides can be searched for encryption method flow chart;
Fig. 9 is that the one that the embodiment of the present invention six provides can be searched for encryption method flow chart;
Figure 10 is that the one that the embodiment of the present invention five, six provides can be searched for encryption method schematic diagram;
Figure 11 is that the one that the embodiment of the present invention seven provides can be searched for encryption method flow chart;
Figure 12 is that the one that the embodiment of the present invention seven provides can be searched for encryption method flow chart;
Figure 13 is that the one that the embodiment of the present invention seven, eight provides can be searched for encryption method schematic diagram;
Figure 14 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention nine;
Figure 15 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention ten;
Figure 16 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention 11;
Figure 17 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention 12;
Figure 18 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention 13;
Figure 19 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention 14;
Figure 20 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention 15;
Figure 21 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention 16.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearer, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein, only in order to explain the present invention, is not intended to limit the present invention.
The foregoing is only preferred embodiment of the present invention, not in order to limit the present invention, all any modifications of doing within the spirit and principles in the present invention, be equal to and replace and improvement etc., within all should being included in protection scope of the present invention.
Embodiment mono-
With reference to figure 1, Fig. 1 is that the one that the embodiment of the present invention one provides can be searched for encryption method flow chart.As shown in Figure 1, the method comprises the following steps:
Step 101, obtain the identity information of searcher and the system parameters of KMC, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Wherein, the identity information of described searcher includes but not limited to the information such as the phone number, job number, No. QQ, Email of searcher.The mode of the described identity information that obtains searcher includes but not limited to obtain by the mode such as Help by Phone or E-mail inquiries.Described searcher place group's identity information includes but not limited to the information such as searcher place group's QQ group number, department name.The mode of the described identity of obtaining searcher place group includes but not limited to obtain by the mode such as Help by Phone or E-mail inquiries.Described KMC is responsible for issuing the system parameters for calculating encrypted public key to transmit leg, can also further issue private key corresponding to described encrypted public key to searcher or searcher place group, it is query key, described system parameters includes but not limited to elliptic curve cipher parameter group, mapping function and mapping method.
Concrete, the mapping parameters being obtained by identity is consistent, and the account form of PKI is obtained by mapping parameters and shared key factor matrix multiple, and the account form of private key is obtained by mapping parameters and private key factor matrix multiple, therefore, guaranteed the corresponding one by one of PKI and private key.
In this step, described KMC can adopt the mode of off-line to work, send described identity information and system parameters, and the time that sends query key does not limit, can before off-line, system parameters be handed down to transmit leg, and corresponding the encrypted public key calculating query key is handed down to searcher or searcher place group, also can provide online.
Step 102, is encrypted keyword according to the identity information of described searcher and described system parameters, and the keyword ciphertext after encrypting is uploaded to storage server.
Concrete, describedly according to the identity information of described searcher and described system parameters, keyword is encrypted, comprising:
According to the identity information of described searcher and described system parameters, calculate the encrypted public key for encrypting described keyword, and encrypt described keyword according to the described encrypted public key calculating.
In this step, transmit leg only need to know that the identity information of searcher or the identity information of searcher place group can realize the encryption of keyword, make transmit leg need to not download encrypted public key from online database of public keys or certificate repository, reduced the network bandwidth and storage overhead.
The embodiment of the present invention provides a kind of searched for encryption method based on identity, in described method, transmit leg only need to know that the identity of searcher or searcher place group can realize the encryption method of keyword, make transmit leg not need to download the identity of multiple searcher or searcher place group's PKI, do not need online database of public keys to support, reduced the network bandwidth and storage overhead.
Embodiment bis-
With reference to figure 2, Fig. 2 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention two provides.As shown in Figure 2, the method comprises the following steps:
Step 201, obtain query key according to the identity information of searcher from KMC, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Wherein, query key is that described KMC is according to the corresponding private key of encryption key of the identity information of described searcher and system parameters generation.Described KMC can calculate PKI equally, because described KMC stores shared key factor matrix, and private key is only present in described KMC, not external cloth.
Step 202, according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token, and receives the Query Result that described storage server returns.
Wherein, described according to keyword and described in the query key generated query token that obtains, comprising:
According to one or more keyword of searcher and described in the query key generated query token that obtains.
By the mode of above-mentioned one or more keyword, can realize searcher described one or more keywords are carried out to search inquiry at described storage server.
Can be preferred, described according to keyword and described in the query key generated query token that obtains, comprising:
In the time obtaining query key according to searcher place group's identity information from KMC, described in the described direction of search, searcher place group submits keyword, described searcher place group checks whether described searcher is the member in group, if, described searcher place group is according to described keyword and described query key generated query token, and described query token is turned back to described searcher.By searcher place group, to searcher, inquiry manages and controls, thereby realizes the object of multi-user's search.
Fig. 3 and Fig. 4 are a kind of searched for encryption method schematic diagrames based on identity that the embodiment of the present invention one and two provides, and now illustrate a kind of the searched for encryption method based on identity described in embodiment mono-and two in the mode of Signalling exchange.Meanwhile, the implementation of the embodiment of the present invention comprises the step of Fig. 3 and Fig. 4, but is not limited to the order of each step, and Fig. 3 and Fig. 4 are that one can preferred embodiment.As shown in Figure 3, described method comprises the steps:
Step 301, transmit leg obtains system parameters from KMC, and obtain the identity information of searcher simultaneously, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Step 302, transmit leg obtains according to the identity information of searcher and system parameters the encryption key that keyword is encrypted, and uploads to storage server according to described encryption keys keyword and by the keyword ciphertext after encrypting;
Step 303, searcher is obtained query key according to own relevant identity information from described KMC;
Step 304, searcher is according to described query key and keyword generated query token;
Step 305, searcher is uploaded described query token to described storage server;
Step 306, searcher receives the Query Result returning from described storage server.
As shown in Figure 4, described method comprises the steps:
Step 401, transmit leg obtains system parameters from KMC, and obtain the identity information of searcher simultaneously, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Step 402, transmit leg obtains according to the identity information of searcher and system parameters the encryption key that keyword is encrypted, and uploads to storage server according to described encryption keys keyword and by the keyword ciphertext after encrypting;
Step 403, searcher place group obtains query key according to described group's identity information from described KMC;
Step 404, described direction of search searcher place group submits keyword, applies for query token to searcher place group;
Step 405, searcher place group checks that whether described searcher is member in group, if so, generated query token, if not, generated query token not;
Step 406, described searcher receives the query token that described group issues;
Step 407, searcher is uploaded described query token to described storage server;
Step 408, searcher receives the Query Result returning from described storage server.
The embodiment of the present invention provides a kind of searched for encryption method based on identity, and described method, by the mode of above-mentioned one or more keyword, can realize searcher described one or more keywords are carried out to search inquiry at described storage server.By searcher place group, to searcher, inquiry manages and controls simultaneously, thereby realizes the object of multi-user's search.
Embodiment tri-
With reference to figure 5, Fig. 5 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention three provides.As shown in Figure 5, said method comprising the steps of:
Step 501, obtains the identity of searcher or searcher place group's identity, and the system parameters of KMC;
Step 502, according to the identity of described searcher or searcher place group's identity, and described system parameters cryptography key word, and the keyword ciphertext after encrypting is uploaded to storage server;
Step 503, according to the method encrypting plaintext data of any one encryption in prior art, and uploads to described storage server by the ciphertext of the clear data after encrypting.
In this step, encrypt by the method for any one encryption in prior art the clear data that described keyword is corresponding.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.Specifically with reference to the step 703 shown in figure 7.
A kind of searched for encryption method cryptography key word based on identity that the embodiment of the present invention provides by the embodiment of the present invention one and two, encrypt by prior art the clear data that described keyword is corresponding, thereby realize on the basis of existing technology, realize the scheme of the cryptography key the searched for word based on identity.
Embodiment tetra-
With reference to figure 6, Fig. 6 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention four provides.As shown in Figure 6, described method comprises the steps:
Step 601, obtains query key according to the identity of searcher or searcher place group's identity from KMC;
Step 602, according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token, and receives the data that described storage server returns;
Step 603, obtains the decruption key corresponding to method of any one encrypting plaintext data in prior art;
Step 604, according to the decruption key corresponding to method of any one encrypting plaintext data in described prior art, is decrypted the ciphertext of the clear data after described encryption, obtains the clear data after deciphering.
In this step, decipher by decryption method corresponding to the method for any one encryption in prior art the clear data that described keyword is corresponding.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.Specifically with reference to step 708 and the step 709 shown in figure 7.
Fig. 7 is a kind of searched for encryption method based on identity that the embodiment of the present invention three and embodiment tetra-provide, now illustrate a kind of the searched for encryption method based on identity described in embodiment tri-and four in the mode of Signalling exchange, simultaneously, the implementation of the embodiment of the present invention comprises the step of Fig. 7, but be not limited to the order of each step, Fig. 7 is that one can preferred embodiment.As shown in Figure 7, described method comprises the steps:
Step 701, transmit leg obtains system parameters from KMC, and obtain the identity information of searcher simultaneously, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Step 702, transmit leg obtains according to the identity information of searcher and system parameters the encryption key that keyword is encrypted, and uploads to storage server according to described encryption keys keyword and by the keyword ciphertext after encrypting;
Step 703, described transmit leg is according to the method encrypting plaintext data of any one encryption in prior art, and the ciphertext of the clear data after encrypting is uploaded to described storage server;
Step 704, searcher is obtained query key according to own relevant identity information from described KMC;
Step 705, searcher is according to described query key and keyword generated query token;
Step 706, searcher is uploaded described query token to described storage server;
Step 707, searcher receives the Query Result returning from described storage server;
Step 708, described searcher is obtained the decruption key corresponding to method of any one encrypting plaintext data in prior art;
Step 709, according to the decruption key corresponding to method of any one encrypting plaintext data in described prior art, is decrypted the ciphertext of the clear data after described encryption, obtains the clear data after deciphering.
A kind of searched for encryption method cryptography key word based on identity that the embodiment of the present invention provides by the embodiment of the present invention one and two, encrypt by prior art the clear data that described keyword is corresponding, thereby realize on the basis of existing technology, realize the scheme of the cryptography key the searched for word based on identity.
Embodiment five
With reference to figure 8, Fig. 8 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention five provides.Described method comprises the steps:
Step 801, obtains the identity of searcher or searcher place group's identity, and the system parameters of KMC;
Step 802, according to the identity of described searcher or searcher place group's identity, and described system parameters cryptography key word, and the keyword ciphertext after encrypting is uploaded to storage server;
Step 803, according to the identity of described searcher and described system parameters encrypting plaintext data, and uploads to described storage server by the ciphertext of the clear data after encrypting.
Concrete, described according to the identity of described searcher and described system parameters encrypting plaintext data, comprising:
Calculate according to the identity of described searcher and described system parameters the PKI of encrypting described clear data, and according to clear data described in the described public key encryption calculating.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.Specifically with reference to the step 1003 shown in Figure 10.
The embodiment of the present invention is by being used the identity of searcher and clear data corresponding to public key encryption keyword that system parameters calculates, make searcher only need to decipher described clear data by private key corresponding to described PKI, can realize simultaneously keyword and clear data are encrypted simultaneously by a pair of PKI and private key, make simple to operate.Described KMC possesses the ability of inquiry and deciphering total data simultaneously, can realize centralized data management, and company and some government bodies are being even more important.
Embodiment six
With reference to figure 9, Fig. 9 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention six provides.As shown in Figure 9, described method comprises the steps:
Step 901, obtains query key according to the identity of searcher or searcher place group's identity from KMC;
Step 902, according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token, and receives the data that described storage server returns;
Step 903, according to described query key, is decrypted the described ciphertext according to the clear data of the identity ciphering of searcher, obtains the clear data after deciphering.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.Specifically with reference to the step 1008 shown in Figure 10.
Figure 10 is a kind of searched for encryption method based on identity that the embodiment of the present invention five and embodiment six provide, now illustrate a kind of the searched for encryption method based on identity described in embodiment five and six in the mode of Signalling exchange, simultaneously, the implementation of the embodiment of the present invention comprises the step of Figure 10, but be not limited to the order of each step, Figure 10 is that one can preferred embodiment.As shown in figure 10, described method comprises the steps:
Step 1001, transmit leg obtains system parameters from KMC, and obtain the identity information of searcher simultaneously, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Step 1002, transmit leg obtains according to the identity information of searcher and system parameters the encryption key that keyword is encrypted, and uploads to storage server according to described encryption keys keyword and by the keyword ciphertext after encrypting;
Step 1003, according to the identity of described searcher and described system parameters encrypting plaintext data, and uploads to described storage server by the ciphertext of the clear data after encrypting;
Step 1004, searcher is obtained query key according to own relevant identity information from described KMC;
Step 1005, searcher is according to described query key and keyword generated query token;
Step 1006, searcher is uploaded described query token to described storage server;
Step 1007, searcher receives the Query Result returning from described storage server;
Step 1008, according to described query key, is decrypted the described ciphertext according to the clear data of the identity ciphering of searcher, obtains the clear data after deciphering.
The embodiment of the present invention is by being used the identity of searcher and clear data corresponding to public key encryption keyword that system parameters calculates, make searcher only need to decipher described clear data by private key corresponding to described PKI, can realize simultaneously keyword and clear data are encrypted simultaneously by a pair of PKI and private key, make simple to operate.Described KMC possesses the ability of inquiry and deciphering total data simultaneously, can realize centralized data management, and company and some government bodies are being even more important.
Embodiment seven
With reference to Figure 11, Figure 11 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention seven provides.As shown in figure 11, said method comprising the steps of:
Step 1101, obtains the identity of searcher or searcher place group's identity, and the system parameters of KMC;
Step 1102, according to the identity of described searcher or searcher place group's identity, and described system parameters cryptography key word, and the keyword ciphertext after encrypting is uploaded to storage server;
Step 1103, according to the encryption attribute clear data of described searcher, and uploads to described storage server by the ciphertext of the clear data after encrypting.
Concrete, described attribute includes but not limited to following several situation: for example, the department at company clerk A place is so-and-so A of research and development department of company group, and the attribute of company clerk A can be set to so-and-so A of research and development department of company group, or is set to other forms.The clear data that transmit leg is corresponding according to the encryption attribute keyword of company clerk A, and the ciphertext after encrypting is uploaded to described storage server.
Concrete, during according to the encryption attribute clear data of described searcher, the encryption key of generation is different with the encryption key producing according to the identity ciphering clear data of described searcher.When according to the identity ciphering clear data of described searcher, be to generate PKI according to the identity of described searcher and system parameters, transmit leg is encrypted clear data according to PKI, and searcher is decrypted the clear data after encrypting according to private key corresponding to PKI.In the time clear data being encrypted according to the attribute of searcher, be the encryption key that generates encrypting plaintext data according to attribute, the mode that generates key is different with the mode that generates PKI.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.Specifically with reference to the step 1303 shown in Figure 13.
The embodiment of the present invention is by plaintext attribute corresponding to encryption attribute searcher keyword, make the searcher can be according to the setup of attribute access rights that set in advance, when can carrying out multiple keyword retrieval to group member, the public search property to group data and the deciphering authority of data are carried out effective combination.
Embodiment eight
With reference to Figure 12, Figure 12 is a kind of searched for encryption method flow chart based on identity that the embodiment of the present invention eight provides.As shown in figure 12, said method comprising the steps of:
Step 1201, obtains query key according to the identity of searcher or searcher place group's identity from KMC;
Step 1202, according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token, and receives the data that described storage server returns;
Step 1203, obtains from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance;
Step 1204, according to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.Specifically with reference to step 1308 and the step 1309 shown in Figure 13.
Figure 13 is a kind of searched for encryption method based on identity that the embodiment of the present invention seven and embodiment eight provide, now illustrate a kind of the searched for encryption method based on identity described in embodiment seven and eight in the mode of Signalling exchange, simultaneously, the implementation of the embodiment of the present invention comprises the step of Figure 13, but be not limited to the order of each step, Figure 13 is that one can preferred embodiment.As shown in figure 13, described method comprises the steps:
Step 1301, transmit leg obtains system parameters from KMC, and obtain the identity information of searcher simultaneously, described searcher comprises the group at single searchers or several searchers place, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Step 1302, transmit leg obtains according to the identity information of searcher and system parameters the encryption key that keyword is encrypted, and uploads to storage server according to described encryption keys keyword and by the keyword ciphertext after encrypting;
Step 1303, described transmit leg is according to the encryption attribute clear data of described searcher, and the ciphertext of the clear data after encrypting is uploaded to described storage server;
Step 1304, searcher is obtained query key according to own relevant identity information from described KMC;
Step 1305, searcher is according to described query key and keyword generated query token;
Step 1306, searcher is uploaded described query token to described storage server;
Step 1307, searcher receives the Query Result returning from described storage server;
Step 1308, obtains from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance;
Step 1309, according to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
The embodiment of the present invention is by clear data corresponding to encryption attribute searcher keyword, make the searcher can be according to the setup of attribute access rights that set in advance, when can carrying out multiple keyword retrieval to group member, the public search property to group data and the deciphering authority of data are carried out effective combination.
Embodiment nine
With reference to Figure 14, Figure 14 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention nine, and described equipment comprises with lower unit:
The first acquiring unit 1401 and encryption uploading unit 1402, described the first acquiring unit 1401 is for carrying out the step 101 of embodiment mono-Fig. 1, and described encryption uploading unit 1402 is for carrying out the step 102 of embodiment mono-Fig. 1.
One of ordinary skill in the art will appreciate that and just divide according to function logic for the equipment in the described embodiment of the present invention nine included unit, but be not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to the application's protection range.
The first acquiring unit 1401, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Wherein, the identity of described searcher includes but not limited to the information such as the phone number, job number, No. QQ, Email of searcher.The mode of the described identity of obtaining searcher includes but not limited to obtain by the mode such as Help by Phone or E-mail inquiries.Described searcher place group's identity includes but not limited to the information such as searcher place group's QQ group number, department name.The mode of the described identity of obtaining searcher place group includes but not limited to obtain by the mode such as Help by Phone or E-mail inquiries.Described KMC is responsible for the system parameters using in the time that transmit leg issues cryptography key word, simultaneously issue transmit leg according to the identity of searcher or searcher place group's identity and private key corresponding to PKI that system parameters calculates to searcher or searcher place group, be query key, employing PKI and private key one to one mode are managed the PKI of transmit leg and searcher or searcher place group's private key.Specifically with reference to the step 401 shown in step 301 and in Fig. 4 in figure 3.
In this unit, described KMC can adopt the mode of off-line to work, and before off-line, system parameters is handed down to transmit leg, and the corresponding query key of the PKI that searcher is calculated is handed down to searcher or searcher place group.
Encrypt uploading unit 1402, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server.
Concrete, described according to the identity of described searcher or searcher place group's identity, and described system parameters cryptography key word, comprising:
According to the identity of described searcher or searcher place group's identity, and described system parameters calculates and encrypts the PKI of described keyword, and according to keyword described in the described public key encryption calculating.
In this unit, transmit leg only need to know that the identity of searcher or searcher place group can realize the encryption method of keyword, make transmit leg not need to download the identity of multiple searcher or searcher place group's PKI, do not need online database of public keys to support, reduced the network bandwidth and storage overhead.Because the query key of corresponding transmit leg PKI is produced by described KMC, therefore total data can be inquired about and decipher in KMC, realizes centralized key escrow function simultaneously, and this function is even more important in company and some government bodies.Specifically with reference to the step 302 of figure 3.
The embodiment of the present invention provides a kind of encryption device, in described encryption device, transmit leg only need to know that the identity of searcher or searcher place group can realize the encryption method of keyword, make transmit leg not need to download the identity of multiple searcher or searcher place group's PKI, do not need online database of public keys to support, reduced the network bandwidth and storage overhead.
Embodiment ten
With reference to Figure 15, Figure 15 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention ten, and described equipment comprises with lower unit:
Second acquisition unit 1501 and inquire-receive unit 1502, described second acquisition unit 1501 is for carrying out the step 201 of embodiment bis-Fig. 2, and described encryption uploading unit 1502 is for carrying out the step 202 of embodiment bis-Fig. 2.
One of ordinary skill in the art will appreciate that and just divide according to function logic for the equipment in the described embodiment of the present invention ten included unit, but be not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to the application's protection range.
Second acquisition unit 1501, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Wherein, query key is the private key that described KMC generates according to the identity of described searcher or searcher place group's identity.
Inquire-receive unit 1502, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token.
Wherein, described according to keyword and described in the query key generated query token that obtains, comprising:
According to one or more keyword of searcher and described in the query key generated query token that obtains.
By the mode of above-mentioned one or more keyword, can realize searcher described one or more keywords are carried out to search inquiry at described storage server.
Can be preferred, described according to keyword and described in the query key generated query token that obtains, comprising:
In the time obtaining query key according to searcher place group's identity from KMC, described in the described direction of search, searcher place group submits keyword, described searcher place group checks whether described searcher is the member in group, if, described searcher place group is according to described keyword and described query key generated query token, and described query token is turned back to described searcher.
The embodiment of the present invention provides a kind of search equipment, and described search equipment, by the mode of above-mentioned one or more keyword, can be realized searcher described one or more keywords are carried out to search inquiry at described storage server.By searcher place group, to searcher, inquiry manages and controls simultaneously, thereby realizes the object of multi-user's search.
Embodiment 11
With reference to Figure 16, Figure 16 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention 11, and described equipment comprises with lower unit:
The first acquiring unit 1601 and encryption uploading unit 1602, the first ciphering units 1603, described the first ciphering unit 1603 is for carrying out the step 803 of embodiment five Fig. 8.
One of ordinary skill in the art will appreciate that and just divide according to function logic for the equipment in the described embodiment of the present invention 11 included unit, but be not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to the application's protection range.
The first acquiring unit 1601, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit 1602, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server;
The first ciphering unit 1603, for according to the identity information of described searcher and described system parameters encrypting plaintext data, and uploads to described storage server by the ciphertext of the clear data after encrypting.
Concrete, described according to the identity of described searcher and described system parameters encrypting plaintext data, comprising:
Calculate according to the identity of described searcher and described system parameters the PKI of encrypting described clear data, and according to clear data described in the described public key encryption calculating.
The embodiment of the present invention is all suitable for for searcher or searcher place group, is mainly described further as an example of searcher example below.The embodiment of the present invention is by being used the identity of searcher and clear data corresponding to public key encryption keyword that system parameters calculates, make searcher only need to decipher described clear data by private key corresponding to described PKI, can realize simultaneously keyword and clear data are encrypted simultaneously by a pair of PKI and private key, make simple to operate.Described KMC possesses the ability of inquiry and deciphering total data simultaneously, can realize centralized data management, and company and some government bodies are being even more important.
Embodiment 12
With reference to Figure 17, Figure 17 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention 12, and described equipment comprises with lower unit:
Second acquisition unit 1701 and inquire-receive unit 1702, the first decryption unit 1703, described the first decryption unit 1703 is for carrying out the step 903 of embodiment six Fig. 9.
One of ordinary skill in the art will appreciate that and just divide according to function logic for the equipment in the described embodiment of the present invention 12 included unit, but be not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to the application's protection range.
Second acquisition unit 1701, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit 1702, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token;
The first decryption unit 1703, for according to described query key, is decrypted the described ciphertext according to the clear data of public key encryption, obtains the clear data after deciphering.
The embodiment of the present invention is by being used the identity of searcher and clear data corresponding to public key encryption keyword that system parameters calculates, make searcher only need to decipher described encrypt data by private key corresponding to described PKI, can realize simultaneously keyword and clear data are encrypted simultaneously by a pair of PKI and private key, make simple to operate.Described KMC possesses the ability of inquiry and deciphering total data simultaneously, can realize centralized data management, and company and some government bodies are being even more important.
Embodiment 13
With reference to Figure 18, Figure 18 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention 13, and described equipment comprises with lower unit:
The first acquiring unit 1801 and encryption uploading unit 1802, the second ciphering units 1803, described the second ciphering unit 1803 is for carrying out the step 1103 of embodiment seven Figure 11.
One of ordinary skill in the art will appreciate that and just divide according to function logic for the equipment in the described embodiment of the present invention 13 included unit, but be not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to the application's protection range.
The first acquiring unit 1801, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit 1802, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server;
The second ciphering unit 1803, for according to the encryption attribute clear data of described searcher, and uploads to described storage server by the ciphertext of the clear data after encrypting.
Concrete, described attribute includes but not limited to following several situation: for example, the department at company clerk A place is so-and-so A of research and development department of company group, and the attribute of company clerk A can be set to so-and-so A of research and development department of company group, or is set to other forms.The clear data that transmit leg is corresponding according to the encryption attribute keyword of company clerk A, and the ciphertext after encrypting is uploaded to described storage server.
The embodiment of the present invention is by plaintext attribute corresponding to encryption attribute searcher keyword, make the searcher can be according to the setup of attribute access rights that set in advance, when can carrying out multiple keyword retrieval to group member, the public search property to group data and the deciphering authority of data are carried out effective combination.
Embodiment 14
With reference to Figure 19, Figure 19 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention 14, and described equipment comprises with lower unit:
Second acquisition unit 1901 and inquire-receive unit 1902, the 3rd acquiring unit 1903, the second decryption unit 1904, described the 3rd acquiring unit 1903 is for carrying out the step 1203 of embodiment eight Figure 12, and described the second decryption unit 1904 is for carrying out the step 1204 of embodiment eight Figure 12.
One of ordinary skill in the art will appreciate that and just divide according to function logic for the equipment in the described embodiment of the present invention 14 included unit, but be not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to the application's protection range.
Second acquisition unit 1901, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit 1902, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token;
The 3rd acquiring unit 1903, for obtaining from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance;
The second decryption unit 1904, for according to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
The embodiment of the present invention is by plaintext attribute corresponding to encryption attribute searcher keyword, make the searcher can be according to the setup of attribute access rights that set in advance, when can carrying out multiple keyword retrieval to group member, the public search property to group data and the deciphering authority of data are carried out effective combination.
Embodiment 15
With reference to Figure 20, Figure 20 is the structure drawing of device of a kind of encryption device of providing of the embodiment of the present invention 15.With reference to Figure 20, Figure 20 is a kind of encryption device 2000 that the embodiment of the present invention provides, and the specific embodiment of the invention does not limit the specific implementation of the described network equipment.Described equipment 2000 comprises:
Processor (processor) 2001, communication interface (Communications Interface) 2002, memory (memory) 2003, bus 2004.
Processor 2001, communication interface 2002, memory 2003 completes mutual communication by bus 2004.
Communication interface 2002, for communicating with other equipment;
Processor 2001, for executive program A.
Particularly, program A can comprise program code, and described program code comprises computer-managed instruction.
Processor 2001 may be a central processor CPU, or specific integrated circuit ASIC(Application Specific Integrated Circuit), or be configured to implement one or more integrated circuits of the embodiment of the present invention.
Memory 2003, for depositing program A.Memory 2003 may comprise high-speed RAM memory, also may also comprise nonvolatile memory (non-volatile memory), for example at least one magnetic disc store.Program A specifically can comprise:
The first acquiring unit 1401, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit 1402, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server.
Or program A specifically can comprise:
The first acquiring unit 1601, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit 1602, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server;
The first ciphering unit 1603, for according to the identity information of described searcher and described system parameters encrypting plaintext data, and uploads to described storage server by the ciphertext of the clear data after encrypting.
Or program A specifically can comprise:
The first acquiring unit 1801, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit 1802, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server;
The second ciphering unit 1803, for according to the encryption attribute clear data of described searcher, and uploads to described storage server by the ciphertext of the clear data after encrypting.
In program A the specific implementation of each unit referring to Figure 14 or Figure 16 or embodiment illustrated in fig. 18 in corresponding units, be not repeated herein.
Embodiment 16
With reference to Figure 21, Figure 21 is the structure drawing of device of a kind of search equipment of providing of the embodiment of the present invention 16.With reference to Figure 21, Figure 21 is a kind of search equipment 2100 that the embodiment of the present invention provides, and the specific embodiment of the invention does not limit the specific implementation of the described network equipment.Described search equipment 2100 comprises:
Processor (processor) 2101, communication interface (Communications Interface) 2102, memory (memory) 2103, bus 2104.
Processor 2101, communication interface 2102, memory 2103 completes mutual communication by bus 2104.
Communication interface 2102, for communicating with other equipment;
Processor 2101, for executive program A.
Particularly, program A can comprise program code, and described program code comprises computer-managed instruction.
Processor 2101 may be a central processor CPU, or specific integrated circuit ASIC(Application Specific Integrated Circuit), or be configured to implement one or more integrated circuits of the embodiment of the present invention.
Memory 2103, for depositing program A.Memory 2103 may comprise high-speed RAM memory, also may also comprise nonvolatile memory (non-volatile memory), for example at least one magnetic disc store.Program A specifically can comprise:
Second acquisition unit 1501, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit 1502, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token.
Or program A specifically can comprise:
Second acquisition unit 1701, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit 1702, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token;
The first decryption unit 1703, for according to described query key, is decrypted the described ciphertext according to the clear data of public key encryption, obtains the clear data after deciphering.
Or program A specifically can comprise:
Second acquisition unit 1901, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit 1902, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token;
The 3rd acquiring unit 1903, for obtaining from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance;
The second decryption unit 1904, for according to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
In program A the specific implementation of each unit referring to Figure 15 or Figure 17 or embodiment illustrated in fig. 19 in corresponding units, be not repeated herein.
The foregoing is only the preferred embodiment of the present invention, do not form limiting the scope of the present invention.Any any modification of doing within the spirit and principles in the present invention, be equal to and replace and improvement etc., all should be included within requirement of the present invention comprises scope.

Claims (26)

1. can search for an encryption method, it is characterized in that, described method comprises:
Obtain the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
According to the identity information of described searcher and described system parameters, keyword is encrypted, and the keyword ciphertext after encrypting is uploaded to storage server.
2. method according to claim 1, is characterized in that, describedly according to the identity information of described searcher and described system parameters, keyword is encrypted, and comprising:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described keyword, and according to keyword described in the described public key encryption calculating.
3. method according to claim 1 and 2, is characterized in that, described method also comprises:
According to the identity information of described searcher and described system parameters encrypting plaintext data, and the ciphertext of the clear data after encrypting is uploaded to described storage server.
4. method according to claim 3, is characterized in that, described according to the identity of described searcher and described system parameters encrypting plaintext data, comprising:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described clear data, and according to clear data described in the described public key encryption calculating.
5. method according to claim 1 and 2, is characterized in that, described method also comprises:
According to the encryption attribute clear data of described searcher, and the ciphertext of the clear data after encrypting is uploaded to described storage server.
6. the searched for encryption method based on identity, is characterized in that, described method comprises:
Obtain query key according to the identity information of searcher from KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
According to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token.
7. method according to claim 6, is characterized in that, described keyword ciphertext of inquiring about from storage server by described query token after encrypting, comprising:
Contain the file of the keyword after encrypting by described query token inquiry packet from storage server.
8. according to the method described in claim 6 or 7, it is characterized in that, described according to keyword and described in the query key generated query token that obtains, comprising:
In the time obtaining query key according to searcher place group's identity from KMC, described in the described direction of search, searcher place group submits keyword, described searcher place group checks whether described searcher is the member in group, if, described searcher place group is according to described keyword and described query key generated query token, and described query token is turned back to described searcher.
9. according to the method described in claim 6 to 8 any one, it is characterized in that, described keyword ciphertext of inquiring about from storage server by described query token after encrypting, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of public key encryption.
10. method according to claim 9, is characterized in that, described method receive in step that described storage server returns according to the ciphertext of the clear data of public key encryption after, also comprise:
According to described query key, the described ciphertext according to the clear data of public key encryption is decrypted, obtain the clear data after deciphering.
11. according to the method described in the method described in claim 6 to 10 any one, it is characterized in that, described method, also comprises:
Obtain from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance.
12. methods according to claim 11, is characterized in that, described keyword ciphertext of inquiring about from storage server by described query token after encrypting, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of the described searcher encryption attribute setting in advance.
13. methods according to claim 12, is characterized in that, described method receive in step that described storage server returns according to the ciphertext of the clear data of the described searcher encryption attribute setting in advance after, also comprise:
According to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
14. 1 kinds of encryption devices, is characterized in that, described equipment comprises:
The first acquiring unit, for obtaining the identity information of searcher and the system parameters of KMC, the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Encrypt uploading unit, for according to the identity information of described searcher and described system parameters, keyword being encrypted, and the keyword ciphertext after encrypting is uploaded to storage server.
15. equipment according to claim 14, is characterized in that, described encryption uploading unit specifically for:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described keyword, and according to keyword described in the described public key encryption calculating.
16. according to the equipment described in claims 14 or 15, it is characterized in that, described equipment also comprises:
The first ciphering unit, for according to the identity information of described searcher and described system parameters encrypting plaintext data, and uploads to described storage server by the ciphertext of the clear data after encrypting.
17. equipment according to claim 16, is characterized in that, described the first ciphering unit specifically for:
Calculate according to the identity information of described searcher and described system parameters the PKI of encrypting described clear data, and according to clear data described in the described public key encryption calculating.
18. according to the equipment described in claims 14 or 15, it is characterized in that, described equipment also comprises:
The second ciphering unit, for according to the encryption attribute clear data of described searcher, and uploads to described storage server by the ciphertext of the clear data after encrypting.
19. 1 kinds of search equipments, is characterized in that, described equipment comprises:
Second acquisition unit, obtains query key for the identity information according to searcher from KMC, and the identity information of described searcher comprises the identity information of described single searchers's identity information or the group at described several searchers place;
Inquire-receive unit, for according to keyword and described in the query key generated query token that obtains, from storage server, inquire about the keyword ciphertext after encryption by described query token.
20. equipment according to claim 19, is characterized in that, in described inquire-receive unit, execution step is inquired about the keyword ciphertext after encrypting from storage server by described query token, comprising:
Contain the file of the keyword after encrypting by described query token inquiry packet from storage server.
21. according to the equipment described in claim 19 or 20, it is characterized in that, described inquire-receive unit execution step according to keyword and described in the query key generated query token that obtains, comprising:
In the time obtaining query key according to searcher place group's identity from KMC, described in the described direction of search, searcher place group submits keyword, described searcher place group checks whether described searcher is the member in group, if, described searcher place group is according to described keyword and described query key generated query token, and described query token is turned back to described searcher.
22. according to claim 19 to the equipment described in 21 any one, it is characterized in that, described inquire-receive unit, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of public key encryption.
23. equipment according to claim 22, is characterized in that, described equipment also comprises the first decryption unit, described the first decryption unit specifically for:
According to described query key, the described ciphertext according to the clear data of public key encryption is decrypted, obtain the clear data after deciphering.
24. according to claim 19 to the equipment described in 23 any one, it is characterized in that, described equipment also comprises the 3rd acquiring unit, described the 3rd acquiring unit specifically for:
Obtain from described KMC the data decryption key that described attribute is corresponding according to the searcher attribute setting in advance.
25. equipment according to claim 24, is characterized in that, described inquire-receive unit, comprising:
Receive that described storage server returns according to the ciphertext of the clear data of the described searcher encryption attribute setting in advance.
26. equipment according to claim 25, is characterized in that, described equipment also comprises the second decryption unit, described the second decryption unit specifically for:
According to described data decryption key, the ciphertext according to the clear data of the described searcher encryption attribute setting in advance that described storage server is returned is decrypted, and obtains the clear data after deciphering.
CN201210534843.0A 2012-12-12 2012-12-12 One kind can search for encryption method and equipment Active CN103873236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210534843.0A CN103873236B (en) 2012-12-12 2012-12-12 One kind can search for encryption method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210534843.0A CN103873236B (en) 2012-12-12 2012-12-12 One kind can search for encryption method and equipment

Publications (2)

Publication Number Publication Date
CN103873236A true CN103873236A (en) 2014-06-18
CN103873236B CN103873236B (en) 2017-03-08

Family

ID=50911386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210534843.0A Active CN103873236B (en) 2012-12-12 2012-12-12 One kind can search for encryption method and equipment

Country Status (1)

Country Link
CN (1) CN103873236B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104394155A (en) * 2014-11-27 2015-03-04 暨南大学 Multi-user cloud encryption keyboard searching method capable of verifying integrity and completeness
CN105049196A (en) * 2015-07-13 2015-11-11 西安理工大学 Searchable encryption method of multiple keywords at specified location in cloud storage
CN105471826A (en) * 2014-09-04 2016-04-06 中电长城网际系统应用有限公司 Ciphertext data query method, device and ciphertext query server
CN105681030A (en) * 2015-12-31 2016-06-15 腾讯科技(深圳)有限公司 Key management system, method and device
CN105868987A (en) * 2016-03-28 2016-08-17 中国银联股份有限公司 Method and system for sharing information among devices
CN105915520A (en) * 2016-04-18 2016-08-31 深圳大学 File storage and searching method based on public key searchable encryption, and storage system
CN105933281A (en) * 2016-03-29 2016-09-07 深圳大学 Quantum homomorphism symmetry searchable encryption method and system
WO2017166054A1 (en) * 2016-03-29 2017-10-05 深圳大学 Quantum homomorphism symmetry searchable encryption method and system
CN111416710A (en) * 2020-03-24 2020-07-14 国网山东省电力公司 Certificateless searchable encryption method and system applied to multiple receiving ends
CN112152803A (en) * 2020-09-15 2020-12-29 河海大学 Identity-based encryption method and system with multiple receiver ciphertext searchable
CN114884700A (en) * 2022-04-18 2022-08-09 华中科技大学 Searchable public key encryption batch processing method and system for resisting keyword guessing attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102318263A (en) * 2009-02-16 2012-01-11 微软公司 Trusted cloud computing and services framework
CN102687132A (en) * 2009-12-15 2012-09-19 微软公司 Trustworthy extensible markup language for trustworthy computing and data services
CN102687133A (en) * 2009-11-16 2012-09-19 微软公司 Containerless data for trustworthy computing and data services

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102318263A (en) * 2009-02-16 2012-01-11 微软公司 Trusted cloud computing and services framework
CN102687133A (en) * 2009-11-16 2012-09-19 微软公司 Containerless data for trustworthy computing and data services
CN102687132A (en) * 2009-12-15 2012-09-19 微软公司 Trustworthy extensible markup language for trustworthy computing and data services

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471826A (en) * 2014-09-04 2016-04-06 中电长城网际系统应用有限公司 Ciphertext data query method, device and ciphertext query server
CN105471826B (en) * 2014-09-04 2019-08-20 中电长城网际系统应用有限公司 Ciphertext data query method, apparatus and cryptogram search server
CN104394155B (en) * 2014-11-27 2017-12-12 暨南大学 It can verify that multi-user's cloud encryption keyword searching method of integrality and completeness
CN104394155A (en) * 2014-11-27 2015-03-04 暨南大学 Multi-user cloud encryption keyboard searching method capable of verifying integrity and completeness
CN105049196A (en) * 2015-07-13 2015-11-11 西安理工大学 Searchable encryption method of multiple keywords at specified location in cloud storage
CN105049196B (en) * 2015-07-13 2018-08-03 佛山市明茂网络科技有限公司 The encryption method that multiple keywords of designated position can search in cloud storage
CN105681030B (en) * 2015-12-31 2017-12-19 腾讯科技(深圳)有限公司 key management system, method and device
CN105681030A (en) * 2015-12-31 2016-06-15 腾讯科技(深圳)有限公司 Key management system, method and device
CN105868987B (en) * 2016-03-28 2019-08-13 中国银联股份有限公司 A kind of method and system of shared information between devices
CN105868987A (en) * 2016-03-28 2016-08-17 中国银联股份有限公司 Method and system for sharing information among devices
WO2017166054A1 (en) * 2016-03-29 2017-10-05 深圳大学 Quantum homomorphism symmetry searchable encryption method and system
CN105933281A (en) * 2016-03-29 2016-09-07 深圳大学 Quantum homomorphism symmetry searchable encryption method and system
CN105933281B (en) * 2016-03-29 2019-05-07 深圳大学 A kind of quantum homomorphism symmetrically can search for the method and system of encryption
CN105915520A (en) * 2016-04-18 2016-08-31 深圳大学 File storage and searching method based on public key searchable encryption, and storage system
CN105915520B (en) * 2016-04-18 2019-02-12 深圳大学 It can search for file storage, searching method and the storage system of encryption based on public key
US10769107B2 (en) 2016-04-18 2020-09-08 Shenzhen University File storage method, file search method and file storage system based on public-key encryption with keyword search
CN111416710A (en) * 2020-03-24 2020-07-14 国网山东省电力公司 Certificateless searchable encryption method and system applied to multiple receiving ends
CN112152803A (en) * 2020-09-15 2020-12-29 河海大学 Identity-based encryption method and system with multiple receiver ciphertext searchable
CN112152803B (en) * 2020-09-15 2021-12-21 河海大学 Identity-based encryption method with searchable multi-receiver ciphertext
CN114884700A (en) * 2022-04-18 2022-08-09 华中科技大学 Searchable public key encryption batch processing method and system for resisting keyword guessing attack
CN114884700B (en) * 2022-04-18 2023-04-28 华中科技大学 Searchable public key encryption batch processing method and system for resisting key guessing attack

Also Published As

Publication number Publication date
CN103873236B (en) 2017-03-08

Similar Documents

Publication Publication Date Title
Aljawarneh et al. A resource-efficient encryption algorithm for multimedia big data
CN103873236A (en) Searchable encryption method and equipment thereof
Li et al. KSF-OABE: Outsourced attribute-based encryption with keyword search function for cloud storage
CN105610793B (en) A kind of outsourcing data encryption storage and cryptogram search system and its application process
Zhao et al. Multi-user keyword search scheme for secure data sharing with fine-grained access control
He et al. Secure, efficient and fine-grained data access control mechanism for P2P storage cloud
Shao et al. Fine-grained data sharing in cloud computing for mobile devices
Liu et al. Multi-user searchable encryption with coarser-grained access control in hybrid cloud
CN103944711B (en) Cloud storage ciphertext retrieval method and system
JP6363032B2 (en) Key change direction control system and key change direction control method
Liu et al. Practical ciphertext-policy attribute-based encryption: traitor tracing, revocation, and large universe
Jayapandian et al. Secure and efficient online data storage and sharing over cloud environment using probabilistic with homomorphic encryption
KR101615137B1 (en) Data access method based on attributed
CN104967693A (en) Document similarity calculation method facing cloud storage based on fully homomorphic password technology
Nasiraee et al. Privacy-preserving distributed data access control for cloudiot
Ma et al. Adaptable key-policy attribute-based encryption with time interval
Debnath et al. Study and scope of signcryption for cloud data access control
Lin et al. Secure deduplication schemes for content delivery in mobile edge computing
Feng et al. S2PD: A selective sharing scheme for privacy data in vehicular social networks
Yan et al. Secure and efficient big data deduplication in fog computing
KR101812311B1 (en) User terminal and data sharing method of user terminal based on attributed re-encryption
CN113609077A (en) File retrieval method, system, storage medium and equipment
Silambarasan et al. Attribute-based convergent encryption key management for secure deduplication in cloud
Mansour et al. Evaluation of different cryptographic algorithms on wireless sensor network nodes
Navya et al. Securing smart grid data under key exposure and revocation in cloud computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220228

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.