CN104917787B - File security sharing method based on group key and system - Google Patents

File security sharing method based on group key and system Download PDF

Info

Publication number
CN104917787B
CN104917787B CN201410086634.3A CN201410086634A CN104917787B CN 104917787 B CN104917787 B CN 104917787B CN 201410086634 A CN201410086634 A CN 201410086634A CN 104917787 B CN104917787 B CN 104917787B
Authority
CN
China
Prior art keywords
group
key
user terminal
management
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410086634.3A
Other languages
Chinese (zh)
Other versions
CN104917787A (en
Inventor
刘国荣
沈军
金华敏
冯明
汪来富
刘东鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd filed Critical China Telecom Corp Ltd
Priority to CN201410086634.3A priority Critical patent/CN104917787B/en
Publication of CN104917787A publication Critical patent/CN104917787A/en
Application granted granted Critical
Publication of CN104917787B publication Critical patent/CN104917787B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention discloses a kind of file security sharing method and system based on group key.Wherein the first user terminal is in shared original document, original document is encrypted to generate encryption file using working key, working key is encrypted using group key to generate key ciphertext, encryption file and key ciphertext are uploaded to shared storage server;Second user terminal downloads specified encryption file, key ciphertext associated with specified encryption file and group identification from shared storage server;Second user terminal is decrypted to obtain working key key ciphertext when judging the group identification downloaded for the group identification of the second user terminal group, using group key, is decrypted encryption file to obtain original document using working key.By using group key cryptographic work key, it can be achieved that the encryption file security that flexible, user controllable, key is easily managed is shared, the risk that user file is divulged a secret in shared procedure is reduced.

Description

File security sharing method based on group key and system
Technical field
The present invention relates to the communications field, more particularly to a kind of file security sharing method and system based on group key.
Background technology
With the fast development of the Internet, applications, user data value is constantly promoted, and user is to information services such as cloud storages Safety more stringent requirements are proposed, how while promoting secure user data, realize that the safety of data is shared into For the main difficult technical of the service facings such as current cloud storage, the main File Sharing Technique scheme of industry or system exist at present Following some problems:
1, the secret sharing for authorizing and accessing is combined in plain text,
Since file is with stored in clear, safety is low;
2, Cryptograph Sharing scheme:
1)Server end encryption and decryption, presence server side key are divulged a secret risk, user's control scarce capacity, especially in cloud meter Under the multi-tenants application scenarios such as calculation, there are larger security risks;
2)User terminal encryption and decryption, there are key updating, the difficulties of management aspect.
Invention content
The embodiment of the present invention provides a kind of file security sharing method and system based on group key.For existing safety Storage scheme there are user's autonomous control scarce capacity, key and shared management and group are difficult the problems such as, it is proposed that traditional On the basis of file encryption, using group key encryption file key, by the distribution, more of group administrator's differentiated control group key New method, it can be achieved that flexible, user controllable, key is easily managed on the basis of meeting subscriber data file and storing safety Encryption file security it is shared, reduce the risk that user file is divulged a secret in shared procedure.
According to an aspect of the present invention, a kind of file security sharing method based on group key is provided, including:
Original document is encrypted to generate encryption in shared original document, using working key for first user terminal File is encrypted working key using preconfigured group key to generate key ciphertext;
First user terminal will encrypt file and key ciphertext is uploaded to shared storage server;
Shared storage server storage encryption file and key ciphertext, and encryption file, key ciphertext and first are used The group identification of the family terminal group is associated;
Second user terminal downloads specified encryption text from shared storage server when obtaining specified encryption file Part, key ciphertext associated with specified encryption file and group identification;
Second user terminal judge download group identification whether be the second user terminal group group identification;
If the group identification downloaded is the group identification of the second user terminal group, second user terminal is using in advance The key ciphertext of download is decrypted to obtain working key in the group key first configured, using obtained working key under The encryption file of load is decrypted to obtain original document.
In one embodiment, if the group identification downloaded is not the group identification of the second user terminal group, The key ciphertext and group identification of download are sent to the second management and group device by second user terminal, wherein the second management and group device For the manager of the second user terminal group;
Second management and group device sends cipher key acquisition request to the first management and group device, wherein the first management and group device is the The manager of one group, the first group are associated with the group identification of the download;
First management and group device is encrypted using the group key of pre-set the first group of higher level's group key pair, To obtain group key ciphertext, and group key ciphertext is sent to the second management and group device;
Second management and group device is decrypted group key ciphertext using pre-set higher level's group key, to obtain The group key of first group is decrypted the key ciphertext of download using the group key of the first group close to obtain work Obtained working key is sent to second user terminal by key;
Second user terminal is decrypted to obtain original text the encryption file of download using the working key received Part.
In one embodiment, if the group identification downloaded is not the group identification of the second user terminal group, The key ciphertext and group identification of download are sent to the second management and group device by second user terminal, wherein the second management and group device For the manager of the second user terminal group;
Second management and group device sends cipher key acquisition request to the first management and group device, and wherein cipher key acquisition request includes The key ciphertext of download, the first management and group device are the manager of the first group, the group identification of the first group and the download It is associated;
First management and group device is decrypted to obtain working key key ciphertext using the group key of the first group, Obtained working key is encrypted using pre-set higher level's group key, to obtain working key ciphertext, and by work Make key ciphertext and is sent to the second management and group device;
Second management and group device is decrypted to obtain working key ciphertext using pre-set higher level's group key Obtained working key is sent to second user terminal by working key;
Second user terminal is decrypted to obtain original text the encryption file of download using the working key received Part.
In one embodiment, the first user terminal original document is encrypted using working key to generate encryption text The step of part includes:
First user terminal generates working key at random;
First user terminal original document is encrypted using the working key generated at random to generate encryption file.
In one embodiment, group key of the management and group device in designated group in updating the designated group When, the whole key ciphertexts associated with designated group mark being stored in shared storage server are updated, so as to The whole key ciphertext is only capable of being decrypted using updated group key;
The updated group key is sent in the designated group by the management and group device in the designated group Each user terminal.
In one embodiment, group key of the management and group device in designated group in updating the designated group When, the step of the whole key ciphertexts associated with designated group mark being stored in shared storage server are updated Including:
Management and group device in designated group is in the group key in updating the designated group, from shared storage service Device downloads whole key ciphertexts associated with designated group mark;
Using current group key respectively to the key ciphertext K of downloadiE is decrypted, to obtain corresponding work Key Ki, wherein 1≤i≤N, N are the quantity of whole key ciphertexts;
Using updated group key respectively to working key KiIt is encrypted, it is close to respectively obtain updated key Literary Kie′;
By updated key ciphertext KiE ' is sent to shared storage server, to share storage server using update Key ciphertext K afterwardsiE ' is to key ciphertext KiE is updated.
According to another aspect of the present invention, a kind of file security shared system based on group key, including first are provided User terminal, second user terminal and shared storage server, wherein:
First user terminal, in shared original document, original document to be encrypted with life using working key At encryption file, working key is encrypted using preconfigured group key to generate key ciphertext, file will be encrypted It is uploaded to shared storage server with key ciphertext;
Shared storage server, for after the encryption file and key ciphertext for receiving the first user terminal uploads, depositing Storage encryption file and key ciphertext, and the group identification that file, key ciphertext and the first user terminal group will be encrypted It is associated;
Second user terminal is used for when obtaining specified encryption file, and specified add is downloaded from shared storage server Ciphertext part, key ciphertext associated with specified encryption file and group identification;Judge download group identification whether be The group identification of the second user terminal group is marked in the group that the group identification of download is the second user terminal group When knowledge, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, utilizes what is obtained The encryption file of download is decrypted to obtain original document in working key.
In one embodiment, there are one management and group devices for each group's tool, wherein:
Second user terminal be additionally operable to be not in the group identification of download the second user terminal group group identification When, the key ciphertext and group identification of download are sent to the second management and group device, wherein the second management and group device is the second use The manager of the family terminal group;When receiving the working key of the second management and group device transmission, the work received is utilized The encryption file for making key pair download is decrypted to obtain original document;
Second management and group device, for sending cipher key acquisition request to the first management and group device, wherein the first management and group Device is the manager of the first group, and the first group is associated with the group identification of the download;Receiving the first management and group When the group key ciphertext that device is sent, group key ciphertext is decrypted using pre-set higher level's group key, with To the group key of the first group, the key ciphertext of download is decrypted to obtain work using the group key of the first group Obtained working key is sent to second user terminal by key;
First management and group device, for being carried out using the group key of pre-set the first group of higher level's group key pair Encryption, to obtain group key ciphertext, and is sent to the second management and group device by group key ciphertext.
In one embodiment, second user terminal is additionally operable to where the group identification of download is not second user terminal When the group identification of group, the key ciphertext and group identification of download are sent to the second management and group device, wherein the second group Manager is the manager of the second user terminal group;When receiving the working key of the second management and group device transmission, The encryption file of download is decrypted to obtain original document using the working key received;
Second management and group device, for sending cipher key acquisition request, wherein cipher key acquisition request to the first management and group device Include the key ciphertext downloaded, the first management and group device is the manager of the first group, the group of the first group and the download Group mark is associated;When receiving the working key ciphertext of the first management and group device transmission, pre-set higher level group is utilized Working key ciphertext is decrypted to obtain working key in group key, and obtained working key is sent to second user end End;
First management and group device is decrypted to obtain work key ciphertext for the group key using the first group Key is encrypted obtained working key using pre-set higher level's group key, to obtain working key ciphertext, and Working key ciphertext is sent to the second management and group device.
In one embodiment, the first user terminal specifically generates working key at random, close using the work generated at random Key original document is encrypted to generate encryption file.
In one embodiment, the management and group device in designated group, the group being additionally operable in updating the designated group When group key, the whole key ciphertexts associated with designated group mark being stored in shared storage server are carried out more Newly, so that whole key ciphertexts are only capable of being decrypted using updated group key;The updated group is close Key is sent to each user terminal in the designated group.
In one embodiment, group of the management and group implement body in designated group in updating the designated group is close When key, whole key ciphertexts associated with designated group mark are downloaded from shared storage server;It is close using current group Key is respectively to the key ciphertext K of downloadiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are described The quantity of whole key ciphertexts;Using updated group key respectively to working key KiIt is encrypted, to respectively obtain more Key ciphertext K after newie′;By updated key ciphertext KiE ' is sent to shared storage server, to share storage service Device utilizes updated key ciphertext KiE ' is to key ciphertext KiE is updated.
The present invention, in shared original document, original document is encrypted using working key by the first user terminal File is encrypted to generate, working key is encrypted to generate key ciphertext, will be encrypted using preconfigured group key File and key ciphertext are uploaded to shared storage server;Shared storage server storage encryption file and key ciphertext, and will The group identification of encryption file, key ciphertext and the first user terminal group is associated;Second user terminal is obtaining When the fixed encryption file of fetching, specified encryption file, associated with the encryption file specified is downloaded from shared storage server Key ciphertext and group identification;Second user terminal is judging the group identification downloaded for the second user terminal group Group identification when, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, profit The encryption file of download is decrypted to obtain original document with obtained working key.Work is encrypted by using group key Make key, it can be achieved that flexible, user controllable, key is easily managed on the basis of meeting subscriber data file and storing safety Encrypt the risk that file security is shared, and reduction user file is divulged a secret in shared procedure.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention without having to pay creative labor, may be used also for those of ordinary skill in the art With obtain other attached drawings according to these attached drawings.
Fig. 1 is that the present invention is based on the schematic diagrames of file security sharing method one embodiment of group key.
Fig. 2 is that the present invention is based on the schematic diagrames of another embodiment of file security sharing method of group key.
Fig. 3 is the schematic diagram that group key of the present invention updates one embodiment.
Fig. 4 is that the present invention is based on the schematic diagrames of file security shared system one embodiment of group key.
Fig. 5 is that the present invention is based on the schematic diagrames of another embodiment of file security shared system of group key.
Fig. 6 is the schematic diagram that the present invention uploads shared information one embodiment.
Fig. 7 is the schematic diagram that the present invention downloads shared information one embodiment.
Fig. 8 is the schematic diagram that group key of the present invention updates network architecture one embodiment.
Fig. 9 is the schematic diagram of group key differentiated control one embodiment of the present invention.
Figure 10 is the schematic diagram that the present invention downloads another embodiment of shared information.
Specific implementation mode
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation describes, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Below Description only actually at least one exemplary embodiment is illustrative, is never used as to the present invention and its application or makes Any restrictions.Based on the embodiments of the present invention, those of ordinary skill in the art are not making creative work premise Lower obtained every other embodiment, shall fall within the protection scope of the present invention.
Unless specifically stated otherwise, positioned opposite, the digital table of the component and step that otherwise illustrate in these embodiments It is not limited the scope of the invention up to formula and numerical value.
Simultaneously, it should be appreciated that for ease of description, the size of attached various pieces shown in the drawings is not according to reality Proportionate relationship draw.
Technology, method and apparatus known to person of ordinary skill in the relevant may be not discussed in detail, but suitable In the case of, the technology, method and apparatus should be considered as authorizing part of specification.
In shown here and discussion all examples, any occurrence should be construed as merely illustrative, without It is as limitation.Therefore, the other examples of exemplary embodiment can have different values.
It should be noted that:Similar label and letter indicate similar terms in following attached drawing, therefore, once a certain Xiang Yi It is defined, then it need not be further discussed in subsequent attached drawing in a attached drawing.
Fig. 1 is that the present invention is based on the schematic diagrames of file security sharing method one embodiment of group key.Wherein:
Step 101, the first user terminal is in shared original document, using working key by original document be encrypted with Encryption file is generated, working key is encrypted using preconfigured group key to generate key ciphertext.
Wherein, each group is equipped with group key, which is only distributed to the user terminal in the group.
Preferably, the first user terminal generates working key at random, and using the working key generated at random by original text Part is encrypted to generate encryption file.
Step 102, the first user terminal will encrypt file and key ciphertext is uploaded to shared storage server.
Step 103, share storage server storage encryption file and key ciphertext, and will encryption file, key ciphertext with And first the group identification of the user terminal group be associated.
Step 104, second user terminal is specified when obtaining specified encryption file from the download of shared storage server Encrypt file, key ciphertext associated with specified encryption file and group identification.
Step 105, second user terminal judge download group identification whether be the second user terminal group group Group mark.
It is, judging second user terminal, whether the user terminal of the encryption file shared with offer is in same In group.
Step 106, if the group identification downloaded is the group identification of the second user terminal group, second user is whole End is decrypted to obtain working key the key ciphertext of download using preconfigured group key, utilizes obtained work The encryption file that key pair is downloaded is decrypted to obtain original document.
Based on the file security sharing method based on group key that the above embodiment of the present invention provides, pass through the first user Terminal original document is encrypted in shared original document, using working key to generate encryption file, using matching in advance The group key set is encrypted working key to generate key ciphertext, and encryption file and key ciphertext are uploaded to shared deposit Store up server;Shared storage server storage encryption file and key ciphertext, and encryption file, key ciphertext and first are used The group identification of the family terminal group is associated;Second user terminal is deposited when obtaining specified encryption file from shared It stores up server and downloads specified encryption file, key ciphertext associated with specified encryption file and group identification;Second For user terminal when judging the group identification downloaded for the group identification of the second user terminal group, utilization is preconfigured The key ciphertext of download is decrypted to obtain working key in group key, the encryption using obtained working key to download File is decrypted to obtain original document.By using group key cryptographic work key, deposited meeting subscriber data file , it can be achieved that the encryption file security that flexible, user controllable, key is easily managed is shared on the basis of storage safety, user's text is reduced The risk that part is divulged a secret in shared procedure.
Fig. 2 is that the present invention is based on the schematic diagrames of another embodiment of file security sharing method of group key.Shown in Fig. 1 Embodiment is compared, in the embodiment depicted in figure 2, further to the user terminal of second user terminal and the shared encryption file of offer Processing when in different groups is described.
Step 201, second user terminal is specified when obtaining specified encryption file from the download of shared storage server Encrypt file, key ciphertext associated with specified encryption file and group identification.
Step 202, second user terminal judge download group identification whether be the second user terminal group group Group mark.If the group identification downloaded is the group identification of the second user terminal group, 203 are thened follow the steps;If downloading Group identification be not the second user terminal group group identification, then follow the steps 204.
Step 203, second user terminal using preconfigured group key to the key ciphertext of download be decrypted with Working key is obtained, the encryption file of download is decrypted to obtain original document using obtained working key.Later, no Other steps of the present embodiment are executed again.
That is, when the user terminal of second user terminal and the shared encryption file of offer is in same group, second user Terminal can be used directly preconfigured group key and be decrypted.
Step 204, the key ciphertext and group identification of download are sent to the second management and group device by second user terminal, In the second management and group device be the second user terminal group manager.
Step 205, the second management and group device sends cipher key acquisition request to the first management and group device, wherein the first group manages The manager that device is the first group is managed, the first group is associated with the group identification of the download.
Step 206, the first management and group device utilizes the group key of pre-set the first group of higher level's group key pair It is encrypted, to obtain group key ciphertext, and group key ciphertext is sent to the second management and group device.
Step 207, the second management and group device solves group key ciphertext using pre-set higher level's group key It is close, to obtain the group key of the first group, using the first group group key to the key ciphertext of download be decrypted with Working key is obtained, obtained working key is sent to second user terminal.
Step 208, second user terminal is decrypted to obtain the encryption file of download using the working key received To original document.
That is, when the user terminal of second user terminal and the shared encryption file of offer is not at same group, Second user terminal can be close to be worked accordingly by the information exchange of the first management and group device and the second management and group device Key, and the user terminal in a group can't obtain the group key in other groups, it is ensured that system is safe.
In another embodiment, above-mentioned steps 205-207 also can be replaced step 205 ' -207 ', wherein:
Step 205 ', the second management and group device sends cipher key acquisition request to the first management and group device, and wherein key obtains Request includes the key ciphertext downloaded, and the first management and group device is the manager of the first group, the first group and the download Group identification it is associated.
Step 206 ', the first management and group device is decrypted to obtain key ciphertext using the group key of the first group Working key is encrypted obtained working key using pre-set higher level's group key, close to obtain working key Text, and working key ciphertext is sent to the second management and group device.
Step 207 ', the second management and group device solves working key ciphertext using pre-set higher level's group key It is close to obtain working key, obtained working key is sent to second user terminal.
Pass through the embodiment, it can be ensured that group key will not be known by other management and group devices, to can further improve The safety of system.
In addition, regularly updating requirement in the case where group member changes, group key is revealed, or according to strategy, need The group key of related group is updated.
Wherein, the management and group device in designated group will be stored in the group key in updating the designated group Whole key ciphertexts associated with designated group mark in shared storage server are updated, so as to whole keys Ciphertext is only capable of being decrypted using updated group key.In addition, management and group device in the designated group will described in more Group key after new is sent to each user terminal in the designated group.
To which each user terminal in designated group can realize the update of group key, while by shared storage server In corresponding key ciphertext also carried out corresponding update.
Fig. 3 is the schematic diagram that group key of the present invention updates one embodiment.
Step 301, the management and group device in designated group is in the group key in updating the designated group, from shared Storage server downloads whole key ciphertexts associated with designated group mark.
Step 302, using current group key respectively to the key ciphertext K of downloadiE is decrypted, opposite to obtain The working key K answeredi, wherein 1≤i≤N, N are the quantity of whole key ciphertexts.
Step 303, using updated group key respectively to working key KiIt is encrypted, after respectively obtaining update Key ciphertext Kie′。
Step 304, by updated key ciphertext KiE ' is sent to shared storage server, to share storage server Utilize updated key ciphertext KiE ' is to key ciphertext KiE is updated.
Step 305, the updated group key is sent to the finger by the management and group device in the designated group Each user terminal in grouping group.
Fig. 4 is that the present invention is based on the schematic diagrames of file security shared system one embodiment of group key.Such as Fig. 4 institutes Show, which includes multiple user terminals, for brevity, only provides the first user terminal 401 here and second user is whole End 402, in addition, the system further includes shared storage server 403.Wherein:
First user terminal 401, in shared original document, using working key by original document be encrypted with Encryption file is generated, working key is encrypted using preconfigured group key to generate key ciphertext, by encryption text Part and key ciphertext are uploaded to shared storage server.
Preferably, the first user terminal specifically generates working key at random, will be original using the working key generated at random File is encrypted to generate encryption file.
Shared storage server 403, for after the encryption file and key ciphertext for receiving the first user terminal uploads, Storage encryption file and key ciphertext, and the group for encrypting file, key ciphertext and the first user terminal group is marked Knowledge is associated.
Second user terminal 402, for when obtaining specified encryption file, being specified from the download of shared storage server Encrypt file, key ciphertext associated with specified encryption file and group identification;Whether judge the group identification downloaded For the group identification of the second user terminal group, in the group that the group identification of download is the second user terminal group When mark, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, using obtaining Working key the encryption file of download is decrypted to obtain original document.
Based on the above embodiment of the present invention provide the file security shared system based on group key,
By the first user terminal in shared original document, original document is encrypted to generate using working key Encrypt file, working key be encrypted using preconfigured group key to generate key ciphertext, will encryption file and Key ciphertext is uploaded to shared storage server;Shared storage server storage encryption file and key ciphertext, and will encryption text The group identification of part, key ciphertext and the first user terminal group is associated;Second user terminal is specified in acquisition Encryption file when, download specified encryption file, key associated with the encryption file specified from shared storage server Ciphertext and group identification;Second user terminal is judging the group identification downloaded for the group of the second user terminal group When mark, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, using obtaining Working key the encryption file of download is decrypted to obtain original document.It is close by using group key encrypted work Key, it can be achieved that the encryption that flexible, user controllable, key is easily managed on the basis of meeting subscriber data file and storing safety File security is shared, reduces the risk that user file is divulged a secret in shared procedure.
Fig. 5 is that the present invention is based on the schematic diagrames of another embodiment of file security shared system of group key.Shown in Fig. 4 Embodiment is compared, and further includes management and group device in system shown in Fig. 5, wherein there are one management and group devices for each group tool.For For the sake of concise, the first management and group device 501 and the second management and group device 502 are only provided here.Meanwhile given here second Only as an example, the configuration of the second user terminal is equally applicable to the other user terminals in system to user terminal 402. Wherein:
Second user terminal 402 is additionally operable to mark in the group that the group identification of download is not the second user terminal group When knowledge, the key ciphertext and group identification of download are sent to the second management and group device 502, wherein the second management and group device is the The manager of the two user terminal groups;When receiving the working key of the second management and group device 502 transmission, reception is utilized To working key the encryption file of download is decrypted to obtain original document.
Second management and group device 502, for sending cipher key acquisition request to the first management and group device 501, wherein first group Group manager is the manager of the first group, and the first group is associated with the group identification of the download;Receiving first group When the group key ciphertext that group manager 501 is sent, group key ciphertext is carried out using pre-set higher level's group key Decryption, to obtain the group key of the first group, is decrypted the key ciphertext of download using the group key of the first group To obtain working key, obtained working key is sent to second user terminal 402.
First management and group device 501, for the group key using pre-set the first group of higher level's group key pair It is encrypted, to obtain group key ciphertext, and group key ciphertext is sent to the second management and group device.
To, when the user terminal of second user terminal and the shared encryption file of offer is not at same group, second User terminal can by the information exchange of the first management and group device and the second management and group device to obtain corresponding working key, and User terminal in one group can't obtain the group key in other groups, it is ensured that system is safe.
In another embodiment, second user terminal 402 is additionally operable in the group identification of download not be second user terminal When the group identification of the group, the key ciphertext and group identification of download are sent to the second management and group device, wherein second Management and group device is the manager of the second user terminal group;In the working key for receiving the transmission of the second management and group device When, the encryption file of download is decrypted to obtain original document using the working key received.
Second management and group device 502, for sending cipher key acquisition request to the first management and group device,
Wherein cipher key acquisition request includes the key ciphertext downloaded, and the first management and group device is the management of the first group Device, the first group are associated with the group identification of the download;It is close in the working key for receiving the transmission of the first management and group device Wen Shi is decrypted to obtain working key working key ciphertext using pre-set higher level's group key, by what is obtained Working key is sent to second user terminal.
First management and group device 501 is decrypted to obtain key ciphertext for the group key using the first group Working key is encrypted obtained working key using pre-set higher level's group key, close to obtain working key Text, and working key ciphertext is sent to the second management and group device.
To, it can be ensured that group key will not be known by other management and group devices, to can further improve the peace of system Quan Xing.
In addition, regularly updating requirement in the case where group member changes, group key is revealed, or according to strategy, need The group key of related group is updated.Management and group device in the designated group being set forth below can be in system Any group in management and group device.Wherein:
Management and group device in designated group is additionally operable to, in the group key in updating the designated group, to store Whole key ciphertexts associated with designated group mark in shared storage server are updated, so that the whole is close Key ciphertext is only capable of being decrypted using updated group key;The updated group key is sent to the designated group Each user terminal in group.
Wherein, the management and group implement body in designated group is in the group key in updating the designated group, from altogether It enjoys storage server and downloads whole key ciphertexts associated with designated group mark;Using current group key respectively under The key ciphertext K of loadiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are that whole keys are close The quantity of text;Using updated group key respectively to working key KiIt is encrypted, to respectively obtain updated key Ciphertext Kie′;By updated key ciphertext KiE ' is sent to shared storage server, to share storage server using update Key ciphertext K afterwardsiE ' is to key ciphertext KiE is updated.
The present invention is specifically described below by specific example.
Fig. 6 is the schematic diagram that the present invention uploads shared information one embodiment.It is said by taking user terminal A as an example below It is bright.
Step 601, user terminal A is random to generate working key K in shared original document.
Step 602, original document F is encrypted to generate encryption file Fe using working key.
Step 603, working key K is encrypted using preconfigured group key Kg to generate key ciphertext Ke.
Step 604, user terminal A is uploaded to shared storage server by file Fe and key ciphertext Ke is encrypted.So as to altogether Storage server storage encryption file and key ciphertext are enjoyed, and will encryption file, key ciphertext and the user terminal A group Group identification be associated.
Fig. 7 is the schematic diagram that the present invention downloads shared information one embodiment.The embodiment is related to user terminal B from shared Storage server downloads the shared file of user terminal A, and wherein user terminal B and user terminal A belongs to same group G.
Step 701, user terminal B downloads specified encryption file Fe and specified encryption text from shared storage server The associated key ciphertext Ke of part Fe.
Step 702, the key ciphertext Ke of download is decrypted to obtain work using preconfigured group key Kg Key K.
Step 703, the encryption file Fe of download is decrypted to obtain original document F using obtained working key K.
Fig. 8 is the schematic diagram that group key of the present invention updates network architecture one embodiment.
Being located in group G has user terminal A and B, has had the shared file in group G in shared storage server F1e ..., Fne, corresponding key ciphertext be K1e ..., Kne, specific upload operation can be as shown in above-described embodiment.
1)The management and group device of group G downloads key ciphertext K1e ... Kne from shared storage server.
2)Management and group device uses old group key Kg decruption keys ciphertext K1e, and uses new group key Kg ' encryptions Key ciphertext forms ciphertext K1e '.
3)Group administrator decrypts one by one, re-encrypted private key ciphertext, forms new key ciphertext K1e ' ... Kne '.
4)New key ciphertext K1e ' ... Kne ' is uploaded to document storage system by group administrator, and new and old close Key ciphertext K1e ... Kne.
5)New group key is distributed to all members of group by group administrator.
Fig. 7 and embodiment illustrated in fig. 8 all refer to user terminal A and user terminal B belongs to same group G.In actual conditions Under, it often will appear user terminal A and the case where user terminal B belongs to different groups.As shown in figure 9, member makes in group 11 It is group key 11, member uses group key 1n in group 1n, when the user terminal A in group 1n desires access to When shared information in group 11, since it does not have the group key 11 in group 11, the encryption of download can not be believed Breath is correctly decrypted.At this moment it can pass through the higher level group in group 11 and group 1n(Group 1)Group key 1 carry out correlation Processing also can successfully obtain phase to make the user A in group 1n without group key 11 in group 11 The file answered.Those skilled in the art, can be across it will be appreciated that aforesaid operations can be realized between any two group Multi-level groups obtain key step by step, such as corresponding operating can be carried out between group 1n and group Mn.Corresponding specific processing step It is rapid as shown in Figure 10:
Step 1001, user terminal A downloads specified encryption file Fe and specified encryption text from shared storage server Part associated key ciphertext Ke and group identification ID.
Step 1002, user terminal A is judging that the group identification ID downloaded is not group's mark of the user terminal A group When knowledge, the key ciphertext Ke of download and group identification ID are sent to the management and group device A of user terminal A group GA.
Step 1003, management and group device Bs of the management and group device A into group GB associated with group identification ID sends key Obtain request.
Step 1004, management and group device B carries out the group key B of this group using pre-set higher level's group key Encryption, to obtain group key ciphertext.
Wherein higher level's group key is the group key for the upper level group for including group GA and GB.
Step 1005, group key ciphertext is sent to management and group device A by management and group device B.
Step 1006, management and group device A is decrypted group key ciphertext using pre-set higher level's group key, To obtain the group key KB of group GB, the key ciphertext of download is decrypted using group key KB close to obtain work Key.
Step 1007, obtained working key is sent to user terminal A by management and group device A.
Step 1008, user terminal A is decrypted to obtain the encryption file of download using the working key received Original document.
It is interacted by above- mentioned information, the user terminal A in group GA is without knowing the group key KB's in group GB In the case of, by the information exchange between management and group device A and management and group device B, it can get corresponding working key.To really System safety is protected.
Preferably, above-mentioned steps 1003-1006 also can be replaced step 1003 ' -1006 ', wherein:
Step 1003 ', management and group device Bs of the management and group device A into group GB associated with group identification ID sends close Key obtains request, and cipher key acquisition request includes the key ciphertext Ke downloaded.
Step 1004 ', management and group device B is decrypted key ciphertext Ke using corresponding group key, to obtain phase The working key K answered is encrypted working key K using pre-set higher level's group key, close to obtain working key Text.
Step 1005 ', working key ciphertext is sent to management and group device A by management and group device B.
Step 1006 ', management and group device A solves working key ciphertext using pre-set higher level's group key It is close, to obtain working key K.
To, it can be ensured that group key will not be known by other management and group devices, to can further improve the peace of system Quan Xing.
One of ordinary skill in the art will appreciate that realizing that all or part of step of above-described embodiment can pass through hardware It completes, relevant hardware can also be instructed to complete by program, the program can be stored in a kind of computer-readable In storage medium, storage medium mentioned above can be read-only memory, disk or CD etc..
Description of the invention provides for the sake of example and description, and is not exhaustively or will be of the invention It is limited to disclosed form.Many modifications and variations are obvious for the ordinary skill in the art.It selects and retouches It states embodiment and is to more preferably illustrate the principle of the present invention and practical application, and those skilled in the art is enable to manage Various embodiments with various modifications of the solution present invention to design suitable for special-purpose.

Claims (10)

1. a kind of file security sharing method based on group key, which is characterized in that including:
Original document is encrypted to generate encryption text in shared original document, using working key for first user terminal Part is encrypted working key using preconfigured group key to generate key ciphertext;
First user terminal will encrypt file and key ciphertext is uploaded to shared storage server;
Shared storage server storage encryption file and key ciphertext, and it is whole to encrypt file, key ciphertext and the first user The group identification of the end group is associated;
Second user terminal when obtaining specified encryption file, from shared storage server download specified encryption file, with The associated key ciphertext of specified encryption file and group identification;
Second user terminal judge download group identification whether be the second user terminal group group identification;
If the group identification downloaded is the group identification of the second user terminal group, second user terminal utilizes matches in advance The key ciphertext of download is decrypted to obtain working key in the group key set, using obtained working key to download Encryption file is decrypted to obtain original document;
If the group identification downloaded is not the group identification of the second user terminal group, second user terminal is by download Key ciphertext and group identification are sent to the second management and group device, wherein the second management and group device is group where second user terminal The manager of group;
Second management and group device sends cipher key acquisition request to the first management and group device, wherein the first management and group device is first group The manager of group, the first group are associated with the group identification of the download;
First management and group device is encrypted using the group key of pre-set the first group of higher level's group key pair, with It is sent to the second management and group device to group key ciphertext, and by group key ciphertext;
Second management and group device is decrypted group key ciphertext using pre-set higher level's group key, to obtain first The group key of group is decrypted to obtain working key the key ciphertext of download using the group key of the first group, Obtained working key is sent to second user terminal;
Second user terminal is decrypted to obtain original document the encryption file of download using the working key received.
2. according to the method described in claim 1, it is characterized in that, if the group identification downloaded is not second user terminal place The group identification of group further includes:
The key ciphertext and group identification of download are sent to the second management and group device by second user terminal, wherein the second group manages Manage the manager that device is the second user terminal group;
Second management and group device sends cipher key acquisition request to the first management and group device, and wherein cipher key acquisition request includes downloading Key ciphertext, the first management and group device is the manager of the first group, and the first group is related to the group identification of the download Connection;
First management and group device is decrypted key ciphertext using the group key of the first group to obtain working key, utilizes Obtained working key is encrypted in pre-set higher level's group key, and to obtain working key ciphertext, and it is close to work Key ciphertext is sent to the second management and group device;
Second management and group device is decrypted to obtain work working key ciphertext using pre-set higher level's group key Obtained working key is sent to second user terminal by key;
Second user terminal is decrypted to obtain original document the encryption file of download using the working key received.
3. according to the method described in any one of claim 1-2, which is characterized in that
Original document is encrypted using working key for first user terminal:
First user terminal generates working key at random;
First user terminal original document is encrypted using the working key generated at random to generate encryption file.
4. according to the method described in any one of claim 1-2, which is characterized in that
Management and group device in designated group will be stored in shared storage clothes in the group key in updating the designated group Whole key ciphertexts associated with designated group mark in business device are updated, so that whole key ciphertexts are only capable of making It is decrypted with updated group key;
The updated group key is sent to every in the designated group by the management and group device in the designated group A user terminal.
5. according to the method described in claim 4, it is characterized in that,
Management and group device in designated group will be stored in shared storage clothes in the group key in updating the designated group Whole key ciphertexts the step of being updated associated with designated group mark in business device includes:
Management and group device in designated group is in the group key in updating the designated group, under shared storage server Carry whole key ciphertexts associated with designated group mark;
Using current group key respectively to the key ciphertext K of downloadiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are the quantity of whole key ciphertexts;
Using updated group key respectively to working key KiIt is encrypted, to respectively obtain updated key ciphertext Kie′;
By updated key ciphertext KiE ' is sent to shared storage server, to share storage server using updated Key ciphertext KiE ' is to key ciphertext KiE is updated.
6. a kind of file security shared system based on group key, which is characterized in that including the first user terminal, second user Terminal and shared storage server, there are one management and group devices for each group's tool, wherein:
First user terminal, in shared original document, being encrypted original document using working key and being added with generating Ciphertext part, is encrypted working key using preconfigured group key to generate key ciphertext, will encryption file and close Key ciphertext is uploaded to shared storage server;
Shared storage server, for after the encryption file and key ciphertext for receiving the first user terminal uploads, storage to add Ciphertext part and key ciphertext, and the group identification for encrypting file, key ciphertext and the first user terminal group is carried out Association;
Second user terminal, for when obtaining specified encryption file, specified encryption text to be downloaded from shared storage server Part, key ciphertext associated with specified encryption file and group identification;Judge whether the group identification downloaded is second The group identification of the user terminal group, in the group identification that the group identification of download is the second user terminal group When, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, utilizes obtained work The encryption file for making key pair download is decrypted to obtain original document;It is not second user terminal in the group identification of download When the group identification of the group, the key ciphertext and group identification of download are sent to the second management and group device, wherein second Management and group device is the manager of the second user terminal group;In the working key for receiving the transmission of the second management and group device When, the encryption file of download is decrypted to obtain original document using the working key received;
Second management and group device, for sending cipher key acquisition request to the first management and group device, wherein the first management and group device is The manager of first group, the first group are associated with the group identification of the download;Receiving the first management and group device hair When the group key ciphertext sent, group key ciphertext is decrypted using pre-set higher level's group key, to obtain The group key of one group is decrypted the key ciphertext of download using the group key of the first group close to obtain work Obtained working key is sent to second user terminal by key;
First management and group device, for being added using the group key of pre-set the first group of higher level's group key pair It is close, to obtain group key ciphertext, and group key ciphertext is sent to the second management and group device.
7. system according to claim 6, which is characterized in that
Second user terminal is additionally operable to when the group identification of download is not the group identification of the second user terminal group, will The key ciphertext and group identification of download are sent to the second management and group device, wherein the second management and group device is second user terminal The manager of the group;When receiving the working key of the second management and group device transmission, the working key received is utilized The encryption file of download is decrypted to obtain original document;
Second management and group device is additionally operable to send cipher key acquisition request to the first management and group device, is wherein wrapped in cipher key acquisition request The key ciphertext of download is included, the first management and group device is the manager of the first group, and the first group and the group of the download mark Sensible association;It is close using pre-set higher level group when receiving the working key ciphertext of the first management and group device transmission Working key ciphertext is decrypted to obtain working key in key, and obtained working key is sent to second user terminal;
First management and group device is additionally operable to that key ciphertext is decrypted using the group key of the first group close to obtain work Key is encrypted obtained working key using pre-set higher level's group key, to obtain working key ciphertext, and will Working key ciphertext is sent to the second management and group device.
8. according to the system described in any one of claim 6-7, which is characterized in that
First user terminal specifically generates working key at random, and original document is encrypted using the working key generated at random File is encrypted to generate.
9. the system described according to claim 6 or 7, which is characterized in that
Management and group device in designated group is additionally operable in the group key in updating the designated group, shared by being stored in Whole key ciphertexts associated with designated group mark in storage server are updated, so as to whole key ciphertexts It is only capable of being decrypted using updated group key;The updated group key is sent in the designated group Each user terminal.
10. system according to claim 9, which is characterized in that
Management and group implement body in designated group is in the group key in updating the designated group, from shared storage service Device downloads whole key ciphertexts associated with designated group mark;It is close to the key of download respectively using current group key Literary KiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are the quantity of whole key ciphertexts; Using updated group key respectively to working key KiIt is encrypted, to respectively obtain updated key ciphertext Kie′;It will Updated key ciphertext KiE ' is sent to shared storage server, close using updated key to share storage server Literary KiE ' is to key ciphertext KiE is updated.
CN201410086634.3A 2014-03-11 2014-03-11 File security sharing method based on group key and system Active CN104917787B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410086634.3A CN104917787B (en) 2014-03-11 2014-03-11 File security sharing method based on group key and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410086634.3A CN104917787B (en) 2014-03-11 2014-03-11 File security sharing method based on group key and system

Publications (2)

Publication Number Publication Date
CN104917787A CN104917787A (en) 2015-09-16
CN104917787B true CN104917787B (en) 2018-10-23

Family

ID=54086491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410086634.3A Active CN104917787B (en) 2014-03-11 2014-03-11 File security sharing method based on group key and system

Country Status (1)

Country Link
CN (1) CN104917787B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980269A (en) * 2014-04-03 2015-10-14 华为技术有限公司 Secret key sharing method, device and system
CN109831405B (en) * 2017-11-23 2021-06-22 航天信息股份有限公司 File protection method and device on cloud platform
CN108306880B (en) * 2018-01-31 2019-06-11 北京深思数盾科技股份有限公司 A kind of data distribution, retransmission method and device
CN111418181B (en) * 2018-03-28 2021-09-07 华为技术有限公司 Shared data processing method, communication device and communication equipment
CN109104273B (en) * 2018-07-04 2021-03-30 华为技术有限公司 Message processing method and receiving end server
CN113169862B (en) * 2018-09-13 2022-09-23 华为技术有限公司 Information processing method, terminal equipment and network system
CN109614792B (en) * 2018-11-29 2022-02-08 中国电子科技集团公司第三十研究所 Hierarchical file key management method
CN109639682A (en) * 2018-12-14 2019-04-16 深圳市青葡萄科技有限公司 Sharing files method
CN111756524A (en) * 2019-03-26 2020-10-09 深圳市网安计算机安全检测技术有限公司 Dynamic group key generation method and device, computer equipment and storage medium
CN109981663A (en) * 2019-03-31 2019-07-05 杭州复杂美科技有限公司 A kind of privacy group chat method, equipment and storage medium
TWI712307B (en) * 2019-09-18 2020-12-01 遊戲橘子數位科技股份有限公司 Methods for encrypting and decrypting the group message and transporting the encrypted group message
CN110888853A (en) * 2019-11-26 2020-03-17 廊坊新奥燃气有限公司 Data management system and method
CN112235289B (en) * 2020-10-13 2023-03-31 桂林微网互联信息技术有限公司 Data encryption and decryption method and device, computing equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001099333A1 (en) * 2000-06-21 2001-12-27 Sony Corporation Information processing device and processing method
CN101091172A (en) * 2005-01-19 2007-12-19 三星电子株式会社 Method of controlling content access and method of obtaining content key using the same
CN101562519A (en) * 2009-05-27 2009-10-21 广州杰赛科技股份有限公司 Digital certificate management method of user packet communication network and user terminal for accessing into user packet communication network
CN101989984A (en) * 2010-08-24 2011-03-23 北京易恒信认证科技有限公司 Electronic document safe sharing system and method thereof
CN103107992A (en) * 2013-02-04 2013-05-15 杭州师范大学 Multistage authority management method for cloud storage enciphered data sharing

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001099333A1 (en) * 2000-06-21 2001-12-27 Sony Corporation Information processing device and processing method
CN101091172A (en) * 2005-01-19 2007-12-19 三星电子株式会社 Method of controlling content access and method of obtaining content key using the same
CN101562519A (en) * 2009-05-27 2009-10-21 广州杰赛科技股份有限公司 Digital certificate management method of user packet communication network and user terminal for accessing into user packet communication network
CN101989984A (en) * 2010-08-24 2011-03-23 北京易恒信认证科技有限公司 Electronic document safe sharing system and method thereof
CN103107992A (en) * 2013-02-04 2013-05-15 杭州师范大学 Multistage authority management method for cloud storage enciphered data sharing

Also Published As

Publication number Publication date
CN104917787A (en) 2015-09-16

Similar Documents

Publication Publication Date Title
CN104917787B (en) File security sharing method based on group key and system
CN110224814B (en) Block chain data sharing method and device
CN109995513B (en) Low-delay quantum key mobile service method
US8059818B2 (en) Accessing protected data on network storage from multiple devices
US20180351734A1 (en) Cloud storage method and system
JP6363032B2 (en) Key change direction control system and key change direction control method
US20140208117A1 (en) Server apparatus and program
CN104917723B (en) For realizing the shared methods, devices and systems of encryption file security
CN104158880B (en) User-end cloud data sharing solution
CN109067528A (en) Crypto-operation, method, cryptographic service platform and the equipment for creating working key
CN111371790B (en) Data encryption sending method based on alliance chain, related method, device and system
CN104735070B (en) A kind of data sharing method between general isomery encryption cloud
CN105610793A (en) Outsourced data encrypted storage and cryptograph query system and application method therefor
KR101615137B1 (en) Data access method based on attributed
CN112532580B (en) Data transmission method and system based on block chain and proxy re-encryption
CN103475474B (en) Method for providing and acquiring shared enciphered data and identity authentication equipment
US20180278414A1 (en) Encrypted data sharing with a hierarchical key structure
WO2017061950A1 (en) Data security system and method for operation thereof
CN112580072A (en) Data set intersection method and device
CN113992330A (en) Block chain data controlled sharing method and system based on proxy re-encryption
CN105915333B (en) A kind of efficient key distribution method based on encryption attribute
JP2020532177A (en) Computer-implemented systems and methods for advanced data security, high-speed encryption, and transmission
CN115766066A (en) Data transmission method, device, safety communication system and storage medium
JP6058514B2 (en) Cryptographic processing method, cryptographic system, and server
US9473471B2 (en) Method, apparatus and system for performing proxy transformation

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant