CN108768951A - The data encryption of protection file privacy and search method under a kind of cloud environment - Google Patents

The data encryption of protection file privacy and search method under a kind of cloud environment Download PDF

Info

Publication number
CN108768951A
CN108768951A CN201810412324.4A CN201810412324A CN108768951A CN 108768951 A CN108768951 A CN 108768951A CN 201810412324 A CN201810412324 A CN 201810412324A CN 108768951 A CN108768951 A CN 108768951A
Authority
CN
China
Prior art keywords
file
cloud
keyword
service device
storage service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810412324.4A
Other languages
Chinese (zh)
Other versions
CN108768951B (en
Inventor
路雪
韩德志
毕坤
王军
俞云萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai High Flying Electronics Technology Co ltd
Original Assignee
Shanghai Maritime University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Maritime University filed Critical Shanghai Maritime University
Priority to CN201810412324.4A priority Critical patent/CN108768951B/en
Publication of CN108768951A publication Critical patent/CN108768951A/en
Application granted granted Critical
Publication of CN108768951B publication Critical patent/CN108768951B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses data encryption and search methods that file privacy is protected under a kind of cloud environment, and building the document retrieval based on keyword using multiway tree index structure indexes, and key distribution and management are carried out with Key derivation algorithm.Data owner proposes to upload local file application to cloud trusted party, and it is legal that cloud trusted party verifies its identity information, and distributes key and the certificate of authority, valid data owner for it by Key derivation algorithm and will upload to cloud storage service device after file encryption;Data access user's Xiang Yun trusted parties propose access request, and after cloud trusted party confirms that its identity information is legal, the certificate of authority is sent to the user;Valid data accesses user and submits the certificate of authority and inquiry to apply to cloud storage service device, is verified rear cloud storage service device and encrypts file by keyword search and be transmitted to the user, which decrypts cryptograph files.This method ensure that while data access privacy of user and data safety, memory space expense is saved.

Description

The data encryption of protection file privacy and search method under a kind of cloud environment
Technical field
The present invention relates to field of information security technology, and in particular to the data encryption of file privacy is protected under a kind of cloud environment And search method.
Background technology
Cloud storage can provide on demand, and storage resource that is expansible and meeting Qos, data access user can be right at any time Data are operated.In face of cloud storage so powerful and attractive advantage, many people and enterprise are but reluctant the number of oneself According to moving in cloud storage.Main cause is exactly to fear to lose the control to data, and data are let out in some cloud storages occurred The worry of dew and loss situation verification people.Therefore cloud computing application process more in, safety become data owner at first Consider the problems of.And in cloud storage system, the access structure that data owner formulates may be by incredible cloud storage service Device is stolen, and the leakage of identity and sensitive information is caused, it is also possible in order to interests by leaking data to third party.Therefore, Yun Cun Storage needs to provide the data storage for supporting secret protection and searching ciphertext problem.
Some solutions have been proposed at present, as designed point under a kind of cloud computing environment using key sharing policy Cloth encipherment scheme can effectively reduce the threat of leaking data for incredible cloud computing service provider;Such as propose one kind The scheme of the outer bag data of secure access, establishes index structure using binary tree, by key derivation technical management key, and combines It re-encrypts and handles access rights change and data dynamic change with inertia revocation.However binary tree storage organization can not be abundant Reflect the logical relation of data, and the change of user's access right but will increase additional communication overhead, the update of data can occupy Additional storage resource, and the data access user being revoked is possible to conspire leakage information with ISP;Such as structure A kind of cloud storage scheme for supporting secret protection distinguishes data owner and data consumer, it is ensured that data are in cloud storage service Safety problem in device, but data owner can easily obtain the identity information of data access user, cause data Access the leakage of subscriber identity information;It is such as based on symmetric key and unsymmetrical key designs key derivation strategy, develop a branch The electronic health record system of secret protection is held, but does not account for the change of user's access right and the dynamic operation pair of data In the influence of key derivation.
Therefore for the deficiency of the above solution, it would be desirable to propose to protect the data of file privacy under a kind of cloud environment Encryption and search method also want overall thinking key derivation in addition to safety of the data to be ensured in cloud storage service device And management, the dynamic change of user's access right, data sharing and document retrieval problem, and also to protect data access user The privacy of identity information.
Invention content
Goal of the invention:The present invention provides the data encryption of protection file privacy and search method under a kind of cloud environment, uses Multiway tree builds document retrieval index, and the distribution and management of key are carried out by Key derivation algorithm, utilizes Bloom Filter Constructing the index of the document retrieval based on keyword realizes searching ciphertext, while reducing the storage overhead with communication overhead, energy Enough efficient retrievals realized to file.
Technical solution:The present invention provides the data encryption of protection file privacy and search method under a kind of cloud environment, including Following steps:
(1):Data owner proposes to access application, the identity of cloud trusted party verify data owner to cloud trusted party After information is legal, the certificate of authority is provided for legal data owner, and be its filename by Key derivation algorithm KGABOD fnFile fiGenerate key ki
(2):Legal data owner proposes upper transmitting file application to cloud storage service device, is audited in cloud storage service device After its certificate of authority is effective, valid data owner's file fiKey kiEncrypt the file f to be uploadedi, then by file fi Encryption file to cloud storage service device;
(3):Cloud storage service device receives the file f that valid data owner uploadsiCiphertext, then use multiway tree rope Guiding structure is that valid data owner creates a document retrieval index based on keyword;
(4):Cloud storage service device encrypts file fiReference number of a document fni, and taken using Bloom Filter encryption cloud storages Business device is the document retrieval index based on keyword that valid data owner creates;
(5):Data access user's Xiang Yun trusted parties, which propose to access, to be applied, cloud trusted party verify data accesses user's The certificate of authority is provided for it after identity information is legal, and in the access rights of legal data access user, derives that it can To access the key of file;
(6) data access user proposes to access to cloud storage service device applies and cloud trusted party is submitted to be awarded for what it was provided Warrant book, after cloud storage service device verifies the legitimacy of the certificate of authority, valid data accesses user and uploads retrieval file fiIt is more A keyword, cloud storage service device pass through the document retrieval indexed search based on keyword to file fiCiphertext, return to conjunction Method data user, valid data user decrypt file fiCiphertext obtain in plain text;
Further, the detailed process of the step (1) is:
(11) cloud trusted party can be the root key Kr such as formulas that each legal data owner generates one 128 (2) shown in:
Kr=hash (ID | | fn(16)||TS) (2)
(12) cloud trusted party then can generate file f according to the root key Kr of legal data owneriEncryption it is close Key ki, kiAs shown in formula (3):
ki=rhash (Kr) (3)
Wherein, r is to belong to cloud trusted party to generate encryption key kiAnd the number randomly generated;
Further, the detailed process of the step (2) is:
(21) cloud trusted party calls random key generating algorithm function keygen () to generate Big prime ciphering key Kdc, use CKdcAs the symmetric key communicated between data owner and cloud trusted party, (22) legal data owner is opened by formula (4) Dynamic file fiEncryption key kiEncrypt the file f to be uploadedi, obtain file fiCiphertextIt uploads storage and arrives cloud storage service In device;
Further, the detailed process of the step (3) is:
(31) cloud storage service device is that each node on the document retrieval index tree based on keyword creates one first Keyword set W, and the keyword set of leaf node is the file that cloud storage service device uploads for legal data owner fiJ keyword of establishment, and each keyword in keyword set of words W does not repeat, and set length length (W) is to close The length of the number of keyword, keyword set can be expanded constantly;
(32) it is file fiCreate a reference number of a document fni, file fiReference number of a document fniAs shown in formula (5):
fni=(fn||fln||TS||fp) (5)
The reference number of a document fniIn, fln is n-th that first of the document retrieval index tree based on keyword is l layers Node, TS are file fsiThe timestamp of data update, fpIndicate file fiStore path in cloud storage service device, fnIt is text Part fiTitle;
(33) to calculating each keyword wijHexadecimal ASCII character value sij, method is as follows:, sij=ASCII (wij)16Wherein s={ si1, sI2,, si3... sijBe keyword hexadecimal ASCII value set;
Further, the detailed process of the step (4) is:
(41) cloud storage service device is to file fiReference number of a document fniIt is encrypted, by formula (6) to file fiFile compile Number fniIt is encrypted to obtain
(42) cloud storage service device is that each node on the document retrieval index based on keyword establishes a Bloom Filter, the keyword w that will be found outijCorresponding hexadecimal ASCII character value sijIt is mapped on Bloom Filter;
Each node is expressed as one m arrays, i.e., establishes a Bloom Filter to each node, uses R independent hash function h1 to hr handle the keyword w for including on each nodeijCorresponding hexadecimal ASCII character value sij, leaf node is file fiDistinctive keyword;
The retrieval file fiWhen, it is only necessary to si1,si2,si3...sijHash processing is carried out, if calculate Value is 1 on the position in m bit arrays, then it represents that the key component word of retrieval is in the index.Else if not in array then It is set as 0, is still 1 if same value occur in multiple hash functions;
(43) retrieval file fiWhen, it is only necessary to si1,si2,si3...sijHash processing is carried out, if the value calculated It is 1 on position in m bit arrays, then it represents that the key component word of retrieval is in the index.
Further, the detailed process of the step (5) is:
(51) data access user Xiang Yun trusted parties propose to access application, and cloud trusted party verify data accesses user's After identity information is legal the certificate of authority is provided for it
(52) cloud trusted party derives that it can access file in the access rights of legal data access user Key, if the access rights change of data access user, the conjunction that cloud trusted party is changed using new key pair access rights Method data access user had the file re-encrypted of permission originally, prevented the access of data access user;
Further, the detailed process of the step (6) is:
(61) whether the certificate of authority of cloud storage service device verify data access user is effective;
(62) data access user is with multiple keyword (wi1||wi2||wi3||…||win) literary to the proposition of cloud storage service device When part retrieval request, cloud storage service device uses sij=ASCII (wij)16Formula finds out each keyword wijCorresponding 16 into ASCII character value s processedij
(63) cloud storage service device uses hij=Hash (sij) formula progress hash function operation, to si1,si2, si3...sijH is carried out one by one1To hrA hash function processing, obtains the Hash vector (h of multiple keywordsi1||hi2||hi3||…| |hin);
The hijFor a Hash vector, for recording sijThe hash function value of corresponding position in m bit arrays;
(64) cloud storage service device is searching whether to exist and multi-key word in the document retrieval index I based on keyword The item that Hash vector matches then returns to reference number of a document f if it does, i.e. formula (8) is set upniCiphertext CfniIt is visited to valid data Ask that user, valid data access user and decrypt file f by formula (9) in localiReference number of a document fniObtain reference number of a document fni's In plain text, it is f then to obtain reference number of a document by formula (10)niFile store path and file name;Otherwise illustrate that cloud storage takes There is no the content to be retrieved, retrieval to terminate in business device;
fi,fp=Dkd (fni) (9)
(65) the reference number of a document f that data access user will obtainniPlaintext, according to file store path and file name, It goes at cloud storage service device and obtains the ciphertext of inquiry file, be used in combination Key derivation algorithm to obtain key and be decrypted to obtain file Number fniThe plaintext of respective file.
Advantageous effect:Compared with prior art:The present invention has the following advantages that:
1. ensure that the privacy of data access user identity, the safety of data is also protected.Cloud trusted party is only born It blames the distribution of key and verify data accesses user identity and simultaneously gives authorization code, cloud storage service device possesses data but not directly Verify data accesses the identity of user, reduces the communication between data access user and cloud storage service device, has also been isolated close Key and file.
2. the management and distribution of key has been effectively performed, it is only necessary to preserve root key, save memory space.
3. being indexed by building the document retrieval based on keyword, recall precision is improved, reduces index in server On storage overhead.
In conclusion data encryption and the search method of file privacy are protected under a kind of cloud environment proposed by the present invention, While reducing the storage overhead with communication overhead, the efficient retrieval to file can be realized.
Description of the drawings
Fig. 1 is the cloud storage frame diagram for supporting secret protection.
Fig. 2 is the encryption of cloud file data and search method flow chart, and the Figure of abstract of the present invention;
Fig. 3 is the document retrieval Multiway Tree Structure based on keyword;
Fig. 4 is the schematic diagram that keyword is mapped to Bloom filter;
Specific implementation mode
Below in conjunction with attached drawing, the specific embodiment that further illustrates the present invention.
As shown in Figure 1, this method includes four solid data owners, cloud trusted party, cloud storage service device, data Access user.
Data owner:The use of cloud trusted party is its generation after certification of the data owner by cloud trusted party Key is uploaded to cloud storage service device after the local file encryption that will be uploaded, and data owner itself can also be used as Data access user, access are stored in the alternative document stored in cloud storage service device;
Cloud trusted party:Cloud trusted party is trusted by other entities, verify data owner and data access user's Identity information accesses user to valid data and legal data owner provides the certificate of authority, is by Key derivation algorithm The file f that valid data owner will uploadiGenerate encryption key ki, and key kiIt is sent to the data owner;
Cloud storage service device:After the certificate of authority validity of cloud storage service device verify data owner, receive and store The encryption file that legal data owner uploads;Cloud storage service device verify data accesses the certificate of authority validity of user Afterwards, the search key that user provides is accessed according to valid data, retrieves corresponding ciphertext and is sent to data access user;
Data access user:Data access user's Xiang Yun trusted parties send key request, are sent to cloud storage service device Ciphertext request is obtained, data access user derives key after cloud storage service device acquisition ciphertext by Key derivation algorithm, Plaintext document is obtained after decryption encryption file;Data access user can also be used as data owner and upload files to cloud storage clothes Business device.
As shown in Fig. 2, the present invention provides data encryption and the search method of protecting file privacy under a kind of cloud environment, Detailed process is as follows:
The specific implementation process of step (1) is as follows:
1. cloud trusted party receives the access request of data access user, according to its identity information ID, data access is judged Whether user is legal data owner.
2. it is after legal data owner, to file an application and uploading filename f to cloud trusted party to judgenWith File keyword wij.Cloud trusted party is the entitled f of file by Key derivation algorithmnFile fiGenerate key ki,
Wherein, cloud trusted party when generating encryption key, can be that each valid data possesses by KGABOD algorithms Person generate one 128 root key Kr, Kr=hash (ID | | fn(16)||TS).And file fiKey be ki=r Hash (Kr), r are random number.
The specific implementation process of step (2) is as follows:
1. cloud trusted party calls random key generating algorithm function keygen () to generate Big prime ciphering key Kdc, use CKdcAs the symmetric key communicated between data owner and cloud trusted party;
2. legal data owner's startup file fiEncryption key kiEncrypt the file f to be uploadedi, obtain file fi Ciphertext It uploads in storage to cloud storage service device;
The specific implementation process of step (3) is as follows:
1. as shown in figure 3, cloud storage service device uses multiway tree index structure, to establish the document retrieval based on keyword Index, root node f11In comprising all keywords in file system, then the second node layer f21,f22In include third layer Node f31,f32,f33,f34,f35In all keywords, last leaf node f35For file fiIn distinctive keyword wi1, wi2
2. cloud storage service device, which is each node on the document retrieval index tree based on keyword, creates a keyword Set W;
3. cloud storage service device, which is the All Files of storage, all creates a reference number of a document, wherein being also file fiCreate one A reference number of a document fni, as shown in formula (5):
fni=(fn||fln||TS||fp)
fni=(cloud computing | | f35||2018-1-1||c:/file) (5)
4. keyword w each to calculatingijHexadecimal ASCII character value sij, sij=ASCII (wij)16Wherein s={ si1, si2,,si3,…sijBe keyword hexadecimal ASCII value set;
The specific implementation process of step (4) is as follows:
1. cloud storage service device is to file fiReference number of a document fniIt is encrypted, by formula (6) to file fiReference number of a document fniIt is encrypted to obtain
2. cloud storage service device, which is each node on the document retrieval index based on keyword, establishes a Bloom Filter, the keyword w that will be found outijCorresponding hexadecimal ASCII character value sijIt is mapped on Bloom Filter;
3. retrieval file fiWhen, it is only necessary to si1,si2,si3...sijHash processing is carried out, if the value calculated is in m It is 1 on position in bit array, then it represents that the key component word of retrieval is in the index.
The specific implementation process of step (5) is as follows:
1. data access user's Xiang Yun trusted parties propose to access application, cloud trusted party verify data accesses the body of user After part information is legal the certificate of authority is provided for it
2. cloud trusted party in the access rights of legal data access user, derives that it can access the close of file Key, if the access rights change of data access user, it is legal that cloud trusted party is changed using new key pair access rights Data access user had the file re-encrypted of permission originally, prevented the access of data access user;
The specific implementation process of step (6) is as follows:
1. whether the certificate of authority that cloud storage service device verify data accesses user is effective;
2. valid data accesses user with keyword wi1And wi2When proposing file retrieval request to cloud storage service device, cloud Storage server passes through formula si1=ASCII (wi1)16,si2=ASCII (wi2)16Calculate fiIn two keywords hexadecimal ASCII character value si1, si2, such as provide two crucial language appropriate to the occasion wi1=" privacy ", wi2=" cloud storage ", then
si1=ASCII (wi1)16
=ASCII (privacy)16
=0x9690+0x79c1
=0x11051
S can similarly be obtainedi2=0xFA91, s={ si1,si2Be keyword hexadecimal ASCII character value set.
3. r independent hash functions h of cloud storage service device1To hrHandle the hexadecimal ASCII character of two keywords Value si1, si2, i.e. h1((si1)),h2((si1))…hr((si1)), h1((si2)),h2((si2))…hr((si2)), obtain two passes Hash vector (the h of keywordi1||hi2), as follows:
hi1=Hash (si1), hi2=Hash (si2)
4. as shown in Figure 4:Cloud storage service device is receiving hi1, hi2Afterwards, in the document retrieval index I based on keyword It searches whether there is the item to match with multiple key word Hash vector, if it does, i.e. formula (7) is set up, then returns to file volume Number fniThe ciphertext of respective file accesses user to valid data, and valid data accesses user and decrypts file by formula (8) in local fiReference number of a document fniCiphertext obtain reference number of a document fniIn plain text, it is f then to obtain reference number of a document by formula (9)niFile deposit Store up path and file name;Otherwise illustrate there is no the content to be retrieved, retrieval to terminate in cloud storage service device;
fi,fp=Dkd (fni) (9)
Valid data accesses user by after the plaintext of the reference number of a document of obtained file, according to file store path and file Title goes at cloud storage service device and obtains the ciphertext of inquiry file, and Key derivation algorithm is used in combination to obtain key, and decryption obtains text The plaintext of part number respective file.
Although present disclosure is discussed in detail by above preferred embodiment, but it should be appreciated that above-mentioned Description is not considered as limitation of the present invention.After those skilled in the art have read the above, for the present invention's A variety of modifications and substitutions all will be apparent.Therefore, protection scope of the present invention should be limited to the appended claims.

Claims (9)

1. protecting data encryption and the search method of file privacy under a kind of cloud environment, it is characterised in that include the following steps:
(1):Data owner proposes to access application, the identity information of cloud trusted party verify data owner to cloud trusted party After legal, the certificate of authority is provided for legal data owner, and be its filename f by Key derivation algorithm KGABODn's File fiGenerate key ki
(2):Legal data owner proposes upper transmitting file application to cloud storage service device, audits it in cloud storage service device and awards After warrant book is effective, valid data owner's file fiKey kiEncrypt the file f to be uploadedi, then by file fiPlus Ciphertext part is to cloud storage service device;
(3):Cloud storage service device receives the file f that valid data owner uploadsiCiphertext, then use multiway tree index knot Structure is that valid data owner creates a document retrieval index based on keyword;
(4):Cloud storage service device encrypts file fiReference number of a document fni, and encrypt cloud storage service device using Bloom Filter The document retrieval index based on keyword created for valid data owner;
(5):Data access user's Xiang Yun trusted parties propose to access application, the identity of cloud trusted party verify data access user The certificate of authority is provided for it after information is legal, and in the access rights of legal data access user, derives that it can be visited Ask the key of file;
(6) data access user proposes to access the warrant for applying and submitting cloud trusted party to provide for it to cloud storage service device Book, after cloud storage service device verifies the legitimacy of the certificate of authority, valid data accesses user and uploads retrieval file fiMultiple passes Keyword, cloud storage service device pass through the document retrieval indexed search based on keyword to file fiCiphertext, return to legal number According to user, valid data user decrypts file fiCiphertext obtain in plain text.
2. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, the cloud trusted party of the step (1) is that legal data owner provides the certificate of authority, and the number of the certificate of authority is Shown in code, code such as formula (1):
Code=g*hash (fn(16)||TS) (1)
Wherein, fnIt is file fiTitle, fn(16) it is fiTitle fnHexadecimal ASCII value, TS is file fiData are more New timestamp, g are the random numbers that cloud trusted party generates.
3. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, the cloud trusted party of the step (1) is to generate encryption key by KGABOD algorithms, and detailed process is:
(11) cloud trusted party can generate one 128 root key Kr such as formulas (2) institute for each legal data owner Show:
Kr=hash (ID | | fn(16)||TS) (2)
(12) cloud trusted party then can generate file f according to the root key Kr of legal data owneriEncryption key ki, kiAs shown in formula (3):
ki=rhash (Kr) (3)
Wherein, r is to belong to cloud trusted party to generate encryption key kiAnd the number randomly generated.
4. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, the detailed process of the step (2) is:
(21) cloud trusted party calls random key generating algorithm function keygen () to generate Big prime ciphering key Kdc, use CKdc As the symmetric key communicated between data owner and cloud trusted party, (22) legal data owner is started by formula (4) File fiEncryption key kiEncrypt the file f to be uploadedi, obtain file fiCiphertext CfiIt uploads storage and arrives cloud storage service device In.
Cfi=Eke (fi) (4)
5. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, in the document retrieval index based on keyword of the step (3), all passes in file system is included in root node Keyword, comprising all keywords in third node layer in the second node layer, and so on, comprising in n+1 node layers in n-th layer Keyword, last leaf node be file fiIn distinctive keyword.
6. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, the cloud storage service device of the step (3) uses multiway tree index structure to create a base for legal data owner It is indexed in the document retrieval of keyword, detailed process is:
(31) cloud storage service device is that each node on the document retrieval index tree based on keyword creates a key first Set of words W, and the keyword set of leaf node is the file f that cloud storage service device uploads for legal data owneriWound The j keyword built, and each keyword in keyword set of words W does not repeat, and set length length (W) is keyword Number, the length of keyword set can expand constantly;
(32) it is file fiCreate a reference number of a document fni, file fiReference number of a document fniAs shown in formula (5):
fni=(fn||fln||TS||fp) (5)
The reference number of a document fniIn, n-th of node that fln is l layers for first of the document retrieval index tree based on keyword, TS is file fiThe timestamp of data update, fpIndicate file fiStore path in cloud storage service device, fnIt is file fi's Title;
(33) to calculating each keyword wijHexadecimal ASCII character value sij, method is as follows:, sij=ASCII (wij)16 Wherein s={ si1,si2,,si3,...sijBe keyword hexadecimal ASCII value set.
7. protecting the data encryption of file privacy and search method, feature to exist under a kind of cloud environment stated according to claim 1 In the detailed process of the step (4) is:
(41) cloud storage service device is to file fiReference number of a document fniIt is encrypted, by formula (7) to file fiReference number of a document fni It is encrypted to obtain
(42) cloud storage service device is that each node on the document retrieval index based on keyword establishes a Bloom Filter, the keyword w that will be found outijCorresponding hexadecimal ASCII character value sijIt is mapped on Bloom Filter;
Each node is expressed as one m arrays, i.e., establishes a Bloom Filter to each node, with r Independent hash function h1 to hr handles the keyword w for including on each nodeijCorresponding hexadecimal ASCII character value sij, leaf Child node is file fiDistinctive keyword;
The retrieval file fiWhen, it is only necessary to si1,si2,si3...sijHash processing is carried out, if the value calculated is in m It is 1 on position in bit array, then it represents that the key component word of retrieval is in the index.Else if not being set as then in array 0, still it is 1 if same value occur in multiple hash functions;
(43) retrieval file fiWhen, it is only necessary to si1,si2,si3...sijHash processing is carried out, if the value calculated is at m It is 1 on position in array, then it represents that the key component word of retrieval is in the index.
8. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, the detailed process of the step (5) is;
(51) data access user Xiang Yun trusted parties propose to access application, and cloud trusted party verify data accesses the identity of user After information is legal the certificate of authority is provided for it
(52) cloud trusted party derives that it can access the close of file in the access rights of legal data access user Key, if the access rights change of data access user, it is legal that cloud trusted party is changed using new key pair access rights Data access user had the file re-encrypted of permission originally, prevented the access of data access user.
9. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1 It is, the detailed process of the step (6) is:
(61) whether the certificate of authority of cloud storage service device verify data access user is effective;
(62) valid data accesses user with multiple keyword (wi1||wi2||wi3||…||win) literary to the proposition of cloud storage service device When part retrieval request, cloud storage service device uses sij=ASCII (wij)16Formula finds out each keyword wijCorresponding 16 into ASCII character value s processedij
(63) cloud storage service device uses hij=Hash (sij) formula progress hash function operation, to si1,si2,si3...sijBy A carry out h1To hrA hash function processing, obtains the Hash vector (h of multiple keywordsi1||hi2||hi3||…||hin);
The hijFor a Hash vector, for recording sijThe hash function value of corresponding position in m bit arrays;
(64) cloud storage service device is searching whether exist and multi-key word Hash in the document retrieval index I based on keyword The item that vector matches then returns to reference number of a document f if it does, i.e. formula (8) is set upniCiphertext CfniIt accesses and uses to valid data Family, valid data access user and decrypt file f by formula (9) in localiReference number of a document fniObtain reference number of a document fniPlaintext, Then it is f to obtain reference number of a document by formula (10)niFile store path and file name;Otherwise illustrate in cloud storage service device The content not retrieved, retrieval terminate;
fni=Dec (Cfni) (9)
fi,fp=Dkd (fni) (10)
(65) the reference number of a document f that data access user will obtainniPlaintext gone to according to file store path and file name The ciphertext that inquiry file is obtained at cloud storage service device, is used in combination Key derivation algorithm to obtain key and is decrypted to obtain reference number of a document fniiThe plaintext of respective file.
CN201810412324.4A 2018-05-03 2018-05-03 Data encryption and retrieval method for protecting file privacy in cloud environment Active CN108768951B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810412324.4A CN108768951B (en) 2018-05-03 2018-05-03 Data encryption and retrieval method for protecting file privacy in cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810412324.4A CN108768951B (en) 2018-05-03 2018-05-03 Data encryption and retrieval method for protecting file privacy in cloud environment

Publications (2)

Publication Number Publication Date
CN108768951A true CN108768951A (en) 2018-11-06
CN108768951B CN108768951B (en) 2021-06-08

Family

ID=64009437

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810412324.4A Active CN108768951B (en) 2018-05-03 2018-05-03 Data encryption and retrieval method for protecting file privacy in cloud environment

Country Status (1)

Country Link
CN (1) CN108768951B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059630A (en) * 2019-04-19 2019-07-26 福州大学 Secret protection can verify that outsourcing monitor video pedestrian recognition methods again
CN110176984A (en) * 2019-05-28 2019-08-27 创意信息技术股份有限公司 A kind of data structure construction and matching process for security string pattern match
CN110263570A (en) * 2019-05-10 2019-09-20 电子科技大学 A kind of gene data desensitization method for realizing efficient similarity query and access control
CN110737905A (en) * 2019-09-19 2020-01-31 深圳市先河系统技术有限公司 Data authorization method, data authorization device and computer storage medium
CN112257096A (en) * 2020-11-23 2021-01-22 中电万维信息技术有限责任公司 Searching method for cloud storage ciphertext encrypted data
CN112749420A (en) * 2020-12-23 2021-05-04 上海同态信息科技有限责任公司 Private data cooperation method taking hash function as attribute
CN112822009A (en) * 2021-01-26 2021-05-18 西安邮电大学 Attribute ciphertext efficient sharing system supporting ciphertext deduplication
CN114302394A (en) * 2021-11-19 2022-04-08 深圳震有科技股份有限公司 Network direct memory access method and system under 5G UPF
CN114900318A (en) * 2022-06-02 2022-08-12 浙江工商大学 Key agreement protocol and verifiable round-of-communication searchable encryption method
CN115033908A (en) * 2022-08-11 2022-09-09 西南石油大学 Cloud storage-based oil and gas exploration fine-grained dense-state data retrieval method
CN116132079A (en) * 2022-08-09 2023-05-16 马上消费金融股份有限公司 Data processing method and device
CN117708878A (en) * 2023-12-08 2024-03-15 中科科界(北京)科技有限公司 ORAM (object oriented authentication and privacy preserving) function-based copyright information trusted retrieval method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143159A (en) * 2011-01-13 2011-08-03 北京邮电大学 Database key management method in DAS (database-as-a-service) model
US20180060435A1 (en) * 2015-09-11 2018-03-01 Skyhigh Networks, Inc. Wildcard search in encrypted text using order preserving encryption

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143159A (en) * 2011-01-13 2011-08-03 北京邮电大学 Database key management method in DAS (database-as-a-service) model
US20180060435A1 (en) * 2015-09-11 2018-03-01 Skyhigh Networks, Inc. Wildcard search in encrypted text using order preserving encryption

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BING WANG: ""Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud"", 《IEEE》 *
LIU HAO,DEZHI HAN: ""The study and design on secure-cloud storage system"", 《IEEE》 *
徐寒冰,韩德志: ""一种云计算的隐私类型阈值模型和隐私保护方法"", 《数学的实践与认识》 *
黄汝维: ""云计算环境中支持模糊检索的加密算法"", 《广西大学学报》 *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059630B (en) * 2019-04-19 2022-06-14 福州大学 Verifiable outsourced monitoring video pedestrian re-identification method with privacy protection
CN110059630A (en) * 2019-04-19 2019-07-26 福州大学 Secret protection can verify that outsourcing monitor video pedestrian recognition methods again
CN110263570B (en) * 2019-05-10 2020-09-25 电子科技大学 Gene data desensitization method for realizing efficient similarity query and access control
CN110263570A (en) * 2019-05-10 2019-09-20 电子科技大学 A kind of gene data desensitization method for realizing efficient similarity query and access control
CN110176984B (en) * 2019-05-28 2020-11-03 创意信息技术股份有限公司 Data structure construction for secure string pattern matching and matching method
CN110176984A (en) * 2019-05-28 2019-08-27 创意信息技术股份有限公司 A kind of data structure construction and matching process for security string pattern match
CN110737905A (en) * 2019-09-19 2020-01-31 深圳市先河系统技术有限公司 Data authorization method, data authorization device and computer storage medium
CN112257096A (en) * 2020-11-23 2021-01-22 中电万维信息技术有限责任公司 Searching method for cloud storage ciphertext encrypted data
CN112257096B (en) * 2020-11-23 2022-09-27 中电万维信息技术有限责任公司 Searching method for cloud storage ciphertext encrypted data
CN112749420A (en) * 2020-12-23 2021-05-04 上海同态信息科技有限责任公司 Private data cooperation method taking hash function as attribute
CN112822009A (en) * 2021-01-26 2021-05-18 西安邮电大学 Attribute ciphertext efficient sharing system supporting ciphertext deduplication
CN112822009B (en) * 2021-01-26 2022-07-22 西安邮电大学 Attribute ciphertext efficient sharing system supporting ciphertext deduplication
CN114302394A (en) * 2021-11-19 2022-04-08 深圳震有科技股份有限公司 Network direct memory access method and system under 5G UPF
CN114302394B (en) * 2021-11-19 2023-11-03 深圳震有科技股份有限公司 Network direct memory access method and system under 5G UPF
CN114900318A (en) * 2022-06-02 2022-08-12 浙江工商大学 Key agreement protocol and verifiable round-of-communication searchable encryption method
CN114900318B (en) * 2022-06-02 2024-04-19 浙江工商大学 One-round communication searchable encryption method based on key negotiation protocol and verifiable
CN116132079A (en) * 2022-08-09 2023-05-16 马上消费金融股份有限公司 Data processing method and device
CN115033908A (en) * 2022-08-11 2022-09-09 西南石油大学 Cloud storage-based oil and gas exploration fine-grained dense-state data retrieval method
CN117708878A (en) * 2023-12-08 2024-03-15 中科科界(北京)科技有限公司 ORAM (object oriented authentication and privacy preserving) function-based copyright information trusted retrieval method
CN117708878B (en) * 2023-12-08 2024-05-03 中科科界(北京)科技有限公司 ORAM (object oriented authentication and privacy preserving) function-based copyright information trusted retrieval method

Also Published As

Publication number Publication date
CN108768951B (en) 2021-06-08

Similar Documents

Publication Publication Date Title
CN108768951A (en) The data encryption of protection file privacy and search method under a kind of cloud environment
CN108418681B (en) Attribute-based ciphertext retrieval system and method supporting proxy re-encryption
CN110474893B (en) Heterogeneous cross-trust domain secret data secure sharing method and system
CN106534092B (en) The privacy data encryption method of key is depended on based on message
US20040010699A1 (en) Secure data management techniques
CN112989375B (en) Hierarchical optimization encryption lossless privacy protection method
CN108400871B (en) In conjunction with the searching ciphertext system and method for identity and the support proxy re-encryption of attribute
CN108632385B (en) Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure
US20220014367A1 (en) Decentralized computing systems and methods for performing actions using stored private data
CN112685763B (en) Data opening method and system based on ciphertext authorized access
CN113569271A (en) Threshold proxy re-encryption method and system based on attribute condition
Gajmal et al. Blockchain-based access control and data sharing mechanism in cloud decentralized storage system
Tan et al. Access control scheme based on combination of blockchain and XOR-coding for ICN
Mahalakshmi et al. Effectuation of secure authorized deduplication in hybrid cloud
WO2008065351A1 (en) Self encryption
CN108494724A (en) Cloud storage encryption system based on more authorized organization's encryption attribute algorithms and method
Yan et al. Secure and efficient big data deduplication in fog computing
Mohit et al. Confidentiality and storage of data in cloud environment
CN116611083A (en) Medical data sharing method and system
CN116248289A (en) Industrial Internet identification analysis access control method based on ciphertext attribute encryption
GB2444343A (en) Encryption system for peer-to-peer networks in which data is divided into chunks and self-encryption is applied
CN114640458A (en) Fine-grained multi-user secure searchable encryption method in cloud-edge collaborative environment
Fu et al. Secure storage of data in cloud computing
Panguluri et al. Enabling multi-factor authentication and verification in searchable encryption
Babrekar et al. Public key encryption for cloud storage attack using blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20230413

Address after: Building 17, No. 1500, Zuchongzhi Road, Pudong New Area Pilot Free Trade Zone, Shanghai, 201210

Patentee after: SHANGHAI HIGH-FLYING ELECTRONICS TECHNOLOGY Co.,Ltd.

Address before: 201306 1550 Harbour Road, Lingang New Town, Pudong New Area, Shanghai

Patentee before: Shanghai Maritime University