CN108768951A - A data encryption and retrieval method for protecting file privacy in a cloud environment - Google Patents
- Publication number: CN108768951A (CN201810412324.4A)
- Authority: CN (China)
- Prior art keywords: file, cloud, keyword, service device, storage service
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a data encryption and retrieval method that protects file privacy in a cloud environment. It builds a keyword-based file retrieval index using a multiway tree index structure and performs key distribution and management with a key derivation algorithm. The data owner applies to the cloud trusted party to upload local files; the cloud trusted party verifies that the owner's identity information is legitimate and, through the key derivation algorithm, distributes a key and an authorization certificate to the owner; the legitimate data owner encrypts the file and uploads it to the cloud storage server. A data access user submits an access request to the cloud trusted party; after the cloud trusted party confirms that the user's identity information is legitimate, it sends the authorization certificate to the user. The legitimate data access user submits the authorization certificate and a query request to the cloud storage server; after verification succeeds, the cloud storage server retrieves the encrypted file by keyword and transmits it to the user, who decrypts the ciphertext file. The method guarantees the privacy of data access users and the security of the data while saving storage space overhead.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a data encryption and retrieval method for protecting file privacy in a cloud environment.
Background art
Cloud storage can provide on-demand, scalable storage resources that satisfy QoS, and data access users can operate on their data at any time. Despite such powerful and attractive advantages, many individuals and enterprises are reluctant to move their data into cloud storage. The main reason is the fear of losing control over the data, and the data leakage and loss incidents that have occurred in some cloud storage services have confirmed these worries. Security has therefore become the first problem data owners consider as cloud computing is applied. Moreover, in a cloud storage system, the access structure formulated by the data owner may be stolen by an untrusted cloud storage server, causing leakage of identity and sensitive information; the server may also leak data to third parties for profit. Cloud storage therefore needs to provide data storage that supports privacy protection and to solve the ciphertext retrieval problem.
Some solutions have been proposed. One designs a distributed encryption scheme for cloud computing environments using a key-sharing strategy, which can effectively reduce the threat of data leakage from untrusted cloud computing service providers. Another proposes a scheme for secure access to outsourced data that builds an index structure using a binary tree, manages keys through key derivation, and combines re-encryption with lazy revocation to handle changes in access rights and dynamic data changes. However, the binary tree storage structure cannot fully reflect the logical relationships of the data, changes in user access rights add extra communication overhead, data updates occupy additional storage resources, and a revoked data access user may collude with the service provider to leak information. Another constructs a cloud storage scheme supporting privacy protection that distinguishes data owners from data users and ensures the security of data in the cloud storage server, but the data owner can easily obtain the identity information of data access users, which leaks that identity information. Another designs a key derivation strategy based on symmetric and asymmetric keys and develops an electronic health record system supporting privacy protection, but does not consider the influence of changes in user access rights and dynamic data operations on key derivation.
Therefore, in view of the shortcomings of the above solutions, a data encryption and retrieval method for protecting file privacy in a cloud environment is needed that, in addition to ensuring the security of data in the cloud storage server, also considers as a whole key derivation and management, dynamic changes of user access rights, data sharing and file retrieval, and also protects the privacy of data access users' identity information.
Summary of the invention
Object of the invention: The present invention provides a data encryption and retrieval method for protecting file privacy in a cloud environment. It builds the file retrieval index with a multiway tree, distributes and manages keys through a key derivation algorithm, and uses a Bloom filter to construct the keyword-based file retrieval index so as to realize ciphertext retrieval; it achieves efficient file retrieval while reducing storage overhead and communication overhead.
Technical solution: The present invention provides a data encryption and retrieval method for protecting file privacy in a cloud environment, comprising the following steps:
(1) The data owner submits an access application to the cloud trusted party. After verifying that the data owner's identity information is legitimate, the cloud trusted party issues an authorization certificate to the legitimate data owner and, through the key derivation algorithm KGABOD, generates a key k_i for the owner's file f_i with file name f_n;
(2) The legitimate data owner submits a file upload application to the cloud storage server. After the cloud storage server has checked that the authorization certificate is valid, the legitimate data owner encrypts the file f_i to be uploaded with the key k_i of file f_i, and then uploads the encrypted file f_i to the cloud storage server;
(3) The cloud storage server receives the ciphertext of the file f_i uploaded by the legitimate data owner, then uses a multiway tree index structure to create a keyword-based file retrieval index for the legitimate data owner;
(4) The cloud storage server encrypts the file number fn_i of file f_i, and uses a Bloom filter to encrypt the keyword-based file retrieval index that the cloud storage server created for the legitimate data owner;
(5) The data access user submits an access application to the cloud trusted party. The cloud trusted party issues an authorization certificate to the user after verifying that the data access user's identity information is legitimate and, within the access rights of the legitimate data access user, derives the keys of the files the user may access;
(6) The data access user submits an access application to the cloud storage server together with the authorization certificate issued by the cloud trusted party. After the cloud storage server verifies the legitimacy of the authorization certificate, the legitimate data access user uploads multiple keywords for retrieving file f_i; the cloud storage server retrieves the ciphertext of file f_i through the keyword-based file retrieval index and returns it to the legitimate data user, who decrypts the ciphertext of file f_i to obtain the plaintext;
Further, the detailed process of step (1) is:
(11) The cloud trusted party generates a 128-bit root key Kr for each legitimate data owner, as shown in formula (2):
Kr = hash(ID || f_n(16) || TS)    (2)
(12) The cloud trusted party then generates the encryption key k_i of file f_i from the root key Kr of the legitimate data owner; k_i is shown in formula (3):
k_i = r hash(Kr)    (3)
where r is a number randomly generated by the cloud trusted party for generating the encryption key k_i;
Further, the detailed process of step (2) is:
(21) The cloud trusted party calls the random key generation function keygen() to generate a large-prime key CK_dc, and uses CK_dc as the symmetric key for communication between the data owner and the cloud trusted party;
(22) By formula (4), the legitimate data owner uses the encryption key k_i of file f_i to encrypt the file f_i to be uploaded, obtaining the ciphertext of file f_i, which is uploaded to and stored in the cloud storage server;
Further, the detailed process of step (3) is:
(31) The cloud storage server first creates a keyword set W for each node of the keyword-based file retrieval index tree. The keyword set of a leaf node consists of the j keywords that the cloud storage server creates for the file f_i uploaded by the legitimate data owner. No keyword in the keyword set W is repeated, the set length length(W) is the number of keywords, and the length of the keyword set can be expanded continually;
(32) A file number fn_i is created for file f_i; the file number fn_i of file f_i is shown in formula (5):
fn_i = (f_n || f_ln || TS || f_p)    (5)
In the file number fn_i, f_ln is the n-th node of layer l of the keyword-based file retrieval index tree, TS is the timestamp of the data update of file f_i, f_p denotes the storage path of file f_i in the cloud storage server, and f_n is the name of file f_i;
(33) The hexadecimal ASCII code value s_ij of each keyword w_ij is computed as s_ij = ASCII(w_ij)_16, where s = {s_i1, s_i2, s_i3, ..., s_ij} is the set of hexadecimal ASCII values of the keywords;
Further, the detailed process of step (4) is:
(41) The cloud storage server encrypts the file number fn_i of file f_i; the file number fn_i of file f_i is encrypted by formula (6), obtaining its ciphertext;
(42) The cloud storage server establishes a Bloom filter for each node of the keyword-based file retrieval index and maps the computed hexadecimal ASCII code value s_ij of each keyword w_ij onto the Bloom filter;
Each node is represented as an m-bit array, i.e. a Bloom filter is established for each node. The r independent hash functions h_1 to h_r process the hexadecimal ASCII code value s_ij of each keyword w_ij contained in the node; a leaf node holds the keywords specific to file f_i;
When retrieving file f_i, only s_i1, s_i2, s_i3, ..., s_ij need to be hashed. If the computed positions in the m-bit array have the value 1, the retrieved keyword is in the index. Otherwise, if it is not in the array, the position is set to 0; if several hash functions produce the same value, the position is still 1;
(43) When retrieving file f_i, only s_i1, s_i2, s_i3, ..., s_ij need to be hashed; if the computed positions in the m-bit array have the value 1, the retrieved keyword is in the index.
Further, the detailed process of step (5) is:
(51) The data access user submits an access application to the cloud trusted party, and the cloud trusted party issues an authorization certificate to the user after verifying that the data access user's identity information is legitimate;
(52) Within the access rights of the legitimate data access user, the cloud trusted party derives the keys of the files the user may access. If the access rights of a data access user change, the cloud trusted party uses a new key to re-encrypt the files that the legitimate data access user whose rights changed originally had permission to access, preventing access by that data access user;
Further, the detailed process of step (6) is:
(61) The cloud storage server verifies whether the data access user's authorization certificate is valid;
(62) When the data access user submits a file retrieval request to the cloud storage server with multiple keywords (w_i1 || w_i2 || w_i3 || … || w_in), the cloud storage server uses the formula s_ij = ASCII(w_ij)_16 to compute the hexadecimal ASCII code value s_ij of each keyword w_ij;
(63) The cloud storage server performs the hash function operation with the formula h_ij = Hash(s_ij), processing s_i1, s_i2, s_i3, ..., s_ij one by one with the hash functions h_1 to h_r, and obtains the hash vector (h_i1 || h_i2 || h_i3 || … || h_in) of the multiple keywords;
h_ij is a hash vector that records the positions in the m-bit array given by the hash function values of s_ij;
(64) The cloud storage server searches the keyword-based file retrieval index I for an item that matches the multi-keyword hash vector. If one exists, i.e. formula (8) holds, it returns the ciphertext C_fni of the file number fn_i to the legitimate data access user, who locally decrypts the file number fn_i of file f_i by formula (9) to obtain the plaintext of fn_i, and then obtains by formula (10) the storage path and file name of the file whose number is fn_i. Otherwise the cloud storage server does not hold the content to be retrieved, and retrieval ends;
f_i, f_p = D_kd(fn_i)    (9)
(65) With the plaintext of the file number fn_i, the data access user goes to the cloud storage server, according to the file storage path and file name, to obtain the ciphertext of the queried file, obtains the key with the key derivation algorithm, and decrypts to obtain the plaintext of the file corresponding to file number fn_i.
Advantageous effects: Compared with the prior art, the present invention has the following advantages:
1. It guarantees the privacy of the data access user's identity and also protects the security of the data. The cloud trusted party is responsible only for distributing keys, verifying the identity of data access users and issuing authorization codes; the cloud storage server holds the data but does not directly verify the identity of data access users, which reduces the communication between data access users and the cloud storage server and also separates keys from files.
2. Keys are managed and distributed effectively; only the root key needs to be kept, which saves storage space.
3. Building the keyword-based file retrieval index improves retrieval efficiency and reduces the storage overhead of the index on the server.
In conclusion, the data encryption and retrieval method for protecting file privacy in a cloud environment proposed by the present invention achieves efficient file retrieval while reducing storage overhead and communication overhead.
Description of the drawings
Fig. 1 is the framework diagram of cloud storage supporting privacy protection;
Fig. 2 is the flow chart of the cloud file data encryption and retrieval method, and is the abstract figure of the present invention;
Fig. 3 is the keyword-based file retrieval multiway tree structure;
Fig. 4 is a schematic diagram of mapping keywords to the Bloom filter.
Detailed description of the embodiments
Specific embodiments of the present invention are further described below with reference to the drawings.
As shown in Fig. 1, the method involves four entities: the data owner, the cloud trusted party, the cloud storage server and the data access user.
Data owner: After passing authentication by the cloud trusted party, the data owner uses the key that the cloud trusted party generated for it to encrypt the local file to be uploaded, and uploads it to the cloud storage server. The data owner can also act as a data access user and access other files stored in the cloud storage server;
Cloud trusted party: The cloud trusted party is trusted by the other entities. It verifies the identity information of data owners and data access users, issues authorization certificates to legitimate data access users and legitimate data owners, generates through the key derivation algorithm the encryption key k_i for the file f_i that a legitimate data owner will upload, and sends the key k_i to that data owner;
Cloud storage server: After verifying the validity of the data owner's authorization certificate, the cloud storage server receives and stores the encrypted files uploaded by the legitimate data owner. After verifying the validity of the data access user's authorization certificate, the cloud storage server retrieves the corresponding ciphertext according to the search keywords provided by the legitimate data access user and sends it to the data access user;
Data access user: The data access user sends a key request to the cloud trusted party and a ciphertext request to the cloud storage server. After obtaining the ciphertext from the cloud storage server, the data access user derives the key with the key derivation algorithm and decrypts the encrypted file to obtain the plaintext file. A data access user can also act as a data owner and upload files to the cloud storage server.
As shown in Fig. 2, the present invention provides a data encryption and retrieval method for protecting file privacy in a cloud environment. The detailed process is as follows:
Step (1) is implemented as follows:
1. The cloud trusted party receives the access request of the data access user and, according to its identity information ID, judges whether the data access user is a legitimate data owner.
2. After being judged a legitimate data owner, the data owner files an application with the cloud trusted party and uploads the file name f_n and the file keywords w_ij. The cloud trusted party generates the key k_i for the file f_i named f_n through the key derivation algorithm.
When generating the encryption key, the cloud trusted party uses the KGABOD algorithm to generate a 128-bit root key Kr for each legitimate data owner, Kr = hash(ID || f_n(16) || TS), and the key of file f_i is k_i = r Hash(Kr), where r is a random number.
Step (2) is implemented as follows:
1. The cloud trusted party calls the random key generation function keygen() to generate a large-prime key CK_dc, and uses CK_dc as the symmetric key for communication between the data owner and the cloud trusted party;
2. The legitimate data owner uses the encryption key k_i of file f_i to encrypt the file f_i to be uploaded, obtaining the ciphertext of file f_i, which is uploaded to and stored in the cloud storage server;
Step (3) is implemented as follows:
1. As shown in Fig. 3, the cloud storage server uses a multiway tree index structure to establish the keyword-based file retrieval index. The root node f_11 contains all keywords in the file system, the second-layer nodes f_21, f_22 contain all keywords of the third-layer nodes f_31, f_32, f_33, f_34, f_35, and the last leaf node f_35 holds the keywords w_i1, w_i2 specific to file f_i.
2. The cloud storage server creates a keyword set W for each node of the keyword-based file retrieval index tree;
3. The cloud storage server creates a file number for every stored file, including a file number fn_i for file f_i, as shown in formula (5):
fn_i = (f_n || f_ln || TS || f_p)
fn_i = (cloud computing || f_35 || 2018-1-1 || c:/file)    (5)
4. The hexadecimal ASCII code value s_ij of each keyword w_ij is computed as s_ij = ASCII(w_ij)_16, where s = {s_i1, s_i2, s_i3, …, s_ij} is the set of hexadecimal ASCII values of the keywords;
Step (4) is implemented as follows:
1. The cloud storage server encrypts the file number fn_i of file f_i; the file number fn_i of file f_i is encrypted by formula (6), obtaining its ciphertext;
2. The cloud storage server establishes a Bloom filter for each node of the keyword-based file retrieval index and maps the computed hexadecimal ASCII code value s_ij of each keyword w_ij onto the Bloom filter;
3. When retrieving file f_i, only s_i1, s_i2, s_i3, ..., s_ij need to be hashed; if the computed positions in the m-bit array have the value 1, the retrieved keyword is in the index.
Step (5) is implemented as follows:
1. The data access user submits an access application to the cloud trusted party, and the cloud trusted party issues an authorization certificate to the user after verifying that the data access user's identity information is legitimate;
2. Within the access rights of the legitimate data access user, the cloud trusted party derives the keys of the files the user may access. If the access rights of a data access user change, the cloud trusted party uses a new key to re-encrypt the files that the legitimate data access user whose rights changed originally had permission to access, preventing access by that data access user;
Step (6) is implemented as follows:
1. The cloud storage server verifies whether the data access user's authorization certificate is valid;
2. When the legitimate data access user submits a file retrieval request to the cloud storage server with the keywords w_i1 and w_i2, the cloud storage server computes the hexadecimal ASCII code values s_i1, s_i2 of the two keywords of f_i by the formulas s_i1 = ASCII(w_i1)_16 and s_i2 = ASCII(w_i2)_16. For example, given the two keywords w_i1 = "privacy" and w_i2 = "cloud storage", then
s_i1 = ASCII(w_i1)_16
= ASCII(privacy)_16
= 0x9690 + 0x79c1
= 0x11051
Similarly, s_i2 = 0xFA91; s = {s_i1, s_i2} is the set of hexadecimal ASCII code values of the keywords.
3. The cloud storage server uses r independent hash functions h_1 to h_r to process the hexadecimal ASCII code values s_i1, s_i2 of the two keywords, i.e. h_1(s_i1), h_2(s_i1), …, h_r(s_i1) and h_1(s_i2), h_2(s_i2), …, h_r(s_i2), and obtains the hash vector (h_i1 || h_i2) of the two keywords, as follows:
h_i1 = Hash(s_i1), h_i2 = Hash(s_i2)
4. As shown in Fig. 4, after receiving h_i1 and h_i2, the cloud storage server searches the keyword-based file retrieval index I for an item that matches the multi-keyword hash vector. If one exists, i.e. formula (7) holds, it returns the ciphertext corresponding to file number fn_i to the legitimate data access user, who locally decrypts the ciphertext of the file number fn_i of file f_i by formula (8) to obtain the plaintext of fn_i, and then obtains by formula (9) the storage path and file name of the file whose number is fn_i. Otherwise the cloud storage server does not hold the content to be retrieved, and retrieval ends;
f_i, f_p = D_kd(fn_i)    (9)
After obtaining the plaintext of the file number, the legitimate data access user goes to the cloud storage server, according to the file storage path and file name, to obtain the ciphertext of the queried file, obtains the key with the key derivation algorithm, and decrypts to obtain the plaintext of the file corresponding to the file number.
Although the content of the present invention has been described in detail through the above preferred embodiments, it should be understood that the above description is not to be considered a limitation of the present invention. Various modifications and substitutions of the present invention will be apparent to those skilled in the art after reading the above. Therefore, the scope of protection of the present invention should be defined by the appended claims.
Claims (9)
1. A data encryption and retrieval method for protecting file privacy in a cloud environment, characterized by comprising the following steps:
(1) The data owner submits an access application to the cloud trusted party. After verifying that the data owner's identity information is legitimate, the cloud trusted party issues an authorization certificate to the legitimate data owner and, through the key derivation algorithm KGABOD, generates a key k_i for the owner's file f_i with file name f_n;
(2) The legitimate data owner submits a file upload application to the cloud storage server. After the cloud storage server has checked that the authorization certificate is valid, the legitimate data owner encrypts the file f_i to be uploaded with the key k_i of file f_i, and then uploads the encrypted file f_i to the cloud storage server;
(3) The cloud storage server receives the ciphertext of the file f_i uploaded by the legitimate data owner, then uses a multiway tree index structure to create a keyword-based file retrieval index for the legitimate data owner;
(4) The cloud storage server encrypts the file number fn_i of file f_i, and uses a Bloom filter to encrypt the keyword-based file retrieval index that the cloud storage server created for the legitimate data owner;
(5) The data access user submits an access application to the cloud trusted party. The cloud trusted party issues an authorization certificate to the user after verifying that the data access user's identity information is legitimate and, within the access rights of the legitimate data access user, derives the keys of the files the user may access;
(6) The data access user submits an access application to the cloud storage server together with the authorization certificate issued by the cloud trusted party. After the cloud storage server verifies the legitimacy of the authorization certificate, the legitimate data access user uploads multiple keywords for retrieving file f_i; the cloud storage server retrieves the ciphertext of file f_i through the keyword-based file retrieval index and returns it to the legitimate data user, who decrypts the ciphertext of file f_i to obtain the plaintext.
2. protecting data encryption and the search method of file privacy, feature under a kind of cloud environment according to claim 1
It is, the cloud trusted party of the step (1) is that legal data owner provides the certificate of authority, and the number of the certificate of authority is
Shown in code, code such as formula (1):
Code=g*hash (fn(16)||TS) (1)
Wherein, fnIt is file fiTitle, fn(16) it is fiTitle fnHexadecimal ASCII value, TS is file fiData are more
New timestamp, g are the random numbers that cloud trusted party generates.
3. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that, in step (1), the cloud trusted party generates the encryption key by the KGABOD algorithm, the detailed process being:
(11) the cloud trusted party generates a 128-bit root key Kr for each legitimate data owner, as shown in formula (2):
$$Kr = \mathrm{hash}(ID \,\|\, f_n(16) \,\|\, TS) \qquad (2)$$
(12) the cloud trusted party then generates the encryption key $k_i$ of file $f_i$ from the root key Kr of the legitimate data owner, $k_i$ being as shown in formula (3):
$$k_i = r\,\mathrm{hash}(Kr) \qquad (3)$$
where $r$ is a number randomly generated by the cloud trusted party for generating the encryption key $k_i$.
4. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that the detailed process of step (2) is:
(21) the cloud trusted party calls the random key generation function keygen() to generate the large-prime key CKdc, and CKdc is used as the symmetric key for communication between the data owner and the cloud trusted party;
(22) the legitimate data owner uses the encryption key $k_i$ of file $f_i$ to encrypt the file $f_i$ to be uploaded according to formula (4), and the resulting ciphertext $C_{f_i}$ of file $f_i$ is uploaded and stored in the cloud storage server.
$$C_{f_i} = Eke(f_i) \qquad (4)$$
5. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that, in the keyword-based document retrieval index of step (3), the root node contains all keywords in the file system, each second-layer node contains all keywords of the third-layer nodes, and so on, each node in layer n contains the keywords of layer n+1, and the final leaf nodes hold the keywords specific to file $f_i$.
6. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that, in step (3), the cloud storage server uses a multiway tree index structure to create a keyword-based document retrieval index for the legitimate data owner, the detailed process being:
(31) the cloud storage server first creates a keyword set W for each node of the keyword-based document retrieval index tree; the keyword set of a leaf node consists of the j keywords that the cloud storage server creates for the file $f_i$ uploaded by the legitimate data owner; the keywords in keyword set W are not repeated, the set length length(W) is the number of keywords, and the length of the keyword set can be extended continually;
(32) a file reference number $fn_i$ is created for file $f_i$, as shown in formula (5):
$$fn_i = (f_n \,\|\, fln \,\|\, TS \,\|\, f_p) \qquad (5)$$
In the file reference number $fn_i$, fln is the n-th node of the l-th layer of the keyword-based document retrieval index tree, TS is the timestamp of the data update of file $f_i$, $f_p$ is the storage path of file $f_i$ in the cloud storage server, and $f_n$ is the name of file $f_i$;
(33) the hexadecimal ASCII value $s_{ij}$ of each keyword $w_{ij}$ is calculated as follows: $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$, where $s = \{s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}\}$ is the set of hexadecimal ASCII values of the keywords.
7. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that the detailed process of step (4) is:
(41) the cloud storage server encrypts the file reference number $fn_i$ of file $f_i$; the file reference number $fn_i$ of file $f_i$ is encrypted by formula (7) to obtain
(42) the cloud storage server establishes a Bloom Filter for each node of the keyword-based document retrieval index and maps the hexadecimal ASCII value $s_{ij}$ of each computed keyword $w_{ij}$ onto the Bloom Filter;
each node is represented as an m-bit array, i.e. one Bloom Filter is established per node, and r independent hash functions $h_1$ to $h_r$ process the hexadecimal ASCII value $s_{ij}$ of every keyword $w_{ij}$ contained in the node; the leaf nodes hold the keywords specific to file $f_i$;
when retrieving file $f_i$, only $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ need to be hashed; if the positions in the m-bit array given by the computed values are 1, the retrieved keyword is in the index. Otherwise, a position that is not hit in the array is set to 0; if several hash functions produce the same value, the position is still 1;
(43) when retrieving file $f_i$, only $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ need to be hashed; if the positions in the m-bit array given by the computed values are 1, the retrieved keyword is in the index.
8. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that the detailed process of step (5) is:
(51) the data access user submits an access request to the cloud trusted party, and the cloud trusted party issues the user an authorization certificate after verifying that the data access user's identity information is legitimate;
(52) the cloud trusted party derives, within the access rights of the legitimate data access user, the keys of the files the user may access; if the access rights of a data access user change, the cloud trusted party uses a new key to re-encrypt the files to which the legitimate data access user whose rights changed originally had permission, preventing access by that data access user.
9. The data encryption and retrieval method for protecting file privacy in a cloud environment according to claim 1, characterized in that the detailed process of step (6) is:
(61) the cloud storage server verifies whether the authorization certificate of the data access user is valid;
(62) when the legitimate data access user submits a file retrieval request with multiple keywords $(w_{i1} \| w_{i2} \| w_{i3} \| \ldots \| w_{in})$ to the cloud storage server, the cloud storage server uses the formula $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$ to compute the hexadecimal ASCII value $s_{ij}$ of each keyword $w_{ij}$;
(63) the cloud storage server performs the hash function operation with the formula $h_{ij} = \mathrm{Hash}(s_{ij})$, processing $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ one by one with the r hash functions $h_1$ to $h_r$ to obtain the hash vector of the multiple keywords $(h_{i1} \| h_{i2} \| h_{i3} \| \ldots \| h_{in})$;
$h_{ij}$ is a hash vector that records the hash function values of $s_{ij}$ at the corresponding positions in the m-bit array;
(64) the cloud storage server searches the keyword-based document retrieval index I for an item that matches the multi-keyword hash vector; if one exists, i.e. formula (8) holds, it returns the ciphertext $Cfn_i$ of the file reference number $fn_i$ to the legitimate data access user, who decrypts it locally by formula (9) to obtain the plaintext of the file reference number $fn_i$, and then obtains by formula (10) the storage path and file name of the file whose reference number is $fn_i$; otherwise the cloud storage server does not hold the content searched for, and the retrieval ends;
$$fn_i = Dec(Cfn_i) \qquad (9)$$
$$f_i, f_p = Dkd(fn_i) \qquad (10)$$
(65) using the plaintext of the obtained file reference number $fn_i$, the data access user queries the cloud storage server by file storage path and file name to obtain the ciphertext of the file, obtains the key with the key derivation algorithm, and decrypts to obtain the plaintext of the file corresponding to the file reference number $fn_i$.
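The index and search of claims 5, 6, 7 and 9, as an added Python example (not code from the patent): every node holds an m-bit Bloom filter over the hexadecimal ASCII values of its keywords, a parent's filter is the OR of its children's, and a multi-keyword query descends only into subtrees whose filter matches every keyword. The values of m and r, salted SHA-256 standing in for h1..hr, the sample keywords and the placeholder references are assumptions.

```python
import hashlib

M = 1024  # m: bits per Bloom filter (size assumed; the claims leave m open)
R = 4     # r: number of hash functions h1..hr (count assumed)

def hex_ascii(keyword):
    """s_ij = ASCII(w_ij)_16: the keyword's ASCII bytes written in hexadecimal."""
    return keyword.encode("ascii").hex()

def positions(s):
    """h1..hr as salted SHA-256 (an assumption): r positions in the m-bit array."""
    return [int.from_bytes(hashlib.sha256(bytes([k]) + s.encode()).digest()[:8],
                           "big") % M for k in range(R)]

class Node:
    """One index-tree node holding an m-bit Bloom filter (stored as an int)."""
    def __init__(self, keywords=(), children=(), ref=None):
        self.children = list(children)
        self.ref = ref    # leaf only: opaque encrypted file reference number
        self.bits = 0
        for w in keywords:
            for p in positions(hex_ascii(w)):
                self.bits |= 1 << p          # a repeated position simply stays 1
        for child in self.children:
            self.bits |= child.bits          # layer n covers layer n+1

    def may_contain(self, keyword):
        return all((self.bits >> p) & 1 for p in positions(hex_ascii(keyword)))

def search(node, query):
    """Return refs of leaves whose filter matches every query keyword."""
    if not all(node.may_contain(w) for w in query):
        return []                            # prune: no descendant can match
    if not node.children:
        return [node.ref]
    return [ref for child in node.children for ref in search(child, query)]

def sample_index():
    """Constructed three-file index; the refs stand in for encrypted fn_i."""
    f1 = Node(["invoice", "tax", "2018"], ref="Cfn-1")
    f2 = Node(["invoice", "shipping"], ref="Cfn-2")
    f3 = Node(["radar", "harbour"], ref="Cfn-3")
    return Node(children=[Node(children=[f1, f2]), Node(children=[f3])])

if __name__ == "__main__":
    root = sample_index()
    print(search(root, ["invoice"]))
    print(search(root, ["invoice", "tax"]))
    print(search(root, ["invoice", "radar"]))
```

A Bloom filter match is probabilistic, so a returned reference can be a false positive and still has to be confirmed after decryption; with unkeyed hashes as in this sketch, anyone holding the index can also test guessed keywords against it.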
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810412324.4A CN108768951B (en) | 2018-05-03 | 2018-05-03 | Data encryption and retrieval method for protecting file privacy in cloud environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810412324.4A CN108768951B (en) | 2018-05-03 | 2018-05-03 | Data encryption and retrieval method for protecting file privacy in cloud environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108768951A true CN108768951A (en) | 2018-11-06 |
CN108768951B CN108768951B (en) | 2021-06-08 |
Family
ID=64009437
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810412324.4A Active CN108768951B (en) | 2018-05-03 | 2018-05-03 | Data encryption and retrieval method for protecting file privacy in cloud environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108768951B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102143159A (en) * | 2011-01-13 | 2011-08-03 | 北京邮电大学 | Database key management method in DAS (database-as-a-service) model |
US20180060435A1 (en) * | 2015-09-11 | 2018-03-01 | Skyhigh Networks, Inc. | Wildcard search in encrypted text using order preserving encryption |
- 2018-05-03 CN CN201810412324.4A patent/CN108768951B/en active Active
Non-Patent Citations (4)
Title |
---|
BING WANG: ""Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud"", 《IEEE》 * |
LIU HAO,DEZHI HAN: ""The study and design on secure-cloud storage system"", 《IEEE》 * |
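Xu Hanbing, Han Dezhi: ""A privacy-type threshold model and privacy protection method for cloud computing"", 《Mathematics in Practice and Theory》 * |
Huang Ruwei: ""An encryption algorithm supporting fuzzy retrieval in cloud computing environments"", 《Journal of Guangxi University》 * |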
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110059630B (en) * | 2019-04-19 | 2022-06-14 | 福州大学 | Verifiable outsourced monitoring video pedestrian re-identification method with privacy protection |
CN110059630A (en) * | 2019-04-19 | 2019-07-26 | 福州大学 | Secret protection can verify that outsourcing monitor video pedestrian recognition methods again |
CN110263570B (en) * | 2019-05-10 | 2020-09-25 | 电子科技大学 | Gene data desensitization method for realizing efficient similarity query and access control |
CN110263570A (en) * | 2019-05-10 | 2019-09-20 | 电子科技大学 | A kind of gene data desensitization method for realizing efficient similarity query and access control |
CN110176984B (en) * | 2019-05-28 | 2020-11-03 | 创意信息技术股份有限公司 | Data structure construction for secure string pattern matching and matching method |
CN110176984A (en) * | 2019-05-28 | 2019-08-27 | 创意信息技术股份有限公司 | A kind of data structure construction and matching process for security string pattern match |
CN110737905A (en) * | 2019-09-19 | 2020-01-31 | 深圳市先河系统技术有限公司 | Data authorization method, data authorization device and computer storage medium |
CN112257096A (en) * | 2020-11-23 | 2021-01-22 | 中电万维信息技术有限责任公司 | Searching method for cloud storage ciphertext encrypted data |
CN112257096B (en) * | 2020-11-23 | 2022-09-27 | 中电万维信息技术有限责任公司 | Searching method for cloud storage ciphertext encrypted data |
CN112749420A (en) * | 2020-12-23 | 2021-05-04 | 上海同态信息科技有限责任公司 | Private data cooperation method taking hash function as attribute |
CN112822009A (en) * | 2021-01-26 | 2021-05-18 | 西安邮电大学 | Attribute ciphertext efficient sharing system supporting ciphertext deduplication |
CN112822009B (en) * | 2021-01-26 | 2022-07-22 | 西安邮电大学 | Attribute ciphertext efficient sharing system supporting ciphertext deduplication |
CN114302394A (en) * | 2021-11-19 | 2022-04-08 | 深圳震有科技股份有限公司 | Network direct memory access method and system under 5G UPF |
CN114302394B (en) * | 2021-11-19 | 2023-11-03 | 深圳震有科技股份有限公司 | Network direct memory access method and system under 5G UPF |
CN114900318A (en) * | 2022-06-02 | 2022-08-12 | 浙江工商大学 | Key agreement protocol and verifiable round-of-communication searchable encryption method |
CN114900318B (en) * | 2022-06-02 | 2024-04-19 | 浙江工商大学 | One-round communication searchable encryption method based on key negotiation protocol and verifiable |
CN116132079A (en) * | 2022-08-09 | 2023-05-16 | 马上消费金融股份有限公司 | Data processing method and device |
CN115033908A (en) * | 2022-08-11 | 2022-09-09 | 西南石油大学 | Cloud storage-based oil and gas exploration fine-grained dense-state data retrieval method |
CN117708878A (en) * | 2023-12-08 | 2024-03-15 | 中科科界(北京)科技有限公司 | ORAM (object oriented authentication and privacy preserving) function-based copyright information trusted retrieval method |
CN117708878B (en) * | 2023-12-08 | 2024-05-03 | 中科科界(北京)科技有限公司 | ORAM (object oriented authentication and privacy preserving) function-based copyright information trusted retrieval method |
Also Published As
Publication number | Publication date |
---|---|
CN108768951B (en) | 2021-06-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
Effective date of registration: 20230413 Address after: Building 17, No. 1500, Zuchongzhi Road, Pudong New Area Pilot Free Trade Zone, Shanghai, 201210 Patentee after: SHANGHAI HIGH-FLYING ELECTRONICS TECHNOLOGY Co.,Ltd. Address before: 201306 1550 Harbour Road, Lingang New Town, Pudong New Area, Shanghai Patentee before: Shanghai Maritime University |