CN111163036B - Data sharing method, device, client, storage medium and system - Google Patents

Data sharing method, device, client, storage medium and system Download PDF

Info

Publication number
CN111163036B
CN111163036B CN201811318532.4A CN201811318532A CN111163036B CN 111163036 B CN111163036 B CN 111163036B CN 201811318532 A CN201811318532 A CN 201811318532A CN 111163036 B CN111163036 B CN 111163036B
Authority
CN
China
Prior art keywords
attribute
user
client
target
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811318532.4A
Other languages
Chinese (zh)
Other versions
CN111163036A (en
Inventor
程超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Suzhou Software Technology Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201811318532.4A priority Critical patent/CN111163036B/en
Publication of CN111163036A publication Critical patent/CN111163036A/en
Application granted granted Critical
Publication of CN111163036B publication Critical patent/CN111163036B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data sharing method, a device, a client, a storage medium and a system, wherein the system comprises: at least two CAs, a client, at least two AA's and a cloud server; the client is used for sending a registration request to any target CA in the at least two CAs, wherein the registration request comprises an attribute set of a user of the client; the target CA is used for generating a user public key of the user according to the attribute set and a preset random algorithm; the client is also used for sending the user public key and the attribute set to at least two AA; the at least two AA are used for generating the attribute private key of the user according to the private key corresponding to each attribute contained in the attribute set, the user public key and a preset key generation algorithm; and the client is also used for decrypting the shared file which is stored in the cloud server and encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key. The data sharing method is used for improving the safety and the practicability of data sharing.

Description

Data sharing method, device, client, storage medium and system
Technical Field
The invention relates to the field of cloud computing security, in particular to a data sharing method, a data sharing device, a data sharing client, a data sharing storage medium and a data sharing system.
Background
Cloud storage is a data outsourcing storage service technology derived and developed from cloud computing, and enables users to remotely store and access data in the cloud storage as required anytime and anywhere. Cloud storage has received much attention due to its low cost, easy to use interface and high scalability business advantages. With the rapid development of computers, the internet and wireless networks, mass data can be generated every day, and cloud storage provides an effective solution for storage and processing of mass data. However, a cloud server for storing data is not completely trusted, and usually, a holder of the data only allows an authorized visitor to access the data stored in the cloud server, so that the security and privacy of the data stored in the cloud server face a great challenge, and the requirement for the security and privacy of the data needs to be met when the data sharing is realized through the cloud server.
A data sharing method Based on a ciphertext-policy Attribute Encryption scheme (CP-ABE) mechanism can meet the requirements on the security and privacy of shared data, in the CP-ABE mechanism, a ciphertext is associated with an access structure, a user private key is associated with Attribute combination, users meeting the Attribute set of the Attribute access structure can decrypt the ciphertext, and the method is very suitable for data sharing with uncertain decryption parties. However, in the existing CP-ABE mechanism, a data sharing system of a centralized multi-Attribute Authority and a data sharing system of a centerless multi-Attribute Authority are generally adopted, where the data sharing system of the centralized multi-Attribute Authority includes a Certificate Authority (CA) and a plurality of Attribute Authorities (AA), and the plurality of AAs manage a class of attributes that are not crossed with each other, and respectively distribute private keys for the attributes in the Authority of the AA, and distribute Attribute private keys for users according to user public keys generated by the CA, however, the CA is required to be completely trusted, once the CA is untrusted, if the CA is breached, the entire data sharing system may be paralyzed, and an attacker may obtain user public keys of all users, resulting in leakage of user information; in a centerless multi-attribute mechanism data sharing system, a CA is not arranged, when a plurality of AA generate user attribute private keys, the user public keys of users do not need to be considered, and the situation of collusion attack of a plurality of users can occur, namely, a plurality of attribute private keys of users without decryption authority can be combined for use to decrypt encrypted data, and the security of data sharing is influenced.
Disclosure of Invention
The invention provides a data sharing method, a data sharing device, electronic equipment, a storage medium and a data sharing system, which are used for improving the safety and the practicability of data sharing.
In a first aspect, the invention discloses a data sharing system, which comprises at least two certificate authority Centers (CA), a client, at least two Attribute Authorities (AA) and a cloud server;
the client is used for sending a registration request to any target CA in the at least two CAs, wherein the registration request comprises an attribute set of a user of the client;
the target CA is used for receiving a registration request sent by the client, generating a user public key of the user according to the attribute set and a preset random algorithm, and sending the user public key to the client;
the client is further configured to receive a user public key sent by the target CA, and send the user public key and the attribute set to the at least two AAs;
the at least two AA are used for receiving the user public key and the attribute set sent by the client, generating an attribute private key of the user according to a private key corresponding to each attribute contained in the attribute set, the user public key and a preset key generation algorithm, and sending the attribute private key to the client;
and the client is further used for decrypting the shared file which is stored in the cloud server and encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
Optionally, the target CA is specifically configured to receive a registration request sent by the client, allocate a global identity GID to the user, and generate a user public key of the user according to the attribute set, the GID, a pre-generated private key of an attribute authority, and a preset random algorithm.
Optionally, the encrypted shared file stored in the cloud server is generated by encrypting the shared file according to the public parameter corresponding to the pre-generated private key of the attribute authority, the public key corresponding to each attribute in the attribute access structure set for the shared file, and a preset encryption algorithm.
Optionally, the system further includes: an attribute control server;
the attribute control server is also used for receiving a first updating request for adding a first attribute; determining a first target type corresponding to the first attribute according to a pre-stored attribute and type comparison table, and identifying whether a first target AA managing the attribute corresponding to the first target type exists in the at least two AA; if so, adding the first attribute to the first target AA; and if not, creating a first target AA for managing the attribute corresponding to the first target category, and adding the first attribute to the first target AA.
Optionally, the attribute control server is further configured to receive a second update request for deleting a second attribute, determine a second target category corresponding to the second attribute according to a pre-stored attribute and category comparison table, and delete the second attribute in a second target AA that manages the attribute corresponding to the second target category.
In a second aspect, the present invention discloses a data sharing method, which is applied to a client, and the method includes:
sending a registration request to any target CA in at least two Certificate Authority (CA) of a data sharing system, wherein the registration request comprises an attribute set of a user of the client, and the target CA generates a user public key of the user according to the attribute set and a preset random algorithm;
sending the user public key and the attribute set to at least two attribute mechanisms AA of the data sharing system, so that the at least two AA generate the attribute private key of the user according to a private key corresponding to each attribute contained in the user attribute set, the user public key and a preset key generation algorithm;
and decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
Optionally, the generating, by the target CA, the user public key of the user according to the attribute set and a preset random algorithm includes:
and the target CA distributes a Global Identity (GID) for the user, and generates a user public key of the user according to the attribute set, the GID, a pre-generated attribute mechanism private key and a preset random algorithm.
Optionally, the encrypted shared file stored in the cloud server is generated by encrypting the shared file according to the public parameter corresponding to the pre-generated private key of the attribute authority, the public key corresponding to each attribute in the attribute access structure set for the shared file, and a preset encryption algorithm.
In a third aspect, the present invention discloses a data sharing apparatus, which is applied to a client, and the apparatus includes:
the system comprises a first sending module, a second sending module and a third sending module, wherein the first sending module is used for sending a registration request to any target CA in at least two Certificate Authority (CA) of a data sharing system, wherein the registration request comprises an attribute set of a user of a client, so that the target CA generates a user public key of the user according to the attribute set and a preset random algorithm;
a second sending module, configured to send the user public key and the attribute set to at least two attribute authorities AA of the data sharing system, so that the at least two AAs generate the attribute private key of the user according to a private key corresponding to each attribute included in the user attribute set, the user public key, and a preset key generation algorithm;
and the decryption module is used for decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
In a fourth aspect, the invention discloses a client, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory has stored therein a computer program which, when executed by the processor, causes the processor to perform the steps of any of the methods described above.
In a fifth aspect, the present invention discloses a computer readable storage medium storing a computer program executable by an electronic device, the program, when run on the electronic device, causing the electronic device to perform the steps of any of the methods described above.
The invention discloses a data sharing method, a device, a client, a storage medium and a system, wherein the system comprises: the system comprises at least two certificate authority Centers (CA), a client, at least two Attribute Authorities (AA) and a cloud server; the client is used for sending a registration request to any target CA in the at least two CAs, wherein the registration request comprises an attribute set of a user of the client; the target CA is used for receiving a registration request sent by the client, generating a user public key of the user according to the attribute set and a preset random algorithm, and sending the user public key to the client; the client is further configured to receive a user public key sent by the target CA, and send the user public key and the attribute set to the at least two AAs; the at least two AA are used for receiving the user public key and the attribute set sent by the client, generating an attribute private key of the user according to a private key corresponding to each attribute contained in the attribute set, the user public key and a preset key generation algorithm, and sending the attribute private key to the client; and the client is further used for decrypting the shared file which is stored in the cloud server and encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key. In the embodiment of the invention, the user public keys are generated for the user through the at least two CAs, the CAs do not need to be completely trusted, the user can select the CA trusted by the user to register, and meanwhile, the breakdown of the whole data sharing system and the complete leakage of user information are avoided when a certain CA is not trusted, and the user public keys are generated for the user through the at least two CAs, so that the AA distributes the attribute private keys for the user according to the private keys corresponding to each attribute contained in the user attribute set and the user public keys distributed by different CAs, the security of data sharing is further improved, meanwhile, the situation that the attribute private keys of different users can be used in a combined way because the attribute private keys of different users are distributed for the user through the private keys corresponding to each attribute contained in the user attribute set is avoided, collusion attack is avoided, and the security and the practicability of data sharing are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a data sharing system according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a step of implementing data sharing by a data sharing system according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a decryption mechanism according to an embodiment of the present invention;
fig. 4 is a second schematic structural diagram of a data sharing system according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a data sharing procedure according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a data sharing device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a client according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that the terms "first," "second," and the like in the description of the present application are used for distinguishing between the descriptions and are not intended to indicate or imply relative importance nor order to indicate or imply order to the claims.
Example 1:
fig. 1 is a schematic structural diagram of a data sharing system according to an embodiment of the present invention, including at least two CAs 11, a client 12, at least two AAs 13, and a cloud server 14:
the client 12 is configured to send a registration request to any target CA11 of the at least two CAs 11, where the registration request includes a set of attributes of a user of the client 12;
the target CA11 is configured to receive a registration request sent by the client 12, generate a user public key of the user according to the attribute set and a preset random algorithm, and send the user public key to the client 12;
the client 12 is further configured to receive a user public key sent by the target CA11, and send the user public key and the attribute set to the at least two AAs 13;
the at least two AA13 are configured to receive the user public key and the attribute set sent by the client 12, generate an attribute private key of the user according to a private key corresponding to each attribute contained in the attribute set, the user public key, and a preset key generation algorithm, and send the attribute private key to the client 12;
the client 12 is further configured to decrypt, according to the attribute private key, the shared file stored in the cloud server 14 and encrypted by using the attribute access structure satisfied by the attribute set of the user.
In embodiments of the present invention, at least two AA13 manage attributes of a category that do not intersect each other, such as: AA1Managing attributes of subject categories, such as: user name, user ID, department, job title, time of job entry, etc.; … AAkManaging attributes of resource categories, such as: name, topic, resource size, creator, and creation date, etc.
In addition, the embodiment of the present invention relates to the following algorithms, (1) an initialization algorithm, which is used to run the initialization algorithm according to the input security parameter (K) when the data sharing system is initialized, and generate the public parameter (GPK) and the attribute authority private key (SK) of the data sharing system; (2) a key generation algorithm for generating an attribute private key (FK) of the user from the user Public Key (PK) and the attribute set (L) of the user; (3) the encryption algorithm is used for generating an encrypted shared file according to a public parameter (GPK), the shared file needing to be encrypted and an attribute access structure (T); (4) and the decryption algorithm is used for decrypting the encrypted shared file by using an attribute private key (FK) of the user to obtain the plaintext shared file.
As shown in fig. 2, the steps of implementing data sharing by combining the data sharing system are specifically described as follows:
s201: and initializing the system, generating public parameters and private keys of attribute mechanisms of the data sharing system according to the input security parameters, and generating public/private key pairs of each attribute.
Specifically, an initialization algorithm may be run by any of the at least two CAs 11 based on the input security parameters to generate public parameters of the shared system and attribute authority private keys, and each AA13 generates a public/private key pair for each attribute it manages.
S202: a client sends a registration request to any target CA in at least two CAs, wherein the registration request comprises an attribute set of a user of the client; and the target CA generates a user public key of the user according to the attribute set and a preset random algorithm, and sends the user public key to the client.
Specifically, the user of the client 12 may send a registration request including its own attribute set to any target CA11 trusted by the client 12, and after receiving the registration request, the target CA11 may input the attribute set into a preset random algorithm to generate a user public key of the user, or may run the preset random algorithm to generate a random number, which is combined with the attribute set to generate the user public key, without specific limitation.
Preferably, after receiving the registration request containing the attribute set of the user sent by the client 12, the target CA11 allocates a Global Identity (GID) to the user, and generates the user public key of the user according to the attribute set, the GID, a pre-generated private key of the attribute authority, and a preset random algorithm.
S203: and the at least two AA generate the attribute private key of the user according to the private key corresponding to each attribute contained in the attribute set of the user, the user public key and a preset key generation algorithm, and send the attribute private key to the client.
S204: and uploading the encrypted shared file to a cloud server.
In particular, the method comprises the following steps of,and the data holder of the shared file acquires the pre-generated public parameters and the public keys generated by at least two AA13 for each attribute, and encrypts the shared file according to the public parameters, the attribute access structure set for the shared file and the public key corresponding to each attribute in the attribute access structure. For example: the data holder firstly encrypts the shared file through a symmetric encryption algorithm (ENC) to obtain a symmetric encryption KEY (KEY), then operates a preset encryption algorithm according to an attribute access structure set for the shared file, a public KEY corresponding to each attribute in the attribute access structure and public parameters, encrypts the KEY to obtain the encrypted symmetric encryption KEY KEYcp-abeWill contain the encrypted symmetric encryption KEY KEYcp-abeThe encrypted shared file is uploaded to the cloud server 14.
S205: and the client decrypts the shared file encrypted by the attribute access structure satisfied by the attribute set of the user stored in the cloud server according to the attribute private key.
Specifically, the user of the client 12 may send a file request to the server through the client 12, and request the encrypted shared file, and the cloud server 14 sends the encrypted shared file to the client 12 according to the file request sent by the client 12, and preferably, before the cloud server 14 sends the encrypted shared file to the client 12, the uniqueness of the user public key of the user of the client 12 may also be verified, for example, whether the user public key is in a list of user public keys allowed to access and stored in the cloud server 14 is verified, and if the user public key satisfies the uniqueness, the encrypted shared file is sent to the client 12.
After receiving the encrypted shared file, the client 12 operates a decryption algorithm to decrypt the encrypted shared file through the attribute private key, and if the attribute set associated with the attribute private key satisfies the attribute access structure corresponding to the encrypted shared file, the client can decrypt the encrypted shared file. For example: if the attribute set associated with the attribute private KEY of the user satisfies the attribute access structure corresponding to the encrypted shared file, the client 12 can encrypt the symmetric encryption KEY KEYcp-abeDecrypting to obtain symmetric encryptionAnd the secret KEY KEY is used for decrypting the encrypted shared file through the symmetric encryption KEY KEY to obtain a plaintext of the shared file.
As shown in fig. 3, the attributes in the attribute set { ECNU, CS, Professor } associated with the attribute private key of the user 1 include 2 attributes { ECNU, CS } in { ECNU, CS, Female }, which satisfy the attribute access structure corresponding to the encrypted shared file and can decrypt the encrypted shared file; the attribute set { CS, Male, Professor } associated with the attribute private key of the user 2 does not satisfy the attribute access structure corresponding to the encrypted shared file, and cannot decrypt the encrypted shared file.
In the embodiment of the invention, the user public keys are generated for the user through the at least two CAs, the CAs do not need to be completely trusted, the user can select the CA trusted by the user to register, and meanwhile, the breakdown of the whole data sharing system and the complete leakage of user information are avoided when a certain CA is not trusted, and the user public keys are generated for the user through the at least two CAs, so that the AA distributes the attribute private keys for the user according to the private keys corresponding to each attribute contained in the user attribute set and the user public keys distributed by different CAs, the security of data sharing is further improved, meanwhile, the situation that the attribute private keys of different users can be used in a combined way because the attribute private keys of different users are distributed for the user through the private keys corresponding to each attribute contained in the user attribute set is avoided, collusion attack is avoided, and the security and the practicability of data sharing are improved.
Example 2:
to facilitate dynamic addition and deletion of attributes, the utility of a data sharing system is enhanced, as shown in fig. 4, the system further comprising: an attribute control server 15;
the attribute control server 15 is further configured to receive a first update request for adding a first attribute; determining a first target type corresponding to the first attribute according to a pre-stored attribute and type comparison table, and identifying whether a first target AA13 managing the attribute corresponding to the first target type exists in the at least two AA 13; if so, adding the first attribute to the first target AA 13; if not, a first target AA13 managing attributes corresponding to the first target category is created and the first attribute is added to the first target AA 13.
The attribute control server 15 is further configured to receive a second update request for deleting a second attribute, determine a second target category corresponding to the second attribute according to a pre-stored attribute-to-category comparison table, and delete the second attribute in a second target AA13 that manages the attribute corresponding to the second target category.
Specifically, in the embodiment of the present invention, the data sharing system is further provided with an attribute control server 15, and the attribute control server 15 stores in advance an attribute-to-category comparison table in which information of all categories that may appear and all attributes that may appear corresponding to each category are stored.
If the attribute needs to be added, a first update request for adding the first attribute can be sent or issued to the attribute control server 15, after the attribute control server 15 receives the first update request, the first target category corresponding to the first attribute is determined according to a pre-stored attribute and category comparison table, and whether a first target AA13 for managing the attribute corresponding to the first target category exists in at least two AA13 is identified; if so, directly adding the first attribute to the first target AA 13; if not, a first target AA13 managing attributes corresponding to the first target category is created, and the first attribute is added to the first target AA 13.
For example: presence of AA in data sharing systems1Managing attributes of subject categories, such as: user name, department, job title, time of job entry, etc.; … AAkManaging attributes of resource categories, such as: name, subject, resource size, creator, creation date, etc., and if the first attribute to be added is the user ID, the attribute control server 15 determines that the user ID belongs to the AA according to the attribute and category comparison table stored in advance1The administrative principal class, the attribute control server 15 sends the user ID to the AA over a secure channel1,AA1Storing the user ID in the attribute set AU managed by the user ID, and refreshing the attribute set AU, preferablyAA1A public/private key pair corresponding to the user ID is also generated. If the first attribute to be added is a resource attribute, the target class corresponding to the resource attribute is an environment attribute class, no AA13 managing the attribute corresponding to the environment attribute class exists in the two AA13, and an AA managing the attribute corresponding to the environment attribute class is createdk+1Sending resource attributes to the AA over a secure channelk+1,AAk+1Saving the resource attribute to the attribute set AU managed by itself and refreshing the attribute set AU, preferably AAk+1And generating a public/private key pair corresponding to the resource attribute.
If the attribute needs to be deleted, a second update request for deleting the second attribute may be sent or issued to the attribute control server 15, and after receiving the second update request, the attribute control server 15 determines the second target category corresponding to the second attribute according to the pre-stored attribute and category comparison table, and deletes the second attribute in the second target AA13 that manages the attribute corresponding to the second target category.
Preferably, when a user attribute needs to be revoked, the attribute control server 15 creates an attribute revocation list (AL), then writes the AL to the attribute Database (DB), and updates the DB to at least two AA13 for attribute revocation. Preferably, a timer (T) may be further provided for periodically updating the DB to at least two AA 13.
Example 3:
based on the foregoing embodiments, as shown in fig. 5, an embodiment of the present application provides a data sharing method, which includes the following specific steps:
s501: and sending a registration request to any target CA in at least two Certificate Authority (CA) of the data sharing system, wherein the registration request comprises an attribute set of the user of the client, so that the target CA generates the user public key of the user according to the attribute set and a preset random algorithm.
S502: and sending the user public key and the attribute set to at least two attribute mechanisms AA of the data sharing system, so that the at least two AA generate the attribute private key of the user according to a private key corresponding to each attribute contained in the user attribute set, the user public key and a preset key generation algorithm.
S503: and decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
Preferably, the generating, by the target CA, the user public key of the user according to the attribute set and a preset random algorithm includes:
and the target CA distributes a Global Identity (GID) for the user, and generates a user public key of the user according to the attribute set, the GID, a pre-generated attribute mechanism private key and a preset random algorithm.
Preferably, the encrypted shared file stored in the cloud server is generated by encrypting the shared file according to the public parameter corresponding to the pre-generated private key of the attribute authority, the public key corresponding to each attribute in the attribute access structure set for the shared file, and a preset encryption algorithm.
Example 4:
based on the foregoing embodiments, as shown in fig. 6, an embodiment of the present application provides a schematic structural diagram of a data sharing device, which is applied to a client, where the device includes:
a first sending module 61, configured to send a registration request to any target CA of at least two certificate authorities CA of a data sharing system, where the registration request includes an attribute set of a user of the client, so that the target CA generates a user public key of the user according to the attribute set and a preset random algorithm;
a second sending module 62, configured to send the user public key and the attribute set to at least two attribute authorities AA of the data sharing system, so that the at least two AAs generate the attribute private key of the user according to a private key corresponding to each attribute included in the user attribute set, the user public key, and a preset key generation algorithm;
and a decryption module 63, configured to decrypt, according to the attribute private key, the shared file that is stored in the cloud server of the data sharing system and encrypted by using the attribute access structure that is satisfied by the attribute set of the user.
Preferably, the target CA allocates a global identity GID to the user, and generates a user public key of the user according to the attribute set, the GID, a pre-generated attribute mechanism private key, and a preset random algorithm.
And the encrypted shared file stored in the cloud server is generated by encrypting the shared file according to the public parameters corresponding to the pre-generated private key of the attribute mechanism, the public key corresponding to each attribute in the attribute access structure set for the shared file and a preset encryption algorithm.
Example 5:
based on the same inventive concept, the embodiment of the present invention further provides a client, and because the principle of solving the problem of the client is similar to that of the data sharing method, the implementation of the client may refer to the implementation of the method, and repeated details are not repeated.
Fig. 7 is a schematic structural diagram of a client according to an embodiment of the present invention, where in fig. 7, the bus architecture may include any number of interconnected buses and bridges, and specifically, one or more processors 71 represented by a processor 71 and various circuits of a memory 73 represented by a memory 73 are linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 72 may be a number of elements including a transmitter and a transceiver providing a means for communicating with various other apparatus over a transmission medium. The processor 71 is responsible for managing the bus architecture and general processing, and the memory 73 may store data used by the processor 71 in performing operations.
In the client provided in the embodiment of the present invention:
the processor 71 is configured to read the program in the memory 73, and execute the following processes: sending a registration request to any target CA in at least two Certificate Authorities (CA) of a data sharing system through a transceiver 72, wherein the registration request comprises an attribute set of a user of the client, so that the target CA generates a user public key of the user according to the attribute set and a preset random algorithm; sending the user public key and the attribute set to at least two attribute mechanisms AA of the data sharing system, so that the at least two AA generate the attribute private key of the user according to a private key corresponding to each attribute contained in the user attribute set, the user public key and a preset key generation algorithm; and decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
Example 6:
on the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer storage readable storage medium, in which a computer program executable by an electronic device is stored, and when the program is run on the electronic device, the electronic device is caused to execute the following steps:
sending a registration request to any target CA in at least two Certificate Authority (CA) of a data sharing system, wherein the registration request comprises an attribute set of a user of the client, and the target CA generates a user public key of the user according to the attribute set and a preset random algorithm;
sending the user public key and the attribute set to at least two attribute mechanisms AA of the data sharing system, so that the at least two AA generate the attribute private key of the user according to a private key corresponding to each attribute contained in the user attribute set, the user public key and a preset key generation algorithm;
and decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
For the system/apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (11)

1. A data sharing system is characterized by comprising at least two certificate authority Centers (CA), a client, at least two Attribute Authorities (AA) and a cloud server;
the client is used for sending a registration request to any target CA in the at least two CAs, wherein the registration request comprises an attribute set of a user of the client;
the target CA is used for receiving a registration request sent by the client, generating a user public key of the user according to the attribute set and a preset random algorithm, and sending the user public key to the client;
the client is further configured to receive a user public key sent by the target CA, and send the user public key and the attribute set to the at least two AAs;
the at least two AA are used for receiving the user public key and the attribute set sent by the client, generating an attribute private key of the user according to a private key corresponding to each attribute contained in the attribute set, the user public key and a preset key generation algorithm, and sending the attribute private key to the client;
and the client is further used for decrypting the shared file which is stored in the cloud server and encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
2. The system of claim 1, wherein the target CA is specifically configured to receive a registration request sent by the client, assign a global identity GID to the user, and generate the user public key of the user according to the attribute set, the GID, a pre-generated private key of an attribute authority, and a preset random algorithm.
3. The system according to claim 2, wherein the encrypted shared file stored in the cloud server is generated by encrypting the shared file according to a public parameter corresponding to the pre-generated private key of the attribute authority, a public key corresponding to each attribute in an attribute access structure set for the shared file, and a preset encryption algorithm.
4. The system of any one of claims 1-3, further comprising: an attribute control server;
the attribute control server is also used for receiving a first updating request for adding a first attribute; determining a first target type corresponding to the first attribute according to a pre-stored attribute and type comparison table, and identifying whether a first target AA managing the attribute corresponding to the first target type exists in the at least two AA; if so, adding the first attribute to the first target AA; and if not, creating a first target AA for managing the attribute corresponding to the first target category, and adding the first attribute to the first target AA.
5. The system according to claim 4, wherein the attribute control server is further configured to receive a second update request for deleting a second attribute, determine a second target category corresponding to the second attribute according to a pre-stored attribute and category comparison table, and delete the second attribute in a second target AA managing the attribute corresponding to the second target category.
6. A data sharing method is applied to a client, and the method comprises the following steps:
sending a registration request to any target CA in at least two Certificate Authority (CA) of a data sharing system, wherein the registration request comprises an attribute set of a user of the client, and the target CA generates a user public key of the user according to the attribute set and a preset random algorithm;
sending the user public key and the attribute set to at least two attribute mechanisms AA of the data sharing system, so that the at least two AA generate the attribute private key of the user according to a private key corresponding to each attribute contained in the user attribute set, the user public key and a preset key generation algorithm;
and decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
7. The data sharing method of claim 6, wherein the generating, by the target CA, the user public key of the user according to the attribute set and a preset random algorithm comprises:
and the target CA distributes a Global Identity (GID) for the user, and generates a user public key of the user according to the attribute set, the GID, a pre-generated attribute mechanism private key and a preset random algorithm.
8. The data sharing method according to claim 7, wherein the encrypted shared file stored in the cloud server is generated by encrypting the shared file according to a public parameter corresponding to the pre-generated private key of the attribute authority, a public key corresponding to each attribute in an attribute access structure set for the shared file, and a preset encryption algorithm.
9. A data sharing apparatus, applied to a client, the apparatus comprising:
the system comprises a first sending module, a second sending module and a third sending module, wherein the first sending module is used for sending a registration request to any target CA in at least two Certificate Authority (CA) of a data sharing system, wherein the registration request comprises an attribute set of a user of a client, so that the target CA generates a user public key of the user according to the attribute set and a preset random algorithm;
a second sending module, configured to send the user public key and the attribute set to at least two attribute authorities AA of the data sharing system, so that the at least two AAs generate the attribute private key of the user according to a private key corresponding to each attribute included in the user attribute set, the user public key, and a preset key generation algorithm;
and the decryption module is used for decrypting the shared file which is stored in the cloud server of the data sharing system and is encrypted by adopting the attribute access structure met by the attribute set of the user according to the attribute private key.
10. The client is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing the communication between the processor and the memory through the communication bus;
the memory has stored therein a computer program which, when executed by the processor, causes the processor to carry out the steps of the method of any one of claims 6 to 8.
11. A computer-readable storage medium, having stored thereon a computer program executable by an electronic device, for causing the electronic device to perform the steps of the method of any one of claims 6-8, when the program is run on the electronic device.
CN201811318532.4A 2018-11-07 2018-11-07 Data sharing method, device, client, storage medium and system Active CN111163036B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811318532.4A CN111163036B (en) 2018-11-07 2018-11-07 Data sharing method, device, client, storage medium and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811318532.4A CN111163036B (en) 2018-11-07 2018-11-07 Data sharing method, device, client, storage medium and system

Publications (2)

Publication Number Publication Date
CN111163036A CN111163036A (en) 2020-05-15
CN111163036B true CN111163036B (en) 2022-03-29

Family

ID=70554486

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811318532.4A Active CN111163036B (en) 2018-11-07 2018-11-07 Data sharing method, device, client, storage medium and system

Country Status (1)

Country Link
CN (1) CN111163036B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351023A (en) * 2020-10-30 2021-02-09 杭州安恒信息技术股份有限公司 Data sharing and transmission method and system
CN112699392A (en) * 2020-12-31 2021-04-23 青岛海尔科技有限公司 Target data processing method and device, storage medium and electronic device
CN113392427A (en) * 2021-05-07 2021-09-14 卓尔智联(武汉)研究院有限公司 Data storage method and device, electronic equipment and storage medium
CN113641985B (en) * 2021-10-12 2022-02-11 江苏荣泽信息科技股份有限公司 Distributed trusted organization identity access control system and method
CN114239065A (en) * 2021-12-20 2022-03-25 北京深思数盾科技股份有限公司 Data processing method based on secret key, electronic equipment and storage medium
CN114513370B (en) * 2022-04-19 2022-07-15 中国信息通信研究院 Universal identification data conversion method and device, storage medium and electronic equipment
CN115695035B (en) * 2022-11-10 2024-04-19 山东云科汉威软件有限公司 Cloud storage-based oil and gas field service data authorization method and device, electronic equipment and readable medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6370249B1 (en) * 1997-07-25 2002-04-09 Entrust Technologies, Ltd. Method and apparatus for public key management
US8327424B2 (en) * 2009-12-22 2012-12-04 Motorola Solutions, Inc. Method and apparatus for selecting a certificate authority
WO2016153423A1 (en) * 2015-03-25 2016-09-29 Sixscape Communications Pte Ltd Apparatus and method for managing digital certificates
CN104917772B (en) * 2015-06-12 2017-12-08 深圳大学 A kind of access control method of the access control system of cloud storage service platform
CN105208007A (en) * 2015-08-26 2015-12-30 中标软件有限公司 Data sharing system
CN106487506B (en) * 2016-10-08 2020-07-28 西安电子科技大学 Multi-mechanism KP-ABE method supporting pre-encryption and outsourcing decryption
CN107508667B (en) * 2017-07-10 2019-09-17 中国人民解放军信息工程大学 Ciphertext policy ABE base encryption method and its device of the fix duty without key escrow can be disclosed

Also Published As

Publication number Publication date
CN111163036A (en) 2020-05-15

Similar Documents

Publication Publication Date Title
CN111163036B (en) Data sharing method, device, client, storage medium and system
CN109033855B (en) Data transmission method and device based on block chain and storage medium
CN108390876B (en) Multi-authorization-center access control method capable of supporting outsourcing revocation and verification and cloud server
CN109559124B (en) Cloud data security sharing method based on block chain
CN108600217B (en) Cloud-based data authorization certainty updating method based on proxy re-encryption
US7454021B2 (en) Off-loading data re-encryption in encrypted data management systems
CN112131316B (en) Data processing method and device applied to block chain system
AU2015278722B2 (en) Methods and devices for key management in an as-a-service context
KR101615137B1 (en) Data access method based on attributed
CN105122265A (en) Data security service system
CN104158827A (en) Cryptograph data sharing method and device, inquiring server and data uploading client terminal
WO2017061950A1 (en) Data security system and method for operation thereof
CN104901968A (en) Method for managing and distributing secret keys in secure cloud storage system
CN111181719A (en) Hierarchical access control method and system based on attribute encryption in cloud environment
CN107302524A (en) A kind of ciphertext data-sharing systems under cloud computing environment
CN114500069A (en) Method and system for storing and sharing electronic contract
KR102298266B1 (en) Data access control method and system using attribute-based password for secure and efficient data sharing in cloud environment
CN110012024A (en) A kind of data sharing method, system, equipment and computer readable storage medium
Chennam et al. Cloud security in crypt database server using fine grained access control
CN113641985A (en) Distributed trusted organization identity access control system and method
Cui et al. Efficient key management for IOT owner in the cloud
Silambarasan et al. Attribute-based convergent encryption key management for secure deduplication in cloud
JP7350220B2 (en) Search execution device, search execution method, search execution program, and secret search system
Feng et al. Secure data sharing solution for mobile cloud storage
Deepika Data access control for multiauthority storage system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant