CN112241536A - Access control method and device - Google Patents


Info

Publication number
CN112241536A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910654255.2A
Other languages
Chinese (zh)
Inventor
刘道斌
冯绍鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Potevio Information Technology Co Ltd
Original Assignee
Potevio Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The embodiment of the invention provides an access control method and device. The method comprises the following steps: after a user registers successfully, assigning the user an identity-based encryption key $k_u$ and a signing key $s_u$; if the user is assigned to role r, generating a role-based key tuple for the user, the role-based key tuple comprising the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature; if permission to use a file is assigned to role r, generating a file tuple for role r, the file tuple comprising the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature. The embodiment of the invention avoids re-encrypting the file under each role's key when the file is assigned to different roles, thereby greatly improving the working efficiency of the system.

Description

Access control method and device
Technical Field
The present invention relates to the field of access control technologies, and in particular, to an access control method and apparatus.
Background
Access control is a technique needed by almost all systems, both computer systems and non-computer systems. It restricts a user's access to certain information items, or the use of certain control functions, based on the user's identity and the defined group to which the user belongs. Access control is typically used by system administrators to control users' access to network resources such as servers, directories and files.
Role-based access control models (RBAC models) are an active subject of study. The basic idea of the RBAC model is to assign access permissions to roles; users gain the access permissions owned by a role by assuming that role. The reason is that in many practical applications users are not the owners of the information resources they can access (the information belongs to a business or company), so access control should be based on an employee's job rather than on which group the employee belongs to or who owns the information. In other words, access control is determined by the role each user plays in the organization; a school, for example, may have the roles of teacher, student and other managers. From the perspective of the controlling subject, RBAC divides roles according to relatively stable authority and responsibility in management, associates access rights with the roles, and associates users with access rights by assigning them appropriate roles. The role thus becomes a bridge between the accessing subject and the controlled object.
Existing role-based file access control strategies are inefficient: when the same file is assigned to different roles, the file must be encrypted again with each role's key, and when the file is large this lowers system efficiency and affects normal users' access to the file. In addition, existing file access control policies lack a flexible change mechanism: once user or role permissions in the system change, the whole access control policy can no longer be enforced.
Disclosure of Invention
To solve the problem in the prior art, embodiments of the present invention provide an access control method and apparatus.
The embodiment of the invention provides an access control method, which comprises the following steps:
after a user registers successfully, assigning the user an identity-based encryption key $k_u$ and a signing key $s_u$;
if the user is assigned to role r, generating a role-based key tuple for the user, wherein the role-based key tuple comprises the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature;
if permission to use a file is assigned to role r, generating a file tuple for role r, wherein the file tuple comprises the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature.
The embodiment of the invention provides an access control method, which comprises the following steps:
after successful registration, obtaining from an administrator an identity-based encryption key $k_u$ and a signing key $s_u$;
downloading a role-based key tuple and a file tuple, wherein, if the role of the user is r, the role-based key tuple comprises the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature; and the file tuple comprises the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature;
verifying, according to the signing key $s_u$, whether the administrator signature in the key tuple and the file tuple is valid;
if the administrator signature in the key tuple and the file tuple is valid, decrypting with the encryption key $k_u$ to obtain the encryption key $k_r$ of role r;
decrypting with the encryption key $k_r$ of role r to obtain the symmetric key k of the encrypted file, and decrypting with the symmetric key k to obtain the file plaintext.
An embodiment of the present invention provides an access control apparatus, where the apparatus includes:
an allocation unit, configured to assign the user an identity-based encryption key $k_u$ and a signing key $s_u$ after the user registers successfully;
a first generating unit, configured to generate a role-based key tuple for the user if the user is assigned to role r, the role-based key tuple comprising the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature;
a second generating unit, configured to generate a file tuple for role r if permission to use a file is assigned to role r, the file tuple comprising the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature.
An embodiment of the present invention provides an access control apparatus, where the apparatus includes:
an acquisition unit, configured to obtain from an administrator an identity-based encryption key $k_u$ and a signing key $s_u$ after successful registration;
a downloading unit, configured to download a role-based key tuple and a file tuple, wherein, if the role of the user is r, the role-based key tuple comprises the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature; and the file tuple comprises the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature;
a verification unit, configured to verify, according to the signing key $s_u$, whether the administrator signature in the key tuple and the file tuple is valid;
a first decryption unit, configured to decrypt with the encryption key $k_u$ to obtain the encryption key $k_r$ of role r if the administrator signature in the key tuple and the file tuple is valid;
a second decryption unit, configured to decrypt with the encryption key $k_r$ of role r to obtain the symmetric key k of the encrypted file, and to decrypt with the symmetric key k to obtain the file plaintext.
An embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program that is stored in the memory and can be run on the processor, and when the processor executes the computer program, the access control method is implemented.
Embodiments of the present invention also provide a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the above access control method.
According to the access control method and device provided by the embodiment of the invention, the file is encrypted with a symmetric key instead of directly with the role key, which avoids re-encrypting the file under each role's key when the file is assigned to different roles and greatly improves the working efficiency of the system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an access control structure according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an access control method according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating an access control method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
First, an access control system applied to the embodiment of the present invention is described.
Fig. 1 is a schematic structural diagram illustrating an access control system according to an embodiment of the present invention.
As shown in Fig. 1, the access control system consists of three entities: an administrator, users, and a cloud storage provider. The cloud storage provider is mainly responsible for managing stored objects and is not trusted in the system. The administrator's task is to manage the storage system so that it remains in a protected state: the administrator controls the allocation of access rights and the creation, revocation and distribution of the policy data that protects the files, which are stored in the cloud in encrypted form. A user can download any stored file, but can decrypt, read and modify it only after obtaining the corresponding authorization. All files are encrypted and signed before being uploaded to cloud storage. It is assumed that all parties can communicate over mutually authenticated, private channels.
Fig. 2 is a flowchart illustrating an access control method according to an embodiment of the present invention.
The access control method provided by the embodiment of the invention is applied to an administrator. As shown in Fig. 2, the method specifically includes the following steps:
S11, after the user registers successfully, assigning the user an identity-based encryption key $k_u$ and a signing key $s_u$.
Specifically, a user must register before becoming a legitimate user of the system; after successful registration, the user obtains the identity-based encryption key $k_u$ and signing key $s_u$ from the administrator.
S12, if the user is assigned to role r, generating a role-based key tuple for the user, the role-based key tuple comprising the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature.
Specifically, for each role r, the administrator generates an identity-based encryption key $k_r$ (role key for short) and a signing key $s_r$. For each user u in the membership of role r, the administrator generates and uploads a tuple:
Figure BDA0002136331900000051
In this tuple,
Figure BDA0002136331900000052
denotes the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$ of user u. By downloading the tuple and decrypting it, the user obtains the encryption key $k_r$ and signing key $s_r$ of role r.
Figure BDA0002136331900000053
denotes the signature of the supervisor SU, i.e. the administrator; RK is the identifier of this role key tuple.
S13, if permission to use a file is assigned to role r, generating a file tuple for role r, the file tuple comprising the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature.
Specifically, for each file f assigned to role r, the administrator would generate and upload the following tuples, according to the existing access control policy:
Figure BDA0002136331900000054
where
Figure BDA0002136331900000055
denotes the file f encrypted with the encryption key $k_r$ of role r, fn denotes the file name, op denotes the operations (read or write) permitted on the file,
Figure BDA0002136331900000056
denotes the administrator signature, and F is the identifier of this file tuple.
However, under this strategy the structure must be duplicated when a file f is to be shared with multiple roles, e.g. R1 and R2. That is, f must be encrypted twice: once for R1 and once for R2. This strategy is therefore not suitable for bulk encryption of large amounts of data.
In the embodiment of the invention, when a file is assigned to different roles, the file is encrypted with a symmetric key rather than with the role key, so the file f does not need to be encrypted repeatedly when it is assigned to different roles; only the key k needs to be encrypted. Two new tuples are therefore introduced to replace the original file tuple:
Figure BDA0002136331900000061
Figure BDA0002136331900000062
where
Figure BDA0002136331900000063
denotes the file f encrypted with the symmetric key k, and
Figure BDA0002136331900000064
denotes the symmetric key k encrypted with the encryption key $k_r$ of role r.
According to the access control method provided by the embodiment of the invention, the file is encrypted with a symmetric key instead of directly with the role key, which avoids re-encrypting the file under each role's key when the file is assigned to different roles and greatly improves the working efficiency of the system.
On the basis of the above embodiment, the key tuple and the file tuple include: the version number of the symmetric key k and the version number of the role r.
Specifically, the embodiment introduces a version number for the symmetric key k and a version number for role r. When roles and users in the system change, or a role's permission is revoked, revocation and the removal of users from roles are implemented by updating the role key (RK) tuple, the file key (FK) tuple and the file (F) tuple.
On the basis of the above embodiment, the method further includes:
if the permission of role r to use the file is revoked, generating a new symmetric key, updating the version number of the symmetric key, and updating the version number of the roles that are not revoked;
encrypting the file with the new symmetric key and, for each role that is not revoked, encrypting the new symmetric key with the encryption key of the new version of that role, so as to generate new file tuples that replace the original file tuples.
Specifically, a version number is introduced into the F and FK tuples, specifically the following tuples are introduced:
Figure BDA0002136331900000065
Figure BDA0002136331900000066
Figure BDA0002136331900000067
where v denotes the version number of the symmetric key k that encrypts the file, role r is replaced by $(r, v_r)$, and $v_r$ denotes the version number of role r. When the permission of role r to use the file is revoked, the key k must be regenerated and the file re-encrypted, i.e. the F tuple is regenerated, and new FK tuples are regenerated for the roles that are not revoked while the version number of the role is incremented.
On the basis of the above embodiment, the method further includes:
if user u is removed from role r, updating the version number of the current role, generating the encryption key and signing key of the new version of the role, generating new key tuples from the encryption key of the new version of the role, and replacing the original key tuples with the new key tuples;
generating a new symmetric key, updating the version number of the symmetric key, encrypting the file with the new symmetric key, encrypting the new symmetric key with the encryption key of the new version of the role, and generating new file tuples that replace the original file tuples.
Specifically, when user u is removed from the user group of role r, the RK tuple containing user u must be deleted, a new role key generated, and a new RK tuple generated for each user remaining in role r. All of these operations are performed by the administrator. Taking the removal of user u from the user group of role r as an example, the steps are as follows:
(1) The version number $v_r$ of the current role r is updated to $v_r+1$, i.e. $(r, v_r)$ becomes $(r, v_r+1)$, and new role keys $k_{(r,v_r+1)}$ and $s_{(r,v_r+1)}$ are generated; the versioned key tuple
Figure BDA0002136331900000071
is replaced by
Figure BDA0002136331900000072
(2) A new file key k' is generated, and the versioned file tuples
Figure BDA0002136331900000073
Figure BDA0002136331900000074
are replaced by
Figure BDA0002136331900000075
Figure BDA0002136331900000076
i.e. the old file key k is replaced with k'.
(3) The file is encrypted with the new file key k', and the versioned file tuple
Figure BDA0002136331900000077
is replaced by
Figure BDA0002136331900000078
After these steps, user u has been removed from role r; the other users in role r can still access file f normally, but the removed user u cannot.
In the embodiment of the invention, the administrator assigns permissions to a role by issuing FK tuples for the role and distributes the role key to users by issuing RK tuples. Because the symmetric key and the role key carry version numbers, removing a user from a role and revoking a role's permission are both possible, which gives the system dynamic access control and ensures the security of file access.
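The sharing of one file with roles R1 and R2 and the removal of a user in steps (1) to (3) above, as an added Python example that is not code from the patent. Assumptions: every key is modelled as a random 32-byte symmetric key, `seal`/`unseal` are a toy HMAC-based cipher standing in for the identity-based and symmetric encryption, the administrator signature is an HMAC, the role signing key $s_r$ and the write path are omitted, and all class, function, user and file names are hypothetical.

```python
import hashlib, hmac, secrets

def _ks(key, nonce, n):  # toy keystream: HMAC-SHA256 in counter mode
    k = hashlib.sha256(b"enc" + key).digest()
    return b"".join(hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def _tag(key, data):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def seal(key, pt):  # stand-in for an authenticated cipher such as AES-GCM
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + _tag(key, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

class Admin:
    def __init__(self):
        self._sig = secrets.token_bytes(32)   # stand-in for the administrator signing key
        self.users, self.roles, self.files = {}, {}, {}
        self.cloud = {}                       # untrusted store: tuple id -> signed tuple
        self.file_encryptions = 0             # how often file contents were encrypted

    def verify(self, tup):                    # check the administrator signature (last field)
        return hmac.compare_digest(tup[-1], _tag(self._sig, repr(tup[:-1]).encode()))

    def _put(self, key, *fields):
        body = key + fields
        self.cloud[key] = body + (_tag(self._sig, repr(body).encode()),)

    def _put_rk(self, u, r):                  # RK = <u, r, v_r, Enc_ku(k_r), sig>
        role = self.roles[r]
        self._put(("RK", u, r), role["v"], seal(self.users[u], role["k"]))
    def _put_fk(self, r, fn):                 # FK = <r, fn, v_r, op, v, Enc_kr(k), sig>
        f, role = self.files[fn], self.roles[r]
        self._put(("FK", r, fn), role["v"], f["perms"][r], f["v"], seal(role["k"], f["k"]))
    def _put_f(self, fn, data):               # F = <fn, v, Enc_k(f), sig>
        self.file_encryptions += 1
        self._put(("F", fn), self.files[fn]["v"], seal(self.files[fn]["k"], data))

    def register(self, u):
        self.users[u] = secrets.token_bytes(32)
        return self.users[u]
    def assign_user(self, u, r):
        role = self.roles.setdefault(r, {"v": 1, "k": secrets.token_bytes(32), "members": set()})
        role["members"].add(u)
        self._put_rk(u, r)
    def add_file(self, fn, data):
        self.files[fn] = {"v": 1, "k": secrets.token_bytes(32), "perms": {}}
        self._put_f(fn, data)
    def grant(self, r, fn, op="read"):        # sharing wraps k only; the file is untouched
        self.files[fn]["perms"][r] = op
        self._put_fk(r, fn)

    def remove_user(self, u, r):
        role = self.roles[r]
        role["members"].discard(u)
        self.cloud.pop(("RK", u, r), None)
        role["v"], role["k"] = role["v"] + 1, secrets.token_bytes(32)   # step (1)
        for m in role["members"]:
            self._put_rk(m, r)
        for fn, f in self.files.items():
            if r in f["perms"]:
                data = unseal(f["k"], self.cloud[("F", fn)][3])
                f["v"], f["k"] = f["v"] + 1, secrets.token_bytes(32)    # step (2)
                self._put_f(fn, data)                                   # step (3)
                for other in f["perms"]:      # re-wrap k' for every role holding the file
                    self._put_fk(other, fn)

def read_file(cloud, verify, u, k_u, r, fn):  # user side: verify, unwrap k_r, unwrap k, decrypt
    tuples = [cloud.get(key) for key in (("RK", u, r), ("FK", r, fn), ("F", fn))]
    if any(t is None for t in tuples):
        raise PermissionError("no RK/FK/F tuple for this user, role and file")
    rk, fk, f = tuples
    if not all(verify(t) for t in tuples):
        raise ValueError("invalid administrator signature")
    if rk[3] != fk[3] or fk[5] != f[2]:
        raise ValueError("tuple versions do not match")
    k_r = unseal(k_u, rk[4])
    k = unseal(k_r, fk[6])
    return unseal(k, f[3])

def demo():
    admin = Admin()
    keys = {u: admin.register(u) for u in ("alice", "bob", "carol")}    # constructed users
    for u, r in (("alice", "R1"), ("bob", "R1"), ("carol", "R2")):
        admin.assign_user(u, r)
    admin.add_file("report", b"constructed sample file contents")
    for r in ("R1", "R2"):
        admin.grant(r, "report")
    before = admin.file_encryptions           # file shared with two roles, encrypted once
    old_k_r = unseal(keys["bob"], admin.cloud[("RK", "bob", "R1")][4])  # bob keeps old k_r
    admin.remove_user("bob", "R1")
    return admin, keys, before, old_k_r
```

A removed user who cached the old ciphertext and the old key k can still read that old version; rotation only protects the re-encrypted file and later writes.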
Fig. 3 is a flowchart illustrating an access control method according to an embodiment of the present invention.
The access control method shown in Fig. 3 is applied to a user. As shown in Fig. 3, the method includes the following steps:
S21, after successful registration, obtaining from the administrator an identity-based encryption key $k_u$ and a signing key $s_u$.
Specifically, a user must register before becoming a legitimate user of the system; after successful registration, the user obtains the identity-based encryption key $k_u$ and signing key $s_u$ from the administrator.
S22, downloading a role-based key tuple and a file tuple, wherein, if the role of the user is r, the role-based key tuple comprises the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature; and the file tuple comprises the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature.
Specifically, if user u is allowed to read file f, user u must download the key tuple RK based on role r and the tuples F and FK of file f. The tuples are as follows:
Figure BDA0002136331900000081
Figure BDA0002136331900000082
denotes the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$ of user u.
Figure BDA0002136331900000083
denotes the signature of the supervisor SU, i.e. the administrator; RK is the identifier of this role key tuple.
Figure BDA0002136331900000084
Figure BDA0002136331900000085
where
Figure BDA0002136331900000086
denotes the file f encrypted with the symmetric key k, and
Figure BDA0002136331900000087
denotes the symmetric key k encrypted with the encryption key $k_r$ of role r.
S23, verifying, according to the signing key $s_u$, whether the administrator signature in the key tuple and the file tuple is valid.
Specifically, after downloading the key tuple RK based on role r and the tuples F and FK of file f, user u first uses its own signing key to verify whether the signatures in the RK tuple and the file tuples are valid.
S24, if the administrator signature in the key tuple and the file tuple is valid, decrypting with the encryption key $k_u$ to obtain the encryption key $k_r$ of role r.
Specifically, after verification passes, the user key $k_u$ is used to decrypt
Figure BDA0002136331900000091
to obtain the encryption key $k_r$ of role r.
S25, decrypting with the encryption key $k_r$ of role r to obtain the symmetric key k of the encrypted file, and decrypting with the symmetric key k to obtain the file plaintext.
Specifically, the encryption key $k_r$ is used to decrypt
Figure BDA0002136331900000092
to obtain the symmetric key k, which is then used to decrypt
Figure BDA0002136331900000093
and recover the file plaintext.
On the basis of the above embodiment, the method further includes:
if the user writes the file, i.e. user u is allowed to write file f, the user can generate and upload a new file tuple
Figure BDA0002136331900000094
where f' is the newly written file; after the administrator verifies that the signature is valid, the administrator replaces the original file tuple with the new file tuple.
Fig. 4 is a schematic structural diagram illustrating an access control apparatus according to an embodiment of the present invention.
The apparatus shown in Fig. 4 is applied to an administrator, and as shown in Fig. 4, the apparatus further includes: an assigning unit 11, a first generating unit 12 and a second generating unit 13, wherein:
The assigning unit 11 is configured to assign the user an identity-based encryption key $k_u$ and a signing key $s_u$ after the user registers successfully.
Specifically, a user must register before becoming a legitimate user of the system; after successful registration, the user obtains the identity-based encryption key $k_u$ and signing key $s_u$ from the administrator.
The first generating unit 12 is configured to generate a role-based key tuple for the user if the user is assigned to role r, the role-based key tuple comprising the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$, and an administrator signature.
Specifically, for each role r, the administrator generates an identity-based encryption key $k_r$ (role key for short) and a signing key $s_r$. For each user u in the membership of role r, the administrator generates and uploads a tuple:
Figure BDA0002136331900000095
In this tuple,
Figure BDA0002136331900000096
denotes the encryption key $k_r$ and signing key $s_r$ of role r, encrypted with the encryption key $k_u$ of user u. By downloading the tuple and decrypting it, the user obtains the encryption key $k_r$ and signing key $s_r$ of role r.
Figure BDA0002136331900000101
denotes the signature of the supervisor SU, i.e. the administrator; RK is the identifier of this role key tuple.
The second generating unit 13 is configured to generate a file tuple for role r if permission to use a file is assigned to role r, the file tuple comprising the symmetric key k encrypted with the encryption key $k_r$ of role r, the file encrypted with the symmetric key k, the operations permitted on the file, and the administrator signature.
Specifically, in the embodiment of the present invention, when a file is assigned to different roles, the file is encrypted with a symmetric key rather than with the role key, so the file f does not need to be encrypted repeatedly when it is assigned to different roles; only the key k needs to be encrypted. Two new tuples are therefore introduced to replace the original file tuple:
Figure BDA0002136331900000102
Figure BDA0002136331900000103
where
Figure BDA0002136331900000104
denotes the file f encrypted with the symmetric key k, and
Figure BDA0002136331900000105
denotes the symmetric key k encrypted with the encryption key $k_r$ of role r.
The access control device provided by the embodiment of the invention encrypts the file with a symmetric key instead of directly with the role key, which avoids re-encrypting the file under each role's key when the file is assigned to different roles and greatly improves the working efficiency of the system.
On the basis of the above embodiment, the key tuple and the file tuple include: the version number of the symmetric key k and the version number of the role r.
Specifically, the embodiment introduces a version number for the symmetric key k and a version number for role r. When roles and users in the system change, or a role's permission is revoked, revocation and the removal of users from roles are implemented by updating the role key (RK) tuple, the file key (FK) tuple and the file (F) tuple.
On the basis of the above embodiment, the apparatus further includes:
a first updating unit, configured to generate a new symmetric key if the permission of role r to use the file is revoked, update the version number of the symmetric key, and update the version number of the roles that are not revoked;
a second updating unit, configured to encrypt the file with the new symmetric key and, for each role whose permission is not revoked, encrypt the new symmetric key with the encryption key of the new version of that role, so as to generate new file tuples that replace the original file tuples.
Specifically, a version number is introduced into the F and FK tuples, specifically the following tuples are introduced:
Figure BDA0002136331900000111
Figure BDA0002136331900000112
Figure BDA0002136331900000113
where v denotes the version number of the symmetric key k that encrypts the file, role r is replaced by $(r, v_r)$, and $v_r$ denotes the version number of role r. When the permission of role r to use the file is revoked, the key k must be regenerated and the file re-encrypted, i.e. the F tuple is regenerated, and new FK tuples are regenerated for the roles that are not revoked while the version number of the role is incremented.
On the basis of the above embodiment, the apparatus further includes:
a third updating unit, configured to update the version number of the current role, generate the encryption key and signing key of the new version of the role, generate new key tuples from the encryption key of the new version of the role, and replace the original key tuples with the new key tuples;
a fourth updating unit, configured to generate a new symmetric key, update the version number of the symmetric key, encrypt the file with the new symmetric key, encrypt the new symmetric key with the encryption key of the new version of the role, and generate new file tuples that replace the original file tuples.
Specifically, when user u is removed from the user group of role r, the RK tuple containing user u must be deleted, a new role key generated, and a new RK tuple generated for each user remaining in role r. All of these operations are performed by the administrator.
In the embodiment of the invention, the administrator assigns permissions to a role by issuing FK tuples for the role and distributes the role key to users by issuing RK tuples. Because the symmetric key and the role key carry version numbers, removing a user from a role and revoking a role's permission are both possible, which gives the system dynamic access control and ensures the security of file access.
Fig. 5 is a schematic structural diagram illustrating an access control apparatus according to an embodiment of the present invention.
The apparatus shown in fig. 5 is applied to a user-side device, and includes: an acquisition unit 21 and a download unit 22, an authentication unit 13, a first decryption unit 14 and a second decryption unit 15, wherein:
the obtaining unit 21 is configured to obtain from an administrator, after registration succeeds, an encryption key k_u based on the user identity and a signing key s_u;
Specifically, a user must register before becoming a legitimate user of the system; after registration succeeds, the user obtains the identity-based encryption key k_u and the signing key s_u from the administrator.
the downloading unit 22 is configured to download a role-based key tuple and a file tuple, where, if the role of the user is r, the role-based key tuple includes: the encryption key k_r and the signing key s_r of role r, encrypted with said encryption key k_u, and an administrator signature; the file tuple includes the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and an administrator signature;
Specifically, if user u is allowed to read file f, user u must download the key tuple RK of role r and the tuples F and FK of file f. Each tuple is as follows:
Figure BDA0002136331900000121
Figure BDA0002136331900000122
denotes the encryption key k_r and the signing key s_r of role r, encrypted with the encryption key k_u of user u;
Figure BDA0002136331900000123
denotes the signature of the supervisor SU, i.e. the administrator; RK is the identifier of this role key tuple.
Figure BDA0002136331900000124
Figure BDA0002136331900000125
where
Figure BDA0002136331900000126
denotes file f encrypted with the symmetric key k, and
Figure BDA0002136331900000127
denotes the symmetric key k encrypted with the encryption key k_r of the user's role r.
the verification unit 23 is configured to verify, according to the signing key s_u, whether the administrator signatures in the key tuple and the file tuple are valid;
Specifically, after downloading the key tuple RK of role r and the tuples F and FK of file f, user u first uses its own signing key to verify whether the signatures in the RK tuple and the file tuples are valid.
the first decryption unit 24 is configured to, if the administrator signatures in the key tuple and the file tuple are valid, decrypt according to the encryption key k_u to obtain the encryption key k_r of role r;
Specifically, after verification passes, the user key k_u is used to decrypt
Figure BDA0002136331900000128
to obtain the encryption key k_r of role r.
the second decryption unit 25 is configured to decrypt according to the encryption key k_r of role r to obtain the symmetric key k of the encrypted file, and to decrypt according to the symmetric key k to obtain the file plaintext.
Specifically, the encryption key k_r is used to decrypt
Figure BDA0002136331900000131
to obtain the symmetric key k, and the symmetric key k is then used to decrypt
Figure BDA0002136331900000132
to recover the file plaintext.
On the basis of the above embodiment, the apparatus further includes:
a fifth updating unit, configured to, if the user writes a file, encrypt the written file with the symmetric key k, encrypt the symmetric key k with the encryption key k_r of role r, and generate a new file tuple to replace the original file tuple.
If the user writes the file, i.e. the user u is allowed to write the file f, the user can generate and upload a new file multi-tuple
Figure BDA0002136331900000133
where f' is the newly written file; after the administrator verifies the validity of the signature, the original file tuple is replaced with the new file tuple.
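The user-side read path described above (verify the administrator signatures, then unwrap k_r with k_u, k with k_r, and the file with k), together with the versioned role revocation from the preceding embodiment, as an added Python example that is not code from the patent. Assumptions: the `Admin` class, the field names and the dict layout of the tuples are hypothetical, the role signing key s_r and the write path are left out, and since only the standard library is used, `seal`/`unseal` (SHAKE-256 keystream with an HMAC tag) and the HMAC-based administrator tag stand in for a real cipher and a real signature scheme.

```python
import hashlib, hmac, json, os

def seal(key, pt):  # stand-in authenticated cipher (SHAKE-256 keystream + HMAC tag), not a vetted AEAD
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key version or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

def _mac(sig_key, body):
    return hmac.new(sig_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def valid(sig_key, tup):  # recompute the tag over every field except the tag itself
    body = {k: v for k, v in tup.items() if k != "sig"}
    return hmac.compare_digest(tup["sig"], _mac(sig_key, body))

class Admin:
    def __init__(self):
        self.sig_key = os.urandom(32)  # HMAC key standing in for the administrator signature
        self.users, self.roles, self.files = {}, {}, {}

    def _signed(self, **body):
        return {**body, "sig": _mac(self.sig_key, body)}

    def register(self, u):
        self.users[u] = os.urandom(32)  # k_u
        return self.users[u]

    def set_role(self, r, members):  # fresh k_r under an incremented v_r
        self.roles[r] = (self.roles.get(r, (0,))[0] + 1, os.urandom(32), list(members))

    def set_file(self, name, data, roles):  # fresh k under an incremented v
        self.files[name] = (self.files.get(name, (0,))[0] + 1, os.urandom(32), data, list(roles))

    def rk(self, u, r):  # RK tuple: k_r wrapped under k_u
        v_r, k_r, members = self.roles[r]
        if u not in members:
            raise PermissionError(u)
        return self._signed(t="RK", user=u, role=r, v_r=v_r, wrapped=seal(self.users[u], k_r).hex())

    def fk(self, r, name):  # FK tuple: k wrapped under k_r
        v, k, _, roles = self.files[name]
        if r not in roles:
            raise PermissionError(r)
        v_r, k_r, _ = self.roles[r]
        return self._signed(t="FK", role=r, v_r=v_r, file=name, v=v, op="read", wrapped=seal(k_r, k).hex())

    def f(self, name):  # F tuple: file encrypted under k
        v, k, data, _ = self.files[name]
        return self._signed(t="F", file=name, v=v, ct=seal(k, data).hex())

    def revoke_role(self, r, name):  # role r loses the file: rekey the remaining roles and the file
        keep = [x for x in self.files[name][3] if x != r]
        for x in keep:
            self.set_role(x, self.roles[x][2])
        self.set_file(name, self.files[name][2], keep)

def read_file(sig_key, k_u, rk, fk, f):
    if not all(valid(sig_key, t) for t in (rk, fk, f)):
        raise ValueError("bad administrator signature")
    if (rk["role"], rk["v_r"]) != (fk["role"], fk["v_r"]) or (fk["file"], fk["v"]) != (f["file"], f["v"]):
        raise ValueError("stale tuple: version mismatch")
    k_r = unseal(k_u, bytes.fromhex(rk["wrapped"]))  # RK: k_u -> k_r
    k = unseal(k_r, bytes.fromhex(fk["wrapped"]))    # FK: k_r -> k
    return unseal(k, bytes.fromhex(f["ct"]))         # F:  k  -> plaintext
```

After `revoke_role`, a stale FK tuple fails the version check against the new F tuple, and the old symmetric key fails the tag check on the re-encrypted file.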
Fig. 6 illustrates the physical structure of a server. As shown in Fig. 6, the server may include: a processor 31, a communication interface 32, a memory 33 and a communication bus 34, where the processor 31, the communication interface 32 and the memory 33 communicate with each other via the communication bus 34. The processor 31 may call logic instructions in the memory 33 to perform the following method:
after the user is successfully registered, distributing to the user an encryption key k_u based on the user identity and a signing key s_u;
if the user is assigned to role r, generating a role-based key tuple for the user, the role-based key tuple comprising the encryption key k_r and the signing key s_r of role r, encrypted with the encryption key k_u, and an administrator signature;
if the permission to use the file is assigned to role r, generating a file tuple for role r, the file tuple comprising the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and the administrator signature.
In addition, the logic instructions in the memory 33 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented by a processor to perform the method provided by the foregoing embodiments, for example, including:
after the user is successfully registered, distributing to the user an encryption key k_u based on the user identity and a signing key s_u;
if the user is assigned to role r, generating a role-based key tuple for the user, the role-based key tuple comprising the encryption key k_r and the signing key s_r of role r, encrypted with the encryption key k_u, and an administrator signature;
if the permission to use the file is assigned to role r, generating a file tuple for role r, the file tuple comprising the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and the administrator signature.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An access control method, characterized in that the method comprises:
after the user is successfully registered, distributing to the user an encryption key k_u based on the user identity and a signing key s_u;
if the user is assigned to role r, generating a role-based key tuple for the user, the role-based key tuple comprising the encryption key k_r and the signing key s_r of role r, encrypted with the encryption key k_u, and an administrator signature;
if the permission to use the file is assigned to role r, generating a file tuple for role r, the file tuple comprising the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and the administrator signature.
2. The access control method of claim 1, further comprising:
the key and file tuples include: the version number of the symmetric key k and the version number of the role r.
3. The access control method of claim 2, further comprising:
if the permission of role r to use the file is revoked, generating a new symmetric key, updating the version number of the symmetric key, and updating the version number of the roles that are not revoked;
and encrypting the file with the new symmetric key and, for each role that is not revoked, encrypting the new symmetric key with the encryption key of the new version of that role, so as to generate a new file tuple and replace the original file tuple.
4. The access control method of claim 2, further comprising:
if the user u is deleted from the role r, updating the version number of the current role, generating an encryption key and a signature key of the new version role, generating a new key multi-tuple according to the encryption key of the new version role, and replacing the original key multi-tuple with the new key multi-tuple;
and generating a new symmetric key, updating the version number of the symmetric key, encrypting the file by using the new symmetric key, encrypting the new symmetric key by using the encryption key of the new version role, generating a new file tuple and replacing the original file tuple.
5. An access control method, characterized in that the method comprises:
after successful registration, obtaining from an administrator an encryption key k_u based on the user identity and a signing key s_u;
downloading a role-based key tuple and a file tuple, wherein, if the role of the user is r, the role-based key tuple comprises: the encryption key k_r and the signing key s_r of role r, encrypted with said encryption key k_u, and an administrator signature; the file tuple comprises the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and an administrator signature;
verifying, according to said signing key s_u, whether the administrator signatures in the key tuple and the file tuple are valid;
if the administrator signatures in the key tuple and the file tuple are valid, decrypting according to the encryption key k_u to obtain the encryption key k_r of role r;
decrypting according to the encryption key k_r of said role r to obtain the symmetric key k of the encrypted file, and decrypting according to the symmetric key k to obtain the file plaintext.
6. The access control method of claim 5, further comprising:
if the user writes the file, encrypting the written file with the symmetric key k, encrypting the symmetric key k with the encryption key k_r of role r, and generating a new file tuple to replace the original file tuple.
7. An access control apparatus, characterized in that the apparatus comprises:
an allocation unit, configured to distribute to the user, after the user is successfully registered, an encryption key k_u based on the user identity and a signing key s_u;
a first generating unit, configured to generate a role-based key tuple for a user if the user is assigned to role r, the role-based key tuple comprising the encryption key k_r and the signing key s_r of role r, encrypted with the encryption key k_u, and an administrator signature;
a second generating unit, configured to generate a file tuple for role r if the permission to use the file is assigned to role r, the file tuple comprising the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and the administrator signature.
8. An access control apparatus, characterized in that the apparatus comprises:
an acquisition unit, configured to obtain from the administrator, after successful registration, an encryption key k_u based on the user identity and a signing key s_u;
a downloading unit, configured to download a role-based key tuple and a file tuple, wherein, if the role of the user is r, the role-based key tuple comprises: the encryption key k_r and the signing key s_r of role r, encrypted with said encryption key k_u, and an administrator signature; the file tuple comprises the symmetric key k encrypted with the encryption key k_r of role r, the file encrypted with the symmetric key k, the operation permission allowed on the file, and an administrator signature;
a verification unit, configured to verify, according to the signing key s_u, whether the administrator signatures in the key tuple and the file tuple are valid;
a first decryption unit, configured to, if the administrator signatures in the key tuple and the file tuple are valid, decrypt according to the encryption key k_u to obtain the encryption key k_r of role r;
a second decryption unit, configured to decrypt according to the encryption key k_r of role r to obtain the symmetric key k of the encrypted file, and to decrypt according to the symmetric key k to obtain the file plaintext.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the access control method according to any of claims 1 to 6 are implemented when the processor executes the program.
10. A non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the access control method according to any one of claims 1 to 6.
CN201910654255.2A 2019-07-19 2019-07-19 Access control method and device Pending CN112241536A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910654255.2A CN112241536A (en) 2019-07-19 2019-07-19 Access control method and device

Publications (1)

Publication Number Publication Date
CN112241536A true CN112241536A (en) 2021-01-19

Family

ID=74167293

Country Status (1)

Country Link
CN (1) CN112241536A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination