CN114785622B - Access control method, device and storage medium for multi-identification network - Google Patents
Access control method, device and storage medium for multi-identification network Download PDFInfo
- Publication number
- CN114785622B CN114785622B CN202210700564.0A CN202210700564A CN114785622B CN 114785622 B CN114785622 B CN 114785622B CN 202210700564 A CN202210700564 A CN 202210700564A CN 114785622 B CN114785622 B CN 114785622B
- Authority
- CN
- China
- Prior art keywords
- target
- global
- attribute set
- attribute
- content
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0872—Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
Abstract
The application provides an access control method and related equipment of a multi-identification network, which can realize user revocation and decentralization at the same time, and avoid possible single-point faults. The method comprises the following steps: determining a global public parameter and a master key by the multi-identification system node according to the group generator and the global attribute set, wherein the multi-identification system node is any one node in a multi-identification system network; the multi-identification system node determines an attribute set private key according to the global public parameter, the user global unique identification, the master key, the current time period and the global attribute set; the multi-identification system node determines a target ciphertext according to the global public parameter, the target content plaintext, the access structure of the plaintext and the current time period; and the multi-identification system node sends the target ciphertext, the attribute set private key and the global public parameter to the terminal equipment corresponding to the target user so as to decrypt the target ciphertext and obtain a decryption result.
Description
Technical Field
The present application relates to the field of multiple identity networks, and in particular, to a method, an apparatus, and a storage medium for controlling access to a multiple identity network.
Background
The multi-identification network system is a novel network system proposed in 2019, and aims to break the embarrassing situation that a top-level domain name of a traditional Internet Protocol (IP) network is controlled by a single organization. Multiple network addressing identifications including but not limited to identity identification, content identification, ground and air identification, IP identification and the like can be compatible in the multi-identification network system. A user of an access Network must embed an identity distributed by a Multi-Identifier System (MIS) in a Network packet, otherwise the Network packet cannot be forwarded, i.e. the identity is the core identity of a Multi-Identifier Network (MIN).
In the content transmission process of the multi-identification network system, content blocks are often stored in a network node in a plaintext form, which may cause a security problem, so that the content in the network node should cache a ciphertext. In a one-to-one communication mode, a content provider can choose to encrypt the content by using a traditional symmetric key, so as to ensure the security and privacy of data. However, in the MIN scenario, if the conventional encryption scheme is used, the ciphertexts of different users requesting the same content block will be different, in which case the Multi-Identifier Router (MIR) caching function fails, and the MIN-efficient network distribution function will also deteriorate.
Disclosure of Invention
The application provides an access control method, an access control device and a storage medium of a multi-identification network, which are used for realizing user revocation and decentralization by introducing a parameter of a time period to participate in the generation of a secret key and the encryption of contents, and avoiding possible single-point faults.
A first aspect of the present application provides an access control method for a multiple identity network, including:
if a multi-identification system node receives a key generation request, the multi-identification system node acquires a group generation element and a global attribute set corresponding to a cyclic group, wherein the multi-identification system node is any one node in a multi-identification system network;
the multi-identification system node determines a global public parameter and a master key according to the group generator and the global attribute set;
the multi-identification system node determines an attribute set private key corresponding to the target user in the current time period according to the global public parameter, the global unique identification corresponding to the target user, the master key, the current time period and the global attribute set;
the multi-identification system node determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext and the current time period;
and the multi-identification system node sends the target ciphertext, the attribute set private key and the global public parameter to a terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set and the global public parameter to obtain a decryption result, wherein the target attribute set is an attribute set corresponding to the target user.
A second aspect of the present application provides an access control method for a multiple identity network, including:
the method comprises the steps that terminal equipment sends a key generation request to a multi-identification system node, so that the multi-identification system node obtains a group generation element and a global attribute set corresponding to a cyclic group, determines a global public parameter and a master key according to the group generation element and the global attribute set, determines an attribute set private key corresponding to a target user according to the global public parameter, a global unique identifier corresponding to the target user, the master key, a current time period and the global attribute set, determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext and the current time period, and returns the target ciphertext, the attribute set private key and the global public parameter;
the terminal equipment receives the target ciphertext, the attribute set private key and the global public parameter which are sent by the multi-identification system node;
and the terminal equipment decrypts the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result.
A third aspect of the present application provides a multi-identity system node, comprising:
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a group generating element and a global attribute set corresponding to a cyclic group when a key generation request is received, and the multi-identification system node is any one node in a multi-identification system network;
a first determining unit, configured to determine a global public parameter and a master key according to the group generator and the global attribute set;
a second determining unit, configured to determine, according to the global public parameter, a global unique identifier corresponding to a target user, the master key, a current time period, and the global attribute set, an attribute set private key corresponding to the target user in the current time period;
a third determining unit, configured to determine a target ciphertext corresponding to the target content plaintext according to the global common parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period;
and the sending unit is used for sending the target ciphertext, the attribute set private key and the global public parameter to a terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set and the global public parameter to obtain a decryption result, and the target attribute set is an attribute set corresponding to the target user.
A fourth aspect of the present application provides a terminal device, including:
a sending unit, configured to send a key generation request to a multi-identification system node, so that the multi-identification system node obtains a group generator and a global attribute set corresponding to a cyclic group, determines a global public parameter and a master key according to the group generator and the global attribute set, determines an attribute set private key corresponding to a target user according to the global public parameter, a global unique identifier corresponding to the target user, the master key, a current time period, and the global attribute set, determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period, and returns the target ciphertext, the attribute set private key, and the global public parameter;
a receiving unit, configured to receive the target ciphertext, the attribute set private key, and the global public parameter sent by the multi-identity system node;
and the decryption unit is used for decrypting the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result.
A fifth aspect of embodiments of the present application provides a computer device, which includes at least one connected processor, a memory and a transceiver, where the memory is configured to store program codes, and the processor is configured to call the program codes in the memory to perform the steps of the method for controlling access to a multi-identity network according to the first aspect.
A sixth aspect of the embodiments of the present application provides a computer storage medium, which includes instructions that, when executed on a computer, cause the computer to perform the steps of the method for controlling access to a multiple identity network according to the first aspect.
Compared with the related technology, in the embodiment provided by the application, the parameter of the time period is introduced to participate in the generation of the key and the encryption of the content, so that the user revocation is realized, meanwhile, each attribute mechanism is deployed on the MIS node, the original single attribute mechanism is expanded into a multi-attribute mechanism, the decentralization is realized, and the possible single-point fault is avoided.
Drawings
Fig. 1 is a network architecture diagram of a multi-identifier network architecture according to an embodiment of the present application;
fig. 2 is a schematic diagram of a complete forwarding flow of an MIR according to an embodiment of the present application;
fig. 3 is a schematic flowchart of ciphertext policy attribute encryption provided in the embodiment of the present application;
fig. 4 is a schematic flowchart of encryption of key policy attributes provided in an embodiment of the present application;
fig. 5 is a schematic view of an application scenario for encryption based on ciphertext policy attribute according to an embodiment of the present application;
fig. 6 is a schematic diagram of a MIN cache content access control model provided in an embodiment of the present application;
fig. 7 is a schematic flowchart of an access control method for a multiple identity network according to an embodiment of the present application;
fig. 8 is another schematic flowchart of an access control method for a multiple identity network according to an embodiment of the present application;
fig. 9 is another schematic flowchart of an access control method of a multiple identity network according to an embodiment of the present application;
fig. 10 is a schematic view of a virtual structure of a multi-identity network node according to an embodiment of the present application;
fig. 11 is a schematic view of a virtual structure of a terminal device according to an embodiment of the present application;
fig. 12 is a schematic hardware structure diagram of a multi-identity network node according to an embodiment of the present disclosure;
fig. 13 is a schematic hardware structure diagram of a terminal device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
Referring to fig. 1, fig. 1 is a network architecture diagram of a multi-identifier network system according to an embodiment of the present application, where the multi-identifier network system divides a network into two mutually supporting components: a management plane and a data plane, which are respectively explained in detail below:
in a management plane, a federation block chain is built by taking a Parallel voting Proof algorithm (Parallel Proof of Vote, PPoV) as a core, a network space is subdivided into top-down hierarchical network domains, and a decentralized network identification management and analysis system, namely MIS, is constructed. MIS provides the ability for multiple participants to manage and manage equally, besides managing and analyzing network identification, it also bears the responsibilities of user identity management and providing reliable trust root, etc., a new user who wants to access the multi-identification network must first perform identification registration through MIS, otherwise the sent MIN network packet cannot pass the authentication of MIR.
In the data plane, the interconnected MIRs are used as the core of the data plane to form a data transmission plane supporting multiple network identifications and push-pull communication semantics. The MIR is an indispensable component of a data plane and bears the works of network packet forwarding, content caching, user identity authentication, inter-translation among different network identifications and the like.
In the multi-identifier network, in order to meet different network requirements in different scenes, two complementary communication semantics are designed, which are push-type communication semantics and pull-type communication semantics respectively, and the push-type semantics and the pull-type semantics are described in detail respectively as follows:
push communication semantics, which are the most intuitive communication method dominated by the sender, can easily implement peer-to-peer communication between nodes in a network. In MIN, a generic push packet is used to meet the requirements of push communication semantics. Similar to IP, a general push packet needs to add a source identifier and a destination identifier to a network packet, where the source identifier is used to tell the communication node the network identifier of the sender of the network packet, and the multi-identifier router forwards the network packet to a next-hop router after reading out the destination identifier from the TLV structure. In the push communication semantics of MIN, route forwarding is stateless, because the MIR can Forward the generic push packet by querying a routing Information table (FIB), and neither needs to store the related Information of the network packet nor needs to modify any table entry.
The pull-type communication semantics in MIN, in which MIN no longer focuses on point-to-point communication between two communicating parties, but focuses on the content in the communication process, is a communication mode driven by the data recipient. In modern internet environments, the two communicating parties are not usually peer-to-peer and can be separated into a requestor of content and a creator of content, so MIN defines both parties in pull communication as a producer and consumer of content. The method comprises the steps that a consumer sends an interest packet to an MIN network, an MIR forwards the interest packet to any network node which can meet the request, but not necessarily to a content producer node, the node which can meet the interest packet request takes out content from a cache space of the network node and encapsulates the content into a data packet, and the data packet is sent back to the consumer according to a forwarding original path. The communication mode decouples the content, the content producer and the content position, and is beneficial to reducing the overall network flow.
Aiming at the characteristics of two communication semantics of pushing and pulling, the multi-identification router designs four data structures for the efficient forwarding of network packets: respectively, a Content Store (CS), a Pending Interest Table (PIT), a policy Table (ST), and a Forwarding Information Base (FIB), which are described below:
the data structure of the content repository serves pull-type communication, and when the producer of the content returns a content data packet along the request path, the MIR can decide whether to cache the content in the content repository according to an algorithm. Generally, the content stored in the content repository takes the data packet as the minimum unit, and a small amount of research will store the complete content data in the content repository. The existence of the content repository allows the consumer's request to be satisfied at the MIR without having to send the request to the producer's server. The content is cached in the MIR, and the design mode relieves the binding relation between the content and the position and endows the multi-identification network with the capacity of efficiently distributing the content.
The data structure of the undetermined interest table serves pull-type communication, and the table entry of the undetermined interest table can record the transfer-in Logic interface (Logic Face) and the transfer-out Logic interface (Logic Face) of the interest packet and a destination identifier, so that the data packet can be conveniently returned according to the original path. When there are multiple interest packets requesting the same content sent to the MIR, some and only the first arrived interest packet will be forwarded to the next hop by the MIR, and the remaining interest packets will only insert the information to be recorded into the PIT entry, which is the aggregation function of the PIT. The aggregation function can significantly reduce repeated requests for the same content, while also giving the multi-identity network the ability to efficiently distribute content.
The policy table can separately set different routing modes for destination identifiers of different prefixes. The routing strategy of the MIR can influence the selection of the forwarding outlets of interest packets and general push packets, so that the forwarding paths of the interest packets and the general push packets are changed. Similarly, the policy table applies a longest prefix matcher for the MIR to quickly retrieve the routing policy applied to forward the network packet.
And forwarding the information table. The forwarding information table serves two different communication semantics, push and pull. The FIB is used for managing forwarding paths of interest packets and general push packets, and each FIB entry stores a list of logical interfaces that can be forwarded. For each interest packet and general push packet entering the MIR, a corresponding table entry is inquired in the FIB according to the longest prefix matching principle.
Referring to fig. 2, fig. 2 is a schematic diagram of a complete forwarding flow of an MIR according to an embodiment of the present application, and as shown in fig. 2, in addition to the four data structures, a packet verifier and an identifier selector are further introduced into the MIR.
The packet verifier is a first module which needs to enter after the MIR receives the network packet, the packet verifier can read the identification information of the identification area in the MIN network packet, and the next forwarding process can be entered if and only if the identification can be approved by the MIR and the check label passes. MIR employs a collaborative Pool (Goroutine Pool) to concurrently sign MIN network packets. On the premise of ensuring the security of the MIN network, the working efficiency of the MIR is improved as much as possible. And the identification selector identifies the MIN network packet as an interest packet, a data packet or a general push packet by reading the identification, and then the network packet enters a corresponding forwarding process.
The forwarding flow of the interest packet is relatively the most complex, firstly, whether the content which can meet the request exists in a content warehouse of an MIR is checked, if the content is searched, the content is taken out from the cache space and packaged into a data packet, and the data packet is directly returned according to the original route; if the content can not be satisfied in the content warehouse, inquiring the PIT table, and if finding that the interest packages requesting the same content exist, only inserting a logic interface which should be returned into the entry; and if the table entry corresponding to the identifier of the interest packet cannot be found in the PIT, creating a PIT table entry insertion table according to the information of the interest packet, then inquiring a logic interface corresponding to a next hop MIR capable of forwarding the identifier in the FIB, and finally forwarding the interest packet. If the query in the FIB is not available, the MIR can not forward the interest packet, and NACK is returned or discarded along the transmission path of the interest packet.
For a data packet, firstly, querying a corresponding PIT table entry in the PIT according to the identification name, if the query is not successful, indicating that a problem occurs in the forwarding process, and discarding the data packet; if the data packet can be inquired, the data packet is forwarded to the MIR corresponding to the logical interface according to the logical interface number in the PIT table item. And simultaneously, the content in the data packet is cached in a content warehouse according to a content caching algorithm before forwarding.
The push type semantic transmission in the MIN network is a stateless transmission process, so that the general push packet only needs to inquire the FIB of the MIR and forward the general push packet to a corresponding logic interface in an FIB table item; if the corresponding table entry is not inquired in the FIB, the MIR does not have the rule for forwarding the network packet, and the general push packet is discarded.
In the process of transmitting the content in the multi-identification system, the content block is usually stored in each multi-identification system node in a plaintext form, which causes a security problem, so that the content in each multi-identification system node should cache the ciphertext. In a one-to-one communication mode, a content provider can choose to encrypt the content by using a traditional symmetric key, so as to ensure the security and privacy of data. However, in the MIN scenario, if the conventional encryption scheme is used, different users may request different ciphertexts for the same content block, in which case the MIR caching function is disabled, and the MIN-efficient network distribution function will also be degraded.
In the scheme of attribute encryption, a group of attribute lists can be regarded as the identity of a user, the user has a group of public key sets corresponding to the attribute lists one by one, and simultaneously, a ciphertext is also related to a group of attribute sets representing an access structure. The plaintext can be accurately acquired only when the attribute list of the user can meet the requirement of the access structure of the ciphertext. The fine-grained access control capability possessed by attribute encryption can be applied to one-to-many content encryption and decryption scenes.
Current attribute encryption can be subdivided into two different directions: (a) Ciphertext-Policy Attribute Encryption (CP-ABE) Ciphertext CT is associated and bound with an access structure a in the CP-ABE, an Attribute list is associated and bound with a key, and the Ciphertext is allowed to be decrypted only when an Attribute set meets the requirement of the access structure, as shown in fig. 3. (b) Key-Policy Attribute-based Encryption (KP-ABE). An attribute list is embedded in a ciphertext CT in KP-ABE, at this time, an access structure and a key are associated and bound with each other, and when the attribute list of the ciphertext meets the requirement of the access structure A, the ciphertext is allowed to be decrypted, as shown in FIG. 4.
The following three modules are used as the core of the CP-ABE scheme, and a system model for fine-grained access control and content privacy protection is jointly established: content Providers (CPs), Attribute Authorities (AAs), and consumers (consumers). Where the attribute authority is considered to be a completely trusted authority, it first distributes the system public key to the content provider and the attribute private key according to the consumer's attribute list. The content provider integrates the original data into ciphertext according to different access policies A, and only consumers who satisfy the access structure A can decrypt the ciphertext, for example, in FIG. 5, the content provider restricts the access policyThe content provider's content can be decrypted by Alice and Carol but not by Bob, depending on whether their attribute list satisfies the access policy.
The in-network cache in the MIN system can decouple the binding position relationship between the content and the content provider, and the performance of the network is obviously improved. However, while the efficiency is increased, the content is cached in the network node MIR which is seen everywhere in the network, which results in that the content provider cannot manage the cached content, the content is stored in the MIR in a clear text form before any processing is not performed, and any user can request the content without any access control as long as the user knows the identification of the content. The privacy of the content cannot be guaranteed, and the safety degree of the network is greatly reduced. While the traditional symmetric/asymmetric encryption algorithm can achieve a better privacy protection effect in point-to-point communication, in the process of MIN pull-type semantic transmission, the cache function cannot be used by using a one-to-one encryption algorithm, which is an irreconcilable contradiction between one-to-one encryption and one-to-many content transmission.
Therefore, in order to realize privacy protection and fine-grained access control of contents in MIN pull-type semantic transmission, CP-ABE is adopted as an encryption algorithm of the system, fine-grained access control of different users can be realized, and the characteristic that contents only need to be encrypted once ensures that a cache mechanism of MIR can also work normally. The method is improved on the basis of T-CP-ABE, and the parameter of time period is introduced into the algorithm to participate in the generation of the key and the encryption of the content, so that the user revocation is realized. And the content level revocation is realized by using the cache timing deleting function of the MIR. And in combination with the MIS block chain, each attribute mechanism is deployed on the MIS node, and the original single attribute mechanism is expanded into a multi-attribute mechanism, so that decentralization is realized, and possible single-point faults are avoided. Therefore, the access control method of the multi-identification network provided by the embodiment of the application can realize fine-grained access control and privacy protection of cached content, and also has the functions of a multi-attribute mechanism, and the functions of revocation and traceability.
Referring to fig. 6, fig. 6 is a schematic diagram of a MIN cache content access control model according to an embodiment of the present application, where the MIN cache content access control model is composed of the following entities: content Provider (CP), Content Consumer (CC), Multi-identity Router (MIR), Attribute Agency (AA).
Content Provider (CP): the content provider sets different access policies for different contents, and encrypts the contents according to the access policies and the identifiers corresponding to the current time period. Due to the characteristics of the MIR, after the encrypted content is encapsulated in the data packet, the expiration time of the content can be set therein, and if the expiration time is aligned with the time period, it can be ensured that the previous encrypted data is not stored in the in-network cache, and thus a request for actively replacing the content which should be re-encrypted does not need to be initiated to the MIR.
Content Consumer (CC): each content consumer will have a globally defined identity UUID assigned by the MIS, which is the basis for a user to join a multi-identity network, on which the content consumer is also assigned a set of attributes. The content consumer applies attribute private keys to a plurality of attribute mechanisms, decrypts the content acquired from the MIR or the content provider by using the private keys, and can acquire the plaintext only when the attribute of the consumer can meet the requirement of the access structure of the content and the time period when the private keys are generated is the same as the time period when the ciphertext is encrypted, otherwise, the ciphertext cannot be decrypted.
Multi-identity Router (MIR): the multi-identification router has the functions of forwarding, routing and caching. The content in the data packet is transparent to the MIR, and even if the content of the data packet is stored in an encrypted manner, the caching function of the MIR is not affected. During caching, the fresh period field filled by the content provider will affect the time when the cache exists, and the content outside the time range will be rejected from the cache space. In this solution, the fresh period field is set as the deadline of this time period, so as to ensure that the MIR does not cache the encrypted content in the last time period in this time period.
Attribute Authority (AA): in this access control model, there are multiple attribute authorities, each of which runs on a MIS node, the AA on the MIS sharing the same global public parameters and master key during initialization. Although the attribute mechanism can run on the chain to ensure data unification, the attribute mechanism is designed into a scheme without data synchronization, all attribute mechanisms manage a piece of attribute space together, when the AA receives a key generation request, a log for generating the key is sent to the block chain, and after all nodes synchronize the operation, the AA sends the generated key to a consumer so as to ensure that the authorization operation of each attribute can be traced back. From a consumer's perspective, each AA can be considered to provide the same quality key generation service, which can be considered as a whole.
MIS: MIS as part of a multiple identity network also assumes corresponding responsibility in this application. Each AA runs on an MIS node, the MIS block chain also endows the AA with collusion resistance, and the MIS can store public parameters and logs of key authorization in the block chain to ensure that the logs are not tampered. And the MIS will provide synchronized time period identification for the AA and CP.
The following describes an access control method for a multi-identity network from the perspective of a multi-identity system node, where the multi-identity system node may be a server, or a service unit in the server, and is not particularly limited.
Referring to fig. 7, fig. 7 is a schematic flowchart of an access control method of a multi-identity network according to an embodiment of the present application, including:
701. and if the multi-identification system node receives the key generation request, the multi-identification system node acquires the group generation element and the global attribute set corresponding to the cyclic group.
In this embodiment, in the multi-identifier access control model, there are multiple attribute authorities, each authority will operate on a multi-identifier system MIS node, the AA on the MIS node shares the same global public parameter and master key at the initialization stage, and if the MIS node receives a key generation requestAfter the calculation, a group generator and a global attribute set corresponding to the cyclic group may be obtained, where the group generator is a parameter with a curveThe curve parameter ofThe method comprises the steps of obtaining a plurality of MIS nodes, wherein the MIS nodes are distributed in a distributed manner, the distributed manner comprises the number of prime numbers and the number of bits of each prime number, the global attribute set is all attribute sets corresponding to the MIS nodes, the MIS nodes are any one node in a multi-identification system network, namely the MIS nodes comprise a plurality of MIS nodes, and the MIS nodes can be communicated with one another. The multi-identity system node may be based onObtaining the mapping relation between the elliptic curve and the bilinearAll elements in the elliptic curve are cyclic groupsThe set of attributes may be determined by a common negotiation of all block chain nodes.
702. And the multi-identification system node determines a global public parameter and a master key according to the group generating element and the global attribute set.
In this embodiment, after acquiring the group generator and the global attribute set corresponding to the cyclic group, the multi-identifier system node may determine the global public parameter and the master key according to the group generator and the global attribute set, and specifically may determine the global public parameter and the master key by the following formulas:
wherein the content of the first and second substances,in order to be a global common parameter,,are respectively the prime numbers which are different from each other,respectively, a cyclic group with a level of N,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,,is composed ofThe elements (A) and (B) in (B),,is a positive integer which is a multiple of,,in order to be a set of global properties,,in order to be able to use said master key,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aIndividual subgroups.
It is to be noted thatSelecting a hash function,The method is modeled as a random prediction model, specifically, a positive integer is randomly generated, and then a mapping between the current time period and the positive integer is established. In addition, after the multi-identification system node generates the global public parameter, the global public parameter can be stored in the MIS block chain, and the MSK is sent to other MIS nodes through the encrypted communication tunnel.
703. And the multi-identification system node determines an attribute set private key corresponding to the target user according to the global public parameter, the global unique identification corresponding to the target user, the master key, the current time period and the global attribute set.
In this embodiment, the multi-identifier system node determines the attribute set private key corresponding to the target user according to the global public parameter, the global unique identifier corresponding to the target user, the master key, the current time period, and the global attribute set, and specifically, may determine the attribute set private key corresponding to the target user in the current time period according to the following formula:
wherein the content of the first and second substances,in order to be a global common parameter,is the global unique identification corresponding to the target user,for the set of target attributes to be used,is a master key to be used as a master key,as a result of the current time period,the attribute set private key corresponding to the target user in the current time period,the definition is as follows:
wherein the content of the first and second substances,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofThe elements in (A) and (B) are selected,is composed ofTo (1) aThe number of the sub-groups,for a cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,in order to target the set of attributes,,、、、、and, andfor the attribute private key parameter to be,is a self-defined variable.
It should be noted that after the multi-identification system node determines the attribute set private key corresponding to the target user in the current time period, if the multi-identification system node determines that the attribute set private key corresponds to the target user in the current time period, the multi-identification system node determines that the attribute set private key corresponds to the target user in the current time periodOrThen re-randomly selectAnd recalculated. The multi-identification system node can be used for calculating the data of the system nodeGlobally unique identification with target userThe mapping relationship of (a) is stored in the MIS blockchain, and the generated key is not stored in the blockchain.
704. And the multi-identification system node determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period.
In this embodiment, the multi-identifier system node determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext, and the current time period, and specifically, may generate the target ciphertext according to the following formula:
wherein the content of the first and second substances,in the case of the target cipher-text,、、、andas the parameter of the cipher-text,to access a structure, the access structure isIs determined by the two-dimensional matrix of (a),for the ith row in the access structureMapping to attributesThe mapping function of (a) is selected,in order to have the target content in clear text,is composed ofThe bilinear mapping of the image to be displayed,for the cyclic group of order N,,is a positive integer and is a non-zero integer,is a vectorThe elements (A) and (B) in (B),,are all positive integers which are randomly selected,is composed ofThe generation element(s) of (a),is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aThe number of the sub-groups,,are randomly assigned parameters, and,is a global set of attributes.
705. And the multi-identification system node sends the target ciphertext, the attribute set private key and the global public parameter to the terminal equipment corresponding to the target user.
In this embodiment, after encrypting a target content plaintext to obtain a target ciphertext, the multi-identifier system node may send the target ciphertext, the attribute set private key, and the global public parameter to the terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set, and the global public parameter to obtain a decryption result, where the target attribute set is an attribute set corresponding to the target user.
It should be noted that the multi-identifier system node may also trace back the UUID of the consumer corresponding to the key, specifically, the multi-identifier system node verifies the integrity of the target attribute key, and the target attribute key is a leaked key; if the integrity of the target attribute key passes the verification, the multi-identification system node determines the attribute private key parameter from the target attribute key(ii) a And according to the attribute private key parameterAnd determining the global unique identification corresponding to the leaked key. That is, when the multi-identification system node is tracked, firstly checking the integrity of the key to be tracked, if the key is not complete, outputting the key to indicate that the user who reveals the key cannot be traced, and if the target attribute key is complete, firstly searching attribute key parameters in the keyAnd is combined withAssignment of valueThen in MIS block chainAndthe UUID of the user who has leaked the key can be obtained by searching in the mapping table. The multi-identity system node can verify the integrity of the target attribute key through the following formula:
Wherein the content of the first and second substances,,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,,、、、、and, andfor the attribute private key parameter to be,is a variable which is self-defined,the cyclic groups of order N, respectively,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,for the set of target attributes to be used,is the current time period.
In addition, the multi-identification system node can delete the cache in the last time period through the cache expiration function of the multi-identification router, so that the revocation of content and user levels and the tracing of the leaked key are realized.
In summary, it can be seen that in the embodiment provided by the application, a parameter of a time period is introduced to participate in the generation of a key and the encryption of content, so that user revocation is realized, and meanwhile, each attribute mechanism is deployed on an MIS node, so that an original single attribute mechanism is expanded into a multi-attribute mechanism, thereby realizing decentralization and avoiding a single point of failure which may occur.
The access control method of the multi-identity network according to the embodiment of the present application is described above from the perspective of a multi-identity system node, and is described below from the perspective of a terminal device.
Referring to fig. 8, fig. 8 is another schematic flow chart of an access control method of a multi-identity network according to an embodiment of the present application, including:
801. the terminal device sends a key generation request to the multi-identity system node.
In this embodiment, the terminal device is a device corresponding to a target user, and the terminal device may send a key generation request to refer to a multi-identification system node, so that the multi-identification system node obtains a group generator and a global attribute set corresponding to a cyclic group, determines a global public parameter and a master key according to the group generator and the global attribute set, determines an attribute set private key corresponding to the target user according to the global public parameter, a global unique identifier corresponding to the target user, the master key, a current time period, and the global attribute set, determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period, and returns the target ciphertext, the attribute set private key, and the global public parameter.
It should be noted that, the above-mentioned detailed description has been given on how the multi-identifier system node obtains the group generator and the global attribute set, how to determine the global public parameter and the master key according to the group generator and the global attribute set, how to determine the attribute set private key corresponding to the target user according to the global public parameter, the global unique identifier corresponding to the target user, the master key, the current time period, and the global attribute set, and how to determine the target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext, and the current time period, and is not repeated herein.
802. And the terminal equipment receives the target ciphertext, the attribute set private key and the global public parameter sent by the multi-identification system node.
803. And the terminal equipment decrypts the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result.
In this embodiment, the terminal device may encrypt the target ciphertextIs subdivided into several parts, denotedThe attribute set private key of the target user is noted asFirstly, judging whether the target attribute set corresponding to the target user accords with the target ciphertext or notAccess structure ofIf the target content does not meet the requirement (1), outputting the target content, and if the target content does meet the requirement (1), decrypting the target ciphertext according to the following formula to obtain the target contentThe method comprises the following steps:
wherein the content of the first and second substances,in the clear for the target content in question,as the parameter of the cipher-text,,andfor intermediate parameters, the determination is made by the following formulaAnd:
wherein the content of the first and second substances,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,for a cyclic group of order N,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),,,is a positive integer which is a multiple of,in order to be a function of the hash function,for the target attribute setThe (c) th attribute of (a),andis prepared by reacting withThe different ciphertext parameters may be different for each of the ciphertext parameters,, ,,,for the ith row in the access structure, the access structure isIs determined by the two-dimensional matrix of (a),as the vectorThe elements in (A) and (B) are selected,,all are randomly selected positive integers;
andfor the attribute private key parameter to be,as a parameter of the ciphertext,Is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The individual subgroups.
In summary, it can be seen that in the embodiment provided by the application, a parameter of a time period is introduced to participate in generation of a secret key and encryption of content, so that user revocation is achieved, meanwhile, each attribute mechanism is deployed on an MIS node, an original single attribute mechanism is expanded into a multi-attribute mechanism, decentralization is achieved, single-point faults which may occur are avoided, meanwhile, the secret key and a ciphertext which include the time period are sent to a terminal device, the terminal device decrypts the ciphertext, it is guaranteed that only the secret key of the current time period can decrypt the ciphertext of the current time period, and safety of information transmission is improved.
Referring to fig. 9, fig. 9 is another schematic flow chart of an access control method of a multi-identity network according to an embodiment of the present application, which includes:
901. the terminal device sends a key generation request to the multi-identity system node.
902. And the multi-identification system node acquires a group generator and a global attribute set corresponding to the cyclic group.
903. And the multi-identification system node determines a global public parameter and a master key according to the group generating element and the global attribute set.
904. And the multi-identification system node determines an attribute set private key corresponding to the target user according to the global public parameter, the global unique identification corresponding to the target user, the master key, the current time period and the global attribute set.
905. And the multi-identification system node determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period.
906. And the multi-identification system node sends the target ciphertext, the attribute set private key and the global public parameter to the terminal equipment corresponding to the target user.
It should be noted that steps 902 to 906 are similar to steps 701 to 705 in fig. 7, and detailed description has already been made in fig. 7, and details are not repeated here.
907. And the terminal equipment decrypts the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result.
It should be noted that step 907 is similar to step 803 in fig. 8, and the detailed description has already been made in fig. 8, and is not repeated here.
In summary, it can be seen that in the embodiment provided by the application, a parameter of a time period is introduced to participate in generation of a secret key and encryption of content, so that user revocation is achieved, meanwhile, each attribute mechanism is deployed on an MIS node, an original single attribute mechanism is expanded into a multi-attribute mechanism, decentralization is achieved, single-point faults which may occur are avoided, meanwhile, the secret key and a ciphertext which include the time period are sent to a terminal device, the terminal device decrypts the ciphertext, it is guaranteed that only the secret key of the current time period can decrypt the ciphertext of the current time period, and safety of information transmission is improved.
The embodiments of the present invention are described above from the perspective of a control method for a multiple identity network, and the embodiments of the present invention are described below from the perspective of a multiple identity system node and a terminal device.
Referring to fig. 10, fig. 10 is a schematic view of a virtual structure of a multi-id system node according to an embodiment of the present application, where the multi-id system node 1000 includes:
an obtaining unit 1001, configured to obtain a group generator and a global attribute set corresponding to a cyclic group when a key generation request is received, where the multi-identity system node is any one node in a multi-identity system network;
a first determining unit 1002, configured to determine a global public parameter and a master key according to the group generator and the global attribute set;
a second determining unit 1003, configured to determine, according to the global public parameter, the global unique identifier corresponding to the target user, the master key, the current time period, and the global attribute set, an attribute set private key corresponding to the target user in the current time period;
a third determining unit 1004, configured to determine a target ciphertext corresponding to the target content plaintext according to the global common parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period;
a sending unit 1005, configured to send the target ciphertext, the attribute set private key, and the global public parameter to a terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set, and the global public parameter, to obtain a decryption result, where the target attribute set is an attribute set corresponding to the target user.
In one possible design, the first determining unit 1002 is specifically configured to:
determining the global public parameter and the master key by:
wherein the content of the first and second substances,for the purpose of the global common parameter,,are respectively the prime numbers which are different from each other,the cyclic groups of order N, respectively,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,,,is a positive integer and is a non-zero integer,,in order for the set of global properties to be described,,in order to be able to use said master key,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aThe individual subgroups.
In one possible design, the second determining unit 1003 is specifically configured to:
determining the attribute set private key by the following formula:
wherein the content of the first and second substances,for the purpose of the global common parameter,is the global unique identification corresponding to the target user,for the set of target attributes to be used,in order to be able to use said master key,for the purpose of said current time period,the attribute set private key corresponding to the target user in the current time period,the definition is as follows:
wherein the content of the first and second substances,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,for the set of target attributes to be used,,、、、、and, andis the attribute private key parameter that is,is a self-defined variable.
In one possible design, the third determining unit 1004 is specifically configured to:
generating the target ciphertext by:
wherein the content of the first and second substances,in the form of the target ciphertext,、、、andas the parameter of the cipher-text,for the access structure, the access structure isIs determined by the two-dimensional matrix of (a),for the ith row in the access structureMapping to attributesThe mapping function of (a) is selected,for the target content plaintext,Is composed ofThe bilinear mapping of the image to be displayed,for the cyclic group of order N,,is a positive integer and is a non-zero integer,is a vectorThe elements (A) and (B) in (B),,are all positive integers which are randomly selected,is composed ofThe generation element of (a) is generated,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aThe number of the sub-groups,,are randomly assigned parameters, and,is a global set of attributes.
In one possible design, the multi-identity network node 100 further includes:
a tracking unit 1006, the tracking unit 1006 being configured to:
verifying the integrity of a target attribute key, wherein the target attribute key is a leaked key;
if the integrity verification of the target attribute key passes, determining attribute private key parameters from the target attribute key;
According to the attribute private key parameterAnd determining the global unique identification corresponding to the target attribute key.
In one possible design, the tracking unit 1006 is specifically configured to:
verifying the integrity of the target attribute key by the following formula:
Wherein the content of the first and second substances,,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofToThe number of the sub-groups,,,、、、、and, andfor the attribute private key parameter to be,is a variable which is self-defined,the cyclic groups of order N, respectively,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element(s) of (a),is composed ofTo (1) aThe number of the sub-groups,in order for the set of target properties to be described,is the current time period.
Referring to fig. 11, fig. 11 is a schematic view of a virtual structure of a terminal device according to an embodiment of the present application, where the terminal device 1100 includes:
a sending unit 1101, configured to send a key generation request to a multi-identification system node, so that the multi-identification system node obtains a group generator and a global attribute set corresponding to a cyclic group, determines a global public parameter and a master key according to the group generator and the global attribute set, determines an attribute set private key corresponding to a target user according to the global public parameter, a global unique identifier corresponding to the target user, the master key, a current time period, and the global attribute set, determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period, and returns the target ciphertext, the attribute set private key, and the global public parameter;
a receiving unit 1102, configured to receive the target ciphertext, the attribute set private key, and the global public parameter sent by the multi-identity system node;
a decryption unit 1103, configured to decrypt the target ciphertext according to the attribute set private key and the global public parameter, so as to obtain a decryption result.
In one possible design, the decryption unit 1103 is specifically configured to:
if the attribute set meets the requirement of the target access structure, decrypting the target ciphertext through the following formula to obtain the target content plaintext:
wherein the content of the first and second substances,in the clear for the target content in question,as the parameter of the cipher-text,,andfor intermediate parameters, the determination is made by the following formulaAnd:
wherein the content of the first and second substances,is composed ofThe bilinear mapping of (a) is performed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,for a cyclic group of order N,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),,,is a positive integer which is a multiple of,in order to be a function of the hash function,is the target attribute setThe (c) th attribute of (a),andis and isThe different ciphertext parameters may be different for each of the ciphertext parameters,, ,,,for the ith row in the access structure, the access structure isIs determined by the two-dimensional matrix of (a),is the vectorThe elements (A) and (B) in (B),,all are randomly selected positive integers;
andfor the attribute private key parameter to be,as a parameter of the ciphertext,Is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)Individual subgroups.
The embodiment of the application also provides computer equipment. The multi-identification system node provided by the embodiment of the application can be deployed on the computer equipment. Fig. 12 illustratively provides a possible architecture diagram for a computer device. As shown in fig. 12, the computer device 1200 may include a processor 1201, a memory 1202, a communication interface 1203, and a bus 1204. In the computer device, the number of the processors 1201 may be one or more, and fig. 12 illustrates only one of the processors 1201. Alternatively, the processor 1201 may be a Central Processing Unit (CPU). If the computer device has multiple processors 1201, the types of the multiple processors 1201 may be different, or may be the same. Optionally, multiple processors of the computer device may also be integrated into a multi-core processor.
The communication interface 1203 may be any one or any combination of the following devices: network interface (such as Ethernet interface), wireless network card, etc.
The communication interface 1203 is used for data communication of the computer device with other nodes or other computer devices.
Fig. 12 also illustratively depicts bus 1204. The bus 1204 may connect the processor 1201 with the memory 1202 and the communication interface 1203. Thus, the processor 1201 has access to the memory 1202 via the bus 1204, and may also interact with other nodes or other computer devices using the communication interface 1203.
In the present application, a computer device executes computer instructions in the memory 1202, so as to implement the functions of the first multi-identity system node provided by the embodiments of the present application. For example, a computer device executing computer instructions in memory 1202 may perform the operations described above as being performed by a multi-identity system node.
Next, another terminal device provided in the present application is introduced, and as shown in fig. 13, a terminal device 1300 includes:
a receiver 1301, a transmitter 1302, a processor 1303 and a memory 1304 (wherein the number of the processors 1303 in the terminal device 1300 may be one or more, and one processor is taken as an example in fig. 13). In some embodiments of the present application, the receiver 1301, the transmitter 1302, the processor 1303 and the memory 1304 may be connected by a bus or other means, wherein fig. 13 illustrates the connection by a bus.
The memory 1304 may include a read-only memory and a random access memory, and provides instructions and data to the processor 1303. A portion of the memory 1304 may also include NVRAM. The memory 1304 stores an operating system and operating instructions, executable modules or data structures, or subsets thereof, or expanded sets thereof, wherein the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various basic services and for handling hardware-based tasks.
The processor 1303 controls the operation of the terminal device, and the processor 1303 may also be referred to as a CPU. In a specific application, the various components of the terminal device are coupled together by a bus system, which may include a power bus, a control bus, a status signal bus, etc., in addition to a data bus. For clarity of illustration, the various buses are referred to in the figures as a bus system.
The access control method for the multi-identity network disclosed in the embodiment of the present application may be applied to the processor 1303, or implemented by the processor 1303. The processor 1303 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method shown in fig. 1 may be implemented by hardware integrated logic circuits in the processor 1303 or instructions in the form of software. The processor 1303 described above may be a general purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, discrete hardware component. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in the memory 1304, and the processor 1303 reads the information in the memory 1304, and completes the steps of the method in combination with its hardware.
In this embodiment of the application, the processor 1303 is configured to execute the technical solution of the foregoing embodiment of the method for controlling access to a multi-identity network, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the present application further provides a computer-readable medium, which includes a computer execution instruction, where the computer execution instruction enables a server to execute the method for controlling access to a multi-identity network described in the foregoing embodiment, and the implementation principle and the technical effect of the method are similar, and are not described herein again.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and these modifications or substitutions do not depart from the scope of the technical solutions of the embodiments of the present application.
Claims (8)
1. An access control method for a multiple identity network, comprising:
if a multi-identification system node receives a key generation request, the multi-identification system node acquires a group generator and a global attribute set corresponding to a cyclic group, wherein the multi-identification system node is any one node in a multi-identification system network, and is an MIS node which is deployed and based on a multi-identification system MIS block chain;
the multi-identification system node determines a global public parameter and a master key according to the group generator and the global attribute set;
the multi-identification system node determines an attribute set private key corresponding to the target user in the current time period according to the global public parameter, the global unique identification corresponding to the target user, the master key, the current time period and the global attribute set;
the multi-identification system node determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext and the current time period;
the multi-identification system node sends the target ciphertext, the attribute set private key and the global public parameter to a terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set and the global public parameter to obtain a decryption result, wherein the target attribute set is an attribute set corresponding to the target user;
the determining, by the multi-identifier system node, the attribute set private key corresponding to the target user in the current time period according to the global public parameter, the global unique identifier corresponding to the target user, the master key, the current time period, and the global attribute set includes:
determining the attribute set private key by the following formula:
wherein the content of the first and second substances,for the purpose of the global common parameter,is a global unique identifier corresponding to the target user,in order for the set of target properties to be described,in order to be able to use said master key,for the purpose of said current time period,the attribute set private key corresponding to the target user in the current time period,the definition is as follows:
wherein the content of the first and second substances,is composed ofThe generation element of (a) is generated,,is a positive integer which is a multiple of,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,in order for the set of target properties to be described,,、、、、and, andfor the attribute private key parameter to be,is a self-defined variable;
the determining, by the multi-identity system node, a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext, and the current time period includes:
generating the target ciphertext by:
wherein the content of the first and second substances,in order to be the target cipher-text,、、、andas the parameter of the cipher-text,for the access structure, the access structure isIs determined by the two-dimensional matrix of (a),for the ith row in the access structureMapping to attributesThe mapping function of (a) is selected,in the clear for the target content in question,is composed ofThe bilinear mapping of the image to be displayed,for the cyclic group of order N,,is a positive integer and is a non-zero integer,is a vectorThe elements (A) and (B) in (B),,are all positive integers which are randomly selected,is composed ofThe generation element of (a) is generated,is composed ofAny one of the elements of (a) or (b),is composed ofTo (1) aThe number of the sub-groups,,are randomly assigned parameters, and,is a global set of attributes.
2. The method of claim 1, wherein determining, by the multi-identity system node, a global public parameter and a master key based on the group generator and the set of global attributes comprises:
determining the global public parameter and the master key by:
wherein the content of the first and second substances,for the purpose of the global common parameter,,are respectively the prime numbers which are different from each other,the cyclic groups of order N are each the cyclic groups,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element(s) of (a),is composed ofTo (1) aThe number of the sub-groups,,,is a positive integer and is a non-zero integer,,for the set of global properties,,in order to be able to use said master key,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aThe individual subgroups.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
the multi-identification system node verifies the integrity of a target attribute key, wherein the target attribute key is a leaked key;
if the integrity verification of the target attribute key passes, the multi-identification system node determines an attribute private key parameter from the target attribute key;
4. The method of claim 3, wherein verifying the integrity of the target attribute key by the multi-identity system node comprises:
verifying the integrity of the target attribute key by the following formula:
Wherein the content of the first and second substances,,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,,、、、、and, andfor the attribute private key parameter to be,is a variable which is self-defined,the cyclic groups of order N, respectively,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,for the set of target attributes to be used,is the current time period.
5. An access control method for a multiple identity network, comprising:
the method comprises the steps that terminal equipment sends a key generation request to a multi-identification system node, so that the multi-identification system node obtains a group generator and a global attribute set corresponding to a cyclic group, determines a global public parameter and a master key according to the group generator and the global attribute set, determines an attribute set private key corresponding to a target user according to the global public parameter, a global unique identifier corresponding to the target user, the master key, a current time period and the global attribute set, determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext and the current time period, and returns the target ciphertext, the attribute set private key and the global public parameter, the multi-identification system node is an MIS node which is provided with a block chain based on a multi-identification system MIS (management information system), the attribute set private key is determined by the multi-identification system node through the following formula:
wherein the content of the first and second substances,for the purpose of the global common parameter,is a global unique identifier corresponding to the target user,in order to target the set of attributes,in order to be able to use said master key,for the purpose of said current time period,the attribute set private key corresponding to the target user in the current time period,the definition is as follows:
wherein the content of the first and second substances,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,for the set of target attributes to be used,,、、、、and, andfor the attribute private key parameter to be,is a self-defined variable;
the target ciphertext is generated by the multi-identification system node through the following formula:
wherein the content of the first and second substances,in order to be the target cipher-text,、、、andas the parameter of the cipher-text,for the access structure, the access structure isIs determined by the two-dimensional matrix of (a),for the ith row in the access structureMapping to attributesThe mapping function of (a) is selected,in the clear for the target content, the content is,is composed ofThe bilinear mapping of the image to be displayed,for the cyclic group of order N,,is a positive integer and is a non-zero integer,is a vectorThe elements (A) and (B) in (B),,are all positive integers which are randomly selected, and the number of the positive integers is less than the number of the negative integers,is composed ofThe generation element(s) of (a),is composed ofAny one of the elements of (a) or (b),is composed ofTo (1)The number of the sub-groups,,are randomly assigned parameters, and,is a global attribute set;
the terminal equipment receives the target ciphertext, the attribute set private key and the global public parameter which are sent by the multi-identification system node;
and the terminal equipment decrypts the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result.
6. The method of claim 5, wherein the terminal device decrypting the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result comprises:
if the attribute set meets the requirement of a target access structure, decrypting the target ciphertext through the following formula to obtain the target content plaintext:
wherein, the first and the second end of the pipe are connected with each other,in the clear for the target content in question,as the parameter of the cipher-text,,andfor intermediate parameters, the determination is made by the following formulaAnd:
wherein, the first and the second end of the pipe are connected with each other,is composed ofThe bilinear mapping of the image to be displayed,is composed ofThe generation element of (a) is generated,is composed ofTo (1) aThe number of the sub-groups,for a cyclic group of order N,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),,,is a positive integer and is a non-zero integer,in order to be a function of the hash function,for the target attribute setThe (c) th attribute of (a),andis prepared by reacting withThe different ciphertext parameters may be different for each of the ciphertext parameters,,,,,for the ith row in the access structure, the access structure isIs determined by the two-dimensional matrix of (a),as a vectorThe elements (A) and (B) in (B),,all are randomly selected positive integers;
7. A multi-identity system node, comprising:
the system comprises an acquisition unit, a key generation unit and a management information center (MIS) unit, wherein the acquisition unit is used for acquiring a group generator and a global attribute set corresponding to a cyclic group when receiving a key generation request, the multi-identification system node is any one node in a multi-identification system network, and the multi-identification system node is an MIS node which is deployed on the basis of a multi-identification system MIS block chain;
a first determining unit, configured to determine a global public parameter and a master key according to the group generator and the global attribute set;
a second determining unit, configured to determine, according to the global public parameter, a global unique identifier corresponding to a target user, the master key, a current time period, and the global attribute set, an attribute set private key corresponding to the target user in the current time period;
a third determining unit, configured to determine a target ciphertext corresponding to the target content plaintext according to the global common parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period;
a sending unit, configured to send the target ciphertext, the attribute set private key, and the global public parameter to a terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set, and the global public parameter to obtain a decryption result, where the target attribute set is an attribute set corresponding to the target user;
the second determining unit is specifically configured to determine the attribute set private key by using the following formula:
wherein the content of the first and second substances,for the purpose of the global common parameter,is the global unique identification corresponding to the target user,for the set of target attributes to be used,in order to be able to use said master key,for the purpose of said current time period,the private key of the attribute set corresponding to the target user in the current time period,is defined as follows:
Wherein the content of the first and second substances,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofToThe number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,for the set of target attributes to be used,,、、、、and, andfor the attribute private key parameter to be,is a self-defined variable;
the third determining unit is specifically configured to generate the target ciphertext according to the following formula:
wherein the content of the first and second substances,in the form of the target ciphertext,、、、andis a parameter of the ciphertext to be,for the access structure, the access structure isIs determined by the two-dimensional matrix of (a),for the ith row in the access structureMapping to attributesThe mapping function of (a) is selected,in the clear for the target content in question,is composed ofThe bilinear mapping of (a) is performed,for the cyclic group of order N,,is a positive integer and is a non-zero integer,is a vectorThe elements (A) and (B) in (B),,are all positive integers which are randomly selected,is composed ofThe generation element of (a) is generated,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aThe number of the sub-groups,,are randomly assigned parameters, and,is a global set of attributes.
8. A terminal device, comprising:
a sending unit, configured to send a key generation request to a multi-identification system node, so that the multi-identification system node obtains a group generator and a global attribute set corresponding to a cyclic group, determines a global public parameter and a master key according to the group generator and the global attribute set, determines an attribute set private key corresponding to a target user according to the global public parameter, a global unique identifier corresponding to the target user, the master key, a current time period, and the global attribute set, determines a target ciphertext corresponding to the target content plaintext according to the global public parameter, the target content plaintext, an access structure corresponding to the target content plaintext, and the current time period, and returns the target ciphertext, the attribute set private key, and the global public parameter, where the multi-identification system node is an MIS node that deploys a block chain based on a multi-identification MIS system (management information system), the attribute set private key is determined by the multi-identification system node through the following formula:
wherein the content of the first and second substances,as a result of the global common parameter,is the global unique identification corresponding to the target user,in order to target the set of attributes,in order to be able to use said master key,for the purpose of said current time period,the attribute set private key corresponding to the target user in the current time period,the definition is as follows:
wherein the content of the first and second substances,is composed ofThe generation element of (a) is generated,,is a positive integer and is a non-zero integer,,is composed ofTo (1) aThe number of the sub-groups,for the cyclic group of order N,,,in order to be a function of the hash function,,is composed ofTo (1)The number of the sub-groups,,is composed ofTo (1)The number of the sub-groups,,for the set of target attributes to be used,,、、、、and, andfor the attribute private key parameter to be,is a self-defined variable;
the target ciphertext is generated by the multi-identification system node through the following formula:
wherein the content of the first and second substances,in the form of the target ciphertext,、、、andas the parameter of the cipher-text,for the access structure, the access structure isIs determined by the two-dimensional matrix of (a),for the ith row in the access structureMapping to attributesThe mapping function of (a) is selected,in the clear for the target content in question,is composed ofThe bilinear mapping of (a) is performed,for the cyclic group of order N,,is a positive integer and is a non-zero integer,is a vectorThe elements (A) and (B) in (B),,are all positive integers which are randomly selected,is composed ofThe generation element of (a) is generated,is composed ofAny one of the elements of (a), (b), (c), (d) and (d) any one of the (d) in any one of the (d), (d) and (d) any one of) an),is composed ofTo (1) aThe number of the sub-groups,,are randomly assigned parameters, and,is a global attribute set;
a receiving unit, configured to receive the target ciphertext, the attribute set private key, and the global public parameter sent by the multi-identity system node;
and the decryption unit is used for decrypting the target ciphertext according to the attribute set private key and the global public parameter to obtain a decryption result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210700564.0A CN114785622B (en) | 2022-06-21 | 2022-06-21 | Access control method, device and storage medium for multi-identification network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210700564.0A CN114785622B (en) | 2022-06-21 | 2022-06-21 | Access control method, device and storage medium for multi-identification network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114785622A CN114785622A (en) | 2022-07-22 |
CN114785622B true CN114785622B (en) | 2022-09-30 |
Family
ID=82420622
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210700564.0A Active CN114785622B (en) | 2022-06-21 | 2022-06-21 | Access control method, device and storage medium for multi-identification network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114785622B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115801308B (en) * | 2022-09-16 | 2023-08-29 | 北京瑞莱智慧科技有限公司 | Data processing method, related device and storage medium |
CN115426308B (en) * | 2022-11-08 | 2023-04-11 | 北京大学深圳研究生院 | Link state routing method under multi-identification network |
CN116756780B (en) * | 2023-08-21 | 2024-01-30 | 北京邮电大学 | Alliance chain data access control method based on CP-ABE algorithm and related equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105592100A (en) * | 2016-01-26 | 2016-05-18 | 西安电子科技大学 | Government services cloud access control method based on attribute encryption |
CN105915333A (en) * | 2016-03-15 | 2016-08-31 | 南京邮电大学 | High-efficiency secret key distribution method based on attribute encryption |
CN109711184A (en) * | 2018-12-28 | 2019-05-03 | 国网电子商务有限公司 | Block chain data access control method and device based on attribute encryption |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9209974B1 (en) * | 2015-05-03 | 2015-12-08 | Zeutro, Llc | Functional encryption key management |
CN112291295A (en) * | 2020-08-11 | 2021-01-29 | 佛山赛思禅科技有限公司 | High-safety mobile office network based on multi-identification network system |
CN113098683B (en) * | 2021-03-17 | 2022-05-03 | 武汉理工大学 | Data encryption method and system based on attributes |
CN113194089B (en) * | 2021-04-28 | 2022-03-11 | 四川师范大学 | Attribute-based encryption method for ciphertext strategy supporting attribute revocation |
CN114372292A (en) * | 2021-09-08 | 2022-04-19 | 重庆赛渝深科技有限公司 | Method and system for improving reliability of block chain differential authorization duplicate removal system |
CN113949545A (en) * | 2021-09-30 | 2022-01-18 | 西安理工大学 | Dual access control method based on time and attribute in cloud computing |
CN114036539A (en) * | 2021-10-14 | 2022-02-11 | 国家电网有限公司 | Safety auditable Internet of things data sharing system and method based on block chain |
-
2022
- 2022-06-21 CN CN202210700564.0A patent/CN114785622B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105592100A (en) * | 2016-01-26 | 2016-05-18 | 西安电子科技大学 | Government services cloud access control method based on attribute encryption |
CN105915333A (en) * | 2016-03-15 | 2016-08-31 | 南京邮电大学 | High-efficiency secret key distribution method based on attribute encryption |
CN109711184A (en) * | 2018-12-28 | 2019-05-03 | 国网电子商务有限公司 | Block chain data access control method and device based on attribute encryption |
Non-Patent Citations (1)
Title |
---|
基于属性基加密的区块链隐私保护与访问控制方法;汪金苗等;《信息网络安全》;20200910(第09期);第1-5页 * |
Also Published As
Publication number | Publication date |
---|---|
CN114785622A (en) | 2022-07-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114785622B (en) | Access control method, device and storage medium for multi-identification network | |
CN105847228B (en) | Access control framework for information-centric networks | |
JP5536362B2 (en) | Method for facilitating communication in a content-centric network | |
Kuriharay et al. | An encryption-based access control framework for content-centric networking | |
US7328343B2 (en) | Method and apparatus for hybrid group key management | |
US7334125B1 (en) | Facilitating secure communications among multicast nodes in a telecommunications network | |
US10263965B2 (en) | Encrypted CCNx | |
KR20150141362A (en) | Network node and method for operating the network node | |
CN108833339B (en) | Encrypted access control method under content-centric network | |
WO2018005238A1 (en) | Multi-hop secure content routing based on cryptographic partial blind signatures and embedded terms | |
US10404450B2 (en) | Schematized access control in a content centric network | |
Pallickara et al. | A framework for secure end-to-end delivery of messages in publish/subscribe systems | |
Ramkumar | Symmetric Cryptographic Protocols | |
Kurihara et al. | A consumer-driven access control approach to censorship circumvention in content-centric networking | |
Zhu et al. | An edge re‐encryption‐based access control mechanism in NDN | |
Alzahrani et al. | Key management in information centric networking | |
CN108632197B (en) | Content verification method and device | |
Hanatani et al. | Secure multicast group management and key distribution in IEEE 802.21 | |
Pelz et al. | Circuit comparison by hierarchical pattern matching | |
Adhikari et al. | ECC-based Efficient and Secure Access Control Scheme for Content Centric Network-A Next Generation Internet | |
Unger | End-to-end encrypted group messaging with insider security | |
Zhang et al. | Investigating the design space for name confidentiality in Named Data Networking | |
Agiollo et al. | Anonymous federated learning via named-data networking | |
Lenin et al. | Attribute-based encryption for named data networking | |
Wood | Security and Privacy Challenges in Content-Centric Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |