CN117118598A - Data sharing method, electronic equipment and computer cluster - Google Patents


Publication number
CN117118598A
Authority
CN
China
Prior art keywords
cloud platform
cloud
private key
identity authentication
data
Legal status
Pending
Application number
CN202310280374.2A
Other languages
Chinese (zh)
Inventor
董杰
程威
皇甫道一
Current Assignee
Honor Device Co Ltd
Original Assignee
Honor Device Co Ltd
Application filed by Honor Device Co Ltd
Priority to CN202310280374.2A
Publication of CN117118598A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

A data sharing method, an electronic device and a computer cluster, relating to the technical fields of terminals and information security. The sharer uses a first device, and the method comprises: determining sharees to whom a cloud platform can provide cloud services; generating an encryption public key according to the identification information of the sharee, and encrypting the data to be shared with the encryption public key; and sending the encrypted data to be shared to the cloud platform. The sharee uses a second device, and the method comprises: obtaining the encrypted data to be shared from the cloud platform, where the data was encrypted by the sharer's first device with an encryption public key that the first device generated according to the identification information of the sharee; and decrypting the encrypted data with a locally stored second private key to obtain the data to be shared, where the second private key is generated by the cloud platform using the identity authentication information of the sharee. The scheme simplifies the user's data sharing process and improves the security of data sharing.

Description

Data sharing method, electronic equipment and computer cluster
Technical Field
The present application relates to the field of information security technologies, and in particular, to a data sharing method, an electronic device, and a computer cluster.
Background
With the development of cloud services, more and more users share data through cloud disks.
At present, when encrypted sharing is performed through a cloud disk, the sharing initiator must encrypt the data to be shared, generate or set a key, create an access link for the data, and send the access link and the key to the sharee. The sharee then obtains and decrypts the shared data using the link and the key.
This data sharing method requires a key to be preset and communicated to the sharees, who then decrypt the data. However, when there are many sharees, notifying each one individually and in turn makes the whole process long, and the key may leak along the way. Once the key has leaked, any third party who knows it can decrypt the data, so security is poor.
Disclosure of Invention
To solve these problems, the application provides a data sharing method, an electronic device and a computer cluster, which simplify the user's data sharing process and improve the security of data sharing.
In a first aspect, the present application provides a data sharing method applied to a first device whose user is a sharer. The method includes: determining sharees to whom a cloud platform can provide cloud services; generating an encryption public key according to the identification information of the sharee, and encrypting the data to be shared with the encryption public key; and sending the encrypted data to be shared to the cloud platform. Applied to a second device whose user is a sharee, the method includes: obtaining the encrypted data to be shared from the cloud platform, where the data was encrypted by the sharer's first device with an encryption public key that the first device generated according to the identification information of the sharee; and decrypting the encrypted data with a locally stored second private key to obtain the data to be shared, where the second private key is generated by the cloud platform using the identity authentication information of the sharee and sent to the second device.
With this scheme, once the first device and the second device have registered for the data sharing service on the platform, each stores its decryption private key locally. When a sharer shares data with a sharee, the two devices do not need to negotiate a key, and the sharer does not need to actively add the sharee's contact details or send notification of the key and download link. The sharer only needs to encrypt the data to be shared according to known second identification information of the sharee, such as the sharee's mailbox or mobile phone number, and upload it to the cloud platform. After obtaining the data, the sharee can decrypt it automatically with the local second private key. Throughout the process there is no risk of key leakage from notifying the sharee of a key, which improves the security of data sharing. In addition, when there are many sharees, they do not need to be notified individually and in turn, which simplifies the user's data sharing process.
In one possible implementation, the first device runs a cloud disk APP and the cloud platform provides cloud services for the cloud disk APP. Determining the sharees to whom the cloud platform can provide cloud services specifically includes: initiating a registration query for contacts to the cloud platform, where the registration query is used to determine which contacts have registered the cloud disk APP; receiving a query result sent by the cloud platform, where the query result indicates the contacts that have registered the cloud disk APP; and selecting a sharee from the contacts that have registered the cloud disk APP.
In one possible implementation, the first device runs a system data sharing service and the cloud platform provides a cloud service for the system data sharing service. Determining the sharees to whom the cloud platform can provide cloud services specifically includes: initiating a registration query for contacts to the cloud platform, where the registration query is used to determine which contacts have registered the system data sharing service; receiving a query result sent by the cloud platform, where the query result indicates the contacts that have registered the system data sharing service; and selecting a sharee from the contacts that have registered the system data sharing service.
In one possible implementation, initiating the registration query for contacts to the cloud platform specifically includes: establishing a secure transmission channel between the first device and the security module (SE) chip of the cloud platform; and sending hash information of the contacts to be queried to the SE chip through the secure transmission channel, where the hash information is generated from the identification information of those contacts and the SE chip uses the hash information to obtain the query result.
In one possible implementation, before determining the sharees to whom the cloud platform can provide cloud services, the method further includes: sending identity authentication information carrying the sharer's identification information and the sharer's account information to the cloud platform so that the cloud platform can perform identity authentication; and receiving and storing the main public key and the first private key sent by the cloud platform, where the first private key is generated by the cloud platform using the sharer's identity authentication information and sent to the first device.
In one possible implementation, the identification information is an email address or a mobile phone number.
In one possible implementation, in addition to sending the encrypted data to be shared to the cloud platform, the method further includes: notifying the sharees through a social platform or instant messaging software associated with the cloud platform.
In a second aspect, the present application provides a data sharing method applied to a second device whose user is a sharee. The method includes: obtaining the encrypted data to be shared from the cloud platform, where the data was encrypted by the sharer's first device with an encryption public key that the first device generated according to the identification information of the sharee; and decrypting the encrypted data with a locally stored second private key to obtain the data to be shared, where the second private key is generated by the cloud platform using the identity authentication information of the sharee and sent to the second device.
In one possible implementation, before obtaining the encrypted data to be shared from the cloud platform, the method further includes: when no second private key is stored locally, registering for the data sharing service of the cloud platform to obtain the second private key generated by the cloud platform.
In one possible implementation, the second device runs a cloud disk APP and the cloud platform provides cloud services for the cloud disk APP. Registering for the data sharing service of the cloud platform specifically includes: sending, through the cloud disk APP, identity authentication information carrying the sharee's identification information and the sharee's cloud disk APP account information to the cloud platform so that the cloud platform performs identity authentication; and receiving and storing the main public key and the second private key sent by the cloud platform.
In one possible implementation, the second device runs a system data sharing service and the cloud platform provides a cloud service for the system data sharing service. Registering for the data sharing service of the cloud platform specifically includes: sending, through the system data sharing service, identity authentication information carrying the sharee's identification information and the sharee's device account information to the cloud platform so that the cloud platform performs identity authentication; and receiving and storing the main public key and the second private key sent by the cloud platform.
In one possible implementation, the identification information is an email address or a mobile phone number.
In a third aspect, the present application provides a data sharing method applied to a cloud platform, where the cloud platform may be a computer cluster. The cloud platform includes an SE chip that provides an identity-based encryption (IBE) service and a contact discovery service. The method includes: determining the sharees to whom cloud services can be provided and informing a first device, whose user is the sharer; generating a second private key using the identity authentication information of the sharee and sending it to a second device, whose user is the sharee; and receiving and storing the encrypted data to be shared sent by the first device and providing it to the second device, where the data was encrypted by the sharer's first device with an encryption public key that the first device generated according to the identification information of the sharee.
In one possible implementation, the first device runs a cloud disk APP and the cloud platform provides cloud services for the cloud disk APP. Determining the sharees to whom cloud services can be provided and informing the first device specifically includes: receiving a registration query for contacts initiated by the first device, where the registration query is used to determine which contacts have registered the cloud disk APP; and performing the registration query on the contacts and sending a query result to the first device, where the query result indicates the contacts that have registered the cloud disk APP.
In one possible implementation, the first device runs a system data sharing service and the cloud platform provides a cloud service for the system data sharing service. Determining the sharees to whom cloud services can be provided and informing the first device specifically includes: receiving a registration query for contacts initiated by the first device, where the registration query is used to determine which contacts have registered the system data sharing service; and performing the registration query on the contacts and sending a query result to the first device, where the query result indicates the contacts that have registered the system data sharing service.
In one possible implementation, receiving the registration query for contacts initiated by the first device specifically includes: establishing a secure transmission channel between the security module (SE) chip of the cloud platform and the first device; and receiving, through the secure transmission channel, hash information of the contacts to be queried sent by the first device, so that the SE chip obtains the query result according to the hash information, where the hash information is generated from the identification information of those contacts.
In one possible implementation, before determining the sharees to whom cloud services can be provided and informing the first device, the method further includes: receiving identity authentication information, sent by the first device, carrying the sharer's identification information and the sharer's account information; authenticating the sharer according to the identity authentication information; when identity authentication passes, generating a first private key according to the identity authentication information; and sending the first private key and the main public key to the first device, where the main public key is pre-generated by the cloud platform.
In one possible implementation, the second device runs a cloud disk APP and the cloud platform provides cloud services for the cloud disk APP. Generating the second private key using the identity authentication information of the sharee and sending it to the second device specifically includes: receiving identity authentication information, sent by the cloud disk APP, carrying the sharee's identification information and the sharee's cloud disk APP account information; authenticating the sharee according to the identity authentication information; when identity authentication passes, generating the second private key according to the identity authentication information; and sending the second private key and the main public key to the second device, where the main public key is pre-generated by the cloud platform.
In one possible implementation, the second device runs a system data sharing service and the cloud platform provides a cloud service for the system data sharing service. Generating the second private key using the identity authentication information of the sharee and sending it to the second device specifically includes: receiving identity authentication information, sent by the system data sharing service, carrying the sharee's identification information and the sharee's device account information; authenticating the sharee according to the identity authentication information; when identity authentication passes, generating the second private key according to the identity authentication information; and sending the second private key and the main public key to the second device, where the main public key is pre-generated by the cloud platform.
In one possible implementation, the identification information is an email address or a mobile phone number.
In a fourth aspect, the present application also provides an electronic device that includes a processor, a memory and a security module (SE) chip. The memory stores computer-readable instructions, and the processor executes them to perform the data sharing method. The SE chip stores the main public key sent by the cloud platform and the private key corresponding to the electronic device. When the electronic device shares data, the SE chip provides the IBE encryption service, generating the encryption public key according to the identification information of the sharee and encrypting the data to be shared with it; in this case the electronic device is the first device, and its private key corresponds to the first private key in the implementations above. When the electronic device needs to decrypt encrypted data obtained from the cloud, the SE chip provides the IBE encryption service, decrypting the encrypted data to be shared obtained from the cloud platform with the private key corresponding to the electronic device; in this case the electronic device is the second device, and its private key corresponds to the second private key in the implementations above.
The embodiments of the application do not limit the type of electronic device, which may be, for example, a mobile phone, a tablet computer, a notebook computer or a desktop computer.
In a fifth aspect, the present application further provides a computer cluster, that is, a cloud platform. The computer cluster includes at least one computer comprising a memory, a processor and a security module (SE) chip. The memory stores computer-readable instructions that the processor executes to perform the data sharing method. The SE chip is used to determine the sharees to whom the cloud platform can provide cloud services, to generate a main private key and a main public key, and to generate the private key corresponding to an electronic device according to the identity authentication information and the main private key.
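The roles summarised in the aspects above (the platform generates the main key pair and per-user private keys, the sharer encrypts from the sharee's identification information alone, the sharee decrypts with its stored private key) can be traced end to end in a small model. This is an added example, not code from the patent: the page names no IBE construction, so Cocks' quadratic-residue scheme stands in, and the Mersenne-prime modulus, the SHA-256 identity hash, the normalisation rule and all function names are assumptions chosen so that it runs with the Python standard library only.

```python
"""Toy identity-based encryption (Cocks' scheme) mapped to the roles on this page.

Assumption: the page names no IBE construction; Cocks' scheme is a stand-in.
Demo parameters only.
"""
import hashlib
import secrets

# Main private key (platform / SE chip only): two primes congruent to 3 mod 4.
# Publicly known Mersenne primes keep the demo checkable; never use them for real.
P = 2**127 - 1
Q = 2**107 - 1
# Main public key, handed to every device at registration.
N = P * Q


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; returns -1, 0 or 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def identity_public_key(identity: str, n: int = N) -> int:
    """Derive the 'encryption public key' from identification info alone."""
    ident = identity.strip().lower()  # sender and platform must normalise identically
    counter = 0
    while True:
        digest = hashlib.sha256(f"{counter}|{ident}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1


def extract_private_key(identity: str, p: int = P, q: int = Q) -> int:
    """Platform side, after identity authentication: r with r*r = +a or -a (mod N)."""
    n = p * q
    a = identity_public_key(identity, n)
    return pow(a, (n + 5 - p - q) // 8, n)


def _encrypt_bit(bit: int, a: int, n: int) -> tuple:
    m = 1 if bit else -1
    pair = []
    for sign in (1, -1):  # sender cannot tell whether r*r is +a or -a, so covers both
        while True:
            t = secrets.randbelow(n - 2) + 2
            if jacobi(t, n) == m:
                break
        pair.append((t + sign * a * pow(t, -1, n)) % n)
    return pair[0], pair[1]


def encrypt(data: bytes, identity: str, n: int = N) -> list:
    """Sharer side: needs only the main public key and the sharee's identity."""
    a = identity_public_key(identity, n)
    return [_encrypt_bit((byte >> i) & 1, a, n) for byte in data for i in range(8)]


def decrypt(ciphertext: list, identity: str, r: int, n: int = N) -> bytes:
    """Sharee side: uses the locally stored private key r."""
    a = identity_public_key(identity, n)
    use_first = pow(r, 2, n) == a
    bits = [jacobi((c1 if use_first else c2) + 2 * r, n) == 1 for c1, c2 in ciphertext]
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


def demo() -> dict:
    sharee = "sharee@example.com"                          # constructed identity
    content_key = secrets.token_bytes(16)                  # key protecting the shared file
    sharee_key = extract_private_key(sharee)               # issued at registration
    other_key = extract_private_key("other@example.com")   # a different registered user
    ct = encrypt(content_key, " Sharee@Example.com ")       # no key exchange with the sharee
    return {
        "sent": content_key,
        "sharee_view": decrypt(ct, sharee, sharee_key),
        "other_view": decrypt(ct, sharee, other_key),
    }


if __name__ == "__main__":
    out = demo()
    print("sharee recovers key:", out["sharee_view"] == out["sent"])
    print("other user recovers key:", out["other_view"] == out["sent"])
```

Cocks' scheme expands every plaintext bit into two integers modulo N, so the example encrypts only a 16-byte content key; the shared file itself would be encrypted under that key with a symmetric cipher. As in any IBE deployment, whoever holds the main private key can derive every user's private key, and the page places that key generation in the platform's SE chip.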
Drawings
FIG. 1 is a first schematic view of a scenario provided by the present application;
FIG. 2 is a second schematic view of a scenario provided by the present application;
FIG. 3 is a flowchart of a method for a sharer to open a data sharing service according to an embodiment of the present application;
FIG. 4 is a flowchart of a method for sharing data by a sharer according to an embodiment of the present application;
FIG. 5 is a flowchart of a method for a sharee to open a data sharing service according to an embodiment of the present application;
FIG. 6 is a flowchart of a method for a sharee to accept data sharing according to an embodiment of the present application;
FIG. 7 is a schematic diagram of data encryption sharing according to an embodiment of the present application;
FIG. 8 is a flowchart of a system for opening a data sharing service according to an embodiment of the present application;
FIG. 9 is a flowchart of another method for sharing data by a sharer according to an embodiment of the present application;
FIG. 10 is a flowchart of another method for a sharee to accept data sharing according to an embodiment of the present application;
FIG. 11 is a schematic diagram of an electronic device according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a software architecture of an electronic device according to an embodiment of the present application;
FIG. 13 is a hardware structure diagram of a cloud platform according to an embodiment of the present application.
Detailed Description
To help those skilled in the art understand the solution of the application more clearly, its application scenario is described first.
Referring to FIG. 1, a first schematic view of a scenario provided by the present application is shown.
Currently, when encrypted sharing is performed through a cloud disk, the sharing initiator needs to encrypt the data to be shared and generate or set a key. For example, the user chooses encrypted sharing on the file sharing interface, selects encryption as the sharing form, and then clicks to create a link.
Referring to FIG. 2, a second schematic view of a scenario provided by the present application is shown.
At this point, the cloud disk generates a sharing link and a password, and the sharing initiator sends the access link and the key to the sharee. The sharee obtains and decrypts the shared data using the link and the key.
For example, after clicking to copy the link and password on the file sharing interface, the sharing initiator can copy the information containing the link and password that the cloud disk APP generated automatically and then send it to the corresponding sharee.
However, in actual sharing, when there are many sharees they must be notified one by one, which makes the overall sharing process long. For example, when data is to be shared with only some specific contacts in a group chat, sending the link and password directly to the group chat leaks the password, and non-sharees in the group chat can also obtain the data. Those specific contacts must therefore be notified one by one, which lengthens the whole process and risks leaking the key during notification.
In summary, to solve the above problems, the present application provides a method, an apparatus, and an electronic device for data sharing. When a sharer shares data with a sharee, no key negotiation is needed, and the sharer does not need to actively add the sharee's contact details or send notification of the key and download link; the sharer only needs to encrypt the data to be shared according to known second identification information of the sharee and upload it to the cloud platform. The sharee can decrypt the data automatically after obtaining it. Throughout the process there is no risk of key leakage from notifying the sharee of a key, which improves the security of data sharing. In addition, when there are many sharees, they do not need to be notified individually and in turn, which simplifies the user's data sharing process.
In order to make the solution of the present application more clearly understood by those skilled in the art, the following description will describe the solution of the present application in connection with the accompanying drawings in the embodiments of the present application.
The words "first," "second," and the like in the description of the application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated.
In the following, the electronic device is taken to be a mobile phone, and data encryption sharing is implemented through a cloud disk application (APP). The data in the embodiments of the present application may be picture data, document data, video data, audio data or other types of data, which is not specifically limited. In the following description, the sharer uses a first device and the sharee uses a second device.
Referring to FIG. 3, a flowchart of a method for a sharer to open a data sharing service according to an embodiment of the present application is shown.
The method specifically comprises the following steps:
S11: Start the cloud disk APP.
The sharer starts the cloud disk APP on the first device and triggers the data sharing service.
S12: The first device sends identity authentication information to the cloud platform.
After the user triggers the data sharing service, the cloud disk APP sends identity authentication information to the cloud platform to request that the data sharing service be opened.
The cloud platform is used for providing IDS service, IBE encryption service and key storage service.
The unified identity authentication (uniform identity authentication, IDS) service authenticates the initiator of the data sharing service, that is, it determines whether the user requesting to open the data sharing service is a legitimate user.
The identity authentication information carries first identification information of the sharer and account information of the sharer.
The first identification information may be one or more of identification information such as a mailbox or a mobile phone number, and the first identification information is used for identifying a sharer.
The account information of the first device is account information of a cloud disk APP registered by the first device.
In some embodiments, the cloud disk account registered by the user may not be the user's mailbox or mobile phone number, so the cloud disk APP of the first device needs to send first identification information carrying the mailbox or the mobile phone number to the cloud platform for identity authentication. In another embodiment, the cloud disk account registered by the user is one of a mailbox or a mobile phone number, for example, a mailbox. In this case, the cloud disk APP of the first device may carry the remaining item, the mobile phone number, in the first identification information, or carry both the mobile phone number and the mailbox in the first identification information, and send it to the cloud platform for unified identity authentication.
For ease of understanding, various possible implementations of the identity authentication information are listed below.
The account information does not carry any first identification information, and the first identification information carries a mailbox;
the account information does not carry any first identification information, and the first identification information carries a mobile phone number;
the account information does not carry any first identification information, and the first identification information carries a mailbox and a mobile phone number;
the account information carries a mailbox, and the first identification information carries a mobile phone number;
the account information carries a mailbox, and the first identification information carries the mailbox;
the account information carries a mailbox, and the first identification information carries a mailbox and a mobile phone number;
the account information carries a mobile phone number, and the first identification information carries the mobile phone number;
the account information carries a mobile phone number, and the first identification information carries a mailbox;
the account information carries a mobile phone number, and the first identification information carries a mailbox and the mobile phone number.
It can be understood that the above first identification information is only illustrative, and in practical application, other identification information for identifying the sharer may be used for the first identification information, which is not described herein.
S13: the IDS service authenticates the first device.
After the cloud platform receives the identity authentication information sent by the first device, it enables the IDS service to perform identity authentication. When the IDS service determines that the user requesting to start the data sharing service is a legitimate user, the subsequent steps continue; otherwise, a notification that identity authentication has failed is returned to the user.
S14: the IDS service sends identity authentication information to the SE chip.
After the first device passes identity authentication, the IDS service sends the identity authentication information to the IBE encryption service.
The cloud platform comprises a Secure Element (SE) chip, and the SE chip is used for implementing functions such as secure data storage and encryption and decryption operations.
The SE chip of the cloud platform is used for implementing identity-based encryption (IBE) services and contact discovery services (contact discovery service).
IBE refers to generating the public key used for encryption and decryption from an identifier, which in the present application is identification information such as a phone number or a mail address. Compared with conventional public key encryption, this greatly reduces the complexity of the encryption process for users and administrators, and the receiving side does not need to prepare special software in advance to receive and read the information.
The IBE service generates a master private key and a master public key using a key generation center (key generation center, KGC). In some embodiments, the KGC generates the master private key with a random number generator, and the master public key is generated from the master private key in combination with system parameters. It should be noted that the IBE encryption service generates the master public key and the master private key when the cloud platform service goes online; generation is not triggered when the first device registers for the data sharing service. That is, the generation of the master public key and the master private key may be completed before the first device registers for the data sharing service.
S15: the IBE encryption service generates a first private key according to the identity authentication information and the main private key.
In some embodiments, the IBE encryption service generates the first private key based on the master private key and the first identification information in the identity authentication information.
S16: the IBE encryption service sends the primary public key and the first private key to the first device and the primary private key to the key storage service.
In some embodiments, after the SE chip completes the generation of the master public key and the encryption private key, the master public key and the first private key are sent to the first device through the IDS service, and the master private key is sent to the key storage service of the cloud platform.
S17: the key storage service encrypts and stores the main private key.
The key storage service of the cloud platform encrypts and stores the main private key generated by the IBE encryption service, so as to improve security.
S18: the SE chip of the first device stores the master public key and the first private key.
The first device also includes an SE chip for storing the acquired primary public key and the first private key.
The SE chip on the first device can also provide the IBE encryption service. The first private key is generated according to the identity authentication information of the sharer and the main private key. When the first device acquires encrypted data shared by other electronic devices through the cloud disk APP, the cloud disk APP of the first device invokes the IBE encryption service of the SE chip, which automatically decrypts the encrypted data using the first private key.
The first private key is used for decrypting encrypted shared data acquired by the cloud disk APP.
Through the above steps, when the first device triggers the data sharing service through the cloud disk APP for the first time, the generation of the main public key and the encryption private key is completed, that is, the registration for the data encryption sharing service is completed.
The following describes the steps of performing data encryption sharing by the first device after the registration of the data encryption sharing service is completed.
Referring to fig. 4, a flowchart of a method for sharing data by a sharer according to an embodiment of the present application is shown.
S20: the sharer initiates registration inquiry on the contact person in the cloud disk APP.
After the sharer finishes registering for the data encryption sharing service and needs to share encrypted data with a specific sharee, the sharer pulls up the contact list in the cloud disk APP and queries which contacts have registered with the cloud disk APP.
It should be noted that a contact may or may not have completed registration for the data encryption sharing service, which is not particularly limited in the embodiment of the present application. That is, the purpose of the service registration query is to find the contacts that hold a registered cloud disk APP account and can be provided with the cloud service, not to find the contacts that have completed registration for the data encryption sharing service.
The contact list may be a contact list of a mailbox, or a contact list of a mobile phone number, or a contact list including both a mailbox and a mobile phone number, which is not particularly limited in the embodiment of the present application.
In some embodiments, the user may actively choose to conduct a business registration query for all or a selected portion of the contacts when the APP pulls up the contact list.
In other embodiments, when the user pulls up the contact list by the APP, the cloud disk APP automatically performs a service registration query on all contacts in the list.
S21: A secure transmission channel is established between the first device and the SE chip of the cloud platform.
S22: the first device sends the hash information of the contact to the SE chip through the secure transmission channel.
After the secure transmission channel is established, the first device transparently transmits the hash (Hash) information of the contacts to the SE chip through the IDS service. The hash information is obtained by converting the second identification information corresponding to each contact. The second identification information may be the mobile phone number or mailbox of the contact in the contact list.
The conversion that produces the hash information uses a hash algorithm to turn the second identification information into a fixed-length output, which is the hash value. The specific implementation of obtaining the hash information from the second identification information is mature prior art and is not described in the embodiments of the present application.
S23: the contact discovery service queries registration information according to the hash information of the contact and determines the contact registered with the cloud disk APP.
The SE chip is capable of providing contact discovery services.
According to the scheme provided by the application, the registration information is queried on the SE chip of the cloud platform, so that upper-layer applications and the device system are not aware of the query, no relationship chain between the user of the first device and the sharee is established, and privacy and security are ensured.
S24: the SE chip sends the query result to the first device.
After finishing the query of the contacts' registration information, the SE chip returns a query result to the first electronic device, and the query result indicates the contacts registered with the cloud disk APP.
In one possible implementation manner, a tag is added in the query result to the contacts registered with the cloud disk APP, that is, the tag marks the contacts registered with the cloud disk APP, so that the cloud disk APP on the first device side can identify the tag and display the corresponding query result.
S25: The cloud disk APP displays the contacts that have registered with the cloud disk APP.
The cloud disk APP displays the contacts registered with the cloud disk APP according to the query result.
S26: The user selects the contact to be shared with on the cloud disk APP.
In the embodiment of the application there may be one or more contacts to be shared with, and the specific number is not limited.
S27: The cloud disk APP calls the IBE encryption service of the SE chip of the first device.
S28: the IBE encryption service of the SE chip generates an encryption public key according to the second identification information of the shared contact.
S29: The data to be shared is encrypted using the encryption public key.
The cloud disk APP encrypts the data to be shared by using the encryption public key. It can be understood that when there are multiple sharees, there are multiple encryption public keys.
S30: The encrypted data to be shared is sent to the cloud platform for storage.
The cloud platform also provides a storage service for storing the encrypted data to be shared so as to wait for the sharees to download.
Thus, the sharer, i.e., the user of the first device, has completed the encrypted sharing of the data. The process by which the sharee, i.e., the user of the second device, obtains and decrypts the encrypted data is described below.
Referring to fig. 5, a flowchart of a method for a sharee to open a data sharing service according to an embodiment of the present application is shown.
S31: Start the cloud disk APP.
The sharee starts the cloud disk APP on the second device and triggers the data sharing service.
S32: The second device sends identity authentication information to the cloud platform.
When the second private key and the master public key are not stored locally on the sharee's device, the data sharing service needs to be started first.
The identity authentication information carries second identification information of the sharee and account information of the second device.
S33: the IDS service authenticates the second device.
S34: the IDS service sends identity authentication information to the SE chip.
S35: the IBE encryption service generates a private key of the second device based on the identity authentication information and the master private key.
It should be noted that the IBE encryption service does not need to generate the primary public key and the primary private key again at this time, because they need only be generated once, and the primary private key has already been saved in the cloud through the key storage service.
The IBE encryption service generates a private key of the second device according to the main private key and the second identification information in the identity authentication information.
S36: the IBE encryption service sends the primary public key and the second private key to the second device.
S37: the SE chip of the second device stores the primary public key and the second private key.
The second device also includes an SE chip for storing the acquired primary public key and the second private key.
When the second device acquires encrypted data shared by other electronic devices through the cloud disk APP, the cloud disk APP of the second device invokes the IBE encryption service of the SE chip, which automatically decrypts the encrypted data using the second private key. The second private key is used for decrypting encrypted shared data acquired by the cloud disk APP of the second device.
The process by which the second device registers for the data encryption sharing service is similar to that described in fig. 3, and is not repeated in the embodiments of the present application.
The specific process by which the second device obtains and decrypts the shared data is described below.
Referring to fig. 6, a flowchart of a method for receiving data sharing by a sharee according to an embodiment of the present application is shown.
S40: The cloud disk APP downloads the encrypted data to be shared.
The sharee downloads the encrypted data to be shared from the cloud platform through the cloud disk APP, that is, the cloud platform sends the encrypted data to be shared to the second device.
In a possible implementation manner, the cloud platform may be associated with a social platform or instant messaging software, for example through account association binding. After the data sharer completes encryption and uploading of the data, the cloud platform may automatically notify the sharee through the social platform or instant messaging software, or the user may actively notify the sharee through the social platform or instant messaging software, so that the sharee downloads the encrypted data from the cloud platform through the cloud disk APP.
S41: the sharees choose to view the encrypted data to be shared.
S42: the cloud disk APP calls the IBE encryption service of the SE chip.
S43: The IBE encryption service decrypts the encrypted data to be shared by using the locally stored second private key.
At this time, the IBE encryption service decrypts the data to be shared. The encryption public key used by the first device when encrypting the data to be shared is generated according to the second identification information of the contact to be shared with, and the second private key used by the SE chip of the second device when decrypting the data is also generated according to the second identification information of that contact, so the keys of the first device and the second device match and decryption succeeds.
In practical applications, the IBE encryption service decrypts the encrypted data to be shared automatically, and the sharee can open the data without manually inputting a key.
It should be understood that the order of the above steps in the embodiments of the present application is only for convenience of description and does not limit the technical solution of the present application. For example, the query of the contacts' registration information in S20-S25 may also take place in the data sharing service opening flow of fig. 3, for example immediately after S18, as a step in that flow. In that case, when the user performs data encryption sharing, the user directly starts from S26 by selecting the contact to be shared with.
With reference to the descriptions in fig. 3 to fig. 6, the principles of data encryption sharing provided by the embodiments of the present application may be represented by the following diagrams.
Referring to fig. 7, a schematic diagram of data encryption sharing according to an embodiment of the present application is shown.
After the first device 10 and the second device 20 both complete the registration of the cloud disk APP and the registration of the data encryption sharing service, when the sharer shares data with the sharee through the first device 10, an encryption public key is generated according to the identification information of the second device, and the data to be shared is encrypted and then sent to the cloud platform 30 for storage.
The second device downloads the encrypted data to be shared from the cloud platform 30 and decrypts it by using the second private key, which is stored by the second device and is generated according to the second identification information of the second device, thereby obtaining the data.
In summary, by using the technical scheme provided by the embodiment of the application, when the data sharer shares data with the sharee, the sharee does not need to perform key agreement, and the data sharer does not need to actively add the contact information of the sharee and notify the sharee of the key and the download link. The sharer only needs to encrypt the data to be shared according to known second identification information of the sharee, such as the sharee's mailbox or mobile phone number, and upload the encrypted data to the cloud platform; the sharee can decrypt it automatically after acquiring the data. In the whole process, there is no risk of key leakage caused by notifying the sharee of the key, and the security of data sharing is improved. In addition, when the number of sharees is large, each sharee does not need to be notified separately and sequentially, and the data sharing process of the user is simplified.
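The key roles in S15, S28, S29 and S43, as an added example that is not part of the patent text: the application does not name an IBE scheme, so this sketch swaps in Cocks' quadratic-residue IBE because it needs only modular arithmetic. The class and function names, the identifiers and the demo primes are assumptions; the modulus is the product of two Mersenne primes and offers no security.

```python
import hashlib
import secrets

# Constructed demo parameters (assumption): two Mersenne primes, both 3 mod 4.
# Their product is trivially factorable, so this illustrates the roles only.
P = 2**127 - 1
Q = 2**89 - 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n: returns 1, -1 or 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def identity_to_a(identifier, n):
    """Public mapping from an identifier (mailbox, phone number) to a value a
    with (a/n) = +1. It needs only the master public key n (step S28)."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{counter}|{identifier}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1


class KGC:
    """Cloud-side key generation centre (hypothetical class name)."""

    def __init__(self, p=P, q=Q):
        self._p, self._q = p, q   # master private key: stays on the platform
        self.n = p * q            # master public key: sent to every device

    def extract(self, identifier):
        """S15/S35: derive a private key r with r^2 = +a or -a (mod n)."""
        a = identity_to_a(identifier, self.n)
        return pow(a, (self.n + 5 - self._p - self._q) // 8, self.n)


def _random_with_jacobi(m, n):
    """Random t in [2, n) whose Jacobi symbol equals m (+1 or -1)."""
    while True:
        t = secrets.randbelow(n - 2) + 2
        if jacobi(t, n) == m:
            return t


def encrypt(data, recipient_identifier, n):
    """S28/S29: encrypt bytes bit by bit to an identifier. The sender needs
    only the recipient's identifier and the master public key."""
    a = identity_to_a(recipient_identifier, n)
    ciphertext = []
    for byte in data:
        for shift in range(7, -1, -1):
            m = 1 if (byte >> shift) & 1 else -1
            t1, t2 = _random_with_jacobi(m, n), _random_with_jacobi(m, n)
            # Two values, because the sender cannot tell whether r^2 is +a or -a.
            ciphertext.append(((t1 + a * pow(t1, -1, n)) % n,
                               (t2 - a * pow(t2, -1, n)) % n))
    return ciphertext


def decrypt(ciphertext, own_identifier, private_key, n):
    """S43: recover the bytes with the locally stored private key."""
    a = identity_to_a(own_identifier, n)
    plus_case = pow(private_key, 2, n) == a
    bits = [1 if jacobi((c1 if plus_case else c2) + 2 * private_key, n) == 1 else 0
            for c1, c2 in ciphertext]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def demo():
    kgc = KGC()
    sharee, other = "sharee@example.com", "+10000000000"  # constructed identifiers
    sharee_key, other_key = kgc.extract(sharee), kgc.extract(other)
    secret = b"constructed data"                          # constructed sample input
    ct = encrypt(secret, sharee, kgc.n)
    return (secret,
            decrypt(ct, sharee, sharee_key, kgc.n),
            decrypt(ct, other, other_key, kgc.n))


if __name__ == "__main__":
    secret, by_sharee, by_other = demo()
    print(by_sharee == secret, by_other == secret)
```

Because this scheme produces two large integers per plaintext bit, a deployment built on it would encrypt only a short content key this way and protect the file itself with a symmetric cipher.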
In the above description, data sharing by the cloud disk APP is taken as an example. In practical application, the cloud disk APP may be replaced by the system of the electronic device. The system of the electronic device performs encryption and decryption using a security chip provided in the system and interacts with the cloud platform, so that data in the system libraries can be shared, which is described in detail below.
At this time, the cloud disk APP may not be installed on the first device, and a system of the first device is provided with a data encryption sharing function. The following description is made with reference to the accompanying drawings.
Referring to fig. 8, a flowchart of a system for opening a data sharing service according to an embodiment of the present application is shown.
S51: Start the system data sharing service.
S52: the first device sends identity authentication information to the cloud platform.
The identity authentication information carries first identification information of a sharer and account information of first equipment.
The account information of the first device at this time is the device account information registered by the first device, for example, a device account corresponding to the device manufacturer. After the device account is registered, services provided by the device manufacturer can be used.
The first identification information may be a mobile phone number or a mailbox.
The cloud platform is used for providing IDS service, IBE encryption service and key storage service.
The IBE service generates a main private key and a main public key by utilizing KGC, and encrypts and stores the main private key through a key storage service.
S53: the IDS service authenticates the first device.
S54: the IDS service sends identity authentication information to the SE chip.
S55: the IBE encryption service generates a first private key according to the identity authentication information and the main private key.
S56: the IBE encryption service sends the primary public key and the first private key to the first device.
S57: the SE chip of the first device stores the master public key and the first private key.
The above description of the data sharing service opening is similar to that of fig. 3, and the embodiments of the present application are not repeated here.
Referring to fig. 9, a flowchart of another method for sharing data by a sharer according to an embodiment of the present application is shown.
S60: the sharer initiates a registration query for the contact through the system data sharing service.
After the sharer finishes registering for the data encryption sharing service and needs to share encrypted data with a specific sharee, the sharer can pull up a contact list through the address book of the system and query which contacts have registered a device account, that is, an account provided by the device manufacturer. The purpose of the registration query is to determine the sharees that can be provided with the cloud service.
S61: A secure transmission channel is established between the first device and the SE chip of the cloud platform.
S62: the first device sends the hash information of the contact to the SE chip through the secure transmission channel.
S63: the contact discovery service queries registration information according to the hash information of the contacts and determines the contacts of the registration system account.
S64: the SE chip sends the query result to the first device.
S65: the system data sharing service displays contacts that have registered with the system account.
S66: The user selects the contact to be shared with on the system data sharing service.
S67: the system data sharing service invokes an IBE encryption service of the SE chip of the first device.
S68: the IBE encryption service of the SE chip generates an encryption public key according to the second identification information of the shared contact.
S69: The data to be shared is encrypted using the encryption public key.
At this time, the data to be shared may be data in a system library, for example, pictures in the system gallery, videos in the system video library, audio in the system audio library, files in the system file library, and the like.
S70: The encrypted data to be shared is sent to the cloud platform for storage.
Thus, the sharer, i.e. the user of the first device, has completed the encrypted sharing of data. For the user of the second device, the process of registering for the system data sharing service is similar to the registration process of the first device in fig. 8 and is not described again here. The process by which the sharee, that is, the user of the second device, obtains and decrypts the encrypted data is described below.
Referring to fig. 10, a flowchart of another method for receiving data sharing by a sharee according to an embodiment of the present application is shown.
S80: The second device downloads the encrypted data to be shared.
In one possible implementation manner, the cloud platform may be associated with a social platform or instant messaging software, for example through account association binding. After the data sharer completes encryption and uploading of the data, the cloud platform may automatically notify the sharee through the social platform or instant messaging software, or the user may actively notify the sharee through the social platform or instant messaging software, so that the sharee downloads the encrypted data from the cloud platform through the social platform, the instant messaging software or the system data sharing service.
S81: the sharees choose to view the encrypted data to be shared.
S82: the system data sharing service invokes the IBE encryption service of the SE chip.
In one possible implementation, the sharee invokes the system data sharing service through a social platform or instant messaging software, and the system data sharing service in turn invokes the IBE encryption service of the SE chip.
S83: The IBE encryption service decrypts the encrypted data to be shared by using the locally stored second private key.
The encryption public key used by the first device when encrypting the data to be shared is generated according to the second identification information of the contact to be shared with, and the second private key used by the SE chip of the second device when decrypting the data is also generated according to the second identification information of that contact, so the keys of the first device and the second device match and decryption succeeds. The IBE encryption service automatically decrypts the encrypted data to be shared, and the sharee can open the data without manually inputting a key.
In summary, by using the technical scheme provided by the embodiment of the application, the sharing of the data of the system library can be realized, the risk of key leakage caused by notifying the sharee of the key does not exist in the whole process, and the security of data sharing is improved. In addition, when the number of the sharees is large, the sharees do not need to be notified separately and sequentially, the data sharees do not need to input keys to decrypt, and the data sharing process of the user is simplified.
Based on the data sharing method provided by the above embodiment, the embodiment of the application further provides an electronic device, and the following detailed description is given with reference to the accompanying drawings.
Referring to fig. 11, a schematic diagram of an electronic device according to an embodiment of the present application is shown.
The electronic device 100 provided by the embodiment of the application comprises an SE chip 101.
The SE chip 101 is configured to provide IBE encryption services, and specifically includes a storage function, an encryption function, and a decryption function.
The storage function means that the SE chip 101 can store the main public key of the data encryption sharing service and the private key corresponding to the electronic device. The private key corresponding to the electronic device is generated by the cloud platform according to the identity authentication information of the electronic device and the main private key.
The encryption function is to generate an encryption public key according to the identification information of the shared contact person when the electronic equipment performs data encryption sharing, and encrypt data to be shared by using the encryption public key.
The decryption function is to decrypt the encrypted data by using a private key corresponding to the locally stored electronic device when the electronic device decrypts the encrypted data.
The electronic device also includes a processor and a memory. The memory is used for storing executable codes, and the processor executes the codes to realize the data sharing method in the above embodiment.
The software architecture of the electronic device is described below.
Referring to fig. 12, the diagram is a schematic diagram of a software architecture of an electronic device according to an embodiment of the present application.
The layered architecture divides the software into several layers, each with a distinct role and division of labor. The layers communicate with each other through software interfaces. In some embodiments, the Android system is divided into four layers, which are, from top to bottom, an application layer, an application framework layer, the Android runtime (Android runtime) and system libraries, and a kernel layer.
The application layer may include a series of application packages.
As shown in fig. 12, the application package may include applications such as a camera, music, video, WLAN, gallery, call, address book, and cloud disk APP.
The function of the cloud disk APP can be referred to the related description in the above embodiments, and the embodiments of the present application are not described herein again.
The application framework layer provides an application programming interface (application programming interface, API) and programming framework for application programs of the application layer. The application framework layer includes a number of predefined functions.
As shown in fig. 12, the application framework layer may include a window manager, a content provider, a view system, a phone manager, a resource manager, a notification manager, and the like. Furthermore, the IBE service and the system data sharing service are added in the method. The IBE service is implemented based on SE chips of the electronic devices. The system data sharing service can coexist with the cloud disk APP, or only one of the two services can be included. For specific descriptions of IBE services and system data sharing services, reference may be made to the above embodiments, and details are not repeated here.
The Android runtime includes a core library and virtual machines. The Android runtime is responsible for scheduling and management of the Android system.
The core library consists of two parts: one part is the functions that the Java language needs to call, and the other part is the core library of Android.
The application layer and the application framework layer run in a virtual machine. The virtual machine executes the Java files of the application layer and the application framework layer as binary files. The virtual machine is used for performing functions such as object life cycle management, stack management, thread management, security and exception management, and garbage collection.
The system library may include a plurality of functional modules. For example: a surface manager (surface manager), media libraries (Media Libraries), a three-dimensional graphics processing library (e.g., OpenGL ES), a 2D graphics engine (e.g., SGL), etc.
The three-dimensional graphic processing library is used for realizing three-dimensional graphic drawing, image rendering, synthesis, layer processing and the like.
The 2D graphics engine is a drawing engine for 2D drawing.
The kernel layer is a layer between hardware and software. The kernel layer includes at least a display driver, a camera driver, an audio driver and a sensor driver.
The embodiment of the application is not particularly limited to the type of the electronic device, and the electronic device may be a mobile phone, a notebook computer, a wearable electronic device (such as a smart watch), a tablet computer, an augmented reality (augmented reality, AR) device, a Virtual Reality (VR) device, a vehicle-mounted device, and the like.
In summary, by using the electronic device provided by the embodiment of the present application, when the data sharer shares data with the sharee, the sharer does not need to perform key agreement, and the data sharer does not need to actively add the contact information of the sharee and notify the sharee of the key and the download link. The sharer only needs to encrypt the data to be shared according to known second identification information of the sharee, for example, the sharee's mailbox or mobile phone number, and upload the encrypted data to the cloud platform; the sharee can decrypt it automatically after obtaining the data. In the whole process, there is no risk of key leakage caused by notifying the sharee of the key, and the security of data sharing is improved. In addition, when the number of sharees is large, each sharee does not need to be notified separately and sequentially, and the data sharing process of the user is simplified. The electronic device can implement the data sharing method based on the cloud disk APP or on the system data sharing service provided by the device system.
Based on the data sharing method provided by the embodiment, the embodiment of the application also provides a cloud platform, which can be a computer cluster for providing data sharing service. The computer cluster includes at least one computer, which may be a cloud server, and is described in detail below with reference to the accompanying drawings.
Referring to FIG. 13, which is a hardware structure diagram of a cloud platform provided by an embodiment of the present application.
The cloud platform, i.e., the computer cluster 200, includes at least one computer 2000. Each computer includes a bus 2001, a processor 2002, a communication interface 2003, and a memory 2004.
The processor 2002, the memory 2004, and the communication interface 2003 communicate via a bus 2001.
Bus 2001 may be a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one bus is shown in FIG. 13, but this does not mean that there is only one bus or only one type of bus.
The communication interface 2003 is used for communication with the outside, for example with an originating device for data sharing or with a receiving device for data sharing.
Memory 2004 may include volatile memory, such as random access memory (RAM). Memory 2004 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
The memory 2004 is used to store executable code that the processor 2002 executes to implement the IDS service, IBE service, contact discovery service, etc. above, and thus the data sharing method in the above embodiments.
Further, the computer may also include an SE chip. The SE chip is used for providing IBE encryption services, including: generating a main private key and a main public key in advance; generating a private key corresponding to the electronic equipment according to the identity authentication information sent by the electronic equipment and the main private key; and providing a contact discovery service to acquire a query result corresponding to the registration query. For a description of the SE chip, refer to the above embodiments; it is not repeated here.
In summary, the cloud platform provided by the embodiment of the application can be matched with the cloud disk APP or the system data sharing service provided by the electronic equipment system to realize the encryption and security sharing of data.
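A sketch of the hash-based registration query answered by the contact discovery service described above, as an added example rather than code from the patent. SHA-256, the normalization rules and the names `contact_hash`, `ContactDiscoveryService` and `discover_registered` are assumptions; the secure channel to the SE chip is outside its scope, and all identifiers are constructed sample values.

```python
import hashlib
import re


def normalize_identifier(identifier: str) -> str:
    """Canonicalise an email address or phone number.

    Both the device and the platform must hash identical bytes, so
    case, surrounding whitespace and phone punctuation are removed.
    (Assumed rules; the page does not specify any.)
    """
    ident = identifier.strip()
    if "@" in ident:
        return ident.lower()
    # Phone number: keep digits and a leading '+', drop spaces, dashes, brackets.
    return re.sub(r"[^\d+]", "", ident)


def contact_hash(identifier: str) -> str:
    """Hash information generated from a contact's identification information."""
    canonical = normalize_identifier(identifier).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()  # SHA-256 is an assumption


class ContactDiscoveryService:
    """Stand-in for the contact discovery service inside the platform's SE chip."""

    def __init__(self) -> None:
        self._registered_hashes = set()

    def register(self, identifier: str) -> None:
        # Called once a user has registered the data sharing service.
        self._registered_hashes.add(contact_hash(identifier))

    def query(self, hashes):
        # The query result only indicates which submitted hashes are registered;
        # identifiers that never registered are not stored on this side.
        return [h for h in hashes if h in self._registered_hashes]


def discover_registered(contacts, service: ContactDiscoveryService):
    """Device side: hash the address book, query, map hits back to contacts."""
    by_hash = {contact_hash(c): c for c in contacts}
    hits = set(service.query(list(by_hash)))
    # Preserve address-book order so the user can pick sharees from the result.
    return [c for c in contacts if contact_hash(c) in hits]


if __name__ == "__main__":
    service = ContactDiscoveryService()
    service.register("alice@example.com")   # constructed sample values
    service.register("+15550100199")
    address_book = [" Alice@Example.com", "bob@example.com", "+1 (555) 010-0199"]
    print(discover_registered(address_book, service))
```

Without the normalization step, the differently formatted address-book entries would hash to different values and registered contacts would be reported as unregistered.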
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may represent: only A, only B, and both A and B, where A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of the following" or a similar expression means any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be single or plural.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (22)

1. A method for sharing data, which is applied to a first device, wherein a user of the first device is a sharer, the method comprising:
determining sharees capable of being provided with cloud services by a cloud platform;
generating an encryption public key according to the identification information of the sharees, and encrypting the data to be shared by using the encryption public key;
and sending the encrypted data to be shared to the cloud platform.
2. The method for sharing data according to claim 1, wherein the first device runs a cloud disk APP, the cloud platform is configured to provide cloud services for the cloud disk APP, and the determining a sharee capable of being provided with cloud services by the cloud platform specifically includes:
initiating a registration query for contacts to the cloud platform, wherein the registration query is used for determining the contacts registering the cloud disk APP;
receiving a query result sent by the cloud platform, wherein the query result indicates contacts registered with the cloud disk APP;
and selecting the sharees from the contacts registering the cloud disk APP.
3. The method of data sharing according to claim 1, wherein the first device runs a system data sharing service, the cloud platform is configured to provide cloud services for the system data sharing service, and the determining sharees capable of being provided with cloud services by the cloud platform specifically includes:
initiating a registration query for contacts to the cloud platform, wherein the registration query is used for determining the contacts registered in the system data sharing service;
receiving a query result sent by the cloud platform, wherein the query result indicates contacts registered with the system data sharing service;
and selecting the sharees from the contacts registered with the system data sharing service.
4. The method of data sharing according to claim 2 or 3, wherein the initiating a registration query for a contact to the cloud platform specifically includes:
establishing a secure transmission channel between the first device and a secure module SE chip of the cloud platform;
and sending hash information of the contact person performing registration query to the SE chip through the secure transmission channel, wherein the hash information is generated according to the identification information of the contact person performing registration query, and the SE chip is used for acquiring the query result according to the hash information.
5. The method of claim 1, wherein before determining sharees who can be provided with cloud services by the cloud platform, the method further comprises:
sending identity authentication information carrying the identification information of the sharer and the account information of the sharer to the cloud platform, so that the cloud platform performs identity authentication;
and receiving and storing a main public key and a first private key which are sent by the cloud platform, wherein the first private key is generated by the cloud platform by utilizing the identity authentication information of the sharer and is sent to the first equipment.
6. The method of claim 1, wherein the identification information is an email address or a mobile phone number.
7. The method of data sharing according to claim 1, wherein the encrypted data to be shared is sent to the cloud platform, and the method further comprises:
notifying the sharees through a social platform or instant messaging software, wherein the social platform or instant messaging software is associated with the cloud platform.
8. A method for sharing data, which is applied to a second device, wherein a user of the second device is a sharee, the method comprising:
acquiring encrypted data to be shared from a cloud platform, wherein the encrypted data to be shared is encrypted by first equipment of a sharer by using an encryption public key, and the encryption public key is generated by the first equipment according to identification information of the sharee;
decrypting the encrypted data to be shared by using a locally stored second private key to acquire the data to be shared, wherein the second private key is generated by the cloud platform by using the identity authentication information of the sharee and is sent to the second device.
9. The method of claim 8, wherein before the encrypted data to be shared is obtained from the cloud platform, the method further comprises:
and when the second private key is not stored locally, registering the data sharing service of the cloud platform to acquire the second private key generated by the cloud platform.
10. The method of data sharing according to claim 9, wherein the second device runs a cloud disk APP, the cloud platform is configured to provide cloud services for the cloud disk APP, and the registering the data sharing services of the cloud platform specifically includes:
transmitting identity authentication information carrying identification information of the sharees and cloud disk APP account information of the sharees to the cloud platform through the cloud disk APP so that the cloud platform performs identity authentication;
and receiving and storing the main public key and the second private key sent by the cloud platform.
11. The method of data sharing according to claim 9, wherein the second device runs a system data sharing service, the cloud platform is configured to provide a cloud service for the system data sharing service, and the registering the data sharing service of the cloud platform specifically includes:
sending identity authentication information carrying the identification information of the sharees and the equipment account information of the sharees to the cloud platform through the system data sharing service, so that the cloud platform performs identity authentication;
and receiving and storing the main public key and the second private key sent by the cloud platform.
12. The method of claim 8, wherein the identification information is an email address or a mobile phone number.
13. A method for sharing data, which is applied to a cloud platform, wherein the cloud platform is a computer cluster, the method comprising:
determining sharees capable of providing cloud services and informing first equipment, wherein a user of the first equipment is a sharer;
generating a second private key by using the identity authentication information of the sharee and sending the second private key to the second equipment, wherein a user of the second equipment is the sharee;
and receiving and storing the encrypted data to be shared, which is sent by the first device, and providing the encrypted data to be shared to the second device, wherein the encrypted data to be shared is encrypted by the first device of the sharer by using an encryption public key, and the encryption public key is generated by the first device according to the identification information of the sharee.
14. The method for sharing data according to claim 13, wherein the first device runs a cloud disk APP, the cloud platform is configured to provide cloud services for the cloud disk APP, and the determining sharees capable of providing cloud services and notifying the first device specifically includes:
receiving a registration inquiry of a contact person initiated by the first device, wherein the registration inquiry is used for determining the contact person registering the cloud disk APP;
and carrying out registration inquiry on the contact person and sending an inquiry result to the first device, wherein the inquiry result indicates the contact person registering the cloud disk APP.
15. The method for sharing data according to claim 13, wherein the first device runs a system data sharing service, the cloud platform is configured to provide cloud services for the system data sharing service, and the determining a sharee capable of providing cloud services and notifying the first device specifically includes:
receiving a registration inquiry of contacts initiated by the first device, wherein the registration inquiry is used for determining the contacts registered in the system data sharing service;
and registering and inquiring the contact person and sending an inquiry result to the first device, wherein the inquiry result indicates the contact person registering the system data sharing service.
16. The method of claim 14 or 15, wherein the receiving the registration inquiry of the contact initiated by the first device specifically includes:
establishing a secure transmission channel between a secure module SE chip of the cloud platform and the first device;
and receiving hash information of the contact person for registration inquiry sent by the first device through the secure transmission channel, so that the SE chip obtains the inquiry result according to the hash information, wherein the hash information is generated according to the identification information of the contact person for registration inquiry.
17. The method of claim 13, wherein before determining sharees capable of providing cloud services and notifying the first device, the method further comprises:
receiving identity authentication information which is sent by the first equipment and carries identification information of the sharer and account information of the sharer;
carrying out identity authentication on the sharer according to the identity authentication information;
when the identity authentication is passed, a first private key is generated according to the identity authentication information;
and sending the first private key and a main public key to the first device, wherein the main public key is pre-generated by the cloud platform.
18. The method of claim 13, wherein the second device runs a cloud disk APP, the cloud platform is configured to provide cloud services for the cloud disk APP, and the generating a second private key by using the identity authentication information of the sharee and sending the second private key to the second device specifically includes:
receiving identity authentication information which is sent by the cloud disk APP and carries identification information of the sharee and cloud disk APP account information of the sharee;
carrying out identity authentication on the sharees according to the identity authentication information;
when the identity authentication is passed, generating the second private key according to the identity authentication information;
and sending the second private key and a main public key to the second device, wherein the main public key is pre-generated by the cloud platform.
19. The method of claim 13, wherein the second device runs a system data sharing service, the cloud platform is configured to provide a cloud service for the system data sharing service, and the generating a second private key by using the identity authentication information of the sharee and sending the second private key to the second device specifically includes:
receiving identity authentication information which is sent by the system data sharing service and carries identification information of the sharees and equipment account information of the sharees;
carrying out identity authentication on the sharees according to the identity authentication information;
when the identity authentication is passed, generating the second private key according to the identity authentication information;
and sending the second private key and a main public key to the second device, wherein the main public key is pre-generated by the cloud platform.
20. The method of claim 13, wherein the identification information is an email address or a mobile phone number.
21. An electronic device, characterized in that it comprises a processor, a memory and a security module SE chip;
the memory having stored therein computer readable instructions that are executable by the processor to perform the method of data sharing of any of claims 1-12;
the SE chip is used for storing the main public key sent by the cloud platform and the private key corresponding to the electronic equipment; generating the encryption public key according to the identification information of the sharees, and encrypting the data to be shared by using the encryption public key; and decrypting the encrypted data to be shared obtained from the cloud platform by utilizing the private key corresponding to the electronic equipment.
22. A computer cluster, characterized in that it comprises at least one computer comprising a memory, a processor and a security module SE chip;
the memory having stored therein computer readable instructions that are executable by the processor to perform the method of data sharing of any of claims 13-20;
the secure module SE chip is used for determining sharees capable of being provided with cloud services by the cloud platform, generating a main private key and a main public key, and generating a private key corresponding to the electronic equipment according to the identity authentication information and the main private key.
CN202310280374.2A 2023-03-14 2023-03-14 Data sharing method, electronic equipment and computer cluster Pending CN117118598A (en)


Publications (1)

Publication Number Publication Date
CN117118598A true CN117118598A (en) 2023-11-24

Family

ID=88795401



Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478437A (en) * 2023-12-27 2024-01-30 苏州元脑智能科技有限公司 Data sharing method, device, equipment and storage medium
CN117478437B (en) * 2023-12-27 2024-03-01 苏州元脑智能科技有限公司 Data sharing method, device, equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination