WO2016197680A1 - Access control system for cloud storage service platform and access control method therefor - Google Patents
Access control system for cloud storage service platform and access control method therefor Download PDFInfo
- Publication number
- WO2016197680A1 WO2016197680A1 PCT/CN2016/078599 CN2016078599W WO2016197680A1 WO 2016197680 A1 WO2016197680 A1 WO 2016197680A1 CN 2016078599 W CN2016078599 W CN 2016078599W WO 2016197680 A1 WO2016197680 A1 WO 2016197680A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- cloud storage
- attribute
- storage service
- access control
- data
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Definitions
- the invention belongs to the field of cloud storage service technologies, and in particular relates to an access control system and an access control method thereof for a cloud storage service platform, in particular, an Amazon S3 cloud storage service platform.
- the cloud storage service provider is the physical owner of the data, and is not in the same trust domain as the data owner.
- a cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services.
- the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
- the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
- An object of the present invention is to provide an access control system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a clear text form with poor privacy and security.
- the embodiment of the present invention is implemented in this manner, and is an access control system for a cloud storage service platform.
- the system includes:
- the management terminal running by the authorization center is used to generate the system common parameters and upload to the cloud storage server, generate the user private key and secretly distribute it to the data owner and the shared user, and generate the first partial secret of the data to be uploaded by using the weight attribute encryption mechanism.
- a client running by the data owner and the shared user, generating a second partial ciphertext to be uploaded by using the weight attribute encryption mechanism, combining the first partial ciphertext, the second partial ciphertext, and the data to be uploaded Generating a final ciphertext and uploading the final ciphertext as shared data to the cloud storage service platform, and also for downloading public parameters and sharing data from the cloud storage service platform, and using the public parameters and corresponding users
- the private key decrypts the downloaded shared data.
- Another object of the present invention is to provide an access control method for an access control system for a cloud storage service platform as described above, the method comprising the following steps:
- the authorization center runs the management terminal, generates public parameters and a master private key, and uploads the public parameters to the cloud storage service platform.
- the data belongs to the main running client, requests authorization from the authorization center and sends data upload request information;
- the authorization center runs a management end, verifies the data owner identity and generates a corresponding user private key in combination with the primary private key, and generates a first partial secret to be uploaded based on the weight attribute encryption mechanism according to the data upload request information. And sending the corresponding user private key and the first partial ciphertext to the data owner;
- the data owner combines the first partial ciphertext, the second partial ciphertext to generate a final ciphertext, and uploads the final ciphertext as shared data to the cloud storage service platform;
- the shared user runs the client and requests authorization from the authorization center;
- the authorization center runs a management terminal, verifies the shared user identity, generates a corresponding user private key in combination with the primary private key, and sends a corresponding user private key to the shared user;
- the shared user runs a client, and downloads the public parameter and the location from the cloud storage service platform
- the shared data is described, and the downloaded shared data is decrypted using the public parameters and the corresponding user private key.
- the authorization center and the data owner are based on the weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform. Therefore, effective privacy protection can be implemented for the shared data on the cloud storage service platform, and the security of the cloud storage service is improved.
- the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights.
- the system adopts the ciphertext segmentation method, that is, the authorization center and the data owner respectively generate partial ciphertexts, control the user access rights through the authorization center ciphertext, and formulate the access control policy through the data owner ciphertext, when the user attributes
- the authorization center can update the ciphertext of its own part to realize the real-time revocation of the user's access rights.
- FIG. 1 is a structural diagram of an access control system for a cloud storage service platform provided by the present invention
- FIG. 2 is a flowchart of an access control method of an access control system for a cloud storage service platform provided by the present invention.
- the access control system and the access control method for the cloud storage service platform proposed by the present invention are based on a weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform. .
- FIG. 1 shows the structure of an access control system for a cloud storage service platform provided by the present invention, and only parts related to the present invention are shown for convenience of explanation.
- the access control system for the cloud storage service platform comprises: a management terminal 11 operated by an authorization center, configured to generate system public parameters and upload to the cloud storage server, generate a user private key and secretly distribute to the data owner and share The user generates the first partial ciphertext to be uploaded by using the weight attribute encryption mechanism; the client 12 run by the data owner and the shared user generates the second partial ciphertext to be uploaded by using the weight attribute encryption mechanism, in combination with the first Part of the ciphertext, the second part of the ciphertext and the data to be uploaded to generate the final ciphertext and upload the final ciphertext as shared data to the cloud storage service platform, and also used to download public parameters and share data from the cloud storage service platform, and use the public The parameter and the corresponding user private key decrypt the downloaded shared data.
- the data owner and the shared user are respectively the running main body of the client 12, and the authorization center is the running main body of the management terminal 11.
- the data owner refers to the provider of shared data on the cloud storage service platform
- the shared user refers to downloading the shared data from the cloud storage service platform
- the authorization center refers to the cloud storage service in addition to the data owner and the shared user.
- a trusted third party that interacts with the platform. It should be understood that the purpose of defining the data owner and the shared user is to distinguish that the function of the main body running the client 12 during the running of the system is to upload data or download data, so that the data owner in a certain running process of the system can It is another shared user in the running process. Similarly, the shared user in a certain running process of the system can be the data owner in another running process.
- the management terminal 11 can also be used to maintain basic information of the user, provide functions such as adding, deleting, and searching for the user, and can modify user information such as attributes and weights.
- the client 12 can also be used to guide the user to log in to the system based on the identity information provided by the user and the login information distributed by the authorization center.
- the management terminal 11 and the client terminal 12 can respectively implement the aws-java-sdk interface provided by Amazon to implement the relationship with the Amazon S3 cloud storage service platform. Communication.
- the working principle of the access control system for the cloud storage service platform of the present invention is: after the system is established, the authorization center runs the management terminal 11, generates public parameters and a master private key, and uploads the public parameters to the cloud storage service platform.
- the authorization center According to the attribute of the data owner, the weighting attribute encryption mechanism generates a first part of the ciphertext to be uploaded, and sends the first part of the ciphertext to the data owner.
- the data owner generates the second part of the ciphertext to be uploaded, and then combines the first part of the ciphertext and the second part of the ciphertext to generate the final ciphertext and uploads the final ciphertext as the shared data to the cloud storage service platform.
- the shared user reads the shared data uploaded by the first user from the cloud storage service platform, the shared user runs the client 12, and the second user logs in to the client 12 from the shared user according to the identity information and the login information.
- the shared user obtains the user private key, downloads the public parameter and the shared data from the cloud storage service platform, and decrypts the downloaded shared data by using the public parameter and the corresponding user private key, if the attribute of the shared user is not revoked by the authorization center.
- the shared user can successfully decrypt the shared data.
- the authorization center and the data owner are based on the weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform, thereby being able to store the cloud storage.
- the shared data on the service platform implements effective privacy protection and improves the security of the cloud storage service.
- the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights, and the attributes are used to describe the information elements of the user, such as students in the campus network.
- the teacher has attributes such as department, title, and teaching age, thus achieving more flexible and meticulous access control while ensuring safety.
- the system adopts the ciphertext segmentation method, that is, the authorization center and the data owner respectively generate partial ciphertexts, control the user access rights through the authorization center ciphertext, and formulate the access control policy through the data owner ciphertext, when the user attributes
- the authorization center can update the ciphertext of its own part to realize the real-time revocation of the user's access rights.
- FIG. 2 is a flowchart of an access control method of an access control system for a cloud storage service platform provided by the present invention, including the following steps:
- the authorization center runs the management terminal, generates public parameters and a master private key, and uploads the public parameters to the cloud storage service platform.
- step of generating the public parameter and the primary private key may specifically be:
- the attribute space U ⁇ U 1 ,...,U m ⁇ is defined.
- the minimum weight of each attribute in the attribute space U is 1.
- the maximum weight corresponding to each attribute is L 1 ,...,L m , and is selected at the same time. random number
- the calculation public parameter PK and the master private key MK are respectively:
- S2 The data belongs to the main running client, requests authorization from the authorization center and sends data upload request information.
- the authorization center runs the management end, verifies the data owner identity and generates the corresponding user private key in combination with the primary private key, and generates the first partial ciphertext to be uploaded based on the weight attribute encryption mechanism according to the data upload request information, and the corresponding user is The private key and the first part of the ciphertext are sent to the data owner.
- the step of generating a corresponding user private key in combination with the primary private key may specifically: input a primary private key MK, and define a weight attribute set. Defining a hash function Then choose a random number for each user Then select a random number for each weight attribute j ⁇ S And set the weight ⁇ ' j , and then generate the user private key SK as:
- the step of generating the first partial ciphertext of the data to be uploaded based on the weight attribute encryption mechanism may specifically be: constructing the first authorization tree And according to the public parameter PK and the first authorization tree Calculate the first part of the ciphertext.
- U represents the first authorization tree Set of leaf nodes
- L u denotes authority set attribute u of the maximum weight value
- q u (0) indicates that the property attribute value corresponding to u (Also the output value of the polynomial when the input is 0).
- S4 The data owner generates a second part of the ciphertext to be uploaded based on the weight attribute encryption mechanism.
- the step may specifically be: constructing a second authorization tree And according to the public parameter PK and the second authorization tree Calculate the second part of the ciphertext.
- Y represents the second authorization tree
- the set of middle leaf nodes the attribute y ⁇ Y, ⁇ y represents the minimum weight value of the data owner setting attribute y, L y represents the maximum weight value of the data owner setting attribute y, and q y (0) represents the attribute y corresponding to The attribute value, ⁇ l represents the current weight of the attribute y.
- S5 The data owner combines the first part of the ciphertext and the second part of the ciphertext to generate the final ciphertext and uploads the final ciphertext as shared data to the cloud storage service platform.
- the final ciphertext CT generated by combining the first partial ciphertext CT 1 and the second partial ciphertext CT 2 can be expressed as:
- S6 The shared user runs the client and requests authorization from the authorization center.
- the authorization center runs the management terminal, verifies the shared user identity and generates a corresponding user private key in combination with the primary private key, and sends the corresponding user private key to the shared user.
- the step of generating the corresponding user private key in combination with the primary private key is the same as the step of generating the key in step S3, and details are not described herein.
- S8 The shared user runs the client, downloads the public parameter and the shared data from the cloud storage service platform, and decrypts the downloaded shared data by using the corresponding user private key.
- step of decrypting the downloaded shared data by using the public parameter and the corresponding user private key may include the following steps:
- the first decoded information A 1 corresponding to the first partial ciphertext is obtained as follows:
- x is the input node
- i is the attribute value corresponding to node x
- i att(x)
- ⁇ i is the weight value of node x that the shared user has input
- ⁇ i ' is the node x that the authorization center has input. The minimum weight value.
- whether the weight attribute of the shared user satisfies the first authorization tree Means: a. If the input node x is a leaf node, if i ⁇ S and ⁇ i ⁇ ⁇ i ', then the weight attribute of the shared user is considered to satisfy the first authorization tree in case Or i ⁇ S and ⁇ i ⁇ i ', it is considered that the weight attribute of the shared user does not satisfy the first authorization tree b. If the input node x is a non-leaf node, and all the node sets under the node x are ⁇ z ⁇ , then when at least one group of nodes in the ⁇ z ⁇ meets the threshold condition, the weight attribute of the shared user is considered to satisfy the first authorization. Tree When each group of nodes in ⁇ z ⁇ does not satisfy the threshold condition, it is considered that the weight attribute of the shared user does not satisfy the first authorization tree. And if the shared user's weight attribute does not satisfy the first authorization tree Then returns null.
- the intermediate parameter K i and the intermediate parameter B i ' are calculated as:
- the second decoding information A 2 corresponding to the second partial ciphertext is obtained as follows:
- whether the weight attribute of the shared user satisfies the second authorization tree Means a. If the input node x is a leaf node, ⁇ i ” is the minimum weight value of the node x that the data owner owns the input, and if i ⁇ S, and ⁇ i ⁇ ⁇ i ”, the weight of the shared user is considered Attribute satisfies the second authorization tree in case Or i ⁇ S and ⁇ i ⁇ i ”, it is considered that the weight attribute of the shared user does not satisfy the second authorization tree b.
- the weight attribute of the shared user is considered to satisfy the second authorization. Tree And when each group of nodes in ⁇ z ⁇ does not satisfy the threshold condition, it is considered that the weight attribute of the shared user does not satisfy the second authorization tree. And if the weight attribute of the shared user does not satisfy the second authorization tree Then returns null.
- the method includes a key generation algorithm of the user.
- C e represents a bilinear pairing operation.
- C e represents a bilinear pairing operation.
- n represents the number of attributes in the system
- S' represents the attribute set that satisfies the access structure defined by the licensor.
- It is the encryption party that sets the attribute set related to the ciphertext.
- the licensor sets a set of attributes related to the ciphertext. Is the attribute set of user u, ⁇ i represents the maximum weight of attribute i in the system, Is the weight of the encryption attribute setting attribute i in the cipher text. Is the weight of the attribute i owned by the user u in the system.
- Weight mechanism The invention and the CP-WABE scheme introduce the concept of weight, realize the hierarchical processing of attributes, and can complete more detailed access control.
- the ciphertext length and the encryption and decryption time are related to the weight level, and the communication and computational consumption are increased compared with the BSW07 scheme in which the weight is not implemented.
- Revocation mechanism CP-WABE does not have the ability to revoke, and the BSW07 scheme can be revoked by time stamping.
- the invention adopts ciphertext segmentation to achieve revocation.
- the authorization center only needs to update some of its own ciphertext to realize real-time revocation of user rights.
- the present invention implements attribute grading processing, and also introduces a new revocable mechanism, at the same time, the computing performance is more prominent, and the computing power allocation is reasonable.
- the authorization center and the data owner are based on the weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform. Therefore, effective privacy protection can be implemented for the shared data on the cloud storage service platform, and the security of the cloud storage service is improved.
- the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights, and the attributes are used to describe the information elements of the user, such as students in the campus network.
- the teacher has attributes such as department, title, and teaching age, thus achieving more flexible and meticulous access control while ensuring safety.
- the system uses dense The text segmentation method, that is, the authorization center and the data owner respectively generate a partial ciphertext, control the user access authority through the authorization center ciphertext, and formulate an access control policy through the data owner ciphertext, and only need to authorize when the user's attribute changes.
- the center updates its own ciphertext to achieve real-time revocation of user access rights.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to the technical field of cloud storage services, and provides an access control system for a cloud storage service platform and an access control method therefor. In the method and system, an authorization center and a data owner are based on a weighted attribute-based encryption mechanism. User data that needs to be uploaded is encrypted and stored in the cloud storage service platform, so as to effectively protect privacy of shared data on the cloud storage service platform and improve security of a cloud storage service. Meanwhile, attributes of users are combined with weights, so as to achieve graded management of the attributes of the users, and enable users with the same attribute but different grades to have different access rights. Further, the authorization center and the data owner separately generate parts of a ciphertext. Access rights of the users are controlled by means of the part of ciphertext of the authorization center, and an access control policy is determined by means of the part of ciphertext of the data owner. When an attribute of a user is changed, the access rights of the user can be cancelled in real time as long as the authorization center updates its part of ciphertext.
Description
本发明属于云存储服务技术领域,尤其涉及一种面向云存储服务平台、特别是亚马逊S3云存储服务平台的访问控制系统及其访问控制方法。The invention belongs to the field of cloud storage service technologies, and in particular relates to an access control system and an access control method thereof for a cloud storage service platform, in particular, an Amazon S3 cloud storage service platform.
在云存储服务平台中,由于采用数据远程托管技术,云存储服务提供商是数据的物理拥有者,与数据属主并不在同一个信任域中。云存储服务提供商管理着多个用户及其资源,当用户跨边界访问其它用户资源时,需要采用一定的访问控制策略来控制对数据和服务的访问。但实际中,由于云存储服务平台是采用虚拟化存储技术,云存储服务同底层硬件环境之间是松耦合的,不同用户的数据间缺乏固定不变的安全边界,由此增加了在云存储服务平台对数据实施访问控制的难度。In the cloud storage service platform, because of the data remote hosting technology, the cloud storage service provider is the physical owner of the data, and is not in the same trust domain as the data owner. A cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services. However, in practice, because the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
现有技术中,虽然数据属主可对其上传的用户数据的读/写属性进行设置,例如将读/写属性设置为公有读/私有写或公有读/公有写,以在一定程度上限制数据的读写权限,但由于用户数据仍旧是以明文形式存储在云存储服务平台上的,缺乏有效的隐私保护机制,不能有效抵御非法用户的访问而使得用户数据泄露。In the prior art, although the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
发明内容Summary of the invention
本发明实施例的目的在于提供一种面向云存储服务平台的访问控制系统,旨在解决现有的云存储服务平台是以明文形式存储用户数据,隐私性和安全性差的问题。An object of the present invention is to provide an access control system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a clear text form with poor privacy and security.
本发明实施例是这样实现的,一种面向云存储服务平台的访问控制系统,
所述系统包括:The embodiment of the present invention is implemented in this manner, and is an access control system for a cloud storage service platform.
The system includes:
由授权中心运行的管理端,用于生成系统公共参数并上传至云存储服务器,生成用户私钥并秘密分发至数据属主和共享用户,用基于权重属性加密机制产生需上传数据的第一部分密文;The management terminal running by the authorization center is used to generate the system common parameters and upload to the cloud storage server, generate the user private key and secretly distribute it to the data owner and the shared user, and generate the first partial secret of the data to be uploaded by using the weight attribute encryption mechanism. Text
由数据属主和共享用户运行的客户端,用基于权重属性加密机制产生需上传数据的第二部分密文,结合所述第一部分密文、所述第二部分密文和所述需上传数据生成最终密文并将所述最终密文作为共享数据上传至所述云存储服务平台,还用于从所述云存储服务平台下载公共参数和共享数据,并利用所述公共参数和对应的用户私钥对下载的所述共享数据进行解密。a client running by the data owner and the shared user, generating a second partial ciphertext to be uploaded by using the weight attribute encryption mechanism, combining the first partial ciphertext, the second partial ciphertext, and the data to be uploaded Generating a final ciphertext and uploading the final ciphertext as shared data to the cloud storage service platform, and also for downloading public parameters and sharing data from the cloud storage service platform, and using the public parameters and corresponding users The private key decrypts the downloaded shared data.
本发明实施例的另一目的在于提供一种如上所述的面向云存储服务平台的访问控制系统的访问控制方法,所述方法包括以下步骤:Another object of the present invention is to provide an access control method for an access control system for a cloud storage service platform as described above, the method comprising the following steps:
授权中心运行管理端,生成公共参数与主私钥,并将所述公共参数上传至云存储服务平台。The authorization center runs the management terminal, generates public parameters and a master private key, and uploads the public parameters to the cloud storage service platform.
数据属主运行客户端,向所述授权中心请求授权并发出数据上传请求信息;The data belongs to the main running client, requests authorization from the authorization center and sends data upload request information;
所述授权中心运行管理端,核实所述数据属主身份并结合所述主私钥生成对应的用户私钥,根据所述数据上传请求信息,基于权重属性加密机制产生需上传数据的第一部分密文,将对应的用户私钥和第一部分密文发送给所述数据属主;The authorization center runs a management end, verifies the data owner identity and generates a corresponding user private key in combination with the primary private key, and generates a first partial secret to be uploaded based on the weight attribute encryption mechanism according to the data upload request information. And sending the corresponding user private key and the first partial ciphertext to the data owner;
所述数据属主基于权重属性加密机制产生所述需上传数据的第二部分密文;Generating, by the data owner, a second partial ciphertext of the data to be uploaded based on a weight attribute encryption mechanism;
所述数据属主结合所述第一部分密文、所述第二部分密文生成最终密文并将所述最终密文作为共享数据上传至所述云存储服务平台;The data owner combines the first partial ciphertext, the second partial ciphertext to generate a final ciphertext, and uploads the final ciphertext as shared data to the cloud storage service platform;
共享用户运行客户端,向所述授权中心请求授权;The shared user runs the client and requests authorization from the authorization center;
所述授权中心运行管理端,核实所述共享用户身份并结合所述主私钥生成对应的用户私钥,将对应的用户私钥发送给所述共享用户;The authorization center runs a management terminal, verifies the shared user identity, generates a corresponding user private key in combination with the primary private key, and sends a corresponding user private key to the shared user;
所述共享用户运行客户端,从所述云存储服务平台下载所述公共参数和所
述共享数据,并利用所述公共参数和对应的用户私钥对下载的所述共享数据进行解密。The shared user runs a client, and downloads the public parameter and the location from the cloud storage service platform
The shared data is described, and the downloaded shared data is decrypted using the public parameters and the corresponding user private key.
本发明实施例提供的面向云存储服务平台的访问控制系统及其访问控制方法中,授权中心和数据属主是基于权重属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上的,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,由于将用户的属性与权重相结合,实现了用户属性的分级管理,使得相同属性不同级别的用户具有不同的访问权限。另外,该系统采用了密文分割方法,即由授权中心和数据属主分别产生部分密文,通过授权中心密文控制用户访问权限,通过数据属主密文制定访问控制策略,当用户的属性发生变化时,只需授权中心更新自己部分的密文,即可实现对用户访问权限的实时撤销。In the access control system and the access control method for the cloud storage service platform provided by the embodiment of the present invention, the authorization center and the data owner are based on the weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform. Therefore, effective privacy protection can be implemented for the shared data on the cloud storage service platform, and the security of the cloud storage service is improved. At the same time, because the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights. In addition, the system adopts the ciphertext segmentation method, that is, the authorization center and the data owner respectively generate partial ciphertexts, control the user access rights through the authorization center ciphertext, and formulate the access control policy through the data owner ciphertext, when the user attributes When a change occurs, the authorization center can update the ciphertext of its own part to realize the real-time revocation of the user's access rights.
图1是本发明提供的面向云存储服务平台的访问控制系统的结构图;1 is a structural diagram of an access control system for a cloud storage service platform provided by the present invention;
图2是本发明提供的面向云存储服务平台的访问控制系统的访问控制方法的流程图。2 is a flowchart of an access control method of an access control system for a cloud storage service platform provided by the present invention.
为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
为了解决现有技术存在的问题,本发明提出的面向云存储服务平台的访问控制系统及其访问控制方法是基于权重属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上的。In order to solve the problems existing in the prior art, the access control system and the access control method for the cloud storage service platform proposed by the present invention are based on a weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform. .
图1示出了本发明提供的面向云存储服务平台的访问控制系统的结构,为了便于说明,仅示出了与本发明相关的部分。
FIG. 1 shows the structure of an access control system for a cloud storage service platform provided by the present invention, and only parts related to the present invention are shown for convenience of explanation.
本发明提供的面向云存储服务平台的访问控制系统包括:由授权中心运行的管理端11,用于生成系统公共参数并上传至云存储服务器,生成用户私钥并秘密分发至数据属主和共享用户,用基于权重属性加密机制产生需上传数据的第一部分密文;由数据属主和共享用户运行的客户端12,用基于权重属性加密机制产生需上传数据的第二部分密文,结合第一部分密文、第二部分密文和需上传数据生成最终密文并将最终密文作为共享数据上传至云存储服务平台,还用于从云存储服务平台下载公共参数和共享数据,并利用公共参数和对应的用户私钥对下载的共享数据进行解密。The access control system for the cloud storage service platform provided by the present invention comprises: a management terminal 11 operated by an authorization center, configured to generate system public parameters and upload to the cloud storage server, generate a user private key and secretly distribute to the data owner and share The user generates the first partial ciphertext to be uploaded by using the weight attribute encryption mechanism; the client 12 run by the data owner and the shared user generates the second partial ciphertext to be uploaded by using the weight attribute encryption mechanism, in combination with the first Part of the ciphertext, the second part of the ciphertext and the data to be uploaded to generate the final ciphertext and upload the final ciphertext as shared data to the cloud storage service platform, and also used to download public parameters and share data from the cloud storage service platform, and use the public The parameter and the corresponding user private key decrypt the downloaded shared data.
本发明中,数据属主、共享用户分别是客户端12的运行主体,授权中心是管理端11的运行主体。其中,数据属主是指云存储服务平台上共享数据的提供方,共享用户是指从云存储服务平台下载共享数据方,授权中心是指除数据属主和共享用户之外、与云存储服务平台交互的可信第三方。应当理解,定义数据属主与共享用户的目的是为了区别运行客户端12的主体在系统某次运行过程中的功能是上传数据或下载数据,因而在系统某次运行过程中的数据属主可以是另一次运行过程中的共享用户,同样地,在系统某次运行过程中的共享用户可以是另一次运行过程中的数据属主。In the present invention, the data owner and the shared user are respectively the running main body of the client 12, and the authorization center is the running main body of the management terminal 11. The data owner refers to the provider of shared data on the cloud storage service platform, and the shared user refers to downloading the shared data from the cloud storage service platform, and the authorization center refers to the cloud storage service in addition to the data owner and the shared user. A trusted third party that interacts with the platform. It should be understood that the purpose of defining the data owner and the shared user is to distinguish that the function of the main body running the client 12 during the running of the system is to upload data or download data, so that the data owner in a certain running process of the system can It is another shared user in the running process. Similarly, the shared user in a certain running process of the system can be the data owner in another running process.
本发明中,管理端11还可用于对用户的基本信息进行维护,提供用户增加、删除、查找等功能,并可修改属性、权重等用户信息。客户端12还可用于根据用户提供的身份信息和授权中心分发的登录信息引导用户登录系统。In the present invention, the management terminal 11 can also be used to maintain basic information of the user, provide functions such as adding, deleting, and searching for the user, and can modify user information such as attributes and weights. The client 12 can also be used to guide the user to log in to the system based on the identity information provided by the user and the login information distributed by the authorization center.
本发明中,当云存储服务平台是亚马逊S3云存储服务平台时,管理端11与客户端12可分别通过亚马逊官方提供的aws-java-sdk接口,实现与亚马逊S3云存储服务平台之间的通信。In the present invention, when the cloud storage service platform is the Amazon S3 cloud storage service platform, the management terminal 11 and the client terminal 12 can respectively implement the aws-java-sdk interface provided by Amazon to implement the relationship with the Amazon S3 cloud storage service platform. Communication.
本发明的面向云存储服务平台的访问控制系统的工作原理是:系统建立后,授权中心运行管理端11,生成公共参数与主私钥,并将公共参数上传至云存储服务平台。当第一用户需要上传共享数据时,数据属主运行客户端12,第一用户根据自身的身份信息和登录信息从数据属主登录客户端12。之后,授权中心
根据该数据属主的属性,基于权重属性加密机制产生需上传数据的第一部分密文,将第一部分密文发送给该数据属主。数据属主产生需上传数据的第二部分密文,之后结合第一部分密文、第二部分密文生成最终密文并将最终密文作为共享数据上传至云存储服务平台。当第二用户从云存储服务平台读取第一用户上传的共享数据时,共享用户运行客户端12,第二用户根据自身的身份信息和登录信息从共享用户登录客户端12。之后,共享用户获取用户私钥,从云存储服务平台下载公共参数和共享数据,并利用公共参数和对应的用户私钥对下载的共享数据进行解密,若共享用户的属性未被授权中心撤销并符合数据属主制定的访问控制策略,则该共享用户可成功解密该共享数据。The working principle of the access control system for the cloud storage service platform of the present invention is: after the system is established, the authorization center runs the management terminal 11, generates public parameters and a master private key, and uploads the public parameters to the cloud storage service platform. When the first user needs to upload the shared data, the data belongs to the main running client 12, and the first user logs in to the client 12 from the data owner according to the identity information and the login information. Afterwards, the authorization center
According to the attribute of the data owner, the weighting attribute encryption mechanism generates a first part of the ciphertext to be uploaded, and sends the first part of the ciphertext to the data owner. The data owner generates the second part of the ciphertext to be uploaded, and then combines the first part of the ciphertext and the second part of the ciphertext to generate the final ciphertext and uploads the final ciphertext as the shared data to the cloud storage service platform. When the second user reads the shared data uploaded by the first user from the cloud storage service platform, the shared user runs the client 12, and the second user logs in to the client 12 from the shared user according to the identity information and the login information. After that, the shared user obtains the user private key, downloads the public parameter and the shared data from the cloud storage service platform, and decrypts the downloaded shared data by using the public parameter and the corresponding user private key, if the attribute of the shared user is not revoked by the authorization center. In accordance with the access control policy formulated by the data owner, the shared user can successfully decrypt the shared data.
本发明提供的面向云存储服务平台的访问控制系统中,授权中心和数据属主是基于权重属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上的,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,由于将用户的属性与权重相结合,实现了用户属性的分级管理,使得相同属性不同级别的用户具有不同的访问权限,该属性是用以描述用户的信息要素,例如校园网中的学生具有院系、学生类别、年级、专业等属性,教师具有院系、职称、教龄等属性,从而在保证安全性的同时还实现了更加灵活而细致的访问控制。另外,该系统采用了密文分割方法,即由授权中心和数据属主分别产生部分密文,通过授权中心密文控制用户访问权限,通过数据属主密文制定访问控制策略,当用户的属性发生变化时,只需授权中心更新自己部分的密文,即可实现对用户访问权限的实时撤销。In the access control system for the cloud storage service platform provided by the present invention, the authorization center and the data owner are based on the weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform, thereby being able to store the cloud storage. The shared data on the service platform implements effective privacy protection and improves the security of the cloud storage service. At the same time, because the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights, and the attributes are used to describe the information elements of the user, such as students in the campus network. With attributes such as department, student type, grade, and major, the teacher has attributes such as department, title, and teaching age, thus achieving more flexible and meticulous access control while ensuring safety. In addition, the system adopts the ciphertext segmentation method, that is, the authorization center and the data owner respectively generate partial ciphertexts, control the user access rights through the authorization center ciphertext, and formulate the access control policy through the data owner ciphertext, when the user attributes When a change occurs, the authorization center can update the ciphertext of its own part to realize the real-time revocation of the user's access rights.
图2示出了本发明提供的面向云存储服务平台的访问控制系统的访问控制方法的流程,包括以下步骤:FIG. 2 is a flowchart of an access control method of an access control system for a cloud storage service platform provided by the present invention, including the following steps:
S1:授权中心运行管理端,生成公共参数与主私钥,将公共参数上传至云存储服务平台。S1: The authorization center runs the management terminal, generates public parameters and a master private key, and uploads the public parameters to the cloud storage service platform.
进一步地,生成公共参数与主私钥的步骤(即系统初始化的步骤)具体可以为:
Further, the step of generating the public parameter and the primary private key (ie, the step of system initialization) may specifically be:
输入安全参数λ,构造阶为素数p、生成元为g的双线性群
定义双线性映射
定义属性空间U={U1,…,Um},属性空间U中每个属性的最小权重为1、与每个属性分别一一对应的最大权重为L1,…,Lm,同时选取随机数
计算公共参数PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g Defining bilinear mapping The attribute space U={U 1 ,...,U m } is defined. The minimum weight of each attribute in the attribute space U is 1. The maximum weight corresponding to each attribute is L 1 ,...,L m , and is selected at the same time. random number The calculation public parameter PK and the master private key MK are respectively:
PK={G0,g,h=gβ,e(g,g)α}PK={G 0 ,g,h=g β ,e(g,g) α }
MK={gα,β}MK={g α ,β}
S2:数据属主运行客户端,向授权中心请求授权并发出数据上传请求信息。S2: The data belongs to the main running client, requests authorization from the authorization center and sends data upload request information.
S3:授权中心运行管理端,核实数据属主身份并结合主私钥生成对应的用户私钥,根据数据上传请求信息,基于权重属性加密机制产生需上传数据的第一部分密文,将对应的用户私钥和第一部分密文发送给数据属主。S3: The authorization center runs the management end, verifies the data owner identity and generates the corresponding user private key in combination with the primary private key, and generates the first partial ciphertext to be uploaded based on the weight attribute encryption mechanism according to the data upload request information, and the corresponding user is The private key and the first part of the ciphertext are sent to the data owner.
进一步地,结合主私钥生成对应的用户私钥的步骤(即密钥生成的步骤)具体可以为:输入主私钥MK,定义一权重属性集
定义哈希函数
之后为每一用户选择随机数
之后为每一权重属性j∈S选择随机数
并设置权重ω'j,之后生成用户私钥SK为:Further, the step of generating a corresponding user private key in combination with the primary private key (ie, the step of generating a key) may specifically: input a primary private key MK, and define a weight attribute set. Defining a hash function Then choose a random number for each user Then select a random number for each weight attribute j∈S And set the weight ω' j , and then generate the user private key SK as:
进一步地,基于权重属性加密机制产生需上传数据的第一部分密文的步骤(即加密的步骤)具体可以为:构造第一授权结构树
并根据公共参数PK和第一授权结构树
计算得到第一部分密文。Further, the step of generating the first partial ciphertext of the data to be uploaded based on the weight attribute encryption mechanism (ie, the step of encrypting) may specifically be: constructing the first authorization tree And according to the public parameter PK and the first authorization tree Calculate the first part of the ciphertext.
其中,记第一授权结构树
的节点x的门限值为kx,为每一节点选择多项式qx,多项式的度dx=kx-1,若节点x是叶子节点,则有dx=0。则第一授权结构树
的构造方法为:从根节点R开始,随机选择
设定qR(0)=s1,随机选择dR个子节点来完整定义多项式qR;对于其它节点x,设定qx(0)=qparent(index(x)),随机选择dx个子节点来完整定义多项式qx。则第一部分密文CT1可表示为:
Among them, remember the first authorization tree Threshold for the node x K x, Q x the polynomial for each selected node, the degree of the polynomial d x = k x -1, if the x node is a leaf node, there d x = 0. First authorization tree The construction method is: starting from the root node R, randomly selected Set q R (0)=s 1 , randomly select d R sub-nodes to completely define the polynomial q R ; for other nodes x, set q x (0)=q parent (index(x)), randomly select d x Child nodes to fully define the polynomial q x . Then the first part of the ciphertext CT 1 can be expressed as:
其中,U表示第一授权结构树
中叶子节点的集合,属性u∈U,ωu表示授权中心设置属性u的最小权重值,Lu表示授权中心设置属性u的最大权重值,qu(0)表示属性u所对应的属性值(也为当输入为0时多项式的输出值)。Where U represents the first authorization tree Set of leaf nodes, attributes u∈U, ω u represents the authority to set properties of u minimum weight value, L u denotes authority set attribute u of the maximum weight value, q u (0) indicates that the property attribute value corresponding to u (Also the output value of the polynomial when the input is 0).
S4:数据属主基于权重属性加密机制产生需上传数据的第二部分密文。S4: The data owner generates a second part of the ciphertext to be uploaded based on the weight attribute encryption mechanism.
本发明中,该步骤具体可以是:构造第二授权结构树
并根据公共参数PK和第二授权结构树
计算得到第二部分密文。In the present invention, the step may specifically be: constructing a second authorization tree And according to the public parameter PK and the second authorization tree Calculate the second part of the ciphertext.
同样地,记第二授权结构树
的树形结构中的节点x的门限值为kx,为每一节点选择多项式qx,多项式的度dx=kx-1,若节点x是叶子节点,则有dx=0。则第二授权结构树
的构造方法为:从根节点R开始,随机选择
设定qR(0)=s2,随机选择dR个子节点来完整定义多项式qR;对于其它节点x,设定qx(0)=qparent(index(x)),随机选择dx个子节点来完整定义多项式qx。则第二部分密文CT2可表示为:Similarly, remember the second authorization tree Threshold tree structure for node x K x, Q x the polynomial for each selected node, the degree of the polynomial d x = k x -1, if the x node is a leaf node, there d x = 0. Second authorization tree The construction method is: starting from the root node R, randomly selected Set q R (0)=s 2 , randomly select d R sub-nodes to completely define the polynomial q R ; for other nodes x, set q x (0)=q parent (index(x)), randomly select d x Child nodes to fully define the polynomial q x . Then the second part of the ciphertext CT 2 can be expressed as:
其中,Y表示第二授权结构树
中叶子节点的集合,属性y∈Y,ωy表示数据属主设置属性y的最小权重值,Ly表示数据属主设置属性y的最大权重值,qy(0)表示属性y所对应的属性值,ωl表示属性y的当前权重。Where Y represents the second authorization tree The set of middle leaf nodes, the attribute y∈Y, ω y represents the minimum weight value of the data owner setting attribute y, L y represents the maximum weight value of the data owner setting attribute y, and q y (0) represents the attribute y corresponding to The attribute value, ω l represents the current weight of the attribute y.
S5:数据属主结合第一部分密文、第二部分密文生成最终密文并将最终密文作为共享数据上传至云存储服务平台。S5: The data owner combines the first part of the ciphertext and the second part of the ciphertext to generate the final ciphertext and uploads the final ciphertext as shared data to the cloud storage service platform.
若需上传数据(即:明文)为M、则结合第一部分密文CT1、第二部分密文CT2生成的最终密文CT可表示为:
If the data to be uploaded (ie, plaintext) is M, the final ciphertext CT generated by combining the first partial ciphertext CT 1 and the second partial ciphertext CT 2 can be expressed as:
S6:共享用户运行客户端,向授权中心请求授权。S6: The shared user runs the client and requests authorization from the authorization center.
S7:授权中心运行管理端,核实共享用户身份并结合主私钥生成对应的用户私钥,将对应的用户私钥发送给共享用户。其中,结合主私钥生成对应的用户私钥与步骤S3中密钥生成的步骤相同,不赘述。S7: The authorization center runs the management terminal, verifies the shared user identity and generates a corresponding user private key in combination with the primary private key, and sends the corresponding user private key to the shared user. The step of generating the corresponding user private key in combination with the primary private key is the same as the step of generating the key in step S3, and details are not described herein.
S8:共享用户运行客户端,从云存储服务平台下载公共参数和共享数据,并利用对应的用户私钥对下载的共享数据进行解密。S8: The shared user runs the client, downloads the public parameter and the shared data from the cloud storage service platform, and decrypts the downloaded shared data by using the corresponding user private key.
进一步地,利用公共参数和对应的用户私钥对下载的共享数据进行解密的步骤可包括以下步骤:Further, the step of decrypting the downloaded shared data by using the public parameter and the corresponding user private key may include the following steps:
S81:输入共享数据CT、对应的用户私钥SK、以及第一授权结构树
或第二授权结构树
中的一个节点x。S81: input shared data CT, corresponding user private key SK, and first authorization tree Second authorization tree One of the nodes x.
S82:若共享用户的权重属性满足第一授权结构树
则计算中间参数Ai为:S82: If the weight attribute of the shared user satisfies the first authorization tree Then calculate the intermediate parameter A i as:
之后得到第一部分密文对应的第一解码信息A1为:The first decoded information A 1 corresponding to the first partial ciphertext is obtained as follows:
其中,x是输入的节点,i是节点x所对应的属性值即i=att(x),ωi是共享用户拥有输入的节点x的权重值,ωi'是授权中心拥有输入的节点x的最小权重值。Where x is the input node, i is the attribute value corresponding to node x, i=att(x), ω i is the weight value of node x that the shared user has input, and ω i ' is the node x that the authorization center has input. The minimum weight value.
本发明中,共享用户的权重属性是否满足第一授权结构树
是指:a.若输
入的节点x是叶子节点,如果i∈S且ωi≥ωi',则认为共享用户的权重属性满足第一授权结构树
如果
或i∈S且ωi<ωi',则认为共享用户的权重属性不满足第一授权结构树
b.若输入的节点x是非叶子节点,节点x下的所有节点集合为{z},则当{z}中有至少一组节点满足阈值条件时,则认为共享用户的权重属性满足第一授权结构树
而当{z}中的每一组节点均不满足阈值条件时,则认为共享用户的权重属性不满足第一授权结构树
而若共享用户的权重属性不满足第一授权结构树
则返回null。In the present invention, whether the weight attribute of the shared user satisfies the first authorization tree Means: a. If the input node x is a leaf node, if i ∈ S and ω i ≥ ω i ', then the weight attribute of the shared user is considered to satisfy the first authorization tree in case Or i∈S and ω i <ω i ', it is considered that the weight attribute of the shared user does not satisfy the first authorization tree b. If the input node x is a non-leaf node, and all the node sets under the node x are {z}, then when at least one group of nodes in the {z} meets the threshold condition, the weight attribute of the shared user is considered to satisfy the first authorization. Tree When each group of nodes in {z} does not satisfy the threshold condition, it is considered that the weight attribute of the shared user does not satisfy the first authorization tree. And if the shared user's weight attribute does not satisfy the first authorization tree Then returns null.
S83:若共享用户的权重属性满足第二授权结构树
且共享用户拥有输入的节点x的权重值ωi与数据属主拥有输入的节点x的最小权重值ωi”相等,则计算中间参数Bi为:S83: If the weight attribute of the shared user satisfies the second authorization tree And the weight value ω i of the node x that the shared user has input is equal to the minimum weight value ω i ” of the node x that the data owner owns the input, then the intermediate parameter B i is calculated as:
若共享用户的权重属性满足第二授权结构树
且共享用户拥有输入的节点x的权重值ωi大于数据属主拥有输入的节点x的最小权重值ωi”,则计算中间参数Ki和中间参数Bi'为:If the shared user's weight attribute satisfies the second authorization tree And the weight value ω i of the node x that the shared user has input is greater than the minimum weight value ω i ′ of the node x that the data owner owns the input, then the intermediate parameter K i and the intermediate parameter B i ' are calculated as:
之后得到第二部分密文对应的第二解码信息A2为:The second decoding information A 2 corresponding to the second partial ciphertext is obtained as follows:
本发明中,共享用户的权重属性是否满足第二授权结构树
是指:a.若输入的节点x是叶子节点,ωi”是数据属主拥有输入的节点x的最小权重值,如果i∈S,且ωi≥ωi”,则认为共享用户的权重属性满足第二授权结构树
如果
或i∈S且ωi<ωi”,则认为共享用户的权重属性不满足第二授权结构树
b.若输入的节点x是非叶子节点,节点x下的所有节点集合为{z},则当{z}中有至少一组节点满足阈值条件时,则认为共享用户的权重属性满足第二授权结构树
而当{z}中的每一组节点均不满足阈值条件时,则认为共享用户的权重属性不满足第二授权结构树
而若共享用户的权重属性不满足第二授权结构树
则返回null。In the present invention, whether the weight attribute of the shared user satisfies the second authorization tree Means: a. If the input node x is a leaf node, ω i ” is the minimum weight value of the node x that the data owner owns the input, and if i ∈ S, and ω i ≥ ω i ”, the weight of the shared user is considered Attribute satisfies the second authorization tree in case Or i∈S and ω i <ω i ”, it is considered that the weight attribute of the shared user does not satisfy the second authorization tree b. If the input node x is a non-leaf node, and all the node sets under the node x are {z}, then when at least one group of nodes in the {z} meets the threshold condition, the weight attribute of the shared user is considered to satisfy the second authorization. Tree And when each group of nodes in {z} does not satisfy the threshold condition, it is considered that the weight attribute of the shared user does not satisfy the second authorization tree. And if the weight attribute of the shared user does not satisfy the second authorization tree Then returns null.
S84:结合第一解码信息和第二解码信息得到明文M,表示为:S84: Combine the first decoding information and the second decoding information to obtain a plaintext M, which is expressed as:
以下对上述面向云存储服务平台的访问控制系统的访问控制方法的安全性进行分析:The following is an analysis of the security of the access control method for the above-mentioned access control system for the cloud storage service platform:
1、在直接攻击下的安全性:1. Security under direct attack:
若攻击者的属性不满足访问结构树,同时它想对下载的共享数据解密,则必须能够计算出
要建立这样的配对,敌手只能利用已知的信息,即包含α的部分私钥D=g(α+r)/β和包含s1和s2的密文
和
建立配对:
要得到
必须已知
而敌手在不满足访问结构树
和
时无法获得正确的密钥,计算不出该值。因此,敌手不能解密。If the attacker's attribute does not satisfy the access tree and it wants to decrypt the downloaded shared data, it must be able to calculate To establish such a match, the adversary can only use the known information, that is, the partial private key D=g (α+r)/β containing α and the ciphertext containing s 1 and s 2 with Establish pairing: to get Must be known And the adversary is not satisfied with the access tree. with The correct key could not be obtained and the value could not be calculated. Therefore, the adversary cannot decrypt.
2、抗共谋安全性:2. Anti-collusion safety:
该方法中包含了用户的密钥生成算法,解密时,系统先运行该算法为用户分配随机数r,生成用户的部分私钥D=g(α+r)/β。在解密算法中,参数D=g(α+r)/β被植入了随机值,不同的用户不能合谋恢复消息。The method includes a key generation algorithm of the user. When decrypting, the system first runs the algorithm to allocate a random number r to the user, and generates a partial private key D=g (α+r)/β of the user . In the decryption algorithm, the parameter D=g (α+r)/β is implanted with a random value, and different users cannot collude to recover the message.
以下对上述面向云存储服务平台的访问控制系统的访问控制方法的效率进行分析:The following is an analysis of the efficiency of the above access control method for the access control system of the cloud storage service platform:
设
和
表示群上的指数或者乘法运算,Ce表示双线性对运算,
表示有限域上模素数p整数群,n表示系统中属性的个数,S'表示满足授权方定义的访问结构最少的属性集合,
是加密方设置与密文相关的属性集合,
表示授权方设置与密文相关的属性集合,
是用户u的属性集合,ωi表示系统中属性i的最大权重,
是密文中加密方设置属性i的权重,
是系统中用户u拥有属性i的权重,
表示密文中授权方设置属性i的权重。L*是元素在*上的比特长度,|*|是元素在*上的个数。如下表示出了上述方法与现有的访问控制方法BSW07和CP-WABE之间的比较分析:Assume with Represents an exponent or multiplication operation on a group, and C e represents a bilinear pairing operation. Represents the modulo prime number p integer group on the finite field, n represents the number of attributes in the system, and S' represents the attribute set that satisfies the access structure defined by the licensor. It is the encryption party that sets the attribute set related to the ciphertext. Indicates that the licensor sets a set of attributes related to the ciphertext. Is the attribute set of user u, ω i represents the maximum weight of attribute i in the system, Is the weight of the encryption attribute setting attribute i in the cipher text. Is the weight of the attribute i owned by the user u in the system. Indicates the weight of the attribute i in the ciphertext. L * is the bit length of the element on *, and |*| is the number of elements on *. A comparative analysis between the above method and the existing access control methods BSW07 and CP-WABE is shown below:
从上表对比分析可以看出:1)权重机制方面:本发明与CP-WABE方案引入了权重的概念,实现了属性的分级处理,可以完成更加细致的访问控制。然而,密文长度与加解密时间与权重等级有关系,与未实现权重的BSW07方案相比,增加了一定通信与计算消耗。2)撤销机制方面:CP-WABE不具备撤销能力,BSW07方案通过时间戳实现可撤销,本发明采用密文分割的方式实现可撤销。当属性发生变更时,授权中心只需要更新自己部分的密文,即可实现对用户权限的实时撤销。总体来说,本发明即实现了属性分级处理,也引入了新的可撤销机制,同时运算性能比较突出,运算能力分配合理。From the comparison analysis of the above table, it can be seen that: 1) Weight mechanism: The invention and the CP-WABE scheme introduce the concept of weight, realize the hierarchical processing of attributes, and can complete more detailed access control. However, the ciphertext length and the encryption and decryption time are related to the weight level, and the communication and computational consumption are increased compared with the BSW07 scheme in which the weight is not implemented. 2) Revocation mechanism: CP-WABE does not have the ability to revoke, and the BSW07 scheme can be revoked by time stamping. The invention adopts ciphertext segmentation to achieve revocation. When the attribute changes, the authorization center only needs to update some of its own ciphertext to realize real-time revocation of user rights. In general, the present invention implements attribute grading processing, and also introduces a new revocable mechanism, at the same time, the computing performance is more prominent, and the computing power allocation is reasonable.
本发明提供的面向云存储服务平台的访问控制系统及其访问控制方法中,授权中心和数据属主是基于权重属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上的,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,由于将用户的属性与权重相结合,实现了用户属性的分级管理,使得相同属性不同级别的用户具有不同的访问权限,该属性是用以描述用户的信息要素,例如校园网中的学生具有院系、学生类别、年级、专业等属性,教师具有院系、职称、教龄等属性,从而在保证安全性的同时还实现了更加灵活而细致的访问控制。另外,该系统采用了密
文分割方法,即由授权中心和数据属主分别产生部分密文,通过授权中心密文控制用户访问权限,通过数据属主密文制定访问控制策略,当用户的属性发生变化时,只需授权中心更新自己部分的密文,即可实现对用户访问权限的实时撤销。In the access control system and the access control method for the cloud storage service platform provided by the present invention, the authorization center and the data owner are based on the weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform. Therefore, effective privacy protection can be implemented for the shared data on the cloud storage service platform, and the security of the cloud storage service is improved. At the same time, because the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights, and the attributes are used to describe the information elements of the user, such as students in the campus network. With attributes such as department, student type, grade, and major, the teacher has attributes such as department, title, and teaching age, thus achieving more flexible and meticulous access control while ensuring safety. In addition, the system uses dense
The text segmentation method, that is, the authorization center and the data owner respectively generate a partial ciphertext, control the user access authority through the authorization center ciphertext, and formulate an access control policy through the data owner ciphertext, and only need to authorize when the user's attribute changes. The center updates its own ciphertext to achieve real-time revocation of user access rights.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分步骤是可以通过程序来控制相关的硬件完成,所述的程序可以在存储于一计算机可读取存储介质中,所述的存储介质,如ROM/RAM、磁盘、光盘等。A person of ordinary skill in the art can understand that all or part of the steps in implementing the above embodiments may be controlled by a program to control related hardware, and the program may be stored in a computer readable storage medium, the storage. Media, such as ROM/RAM, disk, CD, etc.
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。
The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. Within the scope.
Claims (10)
- 一种面向云存储服务平台的访问控制系统,其特征在于,所述系统包括:An access control system for a cloud storage service platform, characterized in that the system comprises:由授权中心运行的管理端,用于生成系统公共参数并上传至云存储服务器,生成用户私钥并秘密分发至数据属主和共享用户,用基于权重属性加密机制产生需上传数据的第一部分密文;The management terminal running by the authorization center is used to generate the system common parameters and upload to the cloud storage server, generate the user private key and secretly distribute it to the data owner and the shared user, and generate the first partial secret of the data to be uploaded by using the weight attribute encryption mechanism. Text由数据属主和共享用户运行的客户端,用基于权重属性加密机制产生需上传数据的第二部分密文,结合所述第一部分密文、所述第二部分密文和所述需上传数据生成最终密文并将所述最终密文作为共享数据上传至所述云存储服务平台,还用于从所述云存储服务平台下载公共参数和共享数据,并利用所述公共参数和对应的用户私钥对下载的所述共享数据进行解密。a client running by the data owner and the shared user, generating a second partial ciphertext to be uploaded by using the weight attribute encryption mechanism, combining the first partial ciphertext, the second partial ciphertext, and the data to be uploaded Generating a final ciphertext and uploading the final ciphertext as shared data to the cloud storage service platform, and also for downloading public parameters and sharing data from the cloud storage service platform, and using the public parameters and corresponding users The private key decrypts the downloaded shared data.
- 如权利要求1所述的面向云存储服务平台的访问控制系统,其特征在于,所述管理端还用于对用户的基本信息进行维护;所述客户端还用于根据用户提供的身份信息和所述授权中心分发的登录信息引导用户登录系统。The access control system for a cloud storage service platform according to claim 1, wherein the management terminal is further configured to maintain basic information of the user; the client is further configured to use the identity information provided by the user. The login information distributed by the authorization center guides the user to log in to the system.
- 如权利要求1所述的面向云存储服务平台的访问控制系统,其特征在于,所述云存储服务平台是亚马逊S3云存储服务平台。The access control system for a cloud storage service platform according to claim 1, wherein the cloud storage service platform is an Amazon S3 cloud storage service platform.
- 一种如权利要求1至3任一项所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述方法包括以下步骤:An access control method for an access control system for a cloud storage service platform according to any one of claims 1 to 3, wherein the method comprises the following steps:授权中心运行管理端,生成公共参数与主私钥,将公共参数上传至云存储服务平台;The authorization center runs the management terminal, generates public parameters and the master private key, and uploads the public parameters to the cloud storage service platform;数据属主运行客户端,向授权中心请求授权并发出数据上传请求信息;The data belongs to the main running client, requests authorization from the authorization center and sends data upload request information;授权中心运行管理端,核实所述数据属主身份并结合所述主私钥生成对应的用户私钥,根据所述数据上传请求信息,基于权重属性加密机制产生需上传数据的第一部分密文,将对应的用户私钥和所述第一部分密文发送给数据属主;The authorization center runs the management end, verifies the data owner identity and generates a corresponding user private key in combination with the primary private key, and generates a first partial ciphertext to be uploaded based on the weight attribute encryption mechanism according to the data upload request information. Sending the corresponding user private key and the first partial ciphertext to the data owner;所述数据属主基于权重属性加密机制产生所述需上传数据的第二部分密文;Generating, by the data owner, a second partial ciphertext of the data to be uploaded based on a weight attribute encryption mechanism;所述数据属主结合所述第一部分密文、所述第二部分密文生成最终密文并 将所述最终密文作为共享数据上传至所述云存储服务平台;The data owner combines the first partial ciphertext and the second partial ciphertext to generate a final ciphertext and Uploading the final ciphertext as shared data to the cloud storage service platform;共享用户运行客户端,向授权中心请求授权;The shared user runs the client and requests authorization from the authorization center;授权中心运行管理端,核实所述共享用户身份并结合所述主私钥生成对应的用户私钥,将对应的用户私钥发送给所述共享用户;The authorization center runs the management terminal, verifies the shared user identity, generates a corresponding user private key in combination with the primary private key, and sends the corresponding user private key to the shared user;共享用户运行客户端,从所述云存储服务平台下载所述公共参数和所述共享数据,并利用对应的用户私钥对下载的所述共享数据进行解密。The shared user runs the client, downloads the public parameter and the shared data from the cloud storage service platform, and decrypts the downloaded shared data by using a corresponding user private key.
- 如权利要求4所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述生成公共参数与主私钥的步骤具体为:The access control method for the access control system of the cloud storage service platform according to claim 4, wherein the step of generating the public parameter and the master private key is specifically:输入安全参数λ,构造阶为素数p、生成元为g的双线性群定义双线性映射
定义属性空间U={U1,…,Um},所述属性空间U中每个属性的最小权重为1、与每个属性分别一一对应的最大权重为L1,…,Lm,同时选取随机数
计算公共参数PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g
Defining bilinear mappingDefining the attribute space U={U 1 ,..., U m }, the minimum weight of each attribute in the attribute space U is 1, and the maximum weight corresponding to each attribute is L 1 ,...,L m , Simultaneous selection of random numbersThe calculation public parameter PK and the master private key MK are respectively:PK={G0,g,h=gβ,e(g,g)α}PK={G 0 ,g,h=g β ,e(g,g) α }MK={gα,β}。MK = {g α , β}. - 如权利要求5所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述结合所述主私钥生成对应的用户私钥的步骤具体为:The access control method for the access control system of the cloud storage service platform according to claim 5, wherein the step of generating the corresponding user private key in combination with the primary private key is specifically:输入所述主私钥MK,定义一权重属性集定义哈希函数
之后为每一用户选择随机数
之后为每一权重属性j∈S选择随机数
并设置权重ω'j,之后生成用户私钥SK为:Enter the master private key MK to define a weight attribute set
Defining a hash functionThen choose a random number for each userThen select a random number for each weight attribute j∈SAnd set the weight ω' j , and then generate the user private key SK as:
- 如权利要求6所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述基于权重属性加密机制产生需上传数据的第一部分密文的步骤具体为:The access control method for the access control system of the cloud storage service platform according to claim 6, wherein the step of generating the first partial ciphertext of the data to be uploaded based on the weight attribute encryption mechanism is specifically:构造第一授权结构树并根据所述公共参数PK和所述第一授权结构树
计算得到第一部分密文CT1,所述第一部分密文CT1表示为:Constructing a first authorization tree
And according to the public parameter PK and the first authorization treeThe first partial ciphertext CT 1 is calculated, and the first partial ciphertext CT 1 is expressed as:
其中,随机选择U表示所述第一授权结构树
中叶子节点的集合,属性u∈U,ωu表示所述授权中心设置属性u的最小权重值,Lu表示所述授权中心设置属性u的最大权重值,qu(0)表示属性u所对应的属性值。Among them, random selection
U represents the first authorization treeSet of leaf nodes, attributes u∈U, ω u represents the authority attribute setting weight values weight the minimum of u, L u denotes the authority attribute is provided largest weight value of u, q u (0) indicates the attribute u The corresponding attribute value. - 如权利要求7所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述第二部分密文CT2表示为:The access control system for an access control system for a cloud storage service platform according to claim 7, wherein the second partial ciphertext CT 2 is expressed as:
其中,随机选择Y表示第二授权结构树
中叶子节点的集合,属性y∈Y,ωy表示所述数据属主设置属性y的最小权重值,Ly表示所述数据属主设置属性y的最大权重值,qy(0)表示属性y所对应的属性值,ωl表示属性y的当前权重。Among them, random selection
Y represents the second authorization treea set of medium leaf nodes, the attribute y∈Y, ω y represents the minimum weight value of the data owner setting attribute y, L y represents the maximum weight value of the data owner setting attribute y, and q y (0) represents the attribute. The attribute value corresponding to y, ω l represents the current weight of the attribute y. - 如权利要求8所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,若所述需上传数据为M、则所述最终密文CT表示为:The access control system for the access control system of the cloud storage service platform according to claim 8, wherein if the data to be uploaded is M, the final ciphertext CT is expressed as:
- 如权利要求9所述的面向云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述利用对应的用户私钥对下载的所述共享数据进行解密的步骤包括以下步骤:The access control method for the access control system of the cloud storage service platform according to claim 9, wherein the step of decrypting the downloaded shared data by using a corresponding user private key comprises the following steps:A21:输入共享数据CT、对应的用户私钥SK、以及第一授权结构树和 第二授权结构树
中的一个节点x;A21: input shared data CT, corresponding user private key SK, and first authorization tree
And second authorization treeOne of the nodes x;A22:若共享用户的权重属性满足所述第一授权结构树则所述第一部分密文对应的第一解码信息A1为:A22: If the weight attribute of the shared user satisfies the first authorization tree
The first portion of the first ciphertext corresponding to the decoded information A 1 is:
A23:若共享用户的权重属性满足所述第二授权结构树则所述第二部分密文对应的第二解码信息A2为:A23: If the weight attribute of the shared user satisfies the second authorization tree
Then, the second decoding information A 2 corresponding to the second partial ciphertext is:
A24:结合所述第一解码信息A1和所述第二解码信息A2得到明文M,表示为:A24: binding the first decoded information A 1 and A 2 of the second decoded information to obtain the plaintext M, expressed as:
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510323848.2 | 2015-06-12 | ||
| CN201510323848.2A CN105025012B (en) | 2015-06-12 | 2015-06-12 | Towards the access control system and its access control method of cloud storage service platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2016197680A1 true WO2016197680A1 (en) | 2016-12-15 |
Family
ID=54414717
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2016/078599 WO2016197680A1 (en) | 2015-06-12 | 2016-04-06 | Access control system for cloud storage service platform and access control method therefor |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN105025012B (en) |
| WO (1) | WO2016197680A1 (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108173868A (en) * | 2018-01-05 | 2018-06-15 | 中国地质大学(武汉) | A kind of method, equipment and the storage device of one-to-many file distributing |
| CN109768858A (en) * | 2018-12-26 | 2019-05-17 | 西安电子科技大学 | Based on the encryption attribute access control system more authorized and design method under cloud environment |
| WO2019096086A1 (en) * | 2017-11-14 | 2019-05-23 | 钉钉控股(开曼)有限公司 | Access method for shared space, and permission management method and apparatus |
| CN111191288A (en) * | 2019-12-30 | 2020-05-22 | 中电海康集团有限公司 | Block chain data access authority control method based on proxy re-encryption |
| CN112187798A (en) * | 2020-09-28 | 2021-01-05 | 安徽大学 | Bidirectional access control method and system applied to cloud-side data sharing |
| CN114301651A (en) * | 2021-12-22 | 2022-04-08 | 河南大学 | CP-ABE-based yellow river dam bank monitoring data sharing method |
| CN114362924A (en) * | 2020-09-29 | 2022-04-15 | 湖南大学 | CP-ABE-based system and method for supporting flexible revocation and verifiable ciphertext authorization |
| CN115242518A (en) * | 2022-07-25 | 2022-10-25 | 深圳万海思数字医疗有限公司 | Medical health data protection system and method under mixed cloud environment |
| CN115550605A (en) * | 2022-08-19 | 2022-12-30 | 南京邮电大学 | Fault detection method of power grid multimedia dispatching system and automatic detection equipment thereof |
Families Citing this family (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105025012B (en) * | 2015-06-12 | 2017-12-08 | 深圳大学 | Towards the access control system and its access control method of cloud storage service platform |
| CN106341236A (en) * | 2016-09-09 | 2017-01-18 | 深圳大学 | Access control method facing cloud storage service platform and system thereof |
| CN106357395B (en) * | 2016-09-13 | 2019-04-23 | 深圳大学 | A kind of outsourcing access control method and its system towards mist calculating |
| WO2018049601A1 (en) * | 2016-09-14 | 2018-03-22 | 深圳大学 | Outsourcing access control method for fog computing and system thereof |
| CN106529216B (en) * | 2016-10-27 | 2022-04-22 | 西安交通大学 | Software authorization system and software authorization method based on public storage platform |
| CN108076106B (en) * | 2016-11-15 | 2019-11-19 | 中国科学院声学研究所 | A kind of Stream Processing system and method for facing cloud storing data encryption and decryption |
| CN107172014A (en) * | 2017-04-21 | 2017-09-15 | 齐鲁工业大学 | A kind of information management high in the clouds shared system |
| CN108540444A (en) * | 2018-02-24 | 2018-09-14 | 中山大学 | A kind of information transmission storage method and device |
| CN108390886A (en) * | 2018-03-05 | 2018-08-10 | 商丘师范学院 | Educate big data secure access control system |
| CN109583232B (en) * | 2018-11-20 | 2022-03-18 | 深圳大学 | CP-ABE-based medical archive management method, device, equipment and storage medium |
| CN109494879A (en) * | 2018-12-25 | 2019-03-19 | 湖北师范大学 | A kind of data acquisition platform for electric system |
| CN109451067A (en) * | 2018-12-27 | 2019-03-08 | 宝鸡文理学院 | Data sharing method in cloud computing system |
| US11228597B2 (en) | 2019-02-12 | 2022-01-18 | Nutanix, Inc. | Providing control to tenants over user access of content hosted in cloud infrastructures |
| CN112437063B (en) * | 2020-11-11 | 2022-08-23 | 张银杏 | Data fusion and access method, platform and system |
| CN112835935B (en) * | 2021-02-02 | 2021-12-07 | 农夫铺子发展集团有限公司 | Information flow analysis method and cloud service platform based on block chain and mobile internet |
| CN113645206A (en) * | 2021-07-28 | 2021-11-12 | 上海纽盾网安科技有限公司 | Cloud storage data access control method and system for different user requirements |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103107992A (en) * | 2013-02-04 | 2013-05-15 | 杭州师范大学 | Multistage authority management method for cloud storage enciphered data sharing |
| CN103179114A (en) * | 2013-03-15 | 2013-06-26 | 华中科技大学 | Fine-grained access control method for data in cloud storage |
| WO2014043894A1 (en) * | 2012-09-21 | 2014-03-27 | Nokia Corporation | Method and apparatus for providing access control to shared data based on trust level |
| CN105025012A (en) * | 2015-06-12 | 2015-11-04 | 深圳大学 | An access control system and an access control method thereof oriented towards a cloud storage service platform |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011045723A1 (en) * | 2009-10-15 | 2011-04-21 | Koninklijke Philips Electronics N.V. | Ciphertext-policy attribute-based encryption and re-encryption |
| CN102857338A (en) * | 2012-08-31 | 2013-01-02 | 浪潮电子信息产业股份有限公司 | Method for realizing secure transmission of data in cloud storage system |
| CN102916954B (en) * | 2012-10-15 | 2015-04-01 | 南京邮电大学 | Attribute-based encryption cloud computing safety access control method |
| CN103973451B (en) * | 2014-05-05 | 2017-04-12 | 西南交通大学 | Cross-trust-domain authentication method used for distributed network system |
-
2015
- 2015-06-12 CN CN201510323848.2A patent/CN105025012B/en active Active
-
2016
- 2016-04-06 WO PCT/CN2016/078599 patent/WO2016197680A1/en active Application Filing
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014043894A1 (en) * | 2012-09-21 | 2014-03-27 | Nokia Corporation | Method and apparatus for providing access control to shared data based on trust level |
| CN103107992A (en) * | 2013-02-04 | 2013-05-15 | 杭州师范大学 | Multistage authority management method for cloud storage enciphered data sharing |
| CN103179114A (en) * | 2013-03-15 | 2013-06-26 | 华中科技大学 | Fine-grained access control method for data in cloud storage |
| CN105025012A (en) * | 2015-06-12 | 2015-11-04 | 深圳大学 | An access control system and an access control method thereof oriented towards a cloud storage service platform |
Non-Patent Citations (2)
| Title |
|---|
| GOVAL, VIPUL ET AL.: "Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data", CCS'06 PROCEEDINGS OF 13TH ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 30 October 2006 (2006-10-30), pages 89 - 98, XP055334553 * |
| LIU, XIMENG ET AL.: "Ciphertext-policy Weighted Attribute-based Encryption Scheme in Cloud Computing", JOURNAL OF SICHUAN UNIVERSITY(ENGINEERING SCIENCE EDITION, vol. 45, no. 6, pages 30 * |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2019096086A1 (en) * | 2017-11-14 | 2019-05-23 | 钉钉控股(开曼)有限公司 | Access method for shared space, and permission management method and apparatus |
| CN108173868A (en) * | 2018-01-05 | 2018-06-15 | 中国地质大学(武汉) | A kind of method, equipment and the storage device of one-to-many file distributing |
| CN109768858A (en) * | 2018-12-26 | 2019-05-17 | 西安电子科技大学 | Based on the encryption attribute access control system more authorized and design method under cloud environment |
| CN109768858B (en) * | 2018-12-26 | 2022-03-08 | 西安电子科技大学 | Multi-authorization-based attribute encryption access control system in cloud environment and design method |
| CN111191288A (en) * | 2019-12-30 | 2020-05-22 | 中电海康集团有限公司 | Block chain data access authority control method based on proxy re-encryption |
| CN111191288B (en) * | 2019-12-30 | 2023-10-13 | 中电海康集团有限公司 | Block chain data access right control method based on proxy re-encryption |
| CN112187798A (en) * | 2020-09-28 | 2021-01-05 | 安徽大学 | Bidirectional access control method and system applied to cloud-side data sharing |
| CN114362924A (en) * | 2020-09-29 | 2022-04-15 | 湖南大学 | CP-ABE-based system and method for supporting flexible revocation and verifiable ciphertext authorization |
| CN114301651A (en) * | 2021-12-22 | 2022-04-08 | 河南大学 | CP-ABE-based yellow river dam bank monitoring data sharing method |
| CN115242518A (en) * | 2022-07-25 | 2022-10-25 | 深圳万海思数字医疗有限公司 | Medical health data protection system and method under mixed cloud environment |
| CN115242518B (en) * | 2022-07-25 | 2024-03-22 | 深圳万海思数字医疗有限公司 | Medical health data protection system and method in mixed cloud environment |
| CN115550605A (en) * | 2022-08-19 | 2022-12-30 | 南京邮电大学 | Fault detection method of power grid multimedia dispatching system and automatic detection equipment thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105025012A (en) | 2015-11-04 |
| CN105025012B (en) | 2017-12-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2016197680A1 (en) | Access control system for cloud storage service platform and access control method therefor | |
| Zhang et al. | Data security and privacy-preserving in edge computing paradigm: Survey and open issues | |
| CN110224986B (en) | Efficient searchable access control method based on hidden policy CP-ABE | |
| WO2016197770A1 (en) | Access control system and access control method thereof for cloud storage service platform | |
| Jung et al. | Control cloud data access privilege and anonymity with fully anonymous attribute-based encryption | |
| Dong et al. | Achieving an effective, scalable and privacy-preserving data sharing service in cloud computing | |
| Wang et al. | Attribute-based data sharing scheme revisited in cloud computing | |
| Zhou et al. | Achieving secure role-based access control on encrypted data in cloud storage | |
| WO2018045568A1 (en) | Access control method oriented to cloud storage service platform and system thereof | |
| Teng et al. | Attribute-based access control with constant-size ciphertext in cloud computing | |
| CN106375346B (en) | Data guard method based on condition broadcast agent re-encryption under a kind of cloud environment | |
| Zhou et al. | Privacy-preserved access control for cloud computing | |
| CN110247767B (en) | Revocable attribute-based outsourcing encryption method in fog calculation | |
| Huang et al. | Secure data group sharing and dissemination with attribute and time conditions in public cloud | |
| CN114065265A (en) | Fine-grained cloud storage access control method, system and equipment based on block chain technology | |
| Fan et al. | Privacy protection based access control scheme in cloud-based services | |
| Zhang et al. | Feacs: A flexible and efficient access control scheme for cloud computing | |
| Dong et al. | SECO: Secure and scalable data collaboration services in cloud computing | |
| CN111902809A (en) | Ciphertext searching method, device and equipment based on CP-ABE under fog calculation and storage medium | |
| Bokefode Jayant et al. | Developing secure cloud storage system by applying AES and RSA cryptography algorithms with role based access control model | |
| Han et al. | Security and efficiency data sharing scheme for cloud storage | |
| Yang et al. | Secure and efficient fine-grained data access control scheme in cloud computing1 | |
| He et al. | A fine-grained and lightweight data access control scheme for WSN-integrated cloud computing | |
| Wang et al. | A role-based access control system using attribute-based encryption | |
| Wang et al. | A group key‐policy attribute‐based encryption with partial outsourcing decryption in wireless sensor networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16806578 Country of ref document: EP Kind code of ref document: A1 |
|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 30/05/2018) |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 16806578 Country of ref document: EP Kind code of ref document: A1 |