WO2016197770A1 - Access control system and access control method thereof for cloud storage service platform - Google Patents
Access control system and access control method thereof for cloud storage service platform Download PDFInfo
- Publication number
- WO2016197770A1 WO2016197770A1 PCT/CN2016/081388 CN2016081388W WO2016197770A1 WO 2016197770 A1 WO2016197770 A1 WO 2016197770A1 CN 2016081388 W CN2016081388 W CN 2016081388W WO 2016197770 A1 WO2016197770 A1 WO 2016197770A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- attribute
- user
- public key
- key
- access control
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Definitions
- the invention belongs to the field of cloud service information security, and in particular relates to an access control system of a cloud storage service platform and an access control method thereof.
- the cloud service provider is the physical owner of the data, but not in the same trust domain as the data owner.
- a cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services.
- the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
- the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
- An object of the present invention is to provide an access control system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a clear text form with poor privacy and security.
- the embodiment of the present invention is implemented as an access control system of a cloud storage service platform,
- the system includes:
- the authentication center is configured to generate a global public key, a global master key, and a user public key, and then upload the global public key to the cloud;
- At least one attribute authority for managing respective attribute sets, and generating an organization public key and an organization key, and then uploading the organization public key to the cloud, and also for utilizing the attribute list submitted by each user Generating, by the global public key, the user public key, and the institution key, a user private key corresponding to the user;
- a user terminal configured to download the organization public key and the global public key from the cloud, and combine the user private key generated by the attribute authorization mechanism to implement encrypted upload of user data or decryption of shared data. download.
- Another object of the present invention is to provide an access control method for an access control system of a cloud storage service platform as described above, the method comprising the following steps:
- the authentication center registers each user terminal and each attribute authorization authority, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding attribute authority.
- the global master key is saved by the certification center;
- the attribute authority manages the respective attribute sets, and generates an organization public key and an organization key, and then uploads the institution public key to the cloud, and the institution key is saved by the attribute authorization authority;
- the corresponding attribute authority After receiving the user private key obtaining request, the corresponding attribute authority generates a user private key corresponding to the user by using the global public key, the user public key, and the institution key according to the attribute list. And sent to the corresponding user terminal;
- the user terminal implements encrypted uploading of user data or decryption downloading of shared data according to the organization public key, the global public key, and the user private key.
- the access control system and the access control method of the cloud storage service platform proposed by the embodiment of the present invention are based on a weight attribute encryption mechanism, and adopt multi-institution attribute-based encryption technology to add user data to be uploaded.
- the security is stored on the cloud storage service platform, thereby realizing effective privacy protection for the shared data on the cloud storage service platform and improving the security of the cloud storage service.
- the attributes of the user are combined with the weights, the hierarchical management of the user attributes is realized, so that users of different levels of the same attribute have different access rights, thereby achieving more flexible and detailed access control while ensuring security. .
- system and method adopt multi-institution attribute-based encryption technology, which avoids the problem that the power of a single authentication center is too concentrated, and further improves the security of data storage.
- the system and method are particularly suitable for deployment on the OSS platform, which can ensure the confidentiality of data stored by the user on the OSS platform, and implement fine-grained access control for the data sharing range.
- FIG. 1 is a structural diagram of an access control system of a cloud storage service platform provided by the present invention
- FIG. 2 is a flowchart of an access control method of an access control system of a cloud storage service platform provided by the present invention.
- the access control system and the access control method of the cloud storage service platform proposed by the present invention are based on a weight attribute encryption mechanism, and use multi-institution attribute-based encryption technology to encrypt and store user data to be uploaded. Go to the cloud storage service platform.
- FIG. 1 is a diagram showing the structure of an access control system of a cloud storage service platform provided by the present invention. For the convenience of description, only parts related to the present invention are shown.
- the access control system of the cloud storage service platform includes: an authentication center 1 for generating a global public key, a global master key, and a user public key, and then uploading the global public key to the cloud, the global master key Saved by the Certification Authority 1 itself; at least one attribute authority 2 for managing each Attribute collection, and generate the organization public key and organization key, and then upload the organization public key to the cloud, the organization key is saved by the attribute authority 2, and is also used to use the global public key according to the attribute list submitted by each user.
- the user public key and the organization key generate a user private key corresponding to the user;
- the user terminal 3 is configured to download the organization public key and the global public key from the cloud, and combine the corresponding user private key generated by the attribute authority 2 to implement the user data. Encrypted upload or decrypted download of shared data.
- the user terminal 3 can be further divided into a data owner and a shared user.
- the data owner is the owner of the data file, can create, update, delete data, and at the same time want to encrypt the user data and upload it to the cloud to achieve data sharing;
- the shared user is the party who wants to download the shared data from the cloud.
- the purpose of defining the data owner and the shared user is to distinguish that the function of the user terminal 3 during a certain running process of the system is to upload data or download data, so that the data owner in a certain running process of the system may be another time.
- the shared user in the running process similarly, the shared user in a certain running process of the system may be the data owner in another running process.
- both the authentication center 1 and the attribute authorization authority 2 belong to an authorization authority, and the authorization authority refers to another party that interacts with the cloud in addition to the user terminal 3, and mainly completes distribution of the end user private key, user registration, information and The management of the end user's private key is also responsible for the dynamic management of the user's attribute information, for example, dynamic update, addition or deletion of the user or its attributes.
- a cloud is a cloud service provider or a data sharing center, which is always online and provides a user data storage service.
- the cloud is an Open Storage Service (OSS) platform provided by Facebook Cloud Computing Co., Ltd.
- OSS Open Storage Service
- the cloud and the user terminal 3 the attribute authority 2, and the authentication center 1 are limited by Facebook Cloud Computing.
- the development interface of the OSS platform provided by the company communicates with aliyun-sdk-oss-2.0.0.jar.
- the authentication center 1 is also used to accept registration of each user terminal 3 and each attribute authority 2, and the user terminal 3 and the attribute authority 2 log in to the system based on the login information obtained by registration.
- the working principle of the access control system of the cloud storage service platform of the present invention is:
- the authentication center 1 registers each user terminal 3 and each attribute authority 2, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding Attribute Authorization Agency 2.
- each attribute authority 2 manages the respective attribute sets, that is, sets the attribute values and their weight values in the respective managed attribute sets, and generates the institution public key and the institution key, and then uploads the organization public key to the cloud.
- the attribute set may be, for example, a student department, a student category, a grade, a professional, and the like in the campus network, and the teacher has a collection of attributes such as a department, a title, and a teaching age.
- the user terminal 3 logs in to the system according to the login information obtained by the registration, and then downloads the organization public key and the global public key from the cloud, and issues a user private key acquisition request and an attribute list to the corresponding attribute authority 2.
- the corresponding attribute authority 2 After receiving the user private key acquisition request, the corresponding attribute authority 2 generates a user private key corresponding to the user by using the global public key, the user public key, and the organization key according to the attribute list, and sends the file to the corresponding file by FTP.
- User terminal 3. After obtaining the organization public key, the global public key, and the user private key, the user terminal 2 can perform an operation of encrypting uploading or decrypting the download according to requirements.
- the user terminal 2 When the user terminal 2 uploads user data to the cloud as a data owner, the user terminal 2 inputs the input according to the global public key, the set of all attribute authorization mechanisms 2 participating in the encryption, the corresponding set of the organization public key, and the access control policy.
- the plaintext is encrypted, and the encrypted ciphertext is uploaded to the cloud for other users to download.
- the user terminal 2 When the user terminal 2 shares the data stored in the cloud as the shared user, the user terminal 2 downloads the shared data from the cloud, and then decrypts the downloaded shared data according to the global public key and the user private key, if the attribute of the user terminal 2 is not Undoing and conforming to the access control policy established by the data owner can successfully decrypt the shared data.
- FIG. 2 is a flowchart of an access control method of an access control system of a cloud storage service platform provided by the present invention, including the following steps:
- the authentication center registers each user terminal and each attribute authorization authority, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding attribute authority.
- the global master key is saved by the certificate authority.
- the global master key is the master of the entire system. Key
- step S1 may further include:
- Step S11 The authentication center selects a multiplicative group whose order is prime p with g is a multiplicative group Generator, defining a bilinear map Select random number For the integer group ⁇ 0,...,p-1 ⁇ , select a hash function at the same time
- Step S12 the certification center according to the formula
- Step S13 The authentication center receives the registration information sent by each user terminal and each attribute authorization authority. After the verification is passed, each attribute authority is assigned a unique identifier aid, and each user terminal is assigned a unique identifier uid, and then the authentication center is Each user terminal selects a corresponding random number According to the formula The corresponding user public key PK uid is calculated, and the user public key PK uid is sent to the corresponding attribute authority, and the global public key GPK is uploaded to the cloud.
- the attribute authority manages the respective attribute sets, and generates the organization public key and the organization key, and then uploads the organization public key to the cloud, and the organization key is saved by the attribute authorization authority.
- step S2 may further include:
- Step S21 The attribute authority AA aid manages the attribute set S aid and assigns a weight to the weight attribute in the attribute set S aid .
- Step S22 The attribute authority AA aid selects a random number According to the formula Calculate the organization key SK aid and according to the formula Calculate the organization public key PK aid , and then upload the organization public key PK aid to the cloud.
- the attribute list is a set of attributes.
- the attribute set may be a student faculty, a student category, a grade, a professional, and the like in the campus network, and the teacher has a set of attributes such as a department, a title, and a teaching age.
- the corresponding attribute authority after receiving the user private key acquisition request, the corresponding attribute authority receives the attribute list,
- the user private key corresponding to the user is generated by using the global public key, the user public key, and the organization key, and sent to the corresponding user terminal.
- step S4 It can also include:
- Step S41 The attribute authority AA aid selects a random number And select a random number for any attribute x ⁇ S uid, aid If the attribute x is a weight attribute, the attribute authority AA aid sets the weight w x ⁇ [1,n] corresponding to the attribute x.
- Step S42 The attribute authority AA aid is expressed according to the calculated user private key SK uid, aid , as:
- K uid, aid , K' uid, aid , K x, uid , and K' x, uid are all the multiplicative groups
- the upper element, r x is the integer group Random number on.
- Step S43 The attribute authority AA aid sends the user private key SK uid, aid to the user terminal uid.
- S5 The user terminal implements encrypted uploading of user data or decryption and downloading of shared data according to the organization public key, the global public key, and the user private key.
- the step S5 is to perform the step of encrypting and uploading the user data, which may specifically include:
- Step S51 input plaintext M (ie, user data to be uploaded by the data owner), global public key GPK, set I AA of all attribute authorization institutions participating in encryption, and a set of corresponding public keys of the institution And access control strategies.
- the leaf node corresponds to the weight of the attribute
- the root node corresponds to the threshold
- the threshold of the node x in the tree structure of the access control policy is k x
- select the polynomial q x for each node, and the degree of the polynomial d x k x -1.
- This polynomial selection is in a top-down manner, and the access control strategy is constructed by selecting a random number from the root node.
- Set q r (0) s.
- Step S52 The user terminal utilizes the global public key GPK, the set of all attribute authorization mechanisms participating in the encryption, I AA , and the corresponding set of institutional public keys. And the access control policy, encrypting the ciphertext M, calculating the ciphertext CT, and then uploading the ciphertext CT to the cloud.
- GPK global public key
- I AA the set of all attribute authorization mechanisms participating in the encryption
- I AA the set of institutional public keys.
- the access control policy encrypting the ciphertext M, calculating the ciphertext CT, and then uploading the ciphertext CT to the cloud.
- Y is defined as the set of leaf nodes of the access control policy
- the attribute of the leaf node y ⁇ Y is defined as att(y)
- the weight of the weight attribute att(y)(y ⁇ Y) is w y
- the ciphertext is M performs encryption
- the step of calculating the ciphertext CT can be expressed as:
- C is the calculation of the message
- I A is the attribute set of the attribute authority A
- C' and C" are the calculations of the root node
- C y and C' y are the calculations of the corresponding attribute values
- C y,j For the calculation of the attribute corresponding weight
- q y (0) is the attribute value corresponding to the attribute y
- w j is the weight value of the attribute.
- the step S5 is to perform the step of decrypting and downloading the shared data, which may include:
- Step S53 The user terminal downloads the ciphertext CT (that is, the shared data that the shared user wants to read) from the cloud, and inputs the global public key GPK and the corresponding user key.
- Access control policy ⁇ , and a node x in the access control policy ⁇ , and define n A
- Step S54 The user terminal invokes a predefined recursive function DecryptNode (CT, SK, x), if the attribute set of the user terminal After satisfying the access control policy, the decryption information A is calculated as:
- q x (0) is the attribute value corresponding to the attribute x.
- DecryptNode(CT, SK, x) the recursive function DecryptNode(CT, SK, x) is defined as follows:
- C x and C' x are from ciphertext
- K i, uid and K' i, and uid is derived from the user key r i being a random number identifying the user i.
- C x, j comes from the information in the ciphertext.
- Step S55 Obtained by the polynomial interpolation theorem After calculation And combined with the following formula to obtain
- Step S56 The user terminal calculates the plaintext M, which is expressed as:
- the user needs to register with the authentication center, and the authentication center assigns a global unique identifier uid to each user, and generates a random number u uid , which is calculated.
- the authentication center assigns a global unique identifier uid to each user, and generates a random number u uid , which is calculated.
- the user's public key As the user's public key.
- Each user uid to request attributes key before AA aid requires authentication authority attribute its legitimacy, users submit a certificate, AA aid validity of the user certificate, if they issue the relevant legal property keys.
- K x, aid and K' x, aid are both embedded with the random number u uid and the random number r x .
- different users in the decryption algorithm cannot collude to recover messages, and have good anti-collusion attack security.
- the decryption algorithm if the user wants to decrypt the ciphertext, the attribute key SK uid, aid from each AA aid is required. If the authentication center is attacked by the attacker, it only leaks the system's global master key, and only the global master key cannot decrypt any ciphertext. Similarly, if the attribute authority is attacked by the attacker, the attacker can only obtain the attribute key managed by the attribute organization, and cannot decrypt the attribute privilege of multiple attribute authorization agencies. The system can resist n A -1 attribute authorization. Institutional complicity. Therefore, compared with the weight attribute-based access control scheme of a single authority, the scheme does not require the certification center to be completely trusted, and the risk of the single authorization center is distributed to multiple attribute authorization agencies to share the security of the system.
- Table 1 shows a comparative analysis of the encryption mechanism and access structure flexibility between the solution of the present invention and other existing typical attribute-based encryption schemes:
- the M.Chase and M.Chase and Chow schemes do not support complex ciphertext rules and are not suitable for cloud storage environments.
- the K.Yang solution and the solution of the present invention are based on CP-ABE, at the cost of increasing the complexity of a certain system, in exchange for supporting a more flexible access control strategy, and at the same time, the security is enhanced, and the N-1 attribute authority can be resisted. Collusion.
- the solution of the present invention supports attribute weights, and can formulate more complicated ciphertext rules; the authority key is shortened by a certain length, and if the attributes in the policy do not contain weights, the ciphertext length is shortened by nearly half. When the four-level weight is supported, the ciphertext length is equivalent; the decryption phase only requires two bilinear pairing operations, and the efficiency is doubled.
- the access control system and the access control method of the cloud storage service platform proposed by the present invention are based on a weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored in the cloud storage service by using a multi-institution attribute-based encryption technology.
- effective privacy protection can be realized for the shared data on the cloud storage service platform, and the security of the cloud storage service is improved.
- the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights, and the attributes are used to describe the information elements of the user, such as students in the campus network.
- the teacher has attributes such as department, title, and teaching age, thus achieving more flexible and meticulous access control while ensuring safety.
- the system and method adopt multi-institution attribute-based encryption technology, which avoids the problem that the power of a single authentication center is too concentrated, and further improves the security of data storage.
- the system and method are particularly suitable for deployment on the OSS platform, and are implemented in the Java language under the Windows platform, and have universality, and can download, upload, encrypt and decrypt the cloud files of the OSS platform, and can effectively ensure the user is stored in the OSS platform.
- the confidentiality of the data while implementing fine-grained access control for the data sharing scope.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the field of information security in cloud services. Provided are an access control system and access control method thereof for a cloud storage service platform. The system and method are based on a weighted attribute encryption scheme, and adopt multi-authority attribute-based encryption to encrypt data and store the encrypted data in a cloud storage service platform so as to increase security of a cloud storage service. The invention combines an attribute with a weight to realize a ranking management of a user attribute, so that users having a same attribute but at different ranks have different access authorities, thereby realizing a more flexible and precise access control. Moreover, the system and method adopt multi-authority attribute-based encryption to prevent a single authentication center from having over-centralized authority, thereby increasing the security of the cloud storage service. The system and method are particularly suitable to be deployed in an OSS platform, thereby ensuring confidentiality of data stored therein by a user, and implementing a more precise access control over data sharing.
Description
本发明属于云服务信息安全领域,尤其涉及一种云存储服务平台的访问控制系统及其访问控制方法。The invention belongs to the field of cloud service information security, and in particular relates to an access control system of a cloud storage service platform and an access control method thereof.
在云存储服务平台中,由于采用数据远程托管技术,云服务提供商是数据的物理拥有者,却与数据属主并不在同一个信任域中。云存储服务提供商管理着多个用户及其资源,当用户跨边界访问其它用户资源时,需要采用一定的访问控制策略来控制对数据和服务的访问。但实际中,由于云存储服务平台是采用虚拟化存储技术,云存储服务同底层硬件环境之间是松耦合的,不同用户的数据间缺乏固定不变的安全边界,由此增加了在云存储服务平台对数据实施访问控制的难度。In the cloud storage service platform, because of the data remote hosting technology, the cloud service provider is the physical owner of the data, but not in the same trust domain as the data owner. A cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services. However, in practice, because the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
现有技术中,虽然数据属主可对其上传的用户数据的读/写属性进行设置,例如将读/写属性设置为公有读/私有写或公有读/公有写,以在一定程度上限制数据的读写权限,但由于用户数据仍旧是以明文形式存储在云存储服务平台上的,缺乏有效的隐私保护机制,不能有效抵御非法用户的访问而使得用户数据泄露。In the prior art, although the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
发明内容Summary of the invention
本发明实施例的目的在于提供一种云存储服务平台的访问控制系统,旨在解决现有的云存储服务平台以明文形式存储用户数据,隐私性和安全性差的问题。An object of the present invention is to provide an access control system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a clear text form with poor privacy and security.
本发明实施例是这样实现的,一种云存储服务平台的访问控制系统,所述
系统包括:The embodiment of the present invention is implemented as an access control system of a cloud storage service platform,
The system includes:
认证中心,用于生成全局公钥、全局主密钥、用户公钥,之后将所述全局公钥上传到云端;The authentication center is configured to generate a global public key, a global master key, and a user public key, and then upload the global public key to the cloud;
至少一个属性授权机构,用于管理各自的属性集合,并生成机构公钥和机构密钥,之后将所述机构公钥上传到所述云端,还用于根据每一用户提交的属性列表,利用所述全局公钥、所述用户公钥、所述机构密钥生成与用户对应的用户私钥;At least one attribute authority for managing respective attribute sets, and generating an organization public key and an organization key, and then uploading the organization public key to the cloud, and also for utilizing the attribute list submitted by each user Generating, by the global public key, the user public key, and the institution key, a user private key corresponding to the user;
用户终端,用于从所述云端下载所述机构公钥和所述全局公钥,并结合所述属性授权机构生成的对应的所述用户私钥,实现用户数据的加密上传或共享数据的解密下载。a user terminal, configured to download the organization public key and the global public key from the cloud, and combine the user private key generated by the attribute authorization mechanism to implement encrypted upload of user data or decryption of shared data. download.
本发明实施例的另一目的在于提供一种如上所述的云存储服务平台的访问控制系统的访问控制方法,所述方法包括以下步骤:Another object of the present invention is to provide an access control method for an access control system of a cloud storage service platform as described above, the method comprising the following steps:
认证中心注册各用户终端和各属性授权机构,并生成全局公钥、全局主密钥、用户公钥,之后将全局公钥上传到云端,将所述用户公钥发送给相应的属性授权机构,所述全局主密钥由所述认证中心保存;The authentication center registers each user terminal and each attribute authorization authority, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding attribute authority. The global master key is saved by the certification center;
属性授权机构管理各自的属性集合,并生成机构公钥和机构密钥,之后将所述机构公钥上传到所述云端,所述机构密钥由所述属性授权机构保存;The attribute authority manages the respective attribute sets, and generates an organization public key and an organization key, and then uploads the institution public key to the cloud, and the institution key is saved by the attribute authorization authority;
用户终端登录系统后,从所述云端下载所述机构公钥和所述全局公钥,并向相应的属性授权机构发出用户私钥获取请求和属性列表;After the user terminal logs in to the system, downloading the organization public key and the global public key from the cloud, and issuing a user private key acquisition request and an attribute list to the corresponding attribute authority;
所述相应的属性授权机构接收到所述用户私钥获取请求后,根据所述属性列表,利用所述全局公钥、所述用户公钥、所述机构密钥生成与用户对应的用户私钥,并发送给相应的用户终端;After receiving the user private key obtaining request, the corresponding attribute authority generates a user private key corresponding to the user by using the global public key, the user public key, and the institution key according to the attribute list. And sent to the corresponding user terminal;
用户终端根据所述机构公钥、所述全局公钥和所述用户私钥,实现用户数据的加密上传或共享数据的解密下载。The user terminal implements encrypted uploading of user data or decryption downloading of shared data according to the organization public key, the global public key, and the user private key.
本发明实施例提出的云存储服务平台的访问控制系统及其访问控制方法是基于权重属性加密机制,采用多机构属性基加密技术,将需上传的用户数据加
密后存储到云存储服务平台上的,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,由于将用户的属性与权重相结合,实现了用户属性的分级管理,使得相同属性不同级别的用户具有不同的访问权限,从而在保证安全性的同时还实现了更加灵活而细致的访问控制。另外,该系统和方法采用多机构属性基加密技术,避免了单个认证中心权力过于集中的问题,进一步提高了数据存储的安全性。该系统和方法特别适合部署在OSS平台,可切实保障用户存储在OSS平台数据的机密性,同时可对数据共享范围实施细粒度访问控制。The access control system and the access control method of the cloud storage service platform proposed by the embodiment of the present invention are based on a weight attribute encryption mechanism, and adopt multi-institution attribute-based encryption technology to add user data to be uploaded.
The security is stored on the cloud storage service platform, thereby realizing effective privacy protection for the shared data on the cloud storage service platform and improving the security of the cloud storage service. At the same time, because the attributes of the user are combined with the weights, the hierarchical management of the user attributes is realized, so that users of different levels of the same attribute have different access rights, thereby achieving more flexible and detailed access control while ensuring security. . In addition, the system and method adopt multi-institution attribute-based encryption technology, which avoids the problem that the power of a single authentication center is too concentrated, and further improves the security of data storage. The system and method are particularly suitable for deployment on the OSS platform, which can ensure the confidentiality of data stored by the user on the OSS platform, and implement fine-grained access control for the data sharing range.
图1是本发明提供的云存储服务平台的访问控制系统的结构图;1 is a structural diagram of an access control system of a cloud storage service platform provided by the present invention;
图2是本发明提供的云存储服务平台的访问控制系统的访问控制方法的流程图。2 is a flowchart of an access control method of an access control system of a cloud storage service platform provided by the present invention.
为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
为了解决现有技术存在的问题,本发明提出的云存储服务平台的访问控制系统及其访问控制方法是基于权重属性加密机制,采用多机构属性基加密技术,将需上传的用户数据加密后存储到云存储服务平台上的。In order to solve the problems existing in the prior art, the access control system and the access control method of the cloud storage service platform proposed by the present invention are based on a weight attribute encryption mechanism, and use multi-institution attribute-based encryption technology to encrypt and store user data to be uploaded. Go to the cloud storage service platform.
图1是本发明提供的云存储服务平台的访问控制系统的结构,为了便于说明,仅示出了与本发明相关的部分。1 is a diagram showing the structure of an access control system of a cloud storage service platform provided by the present invention. For the convenience of description, only parts related to the present invention are shown.
详细地,本发明提供的云存储服务平台的访问控制系统包括:认证中心1,用于生成全局公钥、全局主密钥、用户公钥,之后将全局公钥上传到云端,全局主密钥由认证中心1自己保存;至少一个属性授权机构2,用于管理各自的
属性集合,并生成机构公钥和机构密钥,之后将机构公钥上传到云端,机构密钥由属性授权机构2自己保存,还用于根据每一用户提交的属性列表,利用全局公钥、用户公钥、机构密钥生成与用户对应的用户私钥;用户终端3,用于从云端下载机构公钥和全局公钥,并结合属性授权机构2生成的对应的用户私钥,实现用户数据的加密上传或共享数据的解密下载。In detail, the access control system of the cloud storage service platform provided by the present invention includes: an authentication center 1 for generating a global public key, a global master key, and a user public key, and then uploading the global public key to the cloud, the global master key Saved by the Certification Authority 1 itself; at least one attribute authority 2 for managing each
Attribute collection, and generate the organization public key and organization key, and then upload the organization public key to the cloud, the organization key is saved by the attribute authority 2, and is also used to use the global public key according to the attribute list submitted by each user. The user public key and the organization key generate a user private key corresponding to the user; the user terminal 3 is configured to download the organization public key and the global public key from the cloud, and combine the corresponding user private key generated by the attribute authority 2 to implement the user data. Encrypted upload or decrypted download of shared data.
本发明中,用户终端3可进一步区分为数据属主和共享用户。其中,数据属主是数据文件的所有者,可以创建、更新、删除数据,同时希望将用户数据加密后上传至云端以实现数据共享;共享用户是希望从云端下载共享数据的一方。In the present invention, the user terminal 3 can be further divided into a data owner and a shared user. Among them, the data owner is the owner of the data file, can create, update, delete data, and at the same time want to encrypt the user data and upload it to the cloud to achieve data sharing; the shared user is the party who wants to download the shared data from the cloud.
应当理解,定义数据属主与共享用户的目的是为了区别用户终端3在系统某次运行过程中的功能是上传数据或下载数据,因而在系统某次运行过程中的数据属主可以是另一次运行过程中的共享用户,同样地,在系统某次运行过程中的共享用户可以是另一次运行过程中的数据属主。It should be understood that the purpose of defining the data owner and the shared user is to distinguish that the function of the user terminal 3 during a certain running process of the system is to upload data or download data, so that the data owner in a certain running process of the system may be another time. The shared user in the running process, similarly, the shared user in a certain running process of the system may be the data owner in another running process.
本发明中,认证中心1和属性授权机构2均属于授权机构,该授权机构是指除用户终端3之外、与云端交互的另一方,主要完成最终用户私钥的分发、用户注册、信息和最终用户私钥的管理工作,同时,还负责对用户的属性信息进行相应的动态管理,例如,对用户或其属性的动态更新、添加或删除等。In the present invention, both the authentication center 1 and the attribute authorization authority 2 belong to an authorization authority, and the authorization authority refers to another party that interacts with the cloud in addition to the user terminal 3, and mainly completes distribution of the end user private key, user registration, information and The management of the end user's private key is also responsible for the dynamic management of the user's attribute information, for example, dynamic update, addition or deletion of the user or its attributes.
本发明中,云端即云服务提供商或称数据共享中心,其一直在线并提供用户数据存储服务。In the present invention, a cloud is a cloud service provider or a data sharing center, which is always online and provides a user data storage service.
本发明中,当云端是阿里云计算有限公司对外提供的开放存储服务(Open Storage Service,OSS)平台时,云端与用户终端3、属性授权机构2和认证中心1之间是通过阿里云计算有限公司提供的OSS平台的开发接口aliyun-sdk-oss-2.0.0.jar实现通信的。In the present invention, when the cloud is an Open Storage Service (OSS) platform provided by Alibaba Cloud Computing Co., Ltd., the cloud and the user terminal 3, the attribute authority 2, and the authentication center 1 are limited by Alibaba Cloud Computing. The development interface of the OSS platform provided by the company communicates with aliyun-sdk-oss-2.0.0.jar.
此外,本发明中,认证中心1还用于接受各用户终端3和各属性授权机构2的注册,用户终端3和属性授权机构2根据注册获得的登录信息登录系统。Further, in the present invention, the authentication center 1 is also used to accept registration of each user terminal 3 and each attribute authority 2, and the user terminal 3 and the attribute authority 2 log in to the system based on the login information obtained by registration.
本发明的云存储服务平台的访问控制系统的工作原理是:
The working principle of the access control system of the cloud storage service platform of the present invention is:
系统建立后,认证中心1注册各用户终端3和各属性授权机构2,并且生成全局公钥、全局主密钥、用户公钥,之后将全局公钥上传到云端,将用户公钥发送给相应的属性授权机构2。之后,各属性授权机构2管理各自的属性集合,即设定各自管理的属性集合中的属性值及其权重值,并生成机构公钥和机构密钥,之后将机构公钥上传到云端。其中,属性集合例如可以是校园网中的学生院系、学生类别、年级、专业等属性,教师具有院系、职称、教龄等属性的集合。After the system is established, the authentication center 1 registers each user terminal 3 and each attribute authority 2, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding Attribute Authorization Agency 2. Thereafter, each attribute authority 2 manages the respective attribute sets, that is, sets the attribute values and their weight values in the respective managed attribute sets, and generates the institution public key and the institution key, and then uploads the organization public key to the cloud. The attribute set may be, for example, a student department, a student category, a grade, a professional, and the like in the campus network, and the teacher has a collection of attributes such as a department, a title, and a teaching age.
用户终端3根据注册获得的登录信息登录系统,之后从云端下载机构公钥和全局公钥,并向相应的属性授权机构2发出用户私钥获取请求和属性列表。相应的属性授权机构2在接收到用户私钥获取请求后,根据属性列表,利用全局公钥、用户公钥、机构密钥生成与用户对应的用户私钥,以文件的方式通过FTP发送给对应的用户终端3。用户终端2在获取到机构公钥、全局公钥和用户私钥后,便可根据需求执行加密上传或解密下载的操作。The user terminal 3 logs in to the system according to the login information obtained by the registration, and then downloads the organization public key and the global public key from the cloud, and issues a user private key acquisition request and an attribute list to the corresponding attribute authority 2. After receiving the user private key acquisition request, the corresponding attribute authority 2 generates a user private key corresponding to the user by using the global public key, the user public key, and the organization key according to the attribute list, and sends the file to the corresponding file by FTP. User terminal 3. After obtaining the organization public key, the global public key, and the user private key, the user terminal 2 can perform an operation of encrypting uploading or decrypting the download according to requirements.
当用户终端2作为数据属主向云端上传用户数据时,用户终端2根据全局公钥、参与加密的所有属性授权机构2的集合、对应的机构公钥的集合、以及访问控制策略,对输入的明文进行加密,并将加密得到的密文上传至云端以供其它用户下载。When the user terminal 2 uploads user data to the cloud as a data owner, the user terminal 2 inputs the input according to the global public key, the set of all attribute authorization mechanisms 2 participating in the encryption, the corresponding set of the organization public key, and the access control policy. The plaintext is encrypted, and the encrypted ciphertext is uploaded to the cloud for other users to download.
当用户终端2作为共享用户而共享云端存储的数据时,用户终端2从云端下载共享数据,之后根据全局公钥和用户私钥,对下载的共享数据进行解密,若用户终端2的属性未被撤销并符合数据属主制定的访问控制策略,则可以成功解密共享数据。When the user terminal 2 shares the data stored in the cloud as the shared user, the user terminal 2 downloads the shared data from the cloud, and then decrypts the downloaded shared data according to the global public key and the user private key, if the attribute of the user terminal 2 is not Undoing and conforming to the access control policy established by the data owner can successfully decrypt the shared data.
图2示出了本发明提供的云存储服务平台的访问控制系统的访问控制方法的流程,包括以下步骤:FIG. 2 is a flowchart of an access control method of an access control system of a cloud storage service platform provided by the present invention, including the following steps:
S1:认证中心注册各用户终端和各属性授权机构,并生成全局公钥、全局主密钥、用户公钥,之后将全局公钥上传到云端,将用户公钥发送给相应的属性授权机构,全局主密钥由认证中心保存。其中的全局主密钥即整个系统的主
密钥,S1: The authentication center registers each user terminal and each attribute authorization authority, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding attribute authority. The global master key is saved by the certificate authority. The global master key is the master of the entire system.
Key,
进一步地,步骤S1又可包括:Further, step S1 may further include:
步骤S11:认证中心选择阶为素数p的乘法群
和
g为乘法群
的生成元,定义双线性映射
选取随机数
为整数群{0,…,p-1},同时选取一哈希函数
Step S11: The authentication center selects a multiplicative group whose order is prime p with g is a multiplicative group Generator, defining a bilinear map Select random number For the integer group {0,...,p-1}, select a hash function at the same time
步骤S12:认证中心根据公式
计算得到全局公钥GPK,并根据公式GMK=(β,gα),计算得到全局主密钥GMK。Step S12: the certification center according to the formula The global public key GPK is calculated, and the global master key GMK is calculated according to the formula GMK=(β, g α ).
步骤S13:认证中心接收各用户终端和各属性授权机构发送的注册信息,验证通过后,为每一属性授权机构分配唯一标识符aid,为每一用户终端分配唯一标识符uid,之后认证中心为每一用户终端选择对应的随机数
根据公式
计算得到对应的用户公钥PKuid,并将用户公钥PKuid发送给对应的属性授权机构,将全局公钥GPK上传到云端。Step S13: The authentication center receives the registration information sent by each user terminal and each attribute authorization authority. After the verification is passed, each attribute authority is assigned a unique identifier aid, and each user terminal is assigned a unique identifier uid, and then the authentication center is Each user terminal selects a corresponding random number According to the formula The corresponding user public key PK uid is calculated, and the user public key PK uid is sent to the corresponding attribute authority, and the global public key GPK is uploaded to the cloud.
S2:属性授权机构管理各自的属性集合,并生成机构公钥和机构密钥,之后将机构公钥上传到云端,机构密钥由属性授权机构保存。S2: The attribute authority manages the respective attribute sets, and generates the organization public key and the organization key, and then uploads the organization public key to the cloud, and the organization key is saved by the attribute authorization authority.
进一步地,步骤S2又可包括:Further, step S2 may further include:
步骤S21:属性授权机构AAaid管理属性集合Said,并为属性集合Said中的权重属性分配权重。Step S21: The attribute authority AA aid manages the attribute set S aid and assigns a weight to the weight attribute in the attribute set S aid .
步骤S22:属性授权机构AAaid选择随机数
根据公式
计算得到机构密钥SKaid,并根据公式
计算得到机构公钥PKaid,之后将机构公钥PKaid上传到云端。Step S22: The attribute authority AA aid selects a random number According to the formula Calculate the organization key SK aid and according to the formula Calculate the organization public key PK aid , and then upload the organization public key PK aid to the cloud.
S3:用户终端登录系统后,从云端下载机构公钥和全局公钥,并向相应的属性授权机构发出用户私钥获取请求和属性列表。其中的属性列表即属性集合,该属性集合例如可以是校园网中的学生院系、学生类别、年级、专业等属性,教师具有院系、职称、教龄等属性的集合。S3: After the user terminal logs in to the system, the organization public key and the global public key are downloaded from the cloud, and the user private key acquisition request and the attribute list are sent to the corresponding attribute authority. The attribute list is a set of attributes. For example, the attribute set may be a student faculty, a student category, a grade, a professional, and the like in the campus network, and the teacher has a set of attributes such as a department, a title, and a teaching age.
S4:相应的属性授权机构接收到用户私钥获取请求后,根据属性列表,利
用全局公钥、用户公钥、机构密钥生成与用户对应的用户私钥,并发送给相应的用户终端。S4: after receiving the user private key acquisition request, the corresponding attribute authority receives the attribute list,
The user private key corresponding to the user is generated by using the global public key, the user public key, and the organization key, and sent to the corresponding user terminal.
假设属性授权机构AAaid接收到的用户终端uid的属性列表为Suid,aid,属性列表Suid,aid包含了用户终端uid在属性授权机构AAaid中所持有的属性的集合,则步骤S4又可包括:Assume that the attribute list of the user terminal uid received by the attribute authority AA aid is S uid, aid , and the attribute list S uid, aid contains the set of attributes held by the user terminal uid in the attribute authority AA aid , then step S4 It can also include:
步骤S41:属性授权机构AAaid选取随机数
并为任意属性x∈Suid,aid选取随机数
若属性x为权重属性,属性授权机构AAaid设置属性x对应的权重wx∈[1,n]。Step S41: The attribute authority AA aid selects a random number And select a random number for any attribute x∈S uid, aid If the attribute x is a weight attribute, the attribute authority AA aid sets the weight w x ∈[1,n] corresponding to the attribute x.
步骤S42:属性授权机构AAaid根据计算用户私钥SKuid,aid,表示为:Step S42: The attribute authority AA aid is expressed according to the calculated user private key SK uid, aid , as:
其中,Kuid,aid、K'uid,aid、Kx,uid、以及K'x,uid均为所述乘法群
上的元素,rx为所述整数群
上的随机数。Where K uid, aid , K' uid, aid , K x, uid , and K' x, uid are all the multiplicative groups The upper element, r x is the integer group Random number on.
步骤S43:属性授权机构AAaid将用户私钥SKuid,aid发送给用户终端uid。Step S43: The attribute authority AA aid sends the user private key SK uid, aid to the user terminal uid.
S5:用户终端根据机构公钥、全局公钥和用户私钥,实现用户数据的加密上传或共享数据的解密下载。S5: The user terminal implements encrypted uploading of user data or decryption and downloading of shared data according to the organization public key, the global public key, and the user private key.
在一种情况下,当用户终端作为数据属主时,步骤S5应为实现用户数据加密上传的步骤,具体可以包括:In one case, when the user terminal is the owner of the data, the step S5 is to perform the step of encrypting and uploading the user data, which may specifically include:
步骤S51:输入明文M(即数据属主需上传的用户数据)、全局公钥GPK、参与加密的所有属性授权机构的集合IAA、对应的机构公钥的集合
以及访问控制策略Γ。Step S51: input plaintext M (ie, user data to be uploaded by the data owner), global public key GPK, set I AA of all attribute authorization institutions participating in encryption, and a set of corresponding public keys of the institution And access control strategies.
其中,访问控制策略Γ的树形结构中,叶子节点对应的是属性的权重,根节点对应的是门限值,记访问控制策略Γ的树形结构中的节点x的门限值为kx,为每一节点选择多项式qx,多项式的度dx=kx-1。这种多项式选取是按照从上至下的方式,则访问控制策略Γ的构造方法为:从根节点开始,选择随机数
设定qr(0)=s。对于任意节点x,其对应的值为一dx次多项式qx的形式,设定qx(0)=qparent(index(x)),index(x)为属性x的索引值,qparent为属性x的父亲节点对应的函数表达式,然后随机选取其它dx个点来完全定义qx。In the tree structure of the access control policy, the leaf node corresponds to the weight of the attribute, the root node corresponds to the threshold, and the threshold of the node x in the tree structure of the access control policy is k x , select the polynomial q x for each node, and the degree of the polynomial d x =k x -1. This polynomial selection is in a top-down manner, and the access control strategy is constructed by selecting a random number from the root node. Set q r (0)=s. For any node x, the corresponding value is a form of d x degree polynomial q x , set q x (0)=q parent (index(x)), index(x) is the index value of attribute x, q parent Is the function expression corresponding to the father node of the attribute x, and then randomly select other d x points to completely define q x .
步骤S52:用户终端利用全局公钥GPK、参与加密的所有属性授权机构的集合IAA、对应的机构公钥的集合
以及访问控制策略Γ,对密文M进行加密,计算得到密文CT,之后将密文CT上传到云端。Step S52: The user terminal utilizes the global public key GPK, the set of all attribute authorization mechanisms participating in the encryption, I AA , and the corresponding set of institutional public keys. And the access control policy, encrypting the ciphertext M, calculating the ciphertext CT, and then uploading the ciphertext CT to the cloud.
若定义Y为访问控制策略Γ的叶子节点的集合,定义叶子节点y∈Y的属性为att(y),其权重属性att(y)(y∈Y)的权重为wy,则对密文M进行加密,计算得到密文CT的步骤可表示为:If Y is defined as the set of leaf nodes of the access control policy, the attribute of the leaf node y∈Y is defined as att(y), and the weight of the weight attribute att(y)(y∈Y) is w y , then the ciphertext is M performs encryption, and the step of calculating the ciphertext CT can be expressed as:
其中,C为对消息的计算,IA为属性授权机构A的属性集合,C'和C”均为对根节点的计算,Cy和C'y为对应属性值的计算,Cy,j为属性对应权重的计算,qy(0)为属性y所对应的属性值,wj为属性的权重值。Where C is the calculation of the message, I A is the attribute set of the attribute authority A, C' and C" are the calculations of the root node, and C y and C' y are the calculations of the corresponding attribute values, C y,j For the calculation of the attribute corresponding weight, q y (0) is the attribute value corresponding to the attribute y, and w j is the weight value of the attribute.
在另一种情况下,当用户终端作为共享用户时,步骤S5应为实现共享数据解密下载的步骤,具体可以包括:In another case, when the user terminal is the shared user, the step S5 is to perform the step of decrypting and downloading the shared data, which may include:
步骤S53:用户终端从云端下载密文CT(即共享用户想要读取的共享数据),并输入全局公钥GPK、对应的用户密钥
访问控制策略Γ、和访问控制策略Γ中的一个节点x,并定义nA=|IAA|。其中,nA表示属性授权机构AA包含的属性个数。Step S53: The user terminal downloads the ciphertext CT (that is, the shared data that the shared user wants to read) from the cloud, and inputs the global public key GPK and the corresponding user key. Access control policy Γ, and a node x in the access control policy 并, and define n A =|I AA |. Where n A represents the number of attributes included in the attribute authority AA.
步骤S54:用户终端调用预先定义的递归函数DecryptNode(CT,SK,x),若用户终端的属性集
满足访问控制策略Γ,则计算解密信息A为:Step S54: The user terminal invokes a predefined recursive function DecryptNode (CT, SK, x), if the attribute set of the user terminal After satisfying the access control policy, the decryption information A is calculated as:
其中,qx(0)为属性x所对应的属性值。Where q x (0) is the attribute value corresponding to the attribute x.
本发明中,用户终端的属性集
是否满足访问控制策略Γ是指:如果
且wi=wx,则认为属性集
满足访问控制策略Γ;如果
且wi=wj>wx,则认为属性集
满足访问控制策略Γ;如果
或者
但wi<wx,则认为属性集
不满足访问控制策略Γ,返回null。In the present invention, the attribute set of the user terminal Whether to meet the access control strategy means: And w i =w x , then the attribute set is considered Meet the access control strategyΓ; if And w i =w j >w x , then the attribute set is considered Meet the access control strategyΓ; if or But w i <w x , then the attribute set Returns null if the access control policy is not met.
本发明中,递归函数DecryptNode(CT,SK,x)定义如下:In the present invention, the recursive function DecryptNode(CT, SK, x) is defined as follows:
a、如果
且wi=wx,则定义:a, if And w i =w x , then define:
其中,Cx和C'x来自于密文,Ki,uid和K'i,uid来自于用户密钥ri为标识用户i的随机数。Where C x and C' x are from ciphertext, K i, uid and K' i, and uid is derived from the user key r i being a random number identifying the user i.
b、如果
且wi=wj>wx,则定义:b, if And w i =w j >w x , then define:
其中,Cx,j来自于密文中的信息。Among them, C x, j comes from the information in the ciphertext.
步骤S55:由多项式插值定理求得
之后计算
并结合下式求得
Step S55: Obtained by the polynomial interpolation theorem After calculation And combined with the following formula to obtain
步骤S56:用户终端计算明文M,表示为:Step S56: The user terminal calculates the plaintext M, which is expressed as:
以下对上述云存储服务平台的访问控制系统的访问控制方法的安全性进行分析:The following is an analysis of the security of the access control method of the above-mentioned cloud storage service platform access control system:
一、安全性分析First, security analysis
理论1、直接攻击下的安全性 Theory 1. Security under direct attack
若攻击者的权重属性集不满足访问控制策略,则攻击者必须已知
才能解密密文。获得了用户的属性私钥中的
结合密文的C'=gs,C”=gβs,建立配对得到
攻击者必须除去
才能得到
而攻击者在不满足访问控制策略的情况下无法计算获得正确的属性密钥,即无法计算出
因此,攻击者不能解密密文。If the attacker's weight attribute set does not satisfy the access control policy, the attacker must be known In order to decrypt the ciphertext. Obtained in the user's attribute private key Combine C'=g s with ciphertext, C"=g βs to establish pairing The attacker must remove Can get The attacker cannot calculate the correct attribute key without satisfying the access control policy, that is, it cannot be calculated. Therefore, an attacker cannot decrypt the ciphertext.
理论2、抗共谋安全性 Theory 2, anti-collusion safety
本发明中,用户需向认证中心注册,认证中心为每一用户分配一个全局唯一标识符uid,并产生一个随机数uuid,计算
作为用户公钥。In the present invention, the user needs to register with the authentication center, and the authentication center assigns a global unique identifier uid to each user, and generates a random number u uid , which is calculated. As the user's public key.
每个用户uid向属性授权机构AAaid申请属性密钥之前需要认证它的合法性,用户提交证书,AAaid验证用户证书的合法性,如果合法便为其颁发相应的属性密钥。在用户密钥中,
Kx,aid和K'x,aid均植入了随机数uuid和随机数rx。相应地,在解密算法中不同的用户就无法共谋恢复消息,具有良好的抗共谋攻击安全性。Each user uid to request attributes key before AA aid requires authentication authority attribute its legitimacy, users submit a certificate, AA aid validity of the user certificate, if they issue the relevant legal property keys. In the user key, K x, aid and K' x, aid are both embedded with the random number u uid and the random number r x . Correspondingly, different users in the decryption algorithm cannot collude to recover messages, and have good anti-collusion attack security.
理论3、多授权机构安全性 Theory 3, multi-authority agency security
由解密算法可知,用户若想解密密文,需要来自各AAaid的属性密钥SKuid,aid。若认证中心被攻击者攻破,只是泄漏了系统的全局主密钥,仅用全局主密钥无法解密任何密文。同样,若属性授权机构被攻击者攻破,攻击者也只能获得该
属性机构所管理的属性密钥,无法解密多个属性授权机构参与加密的密文,系统可以抵抗nA-1个属性授权机构共谋。因此,与单授权机构的权重属性基访问控制方案相比,本文方案不要求认证中心完全可信,同时将单授权中心的风险分散到多个属性授权机构共同承担,提高了系统安全性。According to the decryption algorithm, if the user wants to decrypt the ciphertext, the attribute key SK uid, aid from each AA aid is required. If the authentication center is attacked by the attacker, it only leaks the system's global master key, and only the global master key cannot decrypt any ciphertext. Similarly, if the attribute authority is attacked by the attacker, the attacker can only obtain the attribute key managed by the attribute organization, and cannot decrypt the attribute privilege of multiple attribute authorization agencies. The system can resist n A -1 attribute authorization. Institutional complicity. Therefore, compared with the weight attribute-based access control scheme of a single authority, the scheme does not require the certification center to be completely trusted, and the risk of the single authorization center is distributed to multiple attribute authorization agencies to share the security of the system.
二、效率分析Second, efficiency analysis
如下表一示出了本发明的方案与现有其它典型属性基加密方案之间加密机制和访问结构灵活性的对比分析:Table 1 below shows a comparative analysis of the encryption mechanism and access structure flexibility between the solution of the present invention and other existing typical attribute-based encryption schemes:
表一:Table I:
定义|p|表示群
和
上元素的长度。|Ak|表示属性授权机构所管理的集合大小,|Au|表示用户属性集合大小,|Ac|表示满足访问结构的最小属性集合大小,Wm为系统允许的最大权重值,Aw为权重属性个数。如下表二示出了本发明的方案与现有其它典型属性基加密方案之间在多机构机制存储开销方面的对比分析:Define |p| to represent a group with The length of the upper element. |A k | indicates the size of the collection managed by the attribute authority, |A u | indicates the size of the user attribute set, |A c | indicates the minimum attribute set size that satisfies the access structure, and W m is the maximum weight value allowed by the system, A w The number of weight attributes. Table 2 below shows a comparative analysis of the storage overhead of the multi-agency mechanism between the solution of the present invention and other existing typical attribute-based encryption schemes:
表二:Table II:
从上述对比可以看出,M.Chase和M.Chase and Chow的方案不支持复杂密文规则,不适合云存储环境。K.Yang方案和本发明方案基于CP-ABE,以增加一定系统的复杂度为代价,来换取支持更加灵活的访问控制策略,同时安全性上有所增强,可以抗N-1个属性授权机构共谋。与K.Yang方案相比,本发明方案支持属性权重,可以制定更加复杂的密文规则;授权机构密钥缩短了一定长度,如果策略中的属性不含权重,密文长度缩短近一半,在支持四级权重时,密文长度才与其相当;解密阶段仅需要2次双线性配对运算,效率提高一倍。As can be seen from the above comparison, the M.Chase and M.Chase and Chow schemes do not support complex ciphertext rules and are not suitable for cloud storage environments. The K.Yang solution and the solution of the present invention are based on CP-ABE, at the cost of increasing the complexity of a certain system, in exchange for supporting a more flexible access control strategy, and at the same time, the security is enhanced, and the N-1 attribute authority can be resisted. Collusion. Compared with the K.Yang scheme, the solution of the present invention supports attribute weights, and can formulate more complicated ciphertext rules; the authority key is shortened by a certain length, and if the attributes in the policy do not contain weights, the ciphertext length is shortened by nearly half. When the four-level weight is supported, the ciphertext length is equivalent; the decryption phase only requires two bilinear pairing operations, and the efficiency is doubled.
综上所述,本发明提出的云存储服务平台的访问控制系统及其访问控制方法是基于权重属性加密机制,采用多机构属性基加密技术,将需上传的用户数据加密后存储到云存储服务平台上的,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,由于将用户的属性与权重相结合,实现了用户属性的分级管理,使得相同属性不同级别的用户具有不同的访问权限,该属性是用以描述用户的信息要素,例如校园网中的学生具有院系、学生类别、年级、专业等属性,教师具有院系、职称、教龄等属性,从而在保证安全性的同时还实现了更加灵活而细致的访问控制。另外,该系统和方法采用多机构属性基加密技术,避免了单个认证中心权力过于集中的问题,进一步提高了数据存储的安全性。该系统和方法特别适合部署在OSS平台,并在Windows平台下采用Java语言实现,具有通用性,可以实现对OSS平台的云端文件进行下载、上传、加密和解密,可切实保障用户存储在OSS平台数据的机密性,同时可对数据共享范围实施细粒度访问控制。In summary, the access control system and the access control method of the cloud storage service platform proposed by the present invention are based on a weight attribute encryption mechanism, and the user data to be uploaded is encrypted and stored in the cloud storage service by using a multi-institution attribute-based encryption technology. On the platform, effective privacy protection can be realized for the shared data on the cloud storage service platform, and the security of the cloud storage service is improved. At the same time, because the attributes of the user are combined with the weights, the hierarchical management of the user attributes is implemented, so that users of different levels of the same attribute have different access rights, and the attributes are used to describe the information elements of the user, such as students in the campus network. With attributes such as department, student type, grade, and major, the teacher has attributes such as department, title, and teaching age, thus achieving more flexible and meticulous access control while ensuring safety. In addition, the system and method adopt multi-institution attribute-based encryption technology, which avoids the problem that the power of a single authentication center is too concentrated, and further improves the security of data storage. The system and method are particularly suitable for deployment on the OSS platform, and are implemented in the Java language under the Windows platform, and have universality, and can download, upload, encrypt and decrypt the cloud files of the OSS platform, and can effectively ensure the user is stored in the OSS platform. The confidentiality of the data, while implementing fine-grained access control for the data sharing scope.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分步骤是可以通过程序来控制相关的硬件完成,所述的程序可以在存储于一计算机可读取存储介质中,所述的存储介质,如ROM/RAM、磁盘、光盘等。A person of ordinary skill in the art can understand that all or part of the steps in implementing the above embodiments may be controlled by a program to control related hardware, and the program may be stored in a computer readable storage medium, the storage. Media, such as ROM/RAM, disk, CD, etc.
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。
The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. Within the scope.
Claims (9)
- 一种云存储服务平台的访问控制系统,其特征在于,所述系统包括:An access control system for a cloud storage service platform, characterized in that the system comprises:认证中心,用于生成全局公钥、全局主密钥、用户公钥,之后将所述全局公钥上传到云端;The authentication center is configured to generate a global public key, a global master key, and a user public key, and then upload the global public key to the cloud;至少一个属性授权机构,用于管理各自的属性集合,并生成机构公钥和机构密钥,之后将所述机构公钥上传到所述云端,还用于根据每一用户提交的属性列表,利用所述全局公钥、所述用户公钥、所述机构密钥生成与用户对应的用户私钥;At least one attribute authority for managing respective attribute sets, and generating an organization public key and an organization key, and then uploading the organization public key to the cloud, and also for utilizing the attribute list submitted by each user Generating, by the global public key, the user public key, and the institution key, a user private key corresponding to the user;用户终端,用于从所述云端下载所述机构公钥和所述全局公钥,并结合所述属性授权机构生成的对应的所述用户私钥,实现用户数据的加密上传或共享数据的解密下载。a user terminal, configured to download the organization public key and the global public key from the cloud, and combine the user private key generated by the attribute authorization mechanism to implement encrypted upload of user data or decryption of shared data. download.
- 如权利要求1所述的云存储服务平台的访问控制系统,其特征在于,所述云端是开放存储服务平台,所述云端与所述用户终端、所述属性授权机构和所述认证中心之间是通过开发接口aliyun-sdk-oss-2.0.0.jar实现通信的。The access control system of the cloud storage service platform according to claim 1, wherein the cloud is an open storage service platform, and the cloud is between the cloud and the user terminal, the attribute authorization authority, and the authentication center. The communication is realized through the development interface aliyun-sdk-oss-2.0.0.jar.
- 一种如权利要求1或2所述的云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述方法包括以下步骤:An access control method for an access control system of a cloud storage service platform according to claim 1 or 2, wherein the method comprises the following steps:认证中心注册各用户终端和各属性授权机构,并生成全局公钥、全局主密钥、用户公钥,之后将全局公钥上传到云端,将所述用户公钥发送给相应的属性授权机构,所述全局主密钥由所述认证中心保存;The authentication center registers each user terminal and each attribute authorization authority, and generates a global public key, a global master key, and a user public key, and then uploads the global public key to the cloud, and sends the user public key to the corresponding attribute authority. The global master key is saved by the certification center;属性授权机构管理各自的属性集合,并生成机构公钥和机构密钥,之后将所述机构公钥上传到所述云端,所述机构密钥由所述属性授权机构保存;The attribute authority manages the respective attribute sets, and generates an organization public key and an organization key, and then uploads the institution public key to the cloud, and the institution key is saved by the attribute authorization authority;用户终端登录系统后,从所述云端下载所述机构公钥和所述全局公钥,并向相应的属性授权机构发出用户私钥获取请求和属性列表;After the user terminal logs in to the system, downloading the organization public key and the global public key from the cloud, and issuing a user private key acquisition request and an attribute list to the corresponding attribute authority;所述相应的属性授权机构接收到所述用户私钥获取请求后,根据所述属性列表,利用所述全局公钥、所述用户公钥、所述机构密钥生成与用户对应的用户私钥,并发送给相应的用户终端; After receiving the user private key obtaining request, the corresponding attribute authority generates a user private key corresponding to the user by using the global public key, the user public key, and the institution key according to the attribute list. And sent to the corresponding user terminal;用户终端根据所述机构公钥、所述全局公钥和所述用户私钥,实现用户数据的加密上传或共享数据的解密下载。The user terminal implements encrypted uploading of user data or decryption downloading of shared data according to the organization public key, the global public key, and the user private key.
- 如权利要求3所述的云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述认证中心注册各用户终端和各属性授权机构,并生成全局公钥、全局主密钥、用户公钥,之后将全局公钥上传到云端,将所述用户公钥发送给相应的属性授权机构的步骤包括以下步骤:The access control method of the access control system of the cloud storage service platform according to claim 3, wherein the authentication center registers each user terminal and each attribute authority, and generates a global public key, a global master key, and a user. The public key, after the global public key is uploaded to the cloud, the step of sending the user public key to the corresponding attribute authority includes the following steps:认证中心选择阶为素数p的乘法群和
g为乘法群
的生成元,定义双线性映射e:
选取随机数
为整数群{0,…,p-1},同时选取一哈希函数H:
The certification center selects the multiplicative group of prime p
withg is a multiplicative groupThe generator, defining the bilinear map e:Select random numberFor the integer group {0,...,p-1}, select a hash function H at the same time:认证中心根据公式计算得到全局公钥GPK,并根据公式GMK=(β,gα),计算得到全局主密钥GMK;Certification Center according to the formula
Calculating the global public key GPK, and calculating the global master key GMK according to the formula GMK=(β, g α );认证中心接收各用户终端和各属性授权机构发送的注册信息,验证通过后,为每一属性授权机构分配唯一标识符aid,为每一用户终端分配唯一标识符uid,之后认证中心为每一用户终端选择对应的随机数根据公式
计算得到对应的用户公钥PKuid,并将用户公钥PKuid发送给对应的属性授权机构,将全局公钥GPK上传到云端。The authentication center receives the registration information sent by each user terminal and each attribute authorization authority. After the verification is passed, each attribute authority is assigned a unique identifier aid, and each user terminal is assigned a unique identifier uid, and then the authentication center is each user. The terminal selects the corresponding random number
According to the formulaThe corresponding user public key PK uid is calculated, and the user public key PK uid is sent to the corresponding attribute authority, and the global public key GPK is uploaded to the cloud. - 如权利要求4所述的云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述属性授权机构管理各自的属性集合,并生成机构公钥和机构密钥,之后将所述机构公钥上传到所述云端的步骤包括以下步骤:The access control system for an access control system of a cloud storage service platform according to claim 4, wherein the attribute authority manages respective attribute sets, and generates an organization public key and an organization key, and then the institution The step of uploading the public key to the cloud includes the following steps:属性授权机构AAaid管理属性集合Said,并为属性集合Said中的权重属性分配权重;The attribute authority AA aid manages the attribute set S aid and assigns a weight to the weight attribute in the attribute set S aid ;属性授权机构AAaid选择随机数根据公式
计算得到机构密钥SKaid,并根据公式
计算得到机构公钥PKaid,之后将机构公钥PKaid上传到所述云端。Attribute authority AA aid selects random number
According to the formulaCalculate the organization key SK aid and according to the formulaThe organization public key PK aid is calculated, and then the organization public key PK aid is uploaded to the cloud. - 如权利要求5所述的云存储服务平台的访问控制系统的访问控制方法, 其特征在于,所述相应的属性授权机构接收到所述用户私钥获取请求后,根据所述属性列表,利用所述全局公钥、所述用户公钥、所述机构密钥生成与用户对应的用户私钥,并发送给相应的用户终端的步骤包括以下步骤:The access control method of the access control system of the cloud storage service platform according to claim 5, The corresponding attribute authority receives the user private key acquisition request, and generates, according to the attribute list, the global public key, the user public key, and the organization key to generate a corresponding to the user. The user private key and the step of sending it to the corresponding user terminal includes the following steps:属性授权机构AAaid选取随机数并为任意属性x∈Suid,aid选取随机数
若属性x为权重属性,属性授权机构AAaid设置属性x对应的权重wx∈[1,n];Attribute authority AA aid selects random number
And select a random number for any attribute x∈S uid, aidIf the attribute x is a weight attribute, the attribute authority AA aid sets the weight corresponding to the attribute x w x ∈ [1, n];属性授权机构AAaid根据计算用户私钥SKuid,aid,表示为:The attribute authority AA aid is expressed according to the calculation user private key SK uid, aid , as:
其中,Kuid,aid、K'uid,aid、Kx,uid、以及K'x,uid均为所述乘法群上的元素,rx为所述整数群
上的随机数;Where K uid, aid , K' uid, aid , K x, uid , and K' x, uid are all the multiplicative groups
The upper element, r x is the integer groupRandom number on;属性授权机构AAaid将用户私钥SKuid,aid发送给用户终端uid。The attribute authority AA aid sends the user private key SK uid, aid to the user terminal uid. - 如权利要求6所述的云存储服务平台的访问控制系统的访问控制方法,其特征在于,当所述用户终端作为数据属主时,所述用户终端根据所述机构公钥、所述全局公钥和所述用户私钥,实现用户数据的加密上传或共享数据的解密下载的步骤包括以下步骤:The access control system of the access control system of the cloud storage service platform according to claim 6, wherein when the user terminal is the data owner, the user terminal is based on the public key of the organization and the global public The key and the user private key, the encrypted upload of the user data or the decrypted download of the shared data includes the following steps:输入明文M、全局公钥GPK、参与加密的所有属性授权机构的集合IAA、对应的机构公钥的集合以及访问控制策略Γ;Input plaintext M, global public key GPK, set of all attribute authority participating in encryption I AA , corresponding set of institutional public keys
And access control strategiesΓ;用户终端利用全局公钥GPK、参与加密的所有属性授权机构的集合IAA、对应的机构公钥的集合以及访问控制策略Γ,对密文M进行加密,计算得到密文CT,之后将密文CT上传到所述云端。The user terminal utilizes the global public key GPK, the set of all attribute authority participating in the encryption, I AA , and the corresponding set of institutional public keys.
And the access control policy, encrypting the ciphertext M, calculating the ciphertext CT, and then uploading the ciphertext CT to the cloud. - 如权利要求7所述的云存储服务平台的访问控制系统的访问控制方法,其特征在于,所述对密文M进行加密,计算得到密文CT的步骤表示为: The access control system of the access control system of the cloud storage service platform according to claim 7, wherein the step of encrypting the ciphertext M and calculating the ciphertext CT is as follows:
其中,Y为访问控制策略Γ的叶子节点的集合,叶子节点y∈Y的属性为att(y),其权重属性att(y)的权重为wy,C为对消息的计算,IA为属性授权机构A的属性集合,C'和C”均为对根节点的计算,Cy和C'y为对应属性值的计算,Cy,j为属性对应权重的计算,qy(0)为属性y所对应的属性值,wj为属性的权重值。Where Y is the set of leaf nodes of the access control policy, the attribute of the leaf node y∈Y is att(y), the weight of the weight attribute att(y) is w y , C is the calculation of the message, and I A is The attribute set of the attribute authority A, C' and C" are the calculations for the root node, C y and C' y are the calculations of the corresponding attribute values, and C y, j are the calculations of the attribute corresponding weights, q y (0) For the attribute value corresponding to the attribute y, w j is the weight value of the attribute. - 如权利要求6所述的云存储服务平台的访问控制系统的访问控制方法,其特征在于,当所述用户终端作为共享用户时,所述用户终端根据所述机构公钥、所述全局公钥和所述用户私钥,实现用户数据的加密上传或共享数据的解密下载的步骤包括以下步骤:The access control method of the access control system of the cloud storage service platform according to claim 6, wherein when the user terminal is a shared user, the user terminal is based on the institution public key and the global public key. And the user private key, the step of implementing encrypted upload of user data or decryption downloading of shared data includes the following steps:用户终端从所述云端下载密文CT,并输入全局公钥GPK、对应的用户密钥访问控制策略Γ、和访问控制策略Γ中的一个节点x,并定义nA=|IAA|,所述nA表示属性授权机构AA包含的属性个数;The user terminal downloads the ciphertext CT from the cloud, and inputs the global public key GPK and the corresponding user key.
Accessing a control node Γ, and a node x in the access control policy 并, and defining n A =|I AA |, the n A representing the number of attributes included in the attribute authority AA;用户终端调用预先定义的递归函数DecryptNode(CT,SK,x),若用户终端的属性集满足访问控制策略Γ,则计算解密信息A为:The user terminal invokes a predefined recursive function DecryptNode(CT, SK, x) if the attribute set of the user terminal
After satisfying the access control policy, the decryption information A is calculated as:
其中,qx(0)为属性x所对应的属性值;Where q x (0) is the attribute value corresponding to the attribute x;由多项式插值定理求得之后计算
并结合下式求得
Obtained by the polynomial interpolation theorem
After calculationAnd combined with the following formula to obtain
用户终端计算明文M,表示为:The user terminal calculates the plaintext M, which is expressed as:
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510326044.8A CN104917772B (en) | 2015-06-12 | 2015-06-12 | A kind of access control method of the access control system of cloud storage service platform |
| CN201510326044.8 | 2015-06-12 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2016197770A1 true WO2016197770A1 (en) | 2016-12-15 |
Family
ID=54086478
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2016/081388 WO2016197770A1 (en) | 2015-06-12 | 2016-05-09 | Access control system and access control method thereof for cloud storage service platform |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN104917772B (en) |
| WO (1) | WO2016197770A1 (en) |
Cited By (27)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110719176A (en) * | 2019-10-22 | 2020-01-21 | 黑龙江工业学院 | Logistics privacy protection method and system based on block chain and readable storage medium |
| CN111310245A (en) * | 2020-03-05 | 2020-06-19 | 之江实验室 | Data encryption storage method for mimicry defense system |
| CN111619475A (en) * | 2019-02-28 | 2020-09-04 | 上海新微技术研发中心有限公司 | Method for automobile CAN bus safety access |
| CN111786786A (en) * | 2020-07-27 | 2020-10-16 | 国网河南省电力公司郑州供电公司 | Agent re-encryption method and system supporting equation judgment in cloud computing environment |
| CN111953483A (en) * | 2020-07-29 | 2020-11-17 | 哈尔滨工程大学 | Multi-authority access control method based on criterion |
| CN112035853A (en) * | 2020-08-13 | 2020-12-04 | 潘显富 | Storage data access control system based on enterprise cloud disk |
| CN112104619A (en) * | 2020-08-27 | 2020-12-18 | 西南大学 | Data access control system and method based on outsourcing ciphertext attribute encryption |
| CN112118101A (en) * | 2020-09-23 | 2020-12-22 | 山东建筑大学 | Post-quantum secure dynamic data sharing method |
| CN112257112A (en) * | 2020-11-16 | 2021-01-22 | 国网河南省电力公司信息通信公司 | Data access control method based on block chain |
| CN112383391A (en) * | 2020-11-12 | 2021-02-19 | 北京安御道合科技有限公司 | Data security protection method based on data attribute authorization, storage medium and terminal |
| CN112380553A (en) * | 2020-11-25 | 2021-02-19 | 华南理工大学 | Multi-key searchable encryption method and system based on attribute access control structure |
| CN112784230A (en) * | 2021-01-21 | 2021-05-11 | 北京启明星辰信息安全技术有限公司 | Network security data sharing and control method and system |
| CN112926066A (en) * | 2021-02-23 | 2021-06-08 | 华能(浙江)能源开发有限公司玉环分公司 | Proxy re-encryption method for access control |
| CN113098849A (en) * | 2021-03-23 | 2021-07-09 | 鹏城实验室 | Access control method based on attribute and identity encryption, terminal and storage medium |
| CN113489732A (en) * | 2021-07-13 | 2021-10-08 | 郑州轻工业大学 | Content sharing privacy protection method for resisting collusion attack |
| CN113708917A (en) * | 2021-08-18 | 2021-11-26 | 上海应用技术大学 | APP user data access control system and method based on attribute encryption |
| CN114065265A (en) * | 2021-11-29 | 2022-02-18 | 重庆邮电大学 | Fine-grained cloud storage access control method, system and equipment based on block chain technology |
| CN114143094A (en) * | 2021-12-02 | 2022-03-04 | 兰州理工大学 | Multi-authorization attribute-based verifiable encryption method based on block chain |
| CN114172696A (en) * | 2021-11-23 | 2022-03-11 | 国网江西省电力有限公司电力科学研究院 | Terminal authentication method for cloud-side cooperative dual authentication in power Internet of things |
| CN114567500A (en) * | 2022-03-04 | 2022-05-31 | 南京联成科技发展股份有限公司 | Encryption method for data transmission of centralized control center |
| CN114598535A (en) * | 2022-03-14 | 2022-06-07 | 太原科技大学 | CP-ABE agent re-encryption method based on cloud computing multiple authorization centers |
| CN114978578A (en) * | 2022-04-06 | 2022-08-30 | 中债金科信息技术有限公司 | Data unauthorized access control method and device based on attribute key derivation |
| CN115174580A (en) * | 2022-09-05 | 2022-10-11 | 睿至科技集团有限公司 | Data processing method and system based on big data |
| CN115250205A (en) * | 2022-09-22 | 2022-10-28 | 湖北省楚天云有限公司 | Data sharing method and system based on alliance chain, electronic device and storage medium |
| CN115695035A (en) * | 2022-11-10 | 2023-02-03 | 山东云科汉威软件有限公司 | Oil and gas field business data authorization method and device based on cloud storage, electronic equipment and readable medium |
| CN116405929A (en) * | 2023-06-09 | 2023-07-07 | 贵州联广科技股份有限公司 | Secure access processing method and system suitable for cluster communication |
| CN117278216A (en) * | 2023-11-23 | 2023-12-22 | 三亚学院 | Encryption system based on cloud computing virtualization and network storage files |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104917772B (en) * | 2015-06-12 | 2017-12-08 | 深圳大学 | A kind of access control method of the access control system of cloud storage service platform |
| CN105812388B (en) * | 2016-05-13 | 2018-12-07 | 中国农业银行股份有限公司 | A kind of management method and system of user certificate and private key |
| CN106055931B (en) * | 2016-05-18 | 2017-06-16 | 北京芯盾时代科技有限公司 | Mobile terminal software safe component system and the cipher key system for the system |
| CN106612321B (en) * | 2016-07-05 | 2019-12-17 | 趣增信息科技(上海)有限公司 | Access authority management method in cloud storage |
| CN106059763B (en) * | 2016-07-29 | 2019-05-03 | 南京邮电大学 | The properties base multi-mechanism hierarchical Ciphertext policy weight encryption method of cloud environment |
| CN106487792A (en) * | 2016-10-19 | 2017-03-08 | 云南电网有限责任公司电力科学研究院 | A kind of power marketing cloud storage encryption method and system |
| CN108540444A (en) * | 2018-02-24 | 2018-09-14 | 中山大学 | A kind of information transmission storage method and device |
| CN109121269B (en) * | 2018-09-13 | 2020-02-21 | 江苏科技大学 | Port intelligent lighting management system and access control method thereof |
| CN111163036B (en) * | 2018-11-07 | 2022-03-29 | 中移(苏州)软件技术有限公司 | Data sharing method, device, client, storage medium and system |
| CN109743292A (en) * | 2018-12-12 | 2019-05-10 | 杭州安恒信息技术股份有限公司 | A kind of method and system of shared data cascade protection |
| CN111953482B (en) * | 2020-07-29 | 2022-06-17 | 哈尔滨工程大学 | Multi-mechanism weighting criterion encryption method for cloud storage |
| CN115712660B (en) * | 2022-01-29 | 2023-05-30 | 杭州宇信数字科技有限公司 | Data storage method, device, server and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101807991A (en) * | 2009-02-18 | 2010-08-18 | 上海交通大学 | Ciphertext policy attribute-based encryption system and method |
| CN103618729A (en) * | 2013-09-03 | 2014-03-05 | 南京邮电大学 | Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage |
| US20140289513A1 (en) * | 2013-03-15 | 2014-09-25 | Arizona Board Of Regents On Behalf Of Arizona State University | Enabling Comparable Data Access Control for Lightweight Mobile Devices in Clouds |
| CN104917772A (en) * | 2015-06-12 | 2015-09-16 | 深圳大学 | Access control system for cloud store service platform and access control method thereof |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104468615B (en) * | 2014-12-25 | 2018-03-20 | 西安电子科技大学 | file access and modification authority control method based on data sharing |
-
2015
- 2015-06-12 CN CN201510326044.8A patent/CN104917772B/en active Active
-
2016
- 2016-05-09 WO PCT/CN2016/081388 patent/WO2016197770A1/en active Application Filing
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101807991A (en) * | 2009-02-18 | 2010-08-18 | 上海交通大学 | Ciphertext policy attribute-based encryption system and method |
| US20140289513A1 (en) * | 2013-03-15 | 2014-09-25 | Arizona Board Of Regents On Behalf Of Arizona State University | Enabling Comparable Data Access Control for Lightweight Mobile Devices in Clouds |
| CN103618729A (en) * | 2013-09-03 | 2014-03-05 | 南京邮电大学 | Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage |
| CN104917772A (en) * | 2015-06-12 | 2015-09-16 | 深圳大学 | Access control system for cloud store service platform and access control method thereof |
Non-Patent Citations (3)
| Title |
|---|
| LIU, XIMENG ET AL.: "Ciphertext-policy Weighted Attribute-based Encryption Scheme in Cloud Computing", JOURNAL OF SICHUAN UNIVERSITY (ENGINEERING SCIENCE EDITION, vol. 45, no. 6, 30 November 2013 (2013-11-30), pages 21 - 26 * |
| MA, DANDAN ET AL.: "Ciphertext Policy Encryption Mechanism Based on Multi-attribute Authority", COMPUTER ENGINEERING, vol. 38, no. 10, 31 May 2012 (2012-05-31), pages 114 - 116 * |
| WANG, YUN ET AL.: "Multi-authority Based Weighted Attribute Encryption Scheme in Cloud Computing", 10TH INTERNATIONAL CONFERENCE ON NATURAL COMPUTATION, 31 December 2014 (2014-12-31), pages 1033 - 1038, XP032697520 * |
Cited By (41)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111619475A (en) * | 2019-02-28 | 2020-09-04 | 上海新微技术研发中心有限公司 | Method for automobile CAN bus safety access |
| CN110719176A (en) * | 2019-10-22 | 2020-01-21 | 黑龙江工业学院 | Logistics privacy protection method and system based on block chain and readable storage medium |
| CN111310245A (en) * | 2020-03-05 | 2020-06-19 | 之江实验室 | Data encryption storage method for mimicry defense system |
| CN111310245B (en) * | 2020-03-05 | 2022-07-15 | 之江实验室 | Data encryption storage method for mimicry defense system |
| CN111786786A (en) * | 2020-07-27 | 2020-10-16 | 国网河南省电力公司郑州供电公司 | Agent re-encryption method and system supporting equation judgment in cloud computing environment |
| CN111953483A (en) * | 2020-07-29 | 2020-11-17 | 哈尔滨工程大学 | Multi-authority access control method based on criterion |
| CN111953483B (en) * | 2020-07-29 | 2022-07-15 | 哈尔滨工程大学 | Multi-authority access control method based on criterion |
| CN112035853A (en) * | 2020-08-13 | 2020-12-04 | 潘显富 | Storage data access control system based on enterprise cloud disk |
| CN112104619A (en) * | 2020-08-27 | 2020-12-18 | 西南大学 | Data access control system and method based on outsourcing ciphertext attribute encryption |
| CN112118101B (en) * | 2020-09-23 | 2023-07-28 | 山东建筑大学 | Post quantum security dynamic data sharing method |
| CN112118101A (en) * | 2020-09-23 | 2020-12-22 | 山东建筑大学 | Post-quantum secure dynamic data sharing method |
| CN112383391A (en) * | 2020-11-12 | 2021-02-19 | 北京安御道合科技有限公司 | Data security protection method based on data attribute authorization, storage medium and terminal |
| CN112383391B (en) * | 2020-11-12 | 2024-03-19 | 北京安御道合科技有限公司 | Data security protection method based on data attribute authorization, storage medium and terminal |
| CN112257112A (en) * | 2020-11-16 | 2021-01-22 | 国网河南省电力公司信息通信公司 | Data access control method based on block chain |
| CN112257112B (en) * | 2020-11-16 | 2022-10-14 | 国网河南省电力公司信息通信公司 | Data access control method based on block chain |
| CN112380553A (en) * | 2020-11-25 | 2021-02-19 | 华南理工大学 | Multi-key searchable encryption method and system based on attribute access control structure |
| CN112784230B (en) * | 2021-01-21 | 2024-02-09 | 北京启明星辰信息安全技术有限公司 | Network security data sharing and controlling method and system |
| CN112784230A (en) * | 2021-01-21 | 2021-05-11 | 北京启明星辰信息安全技术有限公司 | Network security data sharing and control method and system |
| CN112926066A (en) * | 2021-02-23 | 2021-06-08 | 华能(浙江)能源开发有限公司玉环分公司 | Proxy re-encryption method for access control |
| CN113098849A (en) * | 2021-03-23 | 2021-07-09 | 鹏城实验室 | Access control method based on attribute and identity encryption, terminal and storage medium |
| CN113489732A (en) * | 2021-07-13 | 2021-10-08 | 郑州轻工业大学 | Content sharing privacy protection method for resisting collusion attack |
| CN113708917A (en) * | 2021-08-18 | 2021-11-26 | 上海应用技术大学 | APP user data access control system and method based on attribute encryption |
| CN113708917B (en) * | 2021-08-18 | 2022-12-09 | 上海应用技术大学 | APP user data access control system and method based on attribute encryption |
| CN114172696A (en) * | 2021-11-23 | 2022-03-11 | 国网江西省电力有限公司电力科学研究院 | Terminal authentication method for cloud-side cooperative dual authentication in power Internet of things |
| CN114172696B (en) * | 2021-11-23 | 2023-09-12 | 国网江西省电力有限公司电力科学研究院 | Terminal authentication method for cloud edge end cooperative dual authentication in electric power Internet of things |
| CN114065265B (en) * | 2021-11-29 | 2024-04-16 | 重庆邮电大学 | Fine-grained cloud storage access control method, system and equipment based on blockchain technology |
| CN114065265A (en) * | 2021-11-29 | 2022-02-18 | 重庆邮电大学 | Fine-grained cloud storage access control method, system and equipment based on block chain technology |
| CN114143094A (en) * | 2021-12-02 | 2022-03-04 | 兰州理工大学 | Multi-authorization attribute-based verifiable encryption method based on block chain |
| CN114567500A (en) * | 2022-03-04 | 2022-05-31 | 南京联成科技发展股份有限公司 | Encryption method for data transmission of centralized control center |
| CN114598535B (en) * | 2022-03-14 | 2023-12-15 | 太原科技大学 | CP-ABE agent re-encryption method based on cloud computing multi-authorization center |
| CN114598535A (en) * | 2022-03-14 | 2022-06-07 | 太原科技大学 | CP-ABE agent re-encryption method based on cloud computing multiple authorization centers |
| CN114978578B (en) * | 2022-04-06 | 2023-09-19 | 中债金科信息技术有限公司 | Data unauthorized access control method and device based on attribute key derivation |
| CN114978578A (en) * | 2022-04-06 | 2022-08-30 | 中债金科信息技术有限公司 | Data unauthorized access control method and device based on attribute key derivation |
| CN115174580A (en) * | 2022-09-05 | 2022-10-11 | 睿至科技集团有限公司 | Data processing method and system based on big data |
| CN115250205A (en) * | 2022-09-22 | 2022-10-28 | 湖北省楚天云有限公司 | Data sharing method and system based on alliance chain, electronic device and storage medium |
| CN115695035A (en) * | 2022-11-10 | 2023-02-03 | 山东云科汉威软件有限公司 | Oil and gas field business data authorization method and device based on cloud storage, electronic equipment and readable medium |
| CN115695035B (en) * | 2022-11-10 | 2024-04-19 | 山东云科汉威软件有限公司 | Cloud storage-based oil and gas field service data authorization method and device, electronic equipment and readable medium |
| CN116405929A (en) * | 2023-06-09 | 2023-07-07 | 贵州联广科技股份有限公司 | Secure access processing method and system suitable for cluster communication |
| CN116405929B (en) * | 2023-06-09 | 2023-08-15 | 贵州联广科技股份有限公司 | Secure access processing method and system suitable for cluster communication |
| CN117278216A (en) * | 2023-11-23 | 2023-12-22 | 三亚学院 | Encryption system based on cloud computing virtualization and network storage files |
| CN117278216B (en) * | 2023-11-23 | 2024-02-13 | 三亚学院 | Encryption system based on cloud computing virtualization and network storage files |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104917772A (en) | 2015-09-16 |
| CN104917772B (en) | 2017-12-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2016197770A1 (en) | Access control system and access control method thereof for cloud storage service platform | |
| WO2016197680A1 (en) | Access control system for cloud storage service platform and access control method therefor | |
| Zhu et al. | A secure anti-collusion data sharing scheme for dynamic groups in the cloud | |
| Zuo et al. | Fine-grained two-factor protection mechanism for data sharing in cloud storage | |
| WO2018045568A1 (en) | Access control method oriented to cloud storage service platform and system thereof | |
| CN109145612B (en) | Block chain-based cloud data sharing method for preventing data tampering and user collusion | |
| US20160055347A1 (en) | Data access control method in cloud | |
| CN108600171B (en) | Cloud data deterministic deletion method supporting fine-grained access | |
| Pu et al. | R²PEDS: a recoverable and revocable privacy-preserving edge data sharing scheme | |
| Li et al. | Two-factor data access control with efficient revocation for multi-authority cloud storage systems | |
| Premkamal et al. | Enhanced attribute based access control with secure deduplication for big data storage in cloud | |
| CN107465681B (en) | Cloud computing big data privacy protection method | |
| CN107332858B (en) | Cloud data storage method | |
| Guo et al. | Accountable attribute-based data-sharing scheme based on blockchain for vehicular ad hoc network | |
| Chaudhary et al. | RMA-CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT devices | |
| Zhang et al. | Efficient hierarchical and time-sensitive data sharing with user revocation in mobile crowdsensing | |
| CN107395609B (en) | Data encryption method | |
| Wang et al. | A role-based access control system using attribute-based encryption | |
| CN106790100B (en) | Data storage and access control method based on asymmetric cryptographic algorithm | |
| Wang et al. | Revocable, dynamic and decentralized data access control in cloud storage | |
| Yang et al. | Public auditing scheme for cloud data with user revocation and data dynamics | |
| CN114124392A (en) | Data controlled circulation method, system, device and medium supporting access control | |
| Wang et al. | Public key based searchable encryption with fine-grained sender permission control | |
| Reddy et al. | Access control and data security in online document verification system | |
| Patil et al. | Survey Paper On Modoc: Multi Owner Data Sharing Over Cloud |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16806668 Country of ref document: EP Kind code of ref document: A1 |
|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 30/05/2018) |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 16806668 Country of ref document: EP Kind code of ref document: A1 |