WO2018045568A1 - Access control method oriented to cloud storage service platform and system thereof - Google Patents
Access control method oriented to cloud storage service platform and system thereof Download PDFInfo
- Publication number
- WO2018045568A1 WO2018045568A1 PCT/CN2016/098600 CN2016098600W WO2018045568A1 WO 2018045568 A1 WO2018045568 A1 WO 2018045568A1 CN 2016098600 W CN2016098600 W CN 2016098600W WO 2018045568 A1 WO2018045568 A1 WO 2018045568A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- cloud storage
- storage service
- private key
- client
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Definitions
- the present invention relates to the field of cloud storage service technologies, and in particular, to an access control method and system for a cloud storage service platform.
- the cloud storage service provider is the physical owner of the data, and is not in the same trust domain as the data owner.
- a cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services.
- the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
- the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
- the object of the present invention is to provide an access control method and system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a plaintext form with poor privacy and security. problem.
- the invention provides an access control method for a cloud storage service platform, which is applied to a cloud storage service platform including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server.
- Access control system wherein the method comprises:
- the authorization center operation management end generates a public key, a primary private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to a cloud storage service platform;
- the data belonging to the main running client requests authorization from the authorization center operation management terminal and issues data upload request information
- the authorization center operation management terminal verifies the identity of the data owner running client, and sends the signature private key to the data owner running client after verifying the pass;
- the data belonging to the main running client encrypts the plaintext by using the public key and the signature private key, generates the ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage service platform;
- the data user running client requests authorization from the authorization center operation management terminal;
- the authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the user private key and the conversion key. Sending to the data user to run the client;
- the data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server;
- the third-party running server uses the conversion key and partially decrypts the shared data based on a conversion algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to The data user runs a client;
- the data user running client uses the user private key to perform final decryption on the partially decrypted ciphertext.
- the step of generating, by the authorization center, the management terminal, the public key, the primary private key, the signature public key, and the signature private key includes:
- the step of generating the corresponding user private key in combination with the primary private key specifically includes:
- the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
- the step of the third-party running server executing the conversion algorithm specifically includes:
- the step of performing the final decryption of the partially decrypted ciphertext by using the user private key comprises:
- the present invention further provides an access control system for a cloud storage service platform, including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third-party operation server, wherein
- the authorization center runs a management end, and is configured to generate a public key, a primary private key, a signature public key, and a signature private key, and upload the public key and the signature public key to a cloud storage service platform;
- the data belongs to the main running client, and is used to request authorization from the operation center of the authorization center and issue data upload request information;
- the authorization center runs a management terminal, and is further configured to verify the identity of the data owner running client, And sending the signed private key to the data owner running client after verifying the pass;
- the data belongs to the main running client, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service. platform;
- the data user runs a client, and is used to request authorization from the operation center of the authorization center;
- the authorization center runs a management terminal, and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the pass, and the user private key is generated. And the conversion key is sent to the data user to run the client;
- the data user runs the client, and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
- the third-party running server is configured to partially decrypt the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and decrypt the partial ciphertext Transmitting to the data user to run the client;
- the data user runs the client, and is further configured to perform final decryption on the partially decrypted ciphertext by using the user private key.
- the cloud storage service platform is an Amazon Cloud OSS cloud storage service platform.
- the technical solution provided by the invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, thereby realizing effective privacy protection for the shared data on the cloud storage service platform and improving the cloud storage.
- the security of the service at the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved.
- the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext.
- the security of the entire program is not limited to:
- FIG. 1 is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention
- FIG. 2 is a schematic diagram showing the internal structure of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention.
- the access control system and the access control method for the cloud storage service platform proposed by the present invention are based on an outsourced decryption attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform.
- FIG. 1 is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention.
- the access control method for the cloud storage service platform is applied to a cloud storage service including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server.
- Platform access control system Platform access control system.
- step S1 the authorization center operation management terminal generates a public key, a master private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to the cloud storage service platform.
- the cloud storage service platform is an Amazon Cloud OSS cloud storage service platform, and may be other cloud storage service platforms, which are not limited herein.
- the step S1 is a step of system initialization
- the step S1 of generating the public key, the master private key, the signature public key and the signature private key by the authorization center running management terminal specifically includes:
- step S2 the data owner running client requests authorization from the authorization center operation management terminal and issues data upload request information.
- step S3 the authorization center operation management terminal verifies that the data belongs to the main operation client. Identity, and after the verification is passed, the signed private key is sent to the data owner running client.
- step S4 the data owner running client encrypts the plaintext by using the public key and the signature private key, generates a ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage.
- Service Platform the public key and the signature private key
- the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
- step S5 the data user running client requests authorization from the authorization center operation management terminal.
- step S6 the authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the private user is private.
- the key and conversion key are sent to the data user to run the client.
- the step of generating the corresponding user private key in combination with the primary private key specifically includes:
- step S7 the data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server.
- step S8 the third party runs the server, utilizes the conversion key and is based on the outsourcing solution.
- the conversion algorithm in the secret attribute encryption mechanism partially decrypts the shared data to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to the data user running client.
- the step of the third-party running server executing the conversion algorithm specifically includes:
- step S9 the data user running client performs final decryption on the partially decrypted ciphertext by using the user private key.
- the step of performing final decryption on the partially decrypted ciphertext by using the user private key includes:
- the access control method for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share the data on the cloud storage service platform. Achieve effective privacy protection and improve the security of cloud storage services.
- the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved.
- the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext.
- the security of the entire program is not limited to:
- FIG. 2 a schematic structural diagram of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention is shown.
- the access control system 10 for the cloud storage service platform is in communication with the cloud storage service platform, and mainly includes an authorization center operation management terminal 11, a data owner operation client terminal 12, a third party operation server terminal 13, and a data user. Run client 14.
- the authorization center runs the management terminal 11 for generating a public key, a primary private key, a signature public key, and a signature private key, and uploading the public key and the signature public key to the cloud storage service platform;
- the data belonging to the main running client 12 is configured to request authorization from the authorization center operation management terminal and issue data upload request information;
- the authorization center operation management terminal 11 is further configured to verify the identity of the data owner running client, and send the signature private key to the data owner running client after verifying the pass;
- the data belongs to the main running client 12, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service platform. ;
- the data user runs the client 14 for requesting authorization from the authorization center running management terminal;
- the authorization center runs the management terminal 11 and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the verification, and the user private key is Translating a secret key to the data user to run the client;
- the data user runs the client 14 and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
- the third-party running server 13 is configured to perform partial decryption on the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmit the partially decrypted ciphertext Running the client to the data user;
- the data user runs the client 14 and is further configured to perform final decryption of the partially decrypted ciphertext by using the user private key.
- the cloud storage service platform is an Amazon Cloud OSS cloud storage service platform.
- the access control system 10 for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share on the cloud storage service platform. Data achieves effective privacy protection and improves the security of cloud storage services.
- the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved.
- the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext.
- the security of the entire program is not limited to:
- the proposed scheme can not only guarantee data confidentiality, but also resist collusion attacks.
- this outsourced decryption CP-ABE scheme can successfully prevent unauthorized users and semi-trusted third parties from obtaining encrypted data information.
- the attribute set owned by the user cannot match the ciphertext-related access control policy, then the user cannot obtain e(g, g) ⁇ s , where ⁇ is a random number unique to each user. This value is different for any two users. Therefore, an unauthorized user cannot decrypt the ciphertext.
- semi-trusted third parties may cause another type of attack.
- this outsourced decryption CP-ABE solution is able to resist collusion attacks between users.
- the secret shared value s is hidden in the ciphertext, not in the user's key.
- the attacker In order to decrypt the ciphertext, the attacker must recover e(g,g) ⁇ s .
- the collusion attacker In order to obtain e(g,g) ⁇ s , the collusion attacker needs to obtain Collusion attack is associated with this need to perform the operation of bilinear, i.e. from ciphertext C x D x and from other colluder.
- each user's key is calculated and generated by the random number r.
- collusion attackers are legally authorized users, they cannot recover e(g,g) rs and cannot further recover e(g,g) ⁇ s . Therefore, all colluders cannot jointly recover e(g,g) ⁇ s even if they share their keys.
Abstract
The present invention relates to the field of cloud storage service technology, and provided are an access control system oriented to a cloud storage service platform and an access control method therefor. In the method and system, a data owner, on the basis of an attribute encryption mechanism, encrypting user data needing to be uploaded and then storing in a cloud storage service platform, thereby being able to carry out effective privacy protection for shared data in the cloud storage service platform and improving security of cloud storage service. Meanwhile, since most of the decryption operations are outsourced to a third party, the burden of decryption of a data user is visibly reduced, thereby achieving a goal of allowing the user to quickly decrypt. In addition, while a cleartext is encrypted in an encryption phase, the cleartext is signed so that the data user may verify correctness of the cleartext obtained by the decryption, thereby preventing possible tampering of the cleartext or ciphertext by the cloud server and the third party and improving security of the entire program.
Description
本发明涉及云存储服务技术领域,尤其涉及一种面向云存储服务平台的访问控制方法及其系统。The present invention relates to the field of cloud storage service technologies, and in particular, to an access control method and system for a cloud storage service platform.
在云存储服务平台中,由于采用数据远程托管技术,云存储服务提供商是数据的物理拥有者,与数据属主并不在同一个信任域中。云存储服务提供商管理着多个用户及其资源,当用户跨边界访问其它用户资源时,需要采用一定的访问控制策略来控制对数据和服务的访问。但实际中,由于云存储服务平台是采用虚拟化存储技术,云存储服务同底层硬件环境之间是松耦合的,不同用户的数据间缺乏固定不变的安全边界,由此增加了在云存储服务平台对数据实施访问控制的难度。In the cloud storage service platform, because of the data remote hosting technology, the cloud storage service provider is the physical owner of the data, and is not in the same trust domain as the data owner. A cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services. However, in practice, because the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
现有技术中,虽然数据属主可对其上传的用户数据的读/写属性进行设置,例如将读/写属性设置为公有读/私有写或公有读/公有写,以在一定程度上限制数据的读写权限,但由于用户数据仍旧是以明文形式存储在云存储服务平台上的,缺乏有效的隐私保护机制,不能有效抵御非法用户的访问而使得用户数据泄露。In the prior art, although the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
发明内容Summary of the invention
有鉴于此,本发明的目的在于提供一种面向云存储服务平台的访问控制方法及其系统,旨在解决解决现有的云存储服务平台是以明文形式存储用户数据,隐私性和安全性差的问题。In view of this, the object of the present invention is to provide an access control method and system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a plaintext form with poor privacy and security. problem.
本发明提出一种面向云存储服务平台的访问控制方法,应用于包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端、第三方运行服务端在内的面向云存储服务平台的访问控制系统,其中,所述方法包括:The invention provides an access control method for a cloud storage service platform, which is applied to a cloud storage service platform including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server. Access control system, wherein the method comprises:
所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;
The authorization center operation management end generates a public key, a primary private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to a cloud storage service platform;
所述数据属主运行客户端向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belonging to the main running client requests authorization from the authorization center operation management terminal and issues data upload request information;
所述授权中心运行管理端核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal verifies the identity of the data owner running client, and sends the signature private key to the data owner running client after verifying the pass;
所述数据属主运行客户端利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belonging to the main running client encrypts the plaintext by using the public key and the signature private key, generates the ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage service platform;
所述数据用户运行客户端向所述授权中心运行管理端请求授权;The data user running client requests authorization from the authorization center operation management terminal;
所述授权中心运行管理端核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the user private key and the conversion key. Sending to the data user to run the client;
所述数据用户运行客户端从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server;
所述第三方运行服务端,利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server uses the conversion key and partially decrypts the shared data based on a conversion algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to The data user runs a client;
所述数据用户运行客户端利用所述用户私钥对所述部分解密密文进行最终解密。The data user running client uses the user private key to perform final decryption on the partially decrypted ciphertext.
优选的,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥的步骤具体包括:Preferably, the step of generating, by the authorization center, the management terminal, the public key, the primary private key, the signature public key, and the signature private key includes:
输入安全参数λ,构造阶为素数p、生成元为g的双线性群,定义双线性映射选取随机数计算公钥PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g , defining a bilinear map Select random number The calculation public key PK and the primary private key MK are respectively:
PK=(g,h=gβ,e(g,g)α)PK=(g,h=g β ,e(g,g) α )
MSK=(β,gα)MSK=(β,g α )
然后选取计算签名公钥SPK与签名私钥SSK分别为:Then select The calculation signature public key SPK and the signature private key SSK are respectively:
SPK=(gx,gy),SSK=(x,y)。SPK = (g x , g y ), SSK = (x, y).
优选的,所述结合所述主私钥生成对应的用户私钥的步骤具体包括:Preferably, the step of generating the corresponding user private key in combination with the primary private key specifically includes:
首先选择一个随机值然后对每个属性k∈S随机选择最后生成对应的用户私钥为:First choose a random value Then randomly select each attribute k∈S Finally, generate the corresponding user private key as:
优选的,所述利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文的步骤具体包括:Preferably, the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
在访问结构下加密消息M,为每个节点n选择一个多项式qn,从树的根节点R开始,自上而下选择多项式,节点n的多项式qn的度dn比该节点的门限值kn少1,即dn=kn-1;Access structure Encrypt message M, as Each node n selects a polynomial q n , starting from the root node R of the tree, selecting a polynomial from top to bottom, and the degree d n of the polynomial q n of the node n is less than the threshold k n of the node, ie d n =k n -1;
从根节点R开始选择随机数并设置qR(0)=s,随机选择多项式qR上的dR个点完全定义qR,对于其它的顶点n,令qn(0)=qparent(n)(index(n)),随机选择其它dn个顶点完全定义qn;Select random number from root node R And set q R (0)=s, randomly select d R points on the polynomial q R to completely define q R , for other vertices n, let q n (0)=q parent(n) (index(n)) , randomly select other d n vertices to completely define q n ;
设中所有叶子节点的集合为J,由签名私钥SSK=(x,y),明文M和随机选择计算签名在给定的树形访问结构下计算所需上传的密文:Assume The set of all leaf nodes in it is J, signed private key SSK=(x, y), plaintext M and randomly selected Calculation signature Given a tree access structure Calculate the ciphertext you want to upload:
优选的,所述第三方运行服务端执行转化算法的步骤具体包括:Preferably, the step of the third-party running server executing the conversion algorithm specifically includes:
定义递归算法Transform(SK′,CT,n),用密文与属性集合S相关联的部分密钥SK′,中的节点n作为输入;Define the recursive algorithm Transform(SK', CT, n), using ciphertext a partial key SK' associated with the attribute set S, Node n in the input;
当节点n是叶子节点时,令i=att(n),如果i∈S,那么When node n is a leaf node, let i=att(n), if i∈S, then
当节点n是非叶子节点时,算法Transform(SK′,CT,n)工作方式如下:对于n的所有子节点u,计算Fu=Transform(SK′,CT,u),令Sn为Kn大小的满足Fu≠⊥的子节点u的集合,如果不存在这样的集合,那么这样的节点不满足,函数返回⊥,否则计算
When node n is a non-leaf node, the algorithm Transform(SK', CT, n) works as follows: For all child nodes u of n, calculate F u =Transform(SK',CT,u), let S n be K n The size of the set of child nodes u satisfying F u ,, if there is no such set, then such a node is not satisfied, the function returns ⊥, otherwise the calculation
并返回结果,其中i=index(u),Sn′={index(u),u∈Sn};And return the result, where i=index(u), S n '={index(u), u∈S n };
调用Transform(SK′,CT,R),R是树的根节点,如果树满足S且Call Transform(SK', CT, R), where R is the root node of the tree, if the tree satisfies S and
优选的,所述利用所述用户私钥对所述部分解密密文进行最终解密的步骤具体包括:Preferably, the step of performing the final decryption of the partially decrypted ciphertext by using the user private key comprises:
解密得到明文M;Decrypted to get plaintext M;
最后输入SPK,验证e(σ,gx·gM·gyθ)=e(g,g),若e(σ,gx·gM·gyθ)=e(g,g)等式成立,则说明解密正确,输出明文M;否则解密失败,输出⊥。Finally, enter SPK and verify that e(σ, g x ·g M ·g yθ )=e(g,g), if e(σ,g x ·g M ·g yθ )=e(g,g) , indicating that the decryption is correct, and the plaintext M is output; otherwise, the decryption fails, and the output is ⊥.
另一方面,本发明还提供一种面向云存储服务平台的访问控制系统,包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端以及第三方运行服务端,其中,In another aspect, the present invention further provides an access control system for a cloud storage service platform, including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third-party operation server, wherein
所述授权中心运行管理端,用于生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center runs a management end, and is configured to generate a public key, a primary private key, a signature public key, and a signature private key, and upload the public key and the signature public key to a cloud storage service platform;
所述数据属主运行客户端,用于向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belongs to the main running client, and is used to request authorization from the operation center of the authorization center and issue data upload request information;
所述授权中心运行管理端,还用于核实所述数据属主运行客户端的身份,
并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center runs a management terminal, and is further configured to verify the identity of the data owner running client,
And sending the signed private key to the data owner running client after verifying the pass;
所述数据属主运行客户端,还用于利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belongs to the main running client, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service. platform;
所述数据用户运行客户端,用于向所述授权中心运行管理端请求授权;The data user runs a client, and is used to request authorization from the operation center of the authorization center;
所述授权中心运行管理端,还用于核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center runs a management terminal, and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the pass, and the user private key is generated. And the conversion key is sent to the data user to run the client;
所述数据用户运行客户端,还用于从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user runs the client, and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
所述第三方运行服务端,用于利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server is configured to partially decrypt the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and decrypt the partial ciphertext Transmitting to the data user to run the client;
所述数据用户运行客户端,还用于利用所述用户私钥对所述部分解密密文进行最终解密。The data user runs the client, and is further configured to perform final decryption on the partially decrypted ciphertext by using the user private key.
优选的,所述云存储服务平台为阿里云OSS云存储服务平台。Preferably, the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform.
本发明提供的技术方案基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,本发明提供的技术方案由于将大部分解密运算外包给第三方,使得数据用户的解密负担明显减小,实现了用户快速解密的目的。另外,在加密阶段对明文进行加密的同时,对明文进行签名,使得数据用户可以对解密所得明文的正确性进行验证,防止了云服务端及第三方对明文或密文可能进行的篡改,提高了整个方案的安全性。The technical solution provided by the invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, thereby realizing effective privacy protection for the shared data on the cloud storage service platform and improving the cloud storage. The security of the service. At the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved. In addition, while encrypting the plaintext in the encryption phase, the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext. The security of the entire program.
图1为本发明一实施方式中面向云存储服务平台的访问控制方法流程图;1 is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention;
图2为本发明一实施方式中面向云存储服务平台的访问控制系统10的内部结构示意图。
FIG. 2 is a schematic diagram showing the internal structure of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention.
为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
为了解决现有技术存在的问题,本发明提出的面向云存储服务平台的访问控制系统及其访问控制方法基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上。In order to solve the problems existing in the prior art, the access control system and the access control method for the cloud storage service platform proposed by the present invention are based on an outsourced decryption attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform.
以下将对本发明所提供的一种面向云存储服务平台的访问控制方法进行详细说明。The access control method for the cloud storage service platform provided by the present invention will be described in detail below.
请参阅图1,为本发明一实施方式中面向云存储服务平台的访问控制方法流程图。Please refer to FIG. 1 , which is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention.
在本实施方式中,面向云存储服务平台的访问控制方法,应用于包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端、第三方运行服务端在内的面向云存储服务平台的访问控制系统。In this embodiment, the access control method for the cloud storage service platform is applied to a cloud storage service including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server. Platform access control system.
在步骤S1中,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台。In step S1, the authorization center operation management terminal generates a public key, a master private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to the cloud storage service platform.
在本实施方式中,所述云存储服务平台为阿里云OSS云存储服务平台,当然也可以是其他的云存储服务平台,在此不做限定。In this embodiment, the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform, and may be other cloud storage service platforms, which are not limited herein.
在本实施方式中,步骤S1为系统初始化的步骤,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥的步骤S1具体包括:In this embodiment, the step S1 is a step of system initialization, and the step S1 of generating the public key, the master private key, the signature public key and the signature private key by the authorization center running management terminal specifically includes:
输入安全参数λ,构造阶为素数p、生成元为g的双线性群定义双线性映射选取随机数计算公钥PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g Defining bilinear mapping Select random number The calculation public key PK and the primary private key MK are respectively:
PK=(g,h=gβ,e(g,g)α)PK=(g,h=g β ,e(g,g) α )
MSK=(β,gα)MSK=(β,g α )
然后选取计算签名公钥SPK与签名私钥SSK分别为:Then select The calculation signature public key SPK and the signature private key SSK are respectively:
SPK=(gx,gy),SSK=(x,y)。SPK = (g x , g y ), SSK = (x, y).
在步骤S2中,所述数据属主运行客户端向所述授权中心运行管理端请求授权并发出数据上传请求信息。In step S2, the data owner running client requests authorization from the authorization center operation management terminal and issues data upload request information.
在步骤S3中,所述授权中心运行管理端核实所述数据属主运行客户端的
身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端。In step S3, the authorization center operation management terminal verifies that the data belongs to the main operation client.
Identity, and after the verification is passed, the signed private key is sent to the data owner running client.
在步骤S4中,所述数据属主运行客户端利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台。In step S4, the data owner running client encrypts the plaintext by using the public key and the signature private key, generates a ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage. Service Platform.
在本实施方式中,所述利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文的步骤具体包括:In this embodiment, the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
在访问结构下加密消息M,为每个节点n选择一个多项式qn,从树的根节点R开始,自上而下选择多项式,节点n的多项式qn的度dn比该节点的门限值kn少1,即dn=kn-1;Access structure Encrypt message M, as Each node n selects a polynomial q n , starting from the root node R of the tree, selecting a polynomial from top to bottom, and the degree d n of the polynomial q n of the node n is less than the threshold k n of the node, ie d n =k n -1;
从根节点R开始选择随机数并设置qR(0)=s,随机选择多项式qR上的dR个点完全定义qR,对于其它的顶点n,令qn(0)=qparent(n)(index(n)),随机选择其它dn个顶点完全定义qn;Select random number from root node R And set q R (0)=s, randomly select d R points on the polynomial q R to completely define q R , for other vertices n, let q n (0)=q parent(n) (index(n)) , randomly select other d n vertices to completely define q n ;
设中所有叶子节点的集合为J,由签名私钥SSK=(x,y),明文M和随机选择计算签名在给定的树形访问结构下计算所需上传的密文:Assume The set of all leaf nodes in it is J, signed private key SSK=(x, y), plaintext M and randomly selected Calculation signature Given a tree access structure Calculate the ciphertext you want to upload:
在步骤S5中,所述数据用户运行客户端向所述授权中心运行管理端请求授权。In step S5, the data user running client requests authorization from the authorization center operation management terminal.
在步骤S6中,所述授权中心运行管理端核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端。In step S6, the authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the private user is private. The key and conversion key are sent to the data user to run the client.
在本实施方式中,所述结合所述主私钥生成对应的用户私钥的步骤具体包括:In this embodiment, the step of generating the corresponding user private key in combination with the primary private key specifically includes:
首先选择一个随机值然后对每个属性k∈S随机选择最后生成对应的用户私钥为:First choose a random value Then randomly select each attribute k∈S Finally, generate the corresponding user private key as:
在步骤S7中,所述数据用户运行客户端从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端。In step S7, the data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server.
在步骤S8中,所述第三方运行服务端,利用所述转化密钥并基于外包解
密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端。In step S8, the third party runs the server, utilizes the conversion key and is based on the outsourcing solution.
The conversion algorithm in the secret attribute encryption mechanism partially decrypts the shared data to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to the data user running client.
在本实施方式中,所述第三方运行服务端执行转化算法的步骤具体包括:In this implementation manner, the step of the third-party running server executing the conversion algorithm specifically includes:
定义递归算法Transform(SK′,CT,n),用密文与属性集合S相关联的部分密钥SK′,中的节点n作为输入;Define the recursive algorithm Transform(SK', CT, n), using ciphertext a partial key SK' associated with the attribute set S, Node n in the input;
当节点n是叶子节点时,令i=att(n),如果i∈S,那么When node n is a leaf node, let i=att(n), if i∈S, then
当节点n是非叶子节点时,算法Transform(SK′,CT,n)工作方式如下:对于n的所有子节点u,计算Fu=Transform(SK′,CT,u),令Sn为Kn大小的满足Fu≠⊥的子节点u的集合,如果不存在这样的集合,那么这样的节点不满足,函数返回⊥,否则计算When node n is a non-leaf node, the algorithm Transform(SK', CT, n) works as follows: For all child nodes u of n, calculate F u =Transform(SK',CT,u), let S n be K n The size of the set of child nodes u satisfying F u ,, if there is no such set, then such a node is not satisfied, the function returns ⊥, otherwise the calculation
并返回结果,其中i=index(u),Sn′={index(u),u∈Sn};And return the result, where i=index(u), S n '={index(u), u∈S n };
调用Transform(SK′,CT,R),R是树的根节点,如果树满足S且Call Transform(SK', CT, R), where R is the root node of the tree, if the tree satisfies S and
在步骤S9中,所述数据用户运行客户端利用所述用户私钥对所述部分解密密文进行最终解密。In step S9, the data user running client performs final decryption on the partially decrypted ciphertext by using the user private key.
在本实施方式中,所述利用所述用户私钥对所述部分解密密文进行最终解密的步骤具体包括:In this embodiment, the step of performing final decryption on the partially decrypted ciphertext by using the user private key includes:
解密得到明文M;Decrypted to get plaintext M;
最后输入SPK,验证e(σ,gx·gM·gyθ)=e(g,g),若e(σ,gx·gM·gyθ)=e(g,g)等式成立,则说明解密正确,输出明文M;否则解密失败,输出⊥。Finally, enter SPK and verify that e(σ, g x ·g M ·g yθ )=e(g,g), if e(σ,g x ·g M ·g yθ )=e(g,g) , indicating that the decryption is correct, and the plaintext M is output; otherwise, the decryption fails, and the output is ⊥.
本发明提供的一种面向云存储服务平台的访问控制方法,基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,本发明提供的技术方案由于将大部分解密运算外包给第三方,使得数据用户的解密负担明显减小,实现了用户快速解密的目的。另外,在加密阶段对明文进行加密的同时,对明文进行签名,使得数据用户可以对解密所得明文的正确性进行验证,防止了云服务端及第三方对明文或密文可能进行的篡改,提高了整个方案的安全性。The access control method for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share the data on the cloud storage service platform. Achieve effective privacy protection and improve the security of cloud storage services. At the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved. In addition, while encrypting the plaintext in the encryption phase, the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext. The security of the entire program.
请参阅图2,所示为本发明一实施方式中面向云存储服务平台的访问控制系统10的结构示意图。在本实施方式中,面向云存储服务平台的访问控制系统10与云存储服务平台通信连接,主要包括授权中心运行管理端11、数据属主运行客户端12、第三方运行服务端13以及数据用户运行客户端14。Referring to FIG. 2, a schematic structural diagram of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention is shown. In this embodiment, the access control system 10 for the cloud storage service platform is in communication with the cloud storage service platform, and mainly includes an authorization center operation management terminal 11, a data owner operation client terminal 12, a third party operation server terminal 13, and a data user. Run client 14.
授权中心运行管理端11,用于生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center runs the management terminal 11 for generating a public key, a primary private key, a signature public key, and a signature private key, and uploading the public key and the signature public key to the cloud storage service platform;
数据属主运行客户端12,用于向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belonging to the main running client 12 is configured to request authorization from the authorization center operation management terminal and issue data upload request information;
授权中心运行管理端11,还用于核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal 11 is further configured to verify the identity of the data owner running client, and send the signature private key to the data owner running client after verifying the pass;
数据属主运行客户端12,还用于利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belongs to the main running client 12, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service platform. ;
数据用户运行客户端14,用于向所述授权中心运行管理端请求授权;
The data user runs the client 14 for requesting authorization from the authorization center running management terminal;
授权中心运行管理端11,还用于核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center runs the management terminal 11 and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the verification, and the user private key is Translating a secret key to the data user to run the client;
数据用户运行客户端14,还用于从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user runs the client 14 and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
第三方运行服务端13,用于利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server 13 is configured to perform partial decryption on the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmit the partially decrypted ciphertext Running the client to the data user;
数据用户运行客户端14,还用于利用所述用户私钥对所述部分解密密文进行最终解密。The data user runs the client 14 and is further configured to perform final decryption of the partially decrypted ciphertext by using the user private key.
在本实施方式中,所述云存储服务平台为阿里云OSS云存储服务平台。In this embodiment, the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform.
本发明提供的一种面向云存储服务平台的访问控制系统10,基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,本发明提供的技术方案由于将大部分解密运算外包给第三方,使得数据用户的解密负担明显减小,实现了用户快速解密的目的。另外,在加密阶段对明文进行加密的同时,对明文进行签名,使得数据用户可以对解密所得明文的正确性进行验证,防止了云服务端及第三方对明文或密文可能进行的篡改,提高了整个方案的安全性。The access control system 10 for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share on the cloud storage service platform. Data achieves effective privacy protection and improves the security of cloud storage services. At the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved. In addition, while encrypting the plaintext in the encryption phase, the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext. The security of the entire program.
以下对上述面向云存储服务平台的访问控制方法及其系统的安全性进行分析:The following is an analysis of the above-mentioned access control method for the cloud storage service platform and the security of the system:
本发明所提方案不仅可以保证数据机密性,还可以抵抗共谋攻击。The proposed scheme can not only guarantee data confidentiality, but also resist collusion attacks.
分析:关于数据的机密性,本外包解密CP-ABE方案可以成功阻止非授权用户和半可信第三方获取加密的数据信息。一方面,若用户所拥有的属性集合与密文相关的访问控制策略不能够匹配的时候,那么该用户不能够获得e(g,g)αs,这里α是每个用户所独有的随机数,任何两个用户的这个值都是不同的。因此,非授权用户就不能够解密密文。另一方面,半可信第三方有可能引起另外一种攻击。当用户的属性能够满足密文中所嵌入的的访问策略时,被委托的第三方就可以利用转化密钥得到中间结果T0=M·e(g,g)αs和T1=e(g,g)rs。因此,无论是
非授权用户,还是被委托第三方都没有足够的信息来解密密文。Analysis: Regarding the confidentiality of data, this outsourced decryption CP-ABE scheme can successfully prevent unauthorized users and semi-trusted third parties from obtaining encrypted data information. On the one hand, if the attribute set owned by the user cannot match the ciphertext-related access control policy, then the user cannot obtain e(g, g) αs , where α is a random number unique to each user. This value is different for any two users. Therefore, an unauthorized user cannot decrypt the ciphertext. On the other hand, semi-trusted third parties may cause another type of attack. When the user's attributes can satisfy the access policy embedded in the ciphertext, the delegated third party can use the conversion key to get the intermediate result T 0 =M·e(g,g) αs and T 1 =e(g, g) rs . Therefore, neither the unauthorized user nor the trusted third party has enough information to decrypt the ciphertext.
另外,本外包解密CP-ABE方案能够抵抗用户之间的共谋攻击。与原始的CP-ABE方案相同,在所提出的方案中,秘密共享值s是隐藏在密文中的,而不是在用户的密钥中。要想解密密文,共谋攻击者就必须恢复e(g,g)αs。为了获得e(g,g)αs,共谋攻击者需要获得共谋攻击者需要执行与此相关的双线性对操作,也就是来自密文的Cx和来自其它共谋者的Dx。但是,因为每个用户的密钥都是由随机数r计算并产生的。因此,虽然共谋攻击者都是合法授权用户,但是他们不能恢复e(g,g)rs,就不能进一步恢复e(g,g)αs。所以,所有共谋者即使共享其密钥,也不能彼此联合恢复e(g,g)αs。In addition, this outsourced decryption CP-ABE solution is able to resist collusion attacks between users. As in the original CP-ABE scheme, in the proposed scheme, the secret shared value s is hidden in the ciphertext, not in the user's key. In order to decrypt the ciphertext, the attacker must recover e(g,g) αs . In order to obtain e(g,g) αs , the collusion attacker needs to obtain Collusion attack is associated with this need to perform the operation of bilinear, i.e. from ciphertext C x D x and from other colluder. However, because each user's key is calculated and generated by the random number r. Therefore, although the collusion attackers are legally authorized users, they cannot recover e(g,g) rs and cannot further recover e(g,g) αs . Therefore, all colluders cannot jointly recover e(g,g) αs even if they share their keys.
另外,本领域普通技术人员可以理解实现上述各实施例方法中的全部或部分步骤是可以通过程序来指令相关的硬件来完成,相应的程序可以存储于一计算机可读取存储介质中,所述的存储介质,如ROM/RAM、磁盘或光盘等。In addition, those skilled in the art can understand that all or part of the steps of implementing the above embodiments may be completed by a program to instruct related hardware, and the corresponding program may be stored in a computer readable storage medium. Storage medium, such as ROM/RAM, disk or CD.
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。
The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. Within the scope.
Claims (8)
- 一种面向云存储服务平台的访问控制方法,应用于包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端、第三方运行服务端在内的面向云存储服务平台的访问控制系统,其特征在于,所述方法包括:An access control method for a cloud storage service platform, which is applied to an access control system for a cloud storage service platform including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server. A system, the method comprising:所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center operation management end generates a public key, a primary private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to a cloud storage service platform;所述数据属主运行客户端向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belonging to the main running client requests authorization from the authorization center operation management terminal and issues data upload request information;所述授权中心运行管理端核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal verifies the identity of the data owner running client, and sends the signature private key to the data owner running client after verifying the pass;所述数据属主运行客户端利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belonging to the main running client encrypts the plaintext by using the public key and the signature private key, generates the ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage service platform;所述数据用户运行客户端向所述授权中心运行管理端请求授权;The data user running client requests authorization from the authorization center operation management terminal;所述授权中心运行管理端核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the user private key and the conversion key. Sending to the data user to run the client;所述数据用户运行客户端从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server;所述第三方运行服务端,利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server uses the conversion key and partially decrypts the shared data based on a conversion algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to The data user runs a client;所述数据用户运行客户端利用所述用户私钥对所述部分解密密文进行最终解密。The data user running client uses the user private key to perform final decryption on the partially decrypted ciphertext.
- 如权利要求1所述的面向云存储服务平台的访问控制方法,其特征在于,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥的步骤具体包括:The access control method for the cloud storage service platform according to claim 1, wherein the step of the authorization center running the management terminal to generate the public key, the primary private key, the signature public key, and the signature private key comprises:输入安全参数λ,构造阶为素数p、生成元为g的双线性群定义双线性映射选取随机数计算公钥PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g Defining bilinear mapping Select random number The calculation public key PK and the primary private key MK are respectively:PK=(g,h=gβ,e(g,g)α) PK=(g,h=g β ,e(g,g) α )MSK=(β,gα)MSK=(β,g α )然后选取计算签名公钥SPK与签名私钥SSK分别为:Then select The calculation signature public key SPK and the signature private key SSK are respectively:SPK=(gx,gy),SSK=(x,y)。SPK = (g x , g y ), SSK = (x, y).
- 如权利要求2所述的面向云存储服务平台的访问控制方法,其特征在于,所述结合所述主私钥生成对应的用户私钥的步骤具体包括:The access control method for the cloud storage service platform according to claim 2, wherein the step of generating the corresponding user private key in combination with the primary private key comprises:首先选择一个随机值然后对每个属性k∈S随机选择最后生成对应的用户私钥为:First choose a random value Then randomly select each attribute k∈S Finally, generate the corresponding user private key as:
- 如权利要求3所述的面向云存储服务平台的访问控制方法,其特征在于,所述利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文的步骤具体包括:The access control method for the cloud storage service platform according to claim 3, wherein the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes :在访问结构下加密消息M,为每个节点n选择一个多项式qn,从树的根节点R开始,自上而下选择多项式,节点n的多项式qn的度dn比该节点的门限值kn少1,即dn=kn-1;Access structure Encrypt message M, as Each node n selects a polynomial q n , starting from the root node R of the tree, selecting a polynomial from top to bottom, and the degree d n of the polynomial q n of the node n is less than the threshold k n of the node, ie d n =k n -1;从根节点R开始选择随机数并设置qR(0)=s,随机选择多项式qR上的dR个点完全定义qR,对于其它的顶点n,令qn(0)=qparent(n)(index(n)),随机选择其它dn个顶点完全定义qn;Select random number from root node R And set q R (0)=s, randomly select d R points on the polynomial q R to completely define q R , for other vertices n, let q n (0)=q parent(n) (index(n)) , randomly select other d n vertices to completely define q n ;设中所有叶子节点的集合为J,由签名私钥SSK=(x,y),明文M和随机选择计算签名在给定的树形访问结构下计算所需上传的密文:Assume The set of all leaf nodes in it is J, signed private key SSK=(x, y), plaintext M and randomly selected Calculation signature Given a tree access structure Calculate the ciphertext you want to upload:
- 如权利要求4所述的面向云存储服务平台的访问控制方法,其特征在于,所述第三方运行服务端执行转化算法的步骤具体包括:The access control method for the cloud storage service platform according to claim 4, wherein the step of the third party running server executing the conversion algorithm specifically includes:定义递归算法Transform(SK′,CT,n),用密文与属性集合S相关联的部分密钥SK′,中的节点n作为输入;Define the recursive algorithm Transform(SK', CT, n), using ciphertext a partial key SK' associated with the attribute set S, Node n in the input;当节点n是叶子节点时,令i=att(n),如果i∈S,那么 When node n is a leaf node, let i=att(n), if i∈S, then当节点n是非叶子节点时,算法Transform(SK′,CT,n)工作方式如下:对于n的所有子节点u,计算Fu=Transform(SK′,CT,u),令Sn为Kn大小的满足Fu≠⊥的子节点u的集合,如果不存在这样的集合,那么这样的节点不满足,函数返回⊥,否则计算When node n is a non-leaf node, the algorithm Transform(SK', CT, n) works as follows: For all child nodes u of n, calculate F u =Transform(SK',CT,u), let S n be K n The size of the set of child nodes u satisfying F u ,, if there is no such set, then such a node is not satisfied, the function returns ⊥, otherwise the calculation并返回结果,其中i=index(u),Sn′={index(u),u∈Sn};And return the result, where i=index(u), S n '={index(u), u∈S n };调用Transform(SK′,CT,R),R是树的根节点,如果树满足S且Call Transform(SK', CT, R), where R is the root node of the tree, if the tree satisfies S and
- 如权利要求5所述的面向云存储服务平台的访问控制方法,其特征在于,所述利用所述用户私钥对所述部分解密密文进行最终解密的步骤具体包括:The access control method for the cloud storage service platform according to claim 5, wherein the step of performing final decryption on the partially decrypted ciphertext by using the user private key comprises:解密得到明文M;Decrypted to get plaintext M;最后输入SPK,验证e(σ,gx·gM·gyθ)=e(g,g),若e(σ,gx·gM·gyθ)=e(g,g)等式成立,则说明解密正确,输出明文M;否则解密失败,输出⊥。Finally, enter SPK and verify that e(σ, g x ·g M ·g yθ )=e(g,g), if e(σ,g x ·g M ·g yθ )=e(g,g) , indicating that the decryption is correct, and the plaintext M is output; otherwise, the decryption fails, and the output is ⊥.
- 一种面向云存储服务平台的访问控制系统,其特征在于,所述系统包括 授权中心运行管理端、数据属主运行客户端、数据用户运行客户端以及第三方运行服务端,其中,An access control system for a cloud storage service platform, characterized in that the system comprises The authorization center runs the management terminal, the data owner runs the client, the data user runs the client, and the third party runs the server, where所述授权中心运行管理端,用于生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center runs a management end, and is configured to generate a public key, a primary private key, a signature public key, and a signature private key, and upload the public key and the signature public key to a cloud storage service platform;所述数据属主运行客户端,用于向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belongs to the main running client, and is used to request authorization from the operation center of the authorization center and issue data upload request information;所述授权中心运行管理端,还用于核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal is further configured to verify the identity of the data owner running client, and send the signature private key to the data owner running client after verifying the pass;所述数据属主运行客户端,还用于利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belongs to the main running client, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service. platform;所述数据用户运行客户端,用于向所述授权中心运行管理端请求授权;The data user runs a client, and is used to request authorization from the operation center of the authorization center;所述授权中心运行管理端,还用于核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center runs a management terminal, and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the pass, and the user private key is generated. And the conversion key is sent to the data user to run the client;所述数据用户运行客户端,还用于从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user runs the client, and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;所述第三方运行服务端,用于利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server is configured to partially decrypt the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and decrypt the partial ciphertext Transmitting to the data user to run the client;所述数据用户运行客户端,还用于利用所述用户私钥对所述部分解密密文进行最终解密。The data user runs the client, and is further configured to perform final decryption on the partially decrypted ciphertext by using the user private key.
- 如权利要求7所述的面向云存储服务平台的访问控制系统,其特征在于,所述云存储服务平台为阿里云OSS云存储服务平台。 The access control system for a cloud storage service platform according to claim 7, wherein the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/098600 WO2018045568A1 (en) | 2016-09-09 | 2016-09-09 | Access control method oriented to cloud storage service platform and system thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/098600 WO2018045568A1 (en) | 2016-09-09 | 2016-09-09 | Access control method oriented to cloud storage service platform and system thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018045568A1 true WO2018045568A1 (en) | 2018-03-15 |
Family
ID=61562411
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/098600 WO2018045568A1 (en) | 2016-09-09 | 2016-09-09 | Access control method oriented to cloud storage service platform and system thereof |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018045568A1 (en) |
Cited By (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108600174A (en) * | 2018-03-26 | 2018-09-28 | 西安交通大学 | A kind of access control mechanisms and its implementation of big merger network |
CN108647525A (en) * | 2018-05-09 | 2018-10-12 | 西安电子科技大学 | The secret protection single layer perceptron batch training method that can verify that |
CN110008717A (en) * | 2019-02-26 | 2019-07-12 | 东北大学 | Support the decision tree classification service system and method for secret protection |
CN110309663A (en) * | 2019-06-25 | 2019-10-08 | 湖南搜云网络科技股份有限公司 | Privacy authenticating method and system based on block chain |
CN110460604A (en) * | 2019-08-15 | 2019-11-15 | 广东工业大学 | A kind of encryption of cloud storage, decryption and verification method and system |
CN110489947A (en) * | 2019-07-05 | 2019-11-22 | 北京中电飞华通信股份有限公司 | A kind of safety office managing and control system |
CN110781524A (en) * | 2019-10-29 | 2020-02-11 | 陕西师范大学 | Integrity verification method for data in hybrid cloud storage |
CN111552979A (en) * | 2020-04-21 | 2020-08-18 | 东南大学 | Non-interactive lightweight privacy protection auditing method for image |
CN111598701A (en) * | 2020-05-22 | 2020-08-28 | 深圳市网心科技有限公司 | Information monitoring method, system, equipment and storage medium |
CN111641943A (en) * | 2020-05-19 | 2020-09-08 | 南京信息工程大学 | Real-time safety data aggregation and recovery method based on vehicle cloud |
CN111861467A (en) * | 2020-07-23 | 2020-10-30 | 浙江永旗区块链科技有限公司 | Supply chain financial transaction privacy protection method and system |
CN111860708A (en) * | 2020-06-21 | 2020-10-30 | 深圳华物信联科技有限公司 | System and method for commodity management |
CN111967514A (en) * | 2020-08-14 | 2020-11-20 | 安徽大学 | Data packaging-based sample classification method for privacy protection decision tree |
CN111988138A (en) * | 2020-08-13 | 2020-11-24 | 潘显富 | Information encryption system based on education cloud |
CN112069513A (en) * | 2020-08-12 | 2020-12-11 | 福建师范大学 | Encryption method and system capable of sharing decryption |
CN112187798A (en) * | 2020-09-28 | 2021-01-05 | 安徽大学 | Bidirectional access control method and system applied to cloud-side data sharing |
CN112235113A (en) * | 2020-07-15 | 2021-01-15 | 秦绪祥 | Wisdom community endowment service platform |
CN112491904A (en) * | 2020-12-01 | 2021-03-12 | 德州职业技术学院(德州市技师学院) | Big data privacy protection sharing method and system |
CN112883399A (en) * | 2021-03-11 | 2021-06-01 | 郑州信大捷安信息技术股份有限公司 | Method and system for realizing secure sharing of encrypted file |
CN112925850A (en) * | 2021-02-25 | 2021-06-08 | 京信数据科技有限公司 | Block chain data encryption uplink method, uplink sharing method and device |
CN112991136A (en) * | 2021-03-26 | 2021-06-18 | 中国科学技术大学 | Secure plaintext image cloud storage and processing method based on watermark |
CN113094750A (en) * | 2021-04-20 | 2021-07-09 | 西安交通大学 | Block chain-based compression and privacy industrial data sharing implementation method |
CN113360944A (en) * | 2021-06-25 | 2021-09-07 | 华北电力大学 | Dynamic access control system and method for power internet of things |
CN113612750A (en) * | 2021-07-27 | 2021-11-05 | 长安大学 | User identity privacy protection method facing mobile crowd sensing network |
CN113660197A (en) * | 2021-07-02 | 2021-11-16 | 西安电子科技大学广州研究院 | Obfuscated data aggregation privacy protection method, system, device, medium and terminal |
CN114024686A (en) * | 2021-11-03 | 2022-02-08 | 北京邮电大学 | Intelligent community Internet of things information sharing model based on block chain |
CN114039737A (en) * | 2020-07-20 | 2022-02-11 | 中国科学院信息工程研究所 | Attribute-based shared data storage and access method and system for resisting selected plaintext attack |
CN114124392A (en) * | 2021-11-01 | 2022-03-01 | 广州大学 | Data controlled circulation method, system, device and medium supporting access control |
CN114172710A (en) * | 2021-12-01 | 2022-03-11 | 深圳市电子商务安全证书管理有限公司 | Data decryption method, device, equipment and storage medium |
CN114189340A (en) * | 2021-12-09 | 2022-03-15 | 电子科技大学 | Attribute-based signature method based on prime order group |
CN114338025A (en) * | 2021-06-23 | 2022-04-12 | 河南科技大学 | Ciphertext equivalence testing method in cloud environment |
CN114726530A (en) * | 2022-04-19 | 2022-07-08 | 电子科技大学 | Intelligent vehicle networking heterogeneous signcryption method based on identity and public key in cloud edge fusion environment |
CN114785610A (en) * | 2022-05-10 | 2022-07-22 | 广东南华工商职业学院 | Data security transmission system based on cloud computing |
CN114826759A (en) * | 2022-05-11 | 2022-07-29 | 贵州大学 | Verifiable fine-grained access control inner product function encryption method |
CN114884982A (en) * | 2022-03-28 | 2022-08-09 | 江苏徐工工程机械研究院有限公司 | Multi-mine user online management method and system based on cloud service |
CN115001744A (en) * | 2022-04-27 | 2022-09-02 | 中国科学院信息工程研究所 | Cloud platform data integrity verification method and system |
CN115086356A (en) * | 2022-06-14 | 2022-09-20 | 北京大学深圳研究生院 | Cloud data management method based on competition management platform |
CN115150142A (en) * | 2022-06-24 | 2022-10-04 | 深圳市北科瑞声科技股份有限公司 | Data access processing method, system, equipment and storage medium |
CN115150183A (en) * | 2022-07-25 | 2022-10-04 | 黄涌瀚 | Multivariable public key communication information transmission method based on cloud computing and cloud storage |
CN115225669A (en) * | 2022-07-14 | 2022-10-21 | 山东大学 | Distributed private data processing system and method |
CN115396689A (en) * | 2022-08-24 | 2022-11-25 | 珠海安士佳电子有限公司 | Intelligent cloud video transmission and storage method and system |
CN115473699A (en) * | 2022-08-22 | 2022-12-13 | 湖北工业大学 | Privacy protection pairing T inspection method and device based on distribution |
CN115550605A (en) * | 2022-08-19 | 2022-12-30 | 南京邮电大学 | Fault detection method of power grid multimedia dispatching system and automatic detection equipment thereof |
CN115714669A (en) * | 2022-10-20 | 2023-02-24 | 云南师范大学 | Private data cross-domain sharing method based on PURH-CP-ABE under block chain |
CN115955489A (en) * | 2023-03-15 | 2023-04-11 | 中国民航大学 | Cloud storage-oriented onboard software possession proving method |
CN116405320A (en) * | 2023-05-31 | 2023-07-07 | 北京电科智芯科技有限公司 | Data transmission method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102769620A (en) * | 2012-07-19 | 2012-11-07 | 广州大学 | Safely outsourced attribute-based encryption method |
CN104022868A (en) * | 2014-02-18 | 2014-09-03 | 杭州师范大学 | Outsourcing decryption method of attribute-based encryption based on ciphertext policy |
CN104486315A (en) * | 2014-12-08 | 2015-04-01 | 北京航空航天大学 | Revocable key external package decryption method based on content attributes |
-
2016
- 2016-09-09 WO PCT/CN2016/098600 patent/WO2018045568A1/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102769620A (en) * | 2012-07-19 | 2012-11-07 | 广州大学 | Safely outsourced attribute-based encryption method |
CN104022868A (en) * | 2014-02-18 | 2014-09-03 | 杭州师范大学 | Outsourcing decryption method of attribute-based encryption based on ciphertext policy |
CN104486315A (en) * | 2014-12-08 | 2015-04-01 | 北京航空航天大学 | Revocable key external package decryption method based on content attributes |
Non-Patent Citations (1)
Title |
---|
DING, XIAOHONG ET AL.: "Attribute-based Encryption Scheme with Outsourcing Decryption Method", COMPUTER SCIENCE, vol. 43, no. 6A, 30 June 2016 (2016-06-30) * |
Cited By (77)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108600174A (en) * | 2018-03-26 | 2018-09-28 | 西安交通大学 | A kind of access control mechanisms and its implementation of big merger network |
CN108600174B (en) * | 2018-03-26 | 2020-07-28 | 西安交通大学 | Access control mechanism of large cooperative network and implementation method thereof |
CN108647525A (en) * | 2018-05-09 | 2018-10-12 | 西安电子科技大学 | The secret protection single layer perceptron batch training method that can verify that |
CN108647525B (en) * | 2018-05-09 | 2022-02-01 | 西安电子科技大学 | Verifiable privacy protection single-layer perceptron batch training method |
CN110008717A (en) * | 2019-02-26 | 2019-07-12 | 东北大学 | Support the decision tree classification service system and method for secret protection |
CN110008717B (en) * | 2019-02-26 | 2023-04-11 | 东北大学 | Decision tree classification service system and method supporting privacy protection |
CN110309663B (en) * | 2019-06-25 | 2023-03-03 | 湖南搜云网络科技股份有限公司 | Privacy authentication method and system based on block chain |
CN110309663A (en) * | 2019-06-25 | 2019-10-08 | 湖南搜云网络科技股份有限公司 | Privacy authenticating method and system based on block chain |
CN110489947A (en) * | 2019-07-05 | 2019-11-22 | 北京中电飞华通信股份有限公司 | A kind of safety office managing and control system |
CN110489947B (en) * | 2019-07-05 | 2022-07-15 | 北京中电飞华通信股份有限公司 | Safe office management and control system |
CN110460604A (en) * | 2019-08-15 | 2019-11-15 | 广东工业大学 | A kind of encryption of cloud storage, decryption and verification method and system |
CN110781524A (en) * | 2019-10-29 | 2020-02-11 | 陕西师范大学 | Integrity verification method for data in hybrid cloud storage |
CN110781524B (en) * | 2019-10-29 | 2023-05-05 | 陕西师范大学 | Integrity verification method for data in hybrid cloud storage |
CN111552979B (en) * | 2020-04-21 | 2022-11-15 | 东南大学 | Non-interactive lightweight privacy protection auditing method for image |
CN111552979A (en) * | 2020-04-21 | 2020-08-18 | 东南大学 | Non-interactive lightweight privacy protection auditing method for image |
CN111641943A (en) * | 2020-05-19 | 2020-09-08 | 南京信息工程大学 | Real-time safety data aggregation and recovery method based on vehicle cloud |
CN111598701A (en) * | 2020-05-22 | 2020-08-28 | 深圳市网心科技有限公司 | Information monitoring method, system, equipment and storage medium |
CN111598701B (en) * | 2020-05-22 | 2023-09-19 | 深圳市迅雷网络技术有限公司 | Information monitoring method, system, equipment and storage medium |
CN111860708A (en) * | 2020-06-21 | 2020-10-30 | 深圳华物信联科技有限公司 | System and method for commodity management |
CN111860708B (en) * | 2020-06-21 | 2023-09-22 | 深圳盈达信息科技有限公司 | Commodity management system and commodity management method |
CN112235113A (en) * | 2020-07-15 | 2021-01-15 | 秦绪祥 | Wisdom community endowment service platform |
CN114039737B (en) * | 2020-07-20 | 2023-08-08 | 中国科学院信息工程研究所 | Attribute-based shared data storage and access method and system for resisting selective plaintext attack |
CN114039737A (en) * | 2020-07-20 | 2022-02-11 | 中国科学院信息工程研究所 | Attribute-based shared data storage and access method and system for resisting selected plaintext attack |
CN111861467A (en) * | 2020-07-23 | 2020-10-30 | 浙江永旗区块链科技有限公司 | Supply chain financial transaction privacy protection method and system |
CN112069513A (en) * | 2020-08-12 | 2020-12-11 | 福建师范大学 | Encryption method and system capable of sharing decryption |
CN112069513B (en) * | 2020-08-12 | 2022-09-27 | 福建师范大学 | Encryption method and system capable of sharing decryption |
CN111988138B (en) * | 2020-08-13 | 2023-09-22 | 广东介诚信息服务有限公司 | Information encryption system based on education cloud |
CN111988138A (en) * | 2020-08-13 | 2020-11-24 | 潘显富 | Information encryption system based on education cloud |
CN111967514B (en) * | 2020-08-14 | 2023-11-17 | 安徽大学 | Sample classification method of privacy protection decision tree based on data packaging |
CN111967514A (en) * | 2020-08-14 | 2020-11-20 | 安徽大学 | Data packaging-based sample classification method for privacy protection decision tree |
CN112187798A (en) * | 2020-09-28 | 2021-01-05 | 安徽大学 | Bidirectional access control method and system applied to cloud-side data sharing |
CN112491904B (en) * | 2020-12-01 | 2022-05-20 | 德州职业技术学院(德州市技师学院) | Big data privacy protection sharing method and system |
CN112491904A (en) * | 2020-12-01 | 2021-03-12 | 德州职业技术学院(德州市技师学院) | Big data privacy protection sharing method and system |
CN112925850A (en) * | 2021-02-25 | 2021-06-08 | 京信数据科技有限公司 | Block chain data encryption uplink method, uplink sharing method and device |
CN112883399B (en) * | 2021-03-11 | 2022-03-25 | 郑州信大捷安信息技术股份有限公司 | Method and system for realizing secure sharing of encrypted file |
CN112883399A (en) * | 2021-03-11 | 2021-06-01 | 郑州信大捷安信息技术股份有限公司 | Method and system for realizing secure sharing of encrypted file |
CN112991136A (en) * | 2021-03-26 | 2021-06-18 | 中国科学技术大学 | Secure plaintext image cloud storage and processing method based on watermark |
CN113094750B (en) * | 2021-04-20 | 2024-02-09 | 西安交通大学 | Implementation method for compressing and sharing privacy industrial data based on block chain |
CN113094750A (en) * | 2021-04-20 | 2021-07-09 | 西安交通大学 | Block chain-based compression and privacy industrial data sharing implementation method |
CN114338025A (en) * | 2021-06-23 | 2022-04-12 | 河南科技大学 | Ciphertext equivalence testing method in cloud environment |
CN113360944B (en) * | 2021-06-25 | 2024-03-22 | 华北电力大学 | Dynamic access control system and method for electric power Internet of things |
CN113360944A (en) * | 2021-06-25 | 2021-09-07 | 华北电力大学 | Dynamic access control system and method for power internet of things |
CN113660197B (en) * | 2021-07-02 | 2022-11-22 | 西安电子科技大学广州研究院 | Obfuscated data aggregation privacy protection method, system, device, medium and terminal |
CN113660197A (en) * | 2021-07-02 | 2021-11-16 | 西安电子科技大学广州研究院 | Obfuscated data aggregation privacy protection method, system, device, medium and terminal |
CN113612750A (en) * | 2021-07-27 | 2021-11-05 | 长安大学 | User identity privacy protection method facing mobile crowd sensing network |
CN114124392A (en) * | 2021-11-01 | 2022-03-01 | 广州大学 | Data controlled circulation method, system, device and medium supporting access control |
CN114124392B (en) * | 2021-11-01 | 2022-09-06 | 广州大学 | Data controlled circulation method, system, device and medium supporting access control |
CN114024686A (en) * | 2021-11-03 | 2022-02-08 | 北京邮电大学 | Intelligent community Internet of things information sharing model based on block chain |
CN114024686B (en) * | 2021-11-03 | 2023-09-26 | 北京邮电大学 | Intelligent community Internet of things information sharing model based on block chain |
CN114172710A (en) * | 2021-12-01 | 2022-03-11 | 深圳市电子商务安全证书管理有限公司 | Data decryption method, device, equipment and storage medium |
CN114172710B (en) * | 2021-12-01 | 2024-01-30 | 深圳市电子商务安全证书管理有限公司 | Data decryption method, device, equipment and storage medium |
CN114189340B (en) * | 2021-12-09 | 2023-05-23 | 电子科技大学 | Attribute-based signature method based on prime order group |
CN114189340A (en) * | 2021-12-09 | 2022-03-15 | 电子科技大学 | Attribute-based signature method based on prime order group |
CN114884982B (en) * | 2022-03-28 | 2023-11-07 | 江苏徐工工程机械研究院有限公司 | Multi-mine user online management method and system based on cloud service |
CN114884982A (en) * | 2022-03-28 | 2022-08-09 | 江苏徐工工程机械研究院有限公司 | Multi-mine user online management method and system based on cloud service |
CN114726530A (en) * | 2022-04-19 | 2022-07-08 | 电子科技大学 | Intelligent vehicle networking heterogeneous signcryption method based on identity and public key in cloud edge fusion environment |
CN115001744A (en) * | 2022-04-27 | 2022-09-02 | 中国科学院信息工程研究所 | Cloud platform data integrity verification method and system |
CN115001744B (en) * | 2022-04-27 | 2023-08-29 | 中国科学院信息工程研究所 | Cloud platform data integrity verification method and system |
CN114785610A (en) * | 2022-05-10 | 2022-07-22 | 广东南华工商职业学院 | Data security transmission system based on cloud computing |
CN114785610B (en) * | 2022-05-10 | 2023-01-10 | 深圳市聚迅科技有限公司 | Data security transmission system based on cloud computing |
CN114826759A (en) * | 2022-05-11 | 2022-07-29 | 贵州大学 | Verifiable fine-grained access control inner product function encryption method |
CN114826759B (en) * | 2022-05-11 | 2023-10-03 | 贵州大学 | Verifiable fine grain access control inner product function encryption method |
CN115086356A (en) * | 2022-06-14 | 2022-09-20 | 北京大学深圳研究生院 | Cloud data management method based on competition management platform |
CN115150142A (en) * | 2022-06-24 | 2022-10-04 | 深圳市北科瑞声科技股份有限公司 | Data access processing method, system, equipment and storage medium |
CN115225669B (en) * | 2022-07-14 | 2024-04-05 | 山东大学 | Distributed privacy data processing system and method |
CN115225669A (en) * | 2022-07-14 | 2022-10-21 | 山东大学 | Distributed private data processing system and method |
CN115150183A (en) * | 2022-07-25 | 2022-10-04 | 黄涌瀚 | Multivariable public key communication information transmission method based on cloud computing and cloud storage |
CN115550605A (en) * | 2022-08-19 | 2022-12-30 | 南京邮电大学 | Fault detection method of power grid multimedia dispatching system and automatic detection equipment thereof |
CN115473699A (en) * | 2022-08-22 | 2022-12-13 | 湖北工业大学 | Privacy protection pairing T inspection method and device based on distribution |
CN115473699B (en) * | 2022-08-22 | 2024-04-30 | 湖北工业大学 | Distributed privacy protection pairing T-test method and device |
CN115396689A (en) * | 2022-08-24 | 2022-11-25 | 珠海安士佳电子有限公司 | Intelligent cloud video transmission and storage method and system |
CN115396689B (en) * | 2022-08-24 | 2023-06-30 | 珠海安士佳电子有限公司 | Intelligent cloud video transmission and storage method and system |
CN115714669A (en) * | 2022-10-20 | 2023-02-24 | 云南师范大学 | Private data cross-domain sharing method based on PURH-CP-ABE under block chain |
CN115714669B (en) * | 2022-10-20 | 2024-02-06 | 云南师范大学 | Private data cross-domain sharing method based on PURH-CP-ABE under blockchain |
CN115955489A (en) * | 2023-03-15 | 2023-04-11 | 中国民航大学 | Cloud storage-oriented onboard software possession proving method |
CN116405320B (en) * | 2023-05-31 | 2023-08-22 | 北京电科智芯科技有限公司 | Data transmission method and device |
CN116405320A (en) * | 2023-05-31 | 2023-07-07 | 北京电科智芯科技有限公司 | Data transmission method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018045568A1 (en) | Access control method oriented to cloud storage service platform and system thereof | |
JP6941146B2 (en) | Data security service | |
CN111130757B (en) | Multi-cloud CP-ABE access control method based on block chain | |
Michalas | The lord of the shares: Combining attribute-based encryption and searchable encryption for flexible data sharing | |
Sanka et al. | Secure data access in cloud computing | |
WO2016197770A1 (en) | Access control system and access control method thereof for cloud storage service platform | |
US9646168B2 (en) | Data access control method in cloud | |
Yu et al. | A view about cloud data security from data life cycle | |
WO2016197680A1 (en) | Access control system for cloud storage service platform and access control method therefor | |
KR20200126321A (en) | How to securely execute smart contract actions in a trusted execution environment | |
JP6678457B2 (en) | Data security services | |
WO2016106752A1 (en) | Shared data access control method, device and system | |
US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
Saroj et al. | Threshold cryptography based data security in cloud computing | |
Nirmala et al. | Data confidentiality and integrity verification using user authenticator scheme in cloud | |
US20220014367A1 (en) | Decentralized computing systems and methods for performing actions using stored private data | |
CN106341236A (en) | Access control method facing cloud storage service platform and system thereof | |
CN108632385B (en) | Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure | |
Hussein et al. | A survey of cryptography cloud storage techniques | |
CN109327448B (en) | Cloud file sharing method, device, equipment and storage medium | |
WO2021098152A1 (en) | Blockchain-based data processing method, device, and computer apparatus | |
Patil et al. | Secured cloud architecture for cloud service provider | |
Hussien et al. | Scheme for ensuring data security on cloud data storage in a semi-trusted third party auditor | |
CN106790100B (en) | Data storage and access control method based on asymmetric cryptographic algorithm | |
Xu et al. | NC-MACPABE: Non-centered multi-authority proxy re-encryption based on CP-ABE for cloud storage systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16915502 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 09.07.2019) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16915502 Country of ref document: EP Kind code of ref document: A1 |