WO2018045568A1 - Access control method oriented to cloud storage service platform and system thereof - Google Patents

Access control method oriented to cloud storage service platform and system thereof Download PDF

Info

Publication number
WO2018045568A1
WO2018045568A1 PCT/CN2016/098600 CN2016098600W WO2018045568A1 WO 2018045568 A1 WO2018045568 A1 WO 2018045568A1 CN 2016098600 W CN2016098600 W CN 2016098600W WO 2018045568 A1 WO2018045568 A1 WO 2018045568A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
cloud storage
storage service
private key
client
Prior art date
Application number
PCT/CN2016/098600
Other languages
French (fr)
Chinese (zh)
Inventor
刘宏伟
王雪原
Original Assignee
深圳大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳大学 filed Critical 深圳大学
Priority to PCT/CN2016/098600 priority Critical patent/WO2018045568A1/en
Publication of WO2018045568A1 publication Critical patent/WO2018045568A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present invention relates to the field of cloud storage service technologies, and in particular, to an access control method and system for a cloud storage service platform.
  • the cloud storage service provider is the physical owner of the data, and is not in the same trust domain as the data owner.
  • a cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services.
  • the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
  • the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
  • the object of the present invention is to provide an access control method and system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a plaintext form with poor privacy and security. problem.
  • the invention provides an access control method for a cloud storage service platform, which is applied to a cloud storage service platform including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server.
  • Access control system wherein the method comprises:
  • the authorization center operation management end generates a public key, a primary private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to a cloud storage service platform;
  • the data belonging to the main running client requests authorization from the authorization center operation management terminal and issues data upload request information
  • the authorization center operation management terminal verifies the identity of the data owner running client, and sends the signature private key to the data owner running client after verifying the pass;
  • the data belonging to the main running client encrypts the plaintext by using the public key and the signature private key, generates the ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage service platform;
  • the data user running client requests authorization from the authorization center operation management terminal;
  • the authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the user private key and the conversion key. Sending to the data user to run the client;
  • the data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server;
  • the third-party running server uses the conversion key and partially decrypts the shared data based on a conversion algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to The data user runs a client;
  • the data user running client uses the user private key to perform final decryption on the partially decrypted ciphertext.
  • the step of generating, by the authorization center, the management terminal, the public key, the primary private key, the signature public key, and the signature private key includes:
  • the step of generating the corresponding user private key in combination with the primary private key specifically includes:
  • the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
  • the step of the third-party running server executing the conversion algorithm specifically includes:
  • the step of performing the final decryption of the partially decrypted ciphertext by using the user private key comprises:
  • the present invention further provides an access control system for a cloud storage service platform, including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third-party operation server, wherein
  • the authorization center runs a management end, and is configured to generate a public key, a primary private key, a signature public key, and a signature private key, and upload the public key and the signature public key to a cloud storage service platform;
  • the data belongs to the main running client, and is used to request authorization from the operation center of the authorization center and issue data upload request information;
  • the authorization center runs a management terminal, and is further configured to verify the identity of the data owner running client, And sending the signed private key to the data owner running client after verifying the pass;
  • the data belongs to the main running client, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service. platform;
  • the data user runs a client, and is used to request authorization from the operation center of the authorization center;
  • the authorization center runs a management terminal, and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the pass, and the user private key is generated. And the conversion key is sent to the data user to run the client;
  • the data user runs the client, and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
  • the third-party running server is configured to partially decrypt the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and decrypt the partial ciphertext Transmitting to the data user to run the client;
  • the data user runs the client, and is further configured to perform final decryption on the partially decrypted ciphertext by using the user private key.
  • the cloud storage service platform is an Amazon Cloud OSS cloud storage service platform.
  • the technical solution provided by the invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, thereby realizing effective privacy protection for the shared data on the cloud storage service platform and improving the cloud storage.
  • the security of the service at the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved.
  • the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext.
  • the security of the entire program is not limited to:
  • FIG. 1 is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram showing the internal structure of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention.
  • the access control system and the access control method for the cloud storage service platform proposed by the present invention are based on an outsourced decryption attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform.
  • FIG. 1 is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention.
  • the access control method for the cloud storage service platform is applied to a cloud storage service including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server.
  • Platform access control system Platform access control system.
  • step S1 the authorization center operation management terminal generates a public key, a master private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to the cloud storage service platform.
  • the cloud storage service platform is an Amazon Cloud OSS cloud storage service platform, and may be other cloud storage service platforms, which are not limited herein.
  • the step S1 is a step of system initialization
  • the step S1 of generating the public key, the master private key, the signature public key and the signature private key by the authorization center running management terminal specifically includes:
  • step S2 the data owner running client requests authorization from the authorization center operation management terminal and issues data upload request information.
  • step S3 the authorization center operation management terminal verifies that the data belongs to the main operation client. Identity, and after the verification is passed, the signed private key is sent to the data owner running client.
  • step S4 the data owner running client encrypts the plaintext by using the public key and the signature private key, generates a ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage.
  • Service Platform the public key and the signature private key
  • the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
  • step S5 the data user running client requests authorization from the authorization center operation management terminal.
  • step S6 the authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the private user is private.
  • the key and conversion key are sent to the data user to run the client.
  • the step of generating the corresponding user private key in combination with the primary private key specifically includes:
  • step S7 the data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server.
  • step S8 the third party runs the server, utilizes the conversion key and is based on the outsourcing solution.
  • the conversion algorithm in the secret attribute encryption mechanism partially decrypts the shared data to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to the data user running client.
  • the step of the third-party running server executing the conversion algorithm specifically includes:
  • step S9 the data user running client performs final decryption on the partially decrypted ciphertext by using the user private key.
  • the step of performing final decryption on the partially decrypted ciphertext by using the user private key includes:
  • the access control method for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share the data on the cloud storage service platform. Achieve effective privacy protection and improve the security of cloud storage services.
  • the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved.
  • the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext.
  • the security of the entire program is not limited to:
  • FIG. 2 a schematic structural diagram of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention is shown.
  • the access control system 10 for the cloud storage service platform is in communication with the cloud storage service platform, and mainly includes an authorization center operation management terminal 11, a data owner operation client terminal 12, a third party operation server terminal 13, and a data user. Run client 14.
  • the authorization center runs the management terminal 11 for generating a public key, a primary private key, a signature public key, and a signature private key, and uploading the public key and the signature public key to the cloud storage service platform;
  • the data belonging to the main running client 12 is configured to request authorization from the authorization center operation management terminal and issue data upload request information;
  • the authorization center operation management terminal 11 is further configured to verify the identity of the data owner running client, and send the signature private key to the data owner running client after verifying the pass;
  • the data belongs to the main running client 12, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service platform. ;
  • the data user runs the client 14 for requesting authorization from the authorization center running management terminal;
  • the authorization center runs the management terminal 11 and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the verification, and the user private key is Translating a secret key to the data user to run the client;
  • the data user runs the client 14 and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
  • the third-party running server 13 is configured to perform partial decryption on the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmit the partially decrypted ciphertext Running the client to the data user;
  • the data user runs the client 14 and is further configured to perform final decryption of the partially decrypted ciphertext by using the user private key.
  • the cloud storage service platform is an Amazon Cloud OSS cloud storage service platform.
  • the access control system 10 for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share on the cloud storage service platform. Data achieves effective privacy protection and improves the security of cloud storage services.
  • the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved.
  • the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext.
  • the security of the entire program is not limited to:
  • the proposed scheme can not only guarantee data confidentiality, but also resist collusion attacks.
  • this outsourced decryption CP-ABE scheme can successfully prevent unauthorized users and semi-trusted third parties from obtaining encrypted data information.
  • the attribute set owned by the user cannot match the ciphertext-related access control policy, then the user cannot obtain e(g, g) ⁇ s , where ⁇ is a random number unique to each user. This value is different for any two users. Therefore, an unauthorized user cannot decrypt the ciphertext.
  • semi-trusted third parties may cause another type of attack.
  • this outsourced decryption CP-ABE solution is able to resist collusion attacks between users.
  • the secret shared value s is hidden in the ciphertext, not in the user's key.
  • the attacker In order to decrypt the ciphertext, the attacker must recover e(g,g) ⁇ s .
  • the collusion attacker In order to obtain e(g,g) ⁇ s , the collusion attacker needs to obtain Collusion attack is associated with this need to perform the operation of bilinear, i.e. from ciphertext C x D x and from other colluder.
  • each user's key is calculated and generated by the random number r.
  • collusion attackers are legally authorized users, they cannot recover e(g,g) rs and cannot further recover e(g,g) ⁇ s . Therefore, all colluders cannot jointly recover e(g,g) ⁇ s even if they share their keys.

Abstract

The present invention relates to the field of cloud storage service technology, and provided are an access control system oriented to a cloud storage service platform and an access control method therefor. In the method and system, a data owner, on the basis of an attribute encryption mechanism, encrypting user data needing to be uploaded and then storing in a cloud storage service platform, thereby being able to carry out effective privacy protection for shared data in the cloud storage service platform and improving security of cloud storage service. Meanwhile, since most of the decryption operations are outsourced to a third party, the burden of decryption of a data user is visibly reduced, thereby achieving a goal of allowing the user to quickly decrypt. In addition, while a cleartext is encrypted in an encryption phase, the cleartext is signed so that the data user may verify correctness of the cleartext obtained by the decryption, thereby preventing possible tampering of the cleartext or ciphertext by the cloud server and the third party and improving security of the entire program.

Description

一种面向云存储服务平台的访问控制方法及其系统Access control method and system for cloud storage service platform 技术领域Technical field
本发明涉及云存储服务技术领域,尤其涉及一种面向云存储服务平台的访问控制方法及其系统。The present invention relates to the field of cloud storage service technologies, and in particular, to an access control method and system for a cloud storage service platform.
背景技术Background technique
在云存储服务平台中,由于采用数据远程托管技术,云存储服务提供商是数据的物理拥有者,与数据属主并不在同一个信任域中。云存储服务提供商管理着多个用户及其资源,当用户跨边界访问其它用户资源时,需要采用一定的访问控制策略来控制对数据和服务的访问。但实际中,由于云存储服务平台是采用虚拟化存储技术,云存储服务同底层硬件环境之间是松耦合的,不同用户的数据间缺乏固定不变的安全边界,由此增加了在云存储服务平台对数据实施访问控制的难度。In the cloud storage service platform, because of the data remote hosting technology, the cloud storage service provider is the physical owner of the data, and is not in the same trust domain as the data owner. A cloud storage service provider manages multiple users and their resources. When users access other user resources across borders, they need to adopt certain access control policies to control access to data and services. However, in practice, because the cloud storage service platform adopts the virtualized storage technology, the cloud storage service is loosely coupled with the underlying hardware environment, and the data of different users lacks a fixed security boundary, thereby increasing the cloud storage. The difficulty of the service platform to implement access control on data.
现有技术中,虽然数据属主可对其上传的用户数据的读/写属性进行设置,例如将读/写属性设置为公有读/私有写或公有读/公有写,以在一定程度上限制数据的读写权限,但由于用户数据仍旧是以明文形式存储在云存储服务平台上的,缺乏有效的隐私保护机制,不能有效抵御非法用户的访问而使得用户数据泄露。In the prior art, although the data owner can set the read/write attribute of the user data uploaded by it, for example, setting the read/write attribute to public read/private write or public read/public write, to a certain extent Data read and write permissions, but because user data is still stored in clear text on the cloud storage service platform, lack of effective privacy protection mechanism, can not effectively resist the access of illegal users and make user data leak.
发明内容Summary of the invention
有鉴于此,本发明的目的在于提供一种面向云存储服务平台的访问控制方法及其系统,旨在解决解决现有的云存储服务平台是以明文形式存储用户数据,隐私性和安全性差的问题。In view of this, the object of the present invention is to provide an access control method and system for a cloud storage service platform, which aims to solve the problem that the existing cloud storage service platform stores user data in a plaintext form with poor privacy and security. problem.
本发明提出一种面向云存储服务平台的访问控制方法,应用于包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端、第三方运行服务端在内的面向云存储服务平台的访问控制系统,其中,所述方法包括:The invention provides an access control method for a cloud storage service platform, which is applied to a cloud storage service platform including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server. Access control system, wherein the method comprises:
所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台; The authorization center operation management end generates a public key, a primary private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to a cloud storage service platform;
所述数据属主运行客户端向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belonging to the main running client requests authorization from the authorization center operation management terminal and issues data upload request information;
所述授权中心运行管理端核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal verifies the identity of the data owner running client, and sends the signature private key to the data owner running client after verifying the pass;
所述数据属主运行客户端利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belonging to the main running client encrypts the plaintext by using the public key and the signature private key, generates the ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage service platform;
所述数据用户运行客户端向所述授权中心运行管理端请求授权;The data user running client requests authorization from the authorization center operation management terminal;
所述授权中心运行管理端核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the user private key and the conversion key. Sending to the data user to run the client;
所述数据用户运行客户端从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server;
所述第三方运行服务端,利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server uses the conversion key and partially decrypts the shared data based on a conversion algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to The data user runs a client;
所述数据用户运行客户端利用所述用户私钥对所述部分解密密文进行最终解密。The data user running client uses the user private key to perform final decryption on the partially decrypted ciphertext.
优选的,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥的步骤具体包括:Preferably, the step of generating, by the authorization center, the management terminal, the public key, the primary private key, the signature public key, and the signature private key includes:
输入安全参数λ,构造阶为素数p、生成元为g的双线性群
Figure PCTCN2016098600-appb-000001
,定义双线性映射
Figure PCTCN2016098600-appb-000002
选取随机数
Figure PCTCN2016098600-appb-000003
计算公钥PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g
Figure PCTCN2016098600-appb-000001
, defining a bilinear map
Figure PCTCN2016098600-appb-000002
Select random number
Figure PCTCN2016098600-appb-000003
The calculation public key PK and the primary private key MK are respectively:
PK=(g,h=gβ,e(g,g)α)PK=(g,h=g β ,e(g,g) α )
MSK=(β,gα)MSK=(β,g α )
然后选取
Figure PCTCN2016098600-appb-000004
计算签名公钥SPK与签名私钥SSK分别为:Then select
Figure PCTCN2016098600-appb-000004
The calculation signature public key SPK and the signature private key SSK are respectively:
SPK=(gx,gy),SSK=(x,y)。SPK = (g x , g y ), SSK = (x, y).
优选的,所述结合所述主私钥生成对应的用户私钥的步骤具体包括:Preferably, the step of generating the corresponding user private key in combination with the primary private key specifically includes:
首先选择一个随机值
Figure PCTCN2016098600-appb-000005
然后对每个属性k∈S随机选择
Figure PCTCN2016098600-appb-000006
最后生成对应的用户私钥为:First choose a random value
Figure PCTCN2016098600-appb-000005
Then randomly select each attribute k∈S
Figure PCTCN2016098600-appb-000006
Finally, generate the corresponding user private key as:
Figure PCTCN2016098600-appb-000007
Figure PCTCN2016098600-appb-000007
优选的,所述利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文的步骤具体包括:Preferably, the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
在访问结构
Figure PCTCN2016098600-appb-000008
下加密消息M,为
Figure PCTCN2016098600-appb-000009
每个节点n选择一个多项式qn,从树的根节点R开始,自上而下选择多项式,节点n的多项式qn的度dn比该节点的门限值kn少1,即dn=kn-1;Access structure
Figure PCTCN2016098600-appb-000008
Encrypt message M, as
Figure PCTCN2016098600-appb-000009
Each node n selects a polynomial q n , starting from the root node R of the tree, selecting a polynomial from top to bottom, and the degree d n of the polynomial q n of the node n is less than the threshold k n of the node, ie d n =k n -1;
从根节点R开始选择随机数
Figure PCTCN2016098600-appb-000010
并设置qR(0)=s,随机选择多项式qR上的dR个点完全定义qR,对于其它的顶点n,令qn(0)=qparent(n)(index(n)),随机选择其它dn个顶点完全定义qnSelect random number from root node R
Figure PCTCN2016098600-appb-000010
And set q R (0)=s, randomly select d R points on the polynomial q R to completely define q R , for other vertices n, let q n (0)=q parent(n) (index(n)) , randomly select other d n vertices to completely define q n ;
Figure PCTCN2016098600-appb-000011
中所有叶子节点的集合为J,由签名私钥SSK=(x,y),明文M和随机选择
Figure PCTCN2016098600-appb-000012
计算签名
Figure PCTCN2016098600-appb-000013
在给定的树形访问结构
Figure PCTCN2016098600-appb-000014
下计算所需上传的密文:Assume
Figure PCTCN2016098600-appb-000011
The set of all leaf nodes in it is J, signed private key SSK=(x, y), plaintext M and randomly selected
Figure PCTCN2016098600-appb-000012
Calculation signature
Figure PCTCN2016098600-appb-000013
Given a tree access structure
Figure PCTCN2016098600-appb-000014
Calculate the ciphertext you want to upload:
Figure PCTCN2016098600-appb-000015
Figure PCTCN2016098600-appb-000015
优选的,所述第三方运行服务端执行转化算法的步骤具体包括:Preferably, the step of the third-party running server executing the conversion algorithm specifically includes:
定义递归算法Transform(SK′,CT,n),用密文
Figure PCTCN2016098600-appb-000016
与属性集合S相关联的部分密钥SK′,
Figure PCTCN2016098600-appb-000017
中的节点n作为输入;Define the recursive algorithm Transform(SK', CT, n), using ciphertext
Figure PCTCN2016098600-appb-000016
a partial key SK' associated with the attribute set S,
Figure PCTCN2016098600-appb-000017
Node n in the input;
当节点n是叶子节点时,令i=att(n),如果i∈S,那么When node n is a leaf node, let i=att(n), if i∈S, then
Figure PCTCN2016098600-appb-000018
Figure PCTCN2016098600-appb-000018
当节点n是非叶子节点时,算法Transform(SK′,CT,n)工作方式如下:对于n的所有子节点u,计算Fu=Transform(SK′,CT,u),令Sn为Kn大小的满足Fu≠⊥的子节点u的集合,如果不存在这样的集合,那么这样的节点不满足,函数返回⊥,否则计算 When node n is a non-leaf node, the algorithm Transform(SK', CT, n) works as follows: For all child nodes u of n, calculate F u =Transform(SK',CT,u), let S n be K n The size of the set of child nodes u satisfying F u ,, if there is no such set, then such a node is not satisfied, the function returns ⊥, otherwise the calculation
Figure PCTCN2016098600-appb-000019
Figure PCTCN2016098600-appb-000019
并返回结果,其中i=index(u),Sn′={index(u),u∈Sn};And return the result, where i=index(u), S n '={index(u), u∈S n };
调用Transform(SK′,CT,R),R是树的根节点,如果树满足S且Call Transform(SK', CT, R), where R is the root node of the tree, if the tree satisfies S and
Figure PCTCN2016098600-appb-000020
Figure PCTCN2016098600-appb-000020
Figure PCTCN2016098600-appb-000021
then
Figure PCTCN2016098600-appb-000021
优选的,所述利用所述用户私钥对所述部分解密密文进行最终解密的步骤具体包括:Preferably, the step of performing the final decryption of the partially decrypted ciphertext by using the user private key comprises:
输入SK,输入
Figure PCTCN2016098600-appb-000022
利用下式:Enter SK, enter
Figure PCTCN2016098600-appb-000022
Use the following formula:
Figure PCTCN2016098600-appb-000023
Figure PCTCN2016098600-appb-000023
解密得到明文M;Decrypted to get plaintext M;
最后输入SPK,验证e(σ,gx·gM·g)=e(g,g),若e(σ,gx·gM·g)=e(g,g)等式成立,则说明解密正确,输出明文M;否则解密失败,输出⊥。Finally, enter SPK and verify that e(σ, g x ·g M ·g )=e(g,g), if e(σ,g x ·g M ·g )=e(g,g) , indicating that the decryption is correct, and the plaintext M is output; otherwise, the decryption fails, and the output is ⊥.
另一方面,本发明还提供一种面向云存储服务平台的访问控制系统,包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端以及第三方运行服务端,其中,In another aspect, the present invention further provides an access control system for a cloud storage service platform, including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third-party operation server, wherein
所述授权中心运行管理端,用于生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center runs a management end, and is configured to generate a public key, a primary private key, a signature public key, and a signature private key, and upload the public key and the signature public key to a cloud storage service platform;
所述数据属主运行客户端,用于向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belongs to the main running client, and is used to request authorization from the operation center of the authorization center and issue data upload request information;
所述授权中心运行管理端,还用于核实所述数据属主运行客户端的身份, 并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center runs a management terminal, and is further configured to verify the identity of the data owner running client, And sending the signed private key to the data owner running client after verifying the pass;
所述数据属主运行客户端,还用于利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belongs to the main running client, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service. platform;
所述数据用户运行客户端,用于向所述授权中心运行管理端请求授权;The data user runs a client, and is used to request authorization from the operation center of the authorization center;
所述授权中心运行管理端,还用于核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center runs a management terminal, and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the pass, and the user private key is generated. And the conversion key is sent to the data user to run the client;
所述数据用户运行客户端,还用于从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user runs the client, and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
所述第三方运行服务端,用于利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server is configured to partially decrypt the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and decrypt the partial ciphertext Transmitting to the data user to run the client;
所述数据用户运行客户端,还用于利用所述用户私钥对所述部分解密密文进行最终解密。The data user runs the client, and is further configured to perform final decryption on the partially decrypted ciphertext by using the user private key.
优选的,所述云存储服务平台为阿里云OSS云存储服务平台。Preferably, the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform.
本发明提供的技术方案基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,本发明提供的技术方案由于将大部分解密运算外包给第三方,使得数据用户的解密负担明显减小,实现了用户快速解密的目的。另外,在加密阶段对明文进行加密的同时,对明文进行签名,使得数据用户可以对解密所得明文的正确性进行验证,防止了云服务端及第三方对明文或密文可能进行的篡改,提高了整个方案的安全性。The technical solution provided by the invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, thereby realizing effective privacy protection for the shared data on the cloud storage service platform and improving the cloud storage. The security of the service. At the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved. In addition, while encrypting the plaintext in the encryption phase, the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext. The security of the entire program.
附图说明DRAWINGS
图1为本发明一实施方式中面向云存储服务平台的访问控制方法流程图;1 is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention;
图2为本发明一实施方式中面向云存储服务平台的访问控制系统10的内部结构示意图。 FIG. 2 is a schematic diagram showing the internal structure of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention.
具体实施方式detailed description
为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
为了解决现有技术存在的问题,本发明提出的面向云存储服务平台的访问控制系统及其访问控制方法基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上。In order to solve the problems existing in the prior art, the access control system and the access control method for the cloud storage service platform proposed by the present invention are based on an outsourced decryption attribute encryption mechanism, and the user data to be uploaded is encrypted and stored on the cloud storage service platform.
以下将对本发明所提供的一种面向云存储服务平台的访问控制方法进行详细说明。The access control method for the cloud storage service platform provided by the present invention will be described in detail below.
请参阅图1,为本发明一实施方式中面向云存储服务平台的访问控制方法流程图。Please refer to FIG. 1 , which is a flowchart of an access control method for a cloud storage service platform according to an embodiment of the present invention.
在本实施方式中,面向云存储服务平台的访问控制方法,应用于包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端、第三方运行服务端在内的面向云存储服务平台的访问控制系统。In this embodiment, the access control method for the cloud storage service platform is applied to a cloud storage service including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server. Platform access control system.
在步骤S1中,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台。In step S1, the authorization center operation management terminal generates a public key, a master private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to the cloud storage service platform.
在本实施方式中,所述云存储服务平台为阿里云OSS云存储服务平台,当然也可以是其他的云存储服务平台,在此不做限定。In this embodiment, the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform, and may be other cloud storage service platforms, which are not limited herein.
在本实施方式中,步骤S1为系统初始化的步骤,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥的步骤S1具体包括:In this embodiment, the step S1 is a step of system initialization, and the step S1 of generating the public key, the master private key, the signature public key and the signature private key by the authorization center running management terminal specifically includes:
输入安全参数λ,构造阶为素数p、生成元为g的双线性群
Figure PCTCN2016098600-appb-000024
定义双线性映射
Figure PCTCN2016098600-appb-000025
选取随机数
Figure PCTCN2016098600-appb-000026
计算公钥PK和主私钥MK分别为:Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g
Figure PCTCN2016098600-appb-000024
Defining bilinear mapping
Figure PCTCN2016098600-appb-000025
Select random number
Figure PCTCN2016098600-appb-000026
The calculation public key PK and the primary private key MK are respectively:
PK=(g,h=gβ,e(g,g)α)PK=(g,h=g β ,e(g,g) α )
MSK=(β,gα)MSK=(β,g α )
然后选取
Figure PCTCN2016098600-appb-000027
计算签名公钥SPK与签名私钥SSK分别为:Then select
Figure PCTCN2016098600-appb-000027
The calculation signature public key SPK and the signature private key SSK are respectively:
SPK=(gx,gy),SSK=(x,y)。SPK = (g x , g y ), SSK = (x, y).
在步骤S2中,所述数据属主运行客户端向所述授权中心运行管理端请求授权并发出数据上传请求信息。In step S2, the data owner running client requests authorization from the authorization center operation management terminal and issues data upload request information.
在步骤S3中,所述授权中心运行管理端核实所述数据属主运行客户端的 身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端。In step S3, the authorization center operation management terminal verifies that the data belongs to the main operation client. Identity, and after the verification is passed, the signed private key is sent to the data owner running client.
在步骤S4中,所述数据属主运行客户端利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台。In step S4, the data owner running client encrypts the plaintext by using the public key and the signature private key, generates a ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage. Service Platform.
在本实施方式中,所述利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文的步骤具体包括:In this embodiment, the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes:
在访问结构
Figure PCTCN2016098600-appb-000028
下加密消息M,为
Figure PCTCN2016098600-appb-000029
每个节点n选择一个多项式qn,从树的根节点R开始,自上而下选择多项式,节点n的多项式qn的度dn比该节点的门限值kn少1,即dn=kn-1;Access structure
Figure PCTCN2016098600-appb-000028
Encrypt message M, as
Figure PCTCN2016098600-appb-000029
Each node n selects a polynomial q n , starting from the root node R of the tree, selecting a polynomial from top to bottom, and the degree d n of the polynomial q n of the node n is less than the threshold k n of the node, ie d n =k n -1;
从根节点R开始选择随机数
Figure PCTCN2016098600-appb-000030
并设置qR(0)=s,随机选择多项式qR上的dR个点完全定义qR,对于其它的顶点n,令qn(0)=qparent(n)(index(n)),随机选择其它dn个顶点完全定义qnSelect random number from root node R
Figure PCTCN2016098600-appb-000030
And set q R (0)=s, randomly select d R points on the polynomial q R to completely define q R , for other vertices n, let q n (0)=q parent(n) (index(n)) , randomly select other d n vertices to completely define q n ;
Figure PCTCN2016098600-appb-000031
中所有叶子节点的集合为J,由签名私钥SSK=(x,y),明文M和随机选择
Figure PCTCN2016098600-appb-000032
计算签名
Figure PCTCN2016098600-appb-000033
在给定的树形访问结构
Figure PCTCN2016098600-appb-000034
下计算所需上传的密文:Assume
Figure PCTCN2016098600-appb-000031
The set of all leaf nodes in it is J, signed private key SSK=(x, y), plaintext M and randomly selected
Figure PCTCN2016098600-appb-000032
Calculation signature
Figure PCTCN2016098600-appb-000033
Given a tree access structure
Figure PCTCN2016098600-appb-000034
Calculate the ciphertext you want to upload:
Figure PCTCN2016098600-appb-000035
Figure PCTCN2016098600-appb-000035
在步骤S5中,所述数据用户运行客户端向所述授权中心运行管理端请求授权。In step S5, the data user running client requests authorization from the authorization center operation management terminal.
在步骤S6中,所述授权中心运行管理端核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端。In step S6, the authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the private user is private. The key and conversion key are sent to the data user to run the client.
在本实施方式中,所述结合所述主私钥生成对应的用户私钥的步骤具体包括:In this embodiment, the step of generating the corresponding user private key in combination with the primary private key specifically includes:
首先选择一个随机值
Figure PCTCN2016098600-appb-000036
然后对每个属性k∈S随机选择
Figure PCTCN2016098600-appb-000037
最后生成对应的用户私钥为:First choose a random value
Figure PCTCN2016098600-appb-000036
Then randomly select each attribute k∈S
Figure PCTCN2016098600-appb-000037
Finally, generate the corresponding user private key as:
Figure PCTCN2016098600-appb-000038
Figure PCTCN2016098600-appb-000038
在步骤S7中,所述数据用户运行客户端从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端。In step S7, the data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server.
在步骤S8中,所述第三方运行服务端,利用所述转化密钥并基于外包解 密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端。In step S8, the third party runs the server, utilizes the conversion key and is based on the outsourcing solution. The conversion algorithm in the secret attribute encryption mechanism partially decrypts the shared data to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to the data user running client.
在本实施方式中,所述第三方运行服务端执行转化算法的步骤具体包括:In this implementation manner, the step of the third-party running server executing the conversion algorithm specifically includes:
定义递归算法Transform(SK′,CT,n),用密文
Figure PCTCN2016098600-appb-000039
与属性集合S相关联的部分密钥SK′,
Figure PCTCN2016098600-appb-000040
中的节点n作为输入;Define the recursive algorithm Transform(SK', CT, n), using ciphertext
Figure PCTCN2016098600-appb-000039
a partial key SK' associated with the attribute set S,
Figure PCTCN2016098600-appb-000040
Node n in the input;
当节点n是叶子节点时,令i=att(n),如果i∈S,那么When node n is a leaf node, let i=att(n), if i∈S, then
Figure PCTCN2016098600-appb-000041
Figure PCTCN2016098600-appb-000041
当节点n是非叶子节点时,算法Transform(SK′,CT,n)工作方式如下:对于n的所有子节点u,计算Fu=Transform(SK′,CT,u),令Sn为Kn大小的满足Fu≠⊥的子节点u的集合,如果不存在这样的集合,那么这样的节点不满足,函数返回⊥,否则计算When node n is a non-leaf node, the algorithm Transform(SK', CT, n) works as follows: For all child nodes u of n, calculate F u =Transform(SK',CT,u), let S n be K n The size of the set of child nodes u satisfying F u ,, if there is no such set, then such a node is not satisfied, the function returns ⊥, otherwise the calculation
Figure PCTCN2016098600-appb-000042
Figure PCTCN2016098600-appb-000042
并返回结果,其中i=index(u),Sn′={index(u),u∈Sn};And return the result, where i=index(u), S n '={index(u), u∈S n };
调用Transform(SK′,CT,R),R是树的根节点,如果树满足S且Call Transform(SK', CT, R), where R is the root node of the tree, if the tree satisfies S and
Figure PCTCN2016098600-appb-000043
Figure PCTCN2016098600-appb-000043
Figure PCTCN2016098600-appb-000044
then
Figure PCTCN2016098600-appb-000044
在步骤S9中,所述数据用户运行客户端利用所述用户私钥对所述部分解密密文进行最终解密。In step S9, the data user running client performs final decryption on the partially decrypted ciphertext by using the user private key.
在本实施方式中,所述利用所述用户私钥对所述部分解密密文进行最终解密的步骤具体包括:In this embodiment, the step of performing final decryption on the partially decrypted ciphertext by using the user private key includes:
输入SK,输入
Figure PCTCN2016098600-appb-000045
利用下式: Enter SK, enter
Figure PCTCN2016098600-appb-000045
Use the following formula:
Figure PCTCN2016098600-appb-000046
Figure PCTCN2016098600-appb-000046
解密得到明文M;Decrypted to get plaintext M;
最后输入SPK,验证e(σ,gx·gM·g)=e(g,g),若e(σ,gx·gM·g)=e(g,g)等式成立,则说明解密正确,输出明文M;否则解密失败,输出⊥。Finally, enter SPK and verify that e(σ, g x ·g M ·g )=e(g,g), if e(σ,g x ·g M ·g )=e(g,g) , indicating that the decryption is correct, and the plaintext M is output; otherwise, the decryption fails, and the output is ⊥.
本发明提供的一种面向云存储服务平台的访问控制方法,基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,本发明提供的技术方案由于将大部分解密运算外包给第三方,使得数据用户的解密负担明显减小,实现了用户快速解密的目的。另外,在加密阶段对明文进行加密的同时,对明文进行签名,使得数据用户可以对解密所得明文的正确性进行验证,防止了云服务端及第三方对明文或密文可能进行的篡改,提高了整个方案的安全性。The access control method for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share the data on the cloud storage service platform. Achieve effective privacy protection and improve the security of cloud storage services. At the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved. In addition, while encrypting the plaintext in the encryption phase, the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext. The security of the entire program.
请参阅图2,所示为本发明一实施方式中面向云存储服务平台的访问控制系统10的结构示意图。在本实施方式中,面向云存储服务平台的访问控制系统10与云存储服务平台通信连接,主要包括授权中心运行管理端11、数据属主运行客户端12、第三方运行服务端13以及数据用户运行客户端14。Referring to FIG. 2, a schematic structural diagram of an access control system 10 for a cloud storage service platform according to an embodiment of the present invention is shown. In this embodiment, the access control system 10 for the cloud storage service platform is in communication with the cloud storage service platform, and mainly includes an authorization center operation management terminal 11, a data owner operation client terminal 12, a third party operation server terminal 13, and a data user. Run client 14.
授权中心运行管理端11,用于生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center runs the management terminal 11 for generating a public key, a primary private key, a signature public key, and a signature private key, and uploading the public key and the signature public key to the cloud storage service platform;
数据属主运行客户端12,用于向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belonging to the main running client 12 is configured to request authorization from the authorization center operation management terminal and issue data upload request information;
授权中心运行管理端11,还用于核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal 11 is further configured to verify the identity of the data owner running client, and send the signature private key to the data owner running client after verifying the pass;
数据属主运行客户端12,还用于利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belongs to the main running client 12, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service platform. ;
数据用户运行客户端14,用于向所述授权中心运行管理端请求授权; The data user runs the client 14 for requesting authorization from the authorization center running management terminal;
授权中心运行管理端11,还用于核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center runs the management terminal 11 and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the verification, and the user private key is Translating a secret key to the data user to run the client;
数据用户运行客户端14,还用于从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user runs the client 14 and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
第三方运行服务端13,用于利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server 13 is configured to perform partial decryption on the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmit the partially decrypted ciphertext Running the client to the data user;
数据用户运行客户端14,还用于利用所述用户私钥对所述部分解密密文进行最终解密。The data user runs the client 14 and is further configured to perform final decryption of the partially decrypted ciphertext by using the user private key.
在本实施方式中,所述云存储服务平台为阿里云OSS云存储服务平台。In this embodiment, the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform.
本发明提供的一种面向云存储服务平台的访问控制系统10,基于外包解密属性加密机制,将需上传的用户数据加密后存储到云存储服务平台上,因而可对云存储服务平台上的共享数据实现有效的隐私保护,提高了云存储服务的安全性。同时,本发明提供的技术方案由于将大部分解密运算外包给第三方,使得数据用户的解密负担明显减小,实现了用户快速解密的目的。另外,在加密阶段对明文进行加密的同时,对明文进行签名,使得数据用户可以对解密所得明文的正确性进行验证,防止了云服务端及第三方对明文或密文可能进行的篡改,提高了整个方案的安全性。The access control system 10 for the cloud storage service platform provided by the present invention is based on the encryption mechanism of the outsourced decryption attribute, encrypts the user data to be uploaded and stores it on the cloud storage service platform, and thus can share on the cloud storage service platform. Data achieves effective privacy protection and improves the security of cloud storage services. At the same time, the technical solution provided by the present invention outsources most of the decryption operation to a third party, so that the decryption burden of the data user is significantly reduced, and the purpose of fast decryption by the user is achieved. In addition, while encrypting the plaintext in the encryption phase, the plaintext is signed, so that the data user can verify the correctness of the decrypted plaintext, thereby preventing the cloud server and the third party from tampering with the plaintext or the ciphertext. The security of the entire program.
以下对上述面向云存储服务平台的访问控制方法及其系统的安全性进行分析:The following is an analysis of the above-mentioned access control method for the cloud storage service platform and the security of the system:
本发明所提方案不仅可以保证数据机密性,还可以抵抗共谋攻击。The proposed scheme can not only guarantee data confidentiality, but also resist collusion attacks.
分析:关于数据的机密性,本外包解密CP-ABE方案可以成功阻止非授权用户和半可信第三方获取加密的数据信息。一方面,若用户所拥有的属性集合与密文相关的访问控制策略不能够匹配的时候,那么该用户不能够获得e(g,g)αs,这里α是每个用户所独有的随机数,任何两个用户的这个值都是不同的。因此,非授权用户就不能够解密密文。另一方面,半可信第三方有可能引起另外一种攻击。当用户的属性能够满足密文中所嵌入的的访问策略时,被委托的第三方就可以利用转化密钥得到中间结果T0=M·e(g,g)αs和T1=e(g,g)rs。因此,无论是 非授权用户,还是被委托第三方都没有足够的信息来解密密文。Analysis: Regarding the confidentiality of data, this outsourced decryption CP-ABE scheme can successfully prevent unauthorized users and semi-trusted third parties from obtaining encrypted data information. On the one hand, if the attribute set owned by the user cannot match the ciphertext-related access control policy, then the user cannot obtain e(g, g) αs , where α is a random number unique to each user. This value is different for any two users. Therefore, an unauthorized user cannot decrypt the ciphertext. On the other hand, semi-trusted third parties may cause another type of attack. When the user's attributes can satisfy the access policy embedded in the ciphertext, the delegated third party can use the conversion key to get the intermediate result T 0 =M·e(g,g) αs and T 1 =e(g, g) rs . Therefore, neither the unauthorized user nor the trusted third party has enough information to decrypt the ciphertext.
另外,本外包解密CP-ABE方案能够抵抗用户之间的共谋攻击。与原始的CP-ABE方案相同,在所提出的方案中,秘密共享值s是隐藏在密文中的,而不是在用户的密钥中。要想解密密文,共谋攻击者就必须恢复e(g,g)αs。为了获得e(g,g)αs,共谋攻击者需要获得
Figure PCTCN2016098600-appb-000047
共谋攻击者需要执行与此相关的双线性对操作,也就是来自密文的Cx和来自其它共谋者的Dx。但是,因为每个用户的密钥都是由随机数r计算并产生的。因此,虽然共谋攻击者都是合法授权用户,但是他们不能恢复e(g,g)rs,就不能进一步恢复e(g,g)αs。所以,所有共谋者即使共享其密钥,也不能彼此联合恢复e(g,g)αsIn addition, this outsourced decryption CP-ABE solution is able to resist collusion attacks between users. As in the original CP-ABE scheme, in the proposed scheme, the secret shared value s is hidden in the ciphertext, not in the user's key. In order to decrypt the ciphertext, the attacker must recover e(g,g) αs . In order to obtain e(g,g) αs , the collusion attacker needs to obtain
Figure PCTCN2016098600-appb-000047
Collusion attack is associated with this need to perform the operation of bilinear, i.e. from ciphertext C x D x and from other colluder. However, because each user's key is calculated and generated by the random number r. Therefore, although the collusion attackers are legally authorized users, they cannot recover e(g,g) rs and cannot further recover e(g,g) αs . Therefore, all colluders cannot jointly recover e(g,g) αs even if they share their keys.
另外,本领域普通技术人员可以理解实现上述各实施例方法中的全部或部分步骤是可以通过程序来指令相关的硬件来完成,相应的程序可以存储于一计算机可读取存储介质中,所述的存储介质,如ROM/RAM、磁盘或光盘等。In addition, those skilled in the art can understand that all or part of the steps of implementing the above embodiments may be completed by a program to instruct related hardware, and the corresponding program may be stored in a computer readable storage medium. Storage medium, such as ROM/RAM, disk or CD.
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。 The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. Within the scope.

Claims (8)

  1. 一种面向云存储服务平台的访问控制方法,应用于包括授权中心运行管理端、数据属主运行客户端、数据用户运行客户端、第三方运行服务端在内的面向云存储服务平台的访问控制系统,其特征在于,所述方法包括:An access control method for a cloud storage service platform, which is applied to an access control system for a cloud storage service platform including an authorization center operation management terminal, a data owner operation client, a data user operation client, and a third party operation server. A system, the method comprising:
    所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center operation management end generates a public key, a primary private key, a signature public key, and a signature private key, and uploads the public key and the signature public key to a cloud storage service platform;
    所述数据属主运行客户端向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belonging to the main running client requests authorization from the authorization center operation management terminal and issues data upload request information;
    所述授权中心运行管理端核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal verifies the identity of the data owner running client, and sends the signature private key to the data owner running client after verifying the pass;
    所述数据属主运行客户端利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belonging to the main running client encrypts the plaintext by using the public key and the signature private key, generates the ciphertext to be uploaded, and uploads the ciphertext as shared data to the cloud storage service platform;
    所述数据用户运行客户端向所述授权中心运行管理端请求授权;The data user running client requests authorization from the authorization center operation management terminal;
    所述授权中心运行管理端核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center operation management terminal verifies that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the master private key after verifying the pass, and the user private key and the conversion key. Sending to the data user to run the client;
    所述数据用户运行客户端从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user running client downloads the shared data from the cloud storage service platform, and sends the shared data and the conversion key to the third-party running server;
    所述第三方运行服务端,利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server uses the conversion key and partially decrypts the shared data based on a conversion algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and transmits the partially decrypted ciphertext to The data user runs a client;
    所述数据用户运行客户端利用所述用户私钥对所述部分解密密文进行最终解密。The data user running client uses the user private key to perform final decryption on the partially decrypted ciphertext.
  2. 如权利要求1所述的面向云存储服务平台的访问控制方法,其特征在于,所述授权中心运行管理端生成公钥、主私钥、签名公钥与签名私钥的步骤具体包括:The access control method for the cloud storage service platform according to claim 1, wherein the step of the authorization center running the management terminal to generate the public key, the primary private key, the signature public key, and the signature private key comprises:
    输入安全参数λ,构造阶为素数p、生成元为g的双线性群
    Figure PCTCN2016098600-appb-100001
    定义双线性映射
    Figure PCTCN2016098600-appb-100002
    选取随机数
    Figure PCTCN2016098600-appb-100003
    计算公钥PK和主私钥MK分别为:    Enter the safety parameter λ, the bilinear group whose construction order is prime p and generator is g
    Figure PCTCN2016098600-appb-100001
    Defining bilinear mapping
    Figure PCTCN2016098600-appb-100002
    Select random number
    Figure PCTCN2016098600-appb-100003
    The calculation public key PK and the primary private key MK are respectively:
    PK=(g,h=gβ,e(g,g)α) PK=(g,h=g β ,e(g,g) α )
    MSK=(β,gα)MSK=(β,g α )
    然后选取
    Figure PCTCN2016098600-appb-100004
    计算签名公钥SPK与签名私钥SSK分别为:    Then select
    Figure PCTCN2016098600-appb-100004
    The calculation signature public key SPK and the signature private key SSK are respectively:
    SPK=(gx,gy),SSK=(x,y)。SPK = (g x , g y ), SSK = (x, y).
  3. 如权利要求2所述的面向云存储服务平台的访问控制方法,其特征在于,所述结合所述主私钥生成对应的用户私钥的步骤具体包括:The access control method for the cloud storage service platform according to claim 2, wherein the step of generating the corresponding user private key in combination with the primary private key comprises:
    首先选择一个随机值
    Figure PCTCN2016098600-appb-100005
    然后对每个属性k∈S随机选择
    Figure PCTCN2016098600-appb-100006
    最后生成对应的用户私钥为:    First choose a random value
    Figure PCTCN2016098600-appb-100005
    Then randomly select each attribute k∈S
    Figure PCTCN2016098600-appb-100006
    Finally, generate the corresponding user private key as:
    Figure PCTCN2016098600-appb-100007
    Figure PCTCN2016098600-appb-100007
  4. 如权利要求3所述的面向云存储服务平台的访问控制方法,其特征在于,所述利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文的步骤具体包括:The access control method for the cloud storage service platform according to claim 3, wherein the step of encrypting the plaintext by using the public key and the signature private key to generate the ciphertext to be uploaded specifically includes :
    在访问结构
    Figure PCTCN2016098600-appb-100008
    下加密消息M,为
    Figure PCTCN2016098600-appb-100009
    每个节点n选择一个多项式qn,从树的根节点R开始,自上而下选择多项式,节点n的多项式qn的度dn比该节点的门限值kn少1,即dn=kn-1;    Access structure
    Figure PCTCN2016098600-appb-100008
    Encrypt message M, as
    Figure PCTCN2016098600-appb-100009
    Each node n selects a polynomial q n , starting from the root node R of the tree, selecting a polynomial from top to bottom, and the degree d n of the polynomial q n of the node n is less than the threshold k n of the node, ie d n =k n -1;
    从根节点R开始选择随机数
    Figure PCTCN2016098600-appb-100010
    并设置qR(0)=s,随机选择多项式qR上的dR个点完全定义qR,对于其它的顶点n,令qn(0)=qparent(n)(index(n)),随机选择其它dn个顶点完全定义qn    Select random number from root node R
    Figure PCTCN2016098600-appb-100010
    And set q R (0)=s, randomly select d R points on the polynomial q R to completely define q R , for other vertices n, let q n (0)=q parent(n) (index(n)) , randomly select other d n vertices to completely define q n ;
    Figure PCTCN2016098600-appb-100011
    中所有叶子节点的集合为J,由签名私钥SSK=(x,y),明文M和随机选择
    Figure PCTCN2016098600-appb-100012
    计算签名
    Figure PCTCN2016098600-appb-100013
    在给定的树形访问结构
    Figure PCTCN2016098600-appb-100014
    下计算所需上传的密文:    Assume
    Figure PCTCN2016098600-appb-100011
    The set of all leaf nodes in it is J, signed private key SSK=(x, y), plaintext M and randomly selected
    Figure PCTCN2016098600-appb-100012
    Calculation signature
    Figure PCTCN2016098600-appb-100013
    Given a tree access structure
    Figure PCTCN2016098600-appb-100014
    Calculate the ciphertext you want to upload:
    Figure PCTCN2016098600-appb-100015
    Figure PCTCN2016098600-appb-100015
  5. 如权利要求4所述的面向云存储服务平台的访问控制方法,其特征在于,所述第三方运行服务端执行转化算法的步骤具体包括:The access control method for the cloud storage service platform according to claim 4, wherein the step of the third party running server executing the conversion algorithm specifically includes:
    定义递归算法Transform(SK′,CT,n),用密文
    Figure PCTCN2016098600-appb-100016
    与属性集合S相关联的部分密钥SK′,
    Figure PCTCN2016098600-appb-100017
    中的节点n作为输入;    Define the recursive algorithm Transform(SK', CT, n), using ciphertext
    Figure PCTCN2016098600-appb-100016
    a partial key SK' associated with the attribute set S,
    Figure PCTCN2016098600-appb-100017
    Node n in the input;
    当节点n是叶子节点时,令i=att(n),如果i∈S,那么 When node n is a leaf node, let i=att(n), if i∈S, then
    Figure PCTCN2016098600-appb-100018
    Figure PCTCN2016098600-appb-100018
    当节点n是非叶子节点时,算法Transform(SK′,CT,n)工作方式如下:对于n的所有子节点u,计算Fu=Transform(SK′,CT,u),令Sn为Kn大小的满足Fu≠⊥的子节点u的集合,如果不存在这样的集合,那么这样的节点不满足,函数返回⊥,否则计算When node n is a non-leaf node, the algorithm Transform(SK', CT, n) works as follows: For all child nodes u of n, calculate F u =Transform(SK',CT,u), let S n be K n The size of the set of child nodes u satisfying F u ,, if there is no such set, then such a node is not satisfied, the function returns ⊥, otherwise the calculation
    Figure PCTCN2016098600-appb-100019
    Figure PCTCN2016098600-appb-100019
    并返回结果,其中i=index(u),Sn′={index(u),u∈Sn};And return the result, where i=index(u), S n '={index(u), u∈S n };
    调用Transform(SK′,CT,R),R是树的根节点,如果树满足S且Call Transform(SK', CT, R), where R is the root node of the tree, if the tree satisfies S and
    Figure PCTCN2016098600-appb-100020
    Figure PCTCN2016098600-appb-100020
    Figure PCTCN2016098600-appb-100021
    then
    Figure PCTCN2016098600-appb-100021
  6. 如权利要求5所述的面向云存储服务平台的访问控制方法,其特征在于,所述利用所述用户私钥对所述部分解密密文进行最终解密的步骤具体包括:The access control method for the cloud storage service platform according to claim 5, wherein the step of performing final decryption on the partially decrypted ciphertext by using the user private key comprises:
    输入SK,输入
    Figure PCTCN2016098600-appb-100022
    利用下式:    Enter SK, enter
    Figure PCTCN2016098600-appb-100022
    Use the following formula:
    Figure PCTCN2016098600-appb-100023
    Figure PCTCN2016098600-appb-100023
    解密得到明文M;Decrypted to get plaintext M;
    最后输入SPK,验证e(σ,gx·gM·g)=e(g,g),若e(σ,gx·gM·g)=e(g,g)等式成立,则说明解密正确,输出明文M;否则解密失败,输出⊥。Finally, enter SPK and verify that e(σ, g x ·g M ·g )=e(g,g), if e(σ,g x ·g M ·g )=e(g,g) , indicating that the decryption is correct, and the plaintext M is output; otherwise, the decryption fails, and the output is ⊥.
  7. 一种面向云存储服务平台的访问控制系统,其特征在于,所述系统包括 授权中心运行管理端、数据属主运行客户端、数据用户运行客户端以及第三方运行服务端,其中,An access control system for a cloud storage service platform, characterized in that the system comprises The authorization center runs the management terminal, the data owner runs the client, the data user runs the client, and the third party runs the server, where
    所述授权中心运行管理端,用于生成公钥、主私钥、签名公钥与签名私钥,并将所述公钥和所述签名公钥上传至云存储服务平台;The authorization center runs a management end, and is configured to generate a public key, a primary private key, a signature public key, and a signature private key, and upload the public key and the signature public key to a cloud storage service platform;
    所述数据属主运行客户端,用于向所述授权中心运行管理端请求授权并发出数据上传请求信息;The data belongs to the main running client, and is used to request authorization from the operation center of the authorization center and issue data upload request information;
    所述授权中心运行管理端,还用于核实所述数据属主运行客户端的身份,并在核实通过后将所述签名私钥发送给数据属主运行客户端;The authorization center operation management terminal is further configured to verify the identity of the data owner running client, and send the signature private key to the data owner running client after verifying the pass;
    所述数据属主运行客户端,还用于利用所述公钥与所述签名私钥对明文进行加密,产生所需上传的密文,并将所述密文作为共享数据上传至云存储服务平台;The data belongs to the main running client, and is further configured to encrypt the plaintext by using the public key and the signature private key, generate the ciphertext to be uploaded, and upload the ciphertext as the shared data to the cloud storage service. platform;
    所述数据用户运行客户端,用于向所述授权中心运行管理端请求授权;The data user runs a client, and is used to request authorization from the operation center of the authorization center;
    所述授权中心运行管理端,还用于核实所述数据用户运行客户端身份,并在核实通过后结合所述主私钥生成对应的用户私钥与转化秘钥,并将所述用户私钥与转化秘钥发送给所述数据用户运行客户端;The authorization center runs a management terminal, and is further configured to verify that the data user runs the client identity, and generates a corresponding user private key and a conversion key in combination with the primary private key after verifying the pass, and the user private key is generated. And the conversion key is sent to the data user to run the client;
    所述数据用户运行客户端,还用于从云存储服务平台下载所述共享数据,并将所述共享数据与所述转化密钥发送给所述第三方运行服务端;The data user runs the client, and is further configured to download the shared data from the cloud storage service platform, and send the shared data and the conversion key to the third-party running server;
    所述第三方运行服务端,用于利用所述转化密钥并基于外包解密属性加密机制中的转化算法对所述共享数据进行部分解密以得到部分解密密文,并将所述部分解密密文传送给所述数据用户运行客户端;The third-party running server is configured to partially decrypt the shared data by using the conversion key and based on a transformation algorithm in an outsourced decryption attribute encryption mechanism to obtain a partially decrypted ciphertext, and decrypt the partial ciphertext Transmitting to the data user to run the client;
    所述数据用户运行客户端,还用于利用所述用户私钥对所述部分解密密文进行最终解密。The data user runs the client, and is further configured to perform final decryption on the partially decrypted ciphertext by using the user private key.
  8. 如权利要求7所述的面向云存储服务平台的访问控制系统,其特征在于,所述云存储服务平台为阿里云OSS云存储服务平台。 The access control system for a cloud storage service platform according to claim 7, wherein the cloud storage service platform is an Alibaba Cloud OSS cloud storage service platform.
PCT/CN2016/098600 2016-09-09 2016-09-09 Access control method oriented to cloud storage service platform and system thereof WO2018045568A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/098600 WO2018045568A1 (en) 2016-09-09 2016-09-09 Access control method oriented to cloud storage service platform and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/098600 WO2018045568A1 (en) 2016-09-09 2016-09-09 Access control method oriented to cloud storage service platform and system thereof

Publications (1)

Publication Number Publication Date
WO2018045568A1 true WO2018045568A1 (en) 2018-03-15

Family

ID=61562411

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/098600 WO2018045568A1 (en) 2016-09-09 2016-09-09 Access control method oriented to cloud storage service platform and system thereof

Country Status (1)

Country Link
WO (1) WO2018045568A1 (en)

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108600174A (en) * 2018-03-26 2018-09-28 西安交通大学 A kind of access control mechanisms and its implementation of big merger network
CN108647525A (en) * 2018-05-09 2018-10-12 西安电子科技大学 The secret protection single layer perceptron batch training method that can verify that
CN110008717A (en) * 2019-02-26 2019-07-12 东北大学 Support the decision tree classification service system and method for secret protection
CN110309663A (en) * 2019-06-25 2019-10-08 湖南搜云网络科技股份有限公司 Privacy authenticating method and system based on block chain
CN110460604A (en) * 2019-08-15 2019-11-15 广东工业大学 A kind of encryption of cloud storage, decryption and verification method and system
CN110489947A (en) * 2019-07-05 2019-11-22 北京中电飞华通信股份有限公司 A kind of safety office managing and control system
CN110781524A (en) * 2019-10-29 2020-02-11 陕西师范大学 Integrity verification method for data in hybrid cloud storage
CN111552979A (en) * 2020-04-21 2020-08-18 东南大学 Non-interactive lightweight privacy protection auditing method for image
CN111598701A (en) * 2020-05-22 2020-08-28 深圳市网心科技有限公司 Information monitoring method, system, equipment and storage medium
CN111641943A (en) * 2020-05-19 2020-09-08 南京信息工程大学 Real-time safety data aggregation and recovery method based on vehicle cloud
CN111861467A (en) * 2020-07-23 2020-10-30 浙江永旗区块链科技有限公司 Supply chain financial transaction privacy protection method and system
CN111860708A (en) * 2020-06-21 2020-10-30 深圳华物信联科技有限公司 System and method for commodity management
CN111967514A (en) * 2020-08-14 2020-11-20 安徽大学 Data packaging-based sample classification method for privacy protection decision tree
CN111988138A (en) * 2020-08-13 2020-11-24 潘显富 Information encryption system based on education cloud
CN112069513A (en) * 2020-08-12 2020-12-11 福建师范大学 Encryption method and system capable of sharing decryption
CN112187798A (en) * 2020-09-28 2021-01-05 安徽大学 Bidirectional access control method and system applied to cloud-side data sharing
CN112235113A (en) * 2020-07-15 2021-01-15 秦绪祥 Wisdom community endowment service platform
CN112491904A (en) * 2020-12-01 2021-03-12 德州职业技术学院(德州市技师学院) Big data privacy protection sharing method and system
CN112883399A (en) * 2021-03-11 2021-06-01 郑州信大捷安信息技术股份有限公司 Method and system for realizing secure sharing of encrypted file
CN112925850A (en) * 2021-02-25 2021-06-08 京信数据科技有限公司 Block chain data encryption uplink method, uplink sharing method and device
CN112991136A (en) * 2021-03-26 2021-06-18 中国科学技术大学 Secure plaintext image cloud storage and processing method based on watermark
CN113094750A (en) * 2021-04-20 2021-07-09 西安交通大学 Block chain-based compression and privacy industrial data sharing implementation method
CN113360944A (en) * 2021-06-25 2021-09-07 华北电力大学 Dynamic access control system and method for power internet of things
CN113612750A (en) * 2021-07-27 2021-11-05 长安大学 User identity privacy protection method facing mobile crowd sensing network
CN113660197A (en) * 2021-07-02 2021-11-16 西安电子科技大学广州研究院 Obfuscated data aggregation privacy protection method, system, device, medium and terminal
CN114024686A (en) * 2021-11-03 2022-02-08 北京邮电大学 Intelligent community Internet of things information sharing model based on block chain
CN114039737A (en) * 2020-07-20 2022-02-11 中国科学院信息工程研究所 Attribute-based shared data storage and access method and system for resisting selected plaintext attack
CN114124392A (en) * 2021-11-01 2022-03-01 广州大学 Data controlled circulation method, system, device and medium supporting access control
CN114172710A (en) * 2021-12-01 2022-03-11 深圳市电子商务安全证书管理有限公司 Data decryption method, device, equipment and storage medium
CN114189340A (en) * 2021-12-09 2022-03-15 电子科技大学 Attribute-based signature method based on prime order group
CN114338025A (en) * 2021-06-23 2022-04-12 河南科技大学 Ciphertext equivalence testing method in cloud environment
CN114726530A (en) * 2022-04-19 2022-07-08 电子科技大学 Intelligent vehicle networking heterogeneous signcryption method based on identity and public key in cloud edge fusion environment
CN114785610A (en) * 2022-05-10 2022-07-22 广东南华工商职业学院 Data security transmission system based on cloud computing
CN114826759A (en) * 2022-05-11 2022-07-29 贵州大学 Verifiable fine-grained access control inner product function encryption method
CN114884982A (en) * 2022-03-28 2022-08-09 江苏徐工工程机械研究院有限公司 Multi-mine user online management method and system based on cloud service
CN115001744A (en) * 2022-04-27 2022-09-02 中国科学院信息工程研究所 Cloud platform data integrity verification method and system
CN115086356A (en) * 2022-06-14 2022-09-20 北京大学深圳研究生院 Cloud data management method based on competition management platform
CN115150142A (en) * 2022-06-24 2022-10-04 深圳市北科瑞声科技股份有限公司 Data access processing method, system, equipment and storage medium
CN115150183A (en) * 2022-07-25 2022-10-04 黄涌瀚 Multivariable public key communication information transmission method based on cloud computing and cloud storage
CN115225669A (en) * 2022-07-14 2022-10-21 山东大学 Distributed private data processing system and method
CN115396689A (en) * 2022-08-24 2022-11-25 珠海安士佳电子有限公司 Intelligent cloud video transmission and storage method and system
CN115473699A (en) * 2022-08-22 2022-12-13 湖北工业大学 Privacy protection pairing T inspection method and device based on distribution
CN115550605A (en) * 2022-08-19 2022-12-30 南京邮电大学 Fault detection method of power grid multimedia dispatching system and automatic detection equipment thereof
CN115714669A (en) * 2022-10-20 2023-02-24 云南师范大学 Private data cross-domain sharing method based on PURH-CP-ABE under block chain
CN115955489A (en) * 2023-03-15 2023-04-11 中国民航大学 Cloud storage-oriented onboard software possession proving method
CN116405320A (en) * 2023-05-31 2023-07-07 北京电科智芯科技有限公司 Data transmission method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102769620A (en) * 2012-07-19 2012-11-07 广州大学 Safely outsourced attribute-based encryption method
CN104022868A (en) * 2014-02-18 2014-09-03 杭州师范大学 Outsourcing decryption method of attribute-based encryption based on ciphertext policy
CN104486315A (en) * 2014-12-08 2015-04-01 北京航空航天大学 Revocable key external package decryption method based on content attributes

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102769620A (en) * 2012-07-19 2012-11-07 广州大学 Safely outsourced attribute-based encryption method
CN104022868A (en) * 2014-02-18 2014-09-03 杭州师范大学 Outsourcing decryption method of attribute-based encryption based on ciphertext policy
CN104486315A (en) * 2014-12-08 2015-04-01 北京航空航天大学 Revocable key external package decryption method based on content attributes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DING, XIAOHONG ET AL.: "Attribute-based Encryption Scheme with Outsourcing Decryption Method", COMPUTER SCIENCE, vol. 43, no. 6A, 30 June 2016 (2016-06-30) *

Cited By (77)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108600174A (en) * 2018-03-26 2018-09-28 西安交通大学 A kind of access control mechanisms and its implementation of big merger network
CN108600174B (en) * 2018-03-26 2020-07-28 西安交通大学 Access control mechanism of large cooperative network and implementation method thereof
CN108647525A (en) * 2018-05-09 2018-10-12 西安电子科技大学 The secret protection single layer perceptron batch training method that can verify that
CN108647525B (en) * 2018-05-09 2022-02-01 西安电子科技大学 Verifiable privacy protection single-layer perceptron batch training method
CN110008717A (en) * 2019-02-26 2019-07-12 东北大学 Support the decision tree classification service system and method for secret protection
CN110008717B (en) * 2019-02-26 2023-04-11 东北大学 Decision tree classification service system and method supporting privacy protection
CN110309663B (en) * 2019-06-25 2023-03-03 湖南搜云网络科技股份有限公司 Privacy authentication method and system based on block chain
CN110309663A (en) * 2019-06-25 2019-10-08 湖南搜云网络科技股份有限公司 Privacy authenticating method and system based on block chain
CN110489947A (en) * 2019-07-05 2019-11-22 北京中电飞华通信股份有限公司 A kind of safety office managing and control system
CN110489947B (en) * 2019-07-05 2022-07-15 北京中电飞华通信股份有限公司 Safe office management and control system
CN110460604A (en) * 2019-08-15 2019-11-15 广东工业大学 A kind of encryption of cloud storage, decryption and verification method and system
CN110781524A (en) * 2019-10-29 2020-02-11 陕西师范大学 Integrity verification method for data in hybrid cloud storage
CN110781524B (en) * 2019-10-29 2023-05-05 陕西师范大学 Integrity verification method for data in hybrid cloud storage
CN111552979B (en) * 2020-04-21 2022-11-15 东南大学 Non-interactive lightweight privacy protection auditing method for image
CN111552979A (en) * 2020-04-21 2020-08-18 东南大学 Non-interactive lightweight privacy protection auditing method for image
CN111641943A (en) * 2020-05-19 2020-09-08 南京信息工程大学 Real-time safety data aggregation and recovery method based on vehicle cloud
CN111598701A (en) * 2020-05-22 2020-08-28 深圳市网心科技有限公司 Information monitoring method, system, equipment and storage medium
CN111598701B (en) * 2020-05-22 2023-09-19 深圳市迅雷网络技术有限公司 Information monitoring method, system, equipment and storage medium
CN111860708A (en) * 2020-06-21 2020-10-30 深圳华物信联科技有限公司 System and method for commodity management
CN111860708B (en) * 2020-06-21 2023-09-22 深圳盈达信息科技有限公司 Commodity management system and commodity management method
CN112235113A (en) * 2020-07-15 2021-01-15 秦绪祥 Wisdom community endowment service platform
CN114039737B (en) * 2020-07-20 2023-08-08 中国科学院信息工程研究所 Attribute-based shared data storage and access method and system for resisting selective plaintext attack
CN114039737A (en) * 2020-07-20 2022-02-11 中国科学院信息工程研究所 Attribute-based shared data storage and access method and system for resisting selected plaintext attack
CN111861467A (en) * 2020-07-23 2020-10-30 浙江永旗区块链科技有限公司 Supply chain financial transaction privacy protection method and system
CN112069513A (en) * 2020-08-12 2020-12-11 福建师范大学 Encryption method and system capable of sharing decryption
CN112069513B (en) * 2020-08-12 2022-09-27 福建师范大学 Encryption method and system capable of sharing decryption
CN111988138B (en) * 2020-08-13 2023-09-22 广东介诚信息服务有限公司 Information encryption system based on education cloud
CN111988138A (en) * 2020-08-13 2020-11-24 潘显富 Information encryption system based on education cloud
CN111967514B (en) * 2020-08-14 2023-11-17 安徽大学 Sample classification method of privacy protection decision tree based on data packaging
CN111967514A (en) * 2020-08-14 2020-11-20 安徽大学 Data packaging-based sample classification method for privacy protection decision tree
CN112187798A (en) * 2020-09-28 2021-01-05 安徽大学 Bidirectional access control method and system applied to cloud-side data sharing
CN112491904B (en) * 2020-12-01 2022-05-20 德州职业技术学院(德州市技师学院) Big data privacy protection sharing method and system
CN112491904A (en) * 2020-12-01 2021-03-12 德州职业技术学院(德州市技师学院) Big data privacy protection sharing method and system
CN112925850A (en) * 2021-02-25 2021-06-08 京信数据科技有限公司 Block chain data encryption uplink method, uplink sharing method and device
CN112883399B (en) * 2021-03-11 2022-03-25 郑州信大捷安信息技术股份有限公司 Method and system for realizing secure sharing of encrypted file
CN112883399A (en) * 2021-03-11 2021-06-01 郑州信大捷安信息技术股份有限公司 Method and system for realizing secure sharing of encrypted file
CN112991136A (en) * 2021-03-26 2021-06-18 中国科学技术大学 Secure plaintext image cloud storage and processing method based on watermark
CN113094750B (en) * 2021-04-20 2024-02-09 西安交通大学 Implementation method for compressing and sharing privacy industrial data based on block chain
CN113094750A (en) * 2021-04-20 2021-07-09 西安交通大学 Block chain-based compression and privacy industrial data sharing implementation method
CN114338025A (en) * 2021-06-23 2022-04-12 河南科技大学 Ciphertext equivalence testing method in cloud environment
CN113360944B (en) * 2021-06-25 2024-03-22 华北电力大学 Dynamic access control system and method for electric power Internet of things
CN113360944A (en) * 2021-06-25 2021-09-07 华北电力大学 Dynamic access control system and method for power internet of things
CN113660197B (en) * 2021-07-02 2022-11-22 西安电子科技大学广州研究院 Obfuscated data aggregation privacy protection method, system, device, medium and terminal
CN113660197A (en) * 2021-07-02 2021-11-16 西安电子科技大学广州研究院 Obfuscated data aggregation privacy protection method, system, device, medium and terminal
CN113612750A (en) * 2021-07-27 2021-11-05 长安大学 User identity privacy protection method facing mobile crowd sensing network
CN114124392A (en) * 2021-11-01 2022-03-01 广州大学 Data controlled circulation method, system, device and medium supporting access control
CN114124392B (en) * 2021-11-01 2022-09-06 广州大学 Data controlled circulation method, system, device and medium supporting access control
CN114024686A (en) * 2021-11-03 2022-02-08 北京邮电大学 Intelligent community Internet of things information sharing model based on block chain
CN114024686B (en) * 2021-11-03 2023-09-26 北京邮电大学 Intelligent community Internet of things information sharing model based on block chain
CN114172710A (en) * 2021-12-01 2022-03-11 深圳市电子商务安全证书管理有限公司 Data decryption method, device, equipment and storage medium
CN114172710B (en) * 2021-12-01 2024-01-30 深圳市电子商务安全证书管理有限公司 Data decryption method, device, equipment and storage medium
CN114189340B (en) * 2021-12-09 2023-05-23 电子科技大学 Attribute-based signature method based on prime order group
CN114189340A (en) * 2021-12-09 2022-03-15 电子科技大学 Attribute-based signature method based on prime order group
CN114884982B (en) * 2022-03-28 2023-11-07 江苏徐工工程机械研究院有限公司 Multi-mine user online management method and system based on cloud service
CN114884982A (en) * 2022-03-28 2022-08-09 江苏徐工工程机械研究院有限公司 Multi-mine user online management method and system based on cloud service
CN114726530A (en) * 2022-04-19 2022-07-08 电子科技大学 Intelligent vehicle networking heterogeneous signcryption method based on identity and public key in cloud edge fusion environment
CN115001744A (en) * 2022-04-27 2022-09-02 中国科学院信息工程研究所 Cloud platform data integrity verification method and system
CN115001744B (en) * 2022-04-27 2023-08-29 中国科学院信息工程研究所 Cloud platform data integrity verification method and system
CN114785610A (en) * 2022-05-10 2022-07-22 广东南华工商职业学院 Data security transmission system based on cloud computing
CN114785610B (en) * 2022-05-10 2023-01-10 深圳市聚迅科技有限公司 Data security transmission system based on cloud computing
CN114826759A (en) * 2022-05-11 2022-07-29 贵州大学 Verifiable fine-grained access control inner product function encryption method
CN114826759B (en) * 2022-05-11 2023-10-03 贵州大学 Verifiable fine grain access control inner product function encryption method
CN115086356A (en) * 2022-06-14 2022-09-20 北京大学深圳研究生院 Cloud data management method based on competition management platform
CN115150142A (en) * 2022-06-24 2022-10-04 深圳市北科瑞声科技股份有限公司 Data access processing method, system, equipment and storage medium
CN115225669B (en) * 2022-07-14 2024-04-05 山东大学 Distributed privacy data processing system and method
CN115225669A (en) * 2022-07-14 2022-10-21 山东大学 Distributed private data processing system and method
CN115150183A (en) * 2022-07-25 2022-10-04 黄涌瀚 Multivariable public key communication information transmission method based on cloud computing and cloud storage
CN115550605A (en) * 2022-08-19 2022-12-30 南京邮电大学 Fault detection method of power grid multimedia dispatching system and automatic detection equipment thereof
CN115473699A (en) * 2022-08-22 2022-12-13 湖北工业大学 Privacy protection pairing T inspection method and device based on distribution
CN115473699B (en) * 2022-08-22 2024-04-30 湖北工业大学 Distributed privacy protection pairing T-test method and device
CN115396689A (en) * 2022-08-24 2022-11-25 珠海安士佳电子有限公司 Intelligent cloud video transmission and storage method and system
CN115396689B (en) * 2022-08-24 2023-06-30 珠海安士佳电子有限公司 Intelligent cloud video transmission and storage method and system
CN115714669A (en) * 2022-10-20 2023-02-24 云南师范大学 Private data cross-domain sharing method based on PURH-CP-ABE under block chain
CN115714669B (en) * 2022-10-20 2024-02-06 云南师范大学 Private data cross-domain sharing method based on PURH-CP-ABE under blockchain
CN115955489A (en) * 2023-03-15 2023-04-11 中国民航大学 Cloud storage-oriented onboard software possession proving method
CN116405320B (en) * 2023-05-31 2023-08-22 北京电科智芯科技有限公司 Data transmission method and device
CN116405320A (en) * 2023-05-31 2023-07-07 北京电科智芯科技有限公司 Data transmission method and device

Similar Documents

Publication Publication Date Title
WO2018045568A1 (en) Access control method oriented to cloud storage service platform and system thereof
JP6941146B2 (en) Data security service
CN111130757B (en) Multi-cloud CP-ABE access control method based on block chain
Michalas The lord of the shares: Combining attribute-based encryption and searchable encryption for flexible data sharing
Sanka et al. Secure data access in cloud computing
WO2016197770A1 (en) Access control system and access control method thereof for cloud storage service platform
US9646168B2 (en) Data access control method in cloud
Yu et al. A view about cloud data security from data life cycle
WO2016197680A1 (en) Access control system for cloud storage service platform and access control method therefor
KR20200126321A (en) How to securely execute smart contract actions in a trusted execution environment
JP6678457B2 (en) Data security services
WO2016106752A1 (en) Shared data access control method, device and system
US20140112470A1 (en) Method and system for key generation, backup, and migration based on trusted computing
Saroj et al. Threshold cryptography based data security in cloud computing
Nirmala et al. Data confidentiality and integrity verification using user authenticator scheme in cloud
US20220014367A1 (en) Decentralized computing systems and methods for performing actions using stored private data
CN106341236A (en) Access control method facing cloud storage service platform and system thereof
CN108632385B (en) Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure
Hussein et al. A survey of cryptography cloud storage techniques
CN109327448B (en) Cloud file sharing method, device, equipment and storage medium
WO2021098152A1 (en) Blockchain-based data processing method, device, and computer apparatus
Patil et al. Secured cloud architecture for cloud service provider
Hussien et al. Scheme for ensuring data security on cloud data storage in a semi-trusted third party auditor
CN106790100B (en) Data storage and access control method based on asymmetric cryptographic algorithm
Xu et al. NC-MACPABE: Non-centered multi-authority proxy re-encryption based on CP-ABE for cloud storage systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16915502

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 09.07.2019)

122 Ep: pct application non-entry in european phase

Ref document number: 16915502

Country of ref document: EP

Kind code of ref document: A1