CN102244660A - Encryption method for realizing support of FGAC (Fine Grained Access Control) - Google Patents
Encryption method for realizing support of FGAC (Fine Grained Access Control) Download PDFInfo
- Publication number
- CN102244660A CN102244660A CN2011101934486A CN201110193448A CN102244660A CN 102244660 A CN102244660 A CN 102244660A CN 2011101934486 A CN2011101934486 A CN 2011101934486A CN 201110193448 A CN201110193448 A CN 201110193448A CN 102244660 A CN102244660 A CN 102244660A
- Authority
- CN
- China
- Prior art keywords
- attribute
- access control
- function
- extended
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention relates to an encryption method for realizing support of FGAC (Fine Grained Access Control), wherein an access control structure is an access control tree in an attribute-based encryption system, extended attribute nodes are represented by using a range of k being less than 0, and k represents an operation identifier corresponding to a specific operation (or function); leaf nodes of k being less than 0 are called extended attribute leaf nodes, and subnodes of the extended attribute leaf nodes include one or more attributes and attribute value pairs. The data in the subnodes are input parameters needed by the operation function corresponding to the operation identifier k. The output of the function corresponds to the attribute values of the extended attribute nodes, and an extended operation comprises a matching function and a logical operator. The encryption method leads an attribute-based encryption algorithm to support abundant operations, and facilitates a flexible FGAC capability of the improved attribute-based encryption algorithm.
Description
Technical field
The present invention relates to a kind of under distributed environment, requirement at file-sharing and safe storage, propose a kind of flexibly, fine-grained access control method, mainly set and realize fine-grained access control by the expansion of expanding former cryptographic algorithm based on attribute.
Background technology
In distributed environment, especially in the service model of cloud computing, after user data is concentrated, guarantee the safety management of operation service provider inside and the demand for security that access control mechanisms meets the user, avoiding the potential risk that the multi-user exists jointly or shared data brings in the distributed environment, is the security challenge that faces in the distributed environment.
At present, data center's protecting data is mainly by dual mode access control and encryption.Access control scheme commonly used has autonomous access control policy (DAC), force access control policy (MAC) or based on role's access control policy (RBAC) etc.Under the situation that system runs well, the good access control system of design can prevent the unauthorized access to data of user or Malware, in case and system by illegal invasion or control, these access control systems will lose efficacy.In order to remedy the deficiency of access control technology, encryption is that protected data is not by another common technology of unauthorized access.Yet, conventional encryption technology comprises that symmetric cryptosystem and public key cryptography all can only carry out dull encryption to file, the distribution of key is comparatively complicated with management in distributed environment, and can not realize the flexible controlled function that access control technology has.Recently the encryption system based on attribute (ABE) that proposes can be realized the access control based on cryptographic algorithm, need not the key management and the key distribution mechanism of load, but be based on the encryption attribute algorithm be merely able to support with or and the thresholding computing, can not realize fine-grained access control, and autgmentability is poor.
Summary of the invention
The problem that technology of the present invention solves: overcome the deficiencies in the prior art, by expansion ciphertext strategy based on the access control structure in the encryption attribute algorithm, make it have abundant access control operational capability, thereby realize fine-grained, access control flexibly.
Technical solution of the present invention: a kind of encryption method that realizes supporting the fine granularity access control is characterized in that following aspect:
(1) realizes the operator expansion by adding virtual leaf node
Former ciphertext strategy based on access control structure Design in the cryptographic algorithm of attribute based on the threshold secret sharing system, its access control structure is access control tree, as shown in Figure 1.Node comprises threshold value k and two attributes of son node number num, wherein 0<k<num in the access control tree.The present invention uses the scope of k<0 to represent the extended attribute node, and k represents arithmetic identifier, and corresponding to specific computing (or function), the leaf node of extended attribute is that one or more attributes and property value are right, as shown in Figure 2.The extended attribute node is equivalent to the leaf node in the original scheme, and<attribute-name, property value〉right, be equivalent to the required input parameter of function that k refers to.The output of function is corresponding to the property value of extended attribute node.
(2) key generates the checking that user's extended attribute is responsible at center (PKG)
In the cryptographic algorithm based on attribute of former ciphertext strategy, PKG is responsible for open parameter distribution, the private key systematic function is outer and the function of user property extraction, in this expansion scheme, PKG is except above function, also be responsible for arithmetic identifier, use corresponding operation function that the extended attribute that the user provides is carried out dynamic authentication according to expansion.
(3) form of extended arithmetic function reaches the access control computing of having expanded
The function of extended arithmetic correspondence has prototype: f:(attrbute_name, attribute_value ...) → Requred Attribute|Empyte String.Wherein function parameter is one or more<attribute-name, property value〉right, the character string of the return value of function for determining.
The computing of expansion comprises adaptation function and logical operator.Specific as follows:
A, adaptation function:<,>,≤, 〉=, in_range, regex_match
B, logical operator: Not
Wherein,<,>,≤and 〉=be the arithmetic comparison operator; In_range is whether within the specific limits a function of certificate parameter; Regex_match is the regular expression adaptation function, and regular expression uses the reference format of Java regular expression.
The operation function of expansion is defined as follows:
(4) decrypt ciphertext and private key acquisition process
Carry out decipherment algorithm and must obtain the private key of setting at the access control of having expanded in the ciphertext, its process is as follows: extract operation function identifier k from the access control tree, with be stored in the virtual leaf node<attribute-name, property value〉right, they and subscriber identity information are sent to key generation center, and key generation center generates corresponding private key and also returns to the user;
The process that key generation center generates private key is as follows: key generates at first identifying user identity of center, if authentication not by refuse this request; After authentication, key generates the center and determines corresponding access control operation function according to the arithmetic identifier that the user submits to, key generates the property set S that the center has from the customer attribute information user then, move this function and obtain corresponding output, if output is not sky then this extended attribute is added among the property set S; After all extended attributes checkings that the user submits to all are performed, with property set S serve as input operation ciphertext strategy generate private key based on key schedule in the cryptographic algorithm of attribute;
Be convenient to expand the new access control computing of interpolation
Because the present invention uses the scope of k<0 to represent extended arithmetic, thus can by agreement new (k operator) to defining new access control spread function, realizes the expansion of access control computing.
The present invention's advantage compared with prior art is: by the expansion of access control tree, realized abundant access control computing, thereby realized flexibly, fine-grained access control function.Simultaneously, this scheme is easy to expansion, adds new access control computing, satisfies specific access control demand.
Description of drawings
Fig. 1 is basic access control tree
Fig. 2 is the access control tree of expansion;
Fig. 3 file encryption flow chart;
Fig. 4 file decryption flow chart;
Fig. 5 private key obtains sequence chart;
Fig. 6 access control tree data format.
Embodiment
Below with reference to accompanying drawing, embodiments of the invention are described in detail.
The core concept that the present invention mainly comprises: former in access control tree in the encryption attribute system scheme by expanding, the scope of usage threshold value k<0 is represented the access control computing expanded, realize the access control computing enriched, thereby realize flexibly, fine-grained access control based on cryptographic algorithm.
Before description scheme, be defined as follows entity and method earlier:
1. key generates center (PKG): be responsible for the open parameter of issue, generate the extended attribute that private key, leading subscriber attribute information and checking user submit to, it must be believable.
2. the threshold value of establishing node is k, wherein the scope of 0<k<num represent with or and the thresholding computing, the arithmetic identifier of expanding among orientation references the present invention of k≤-1.
3. the number of establishing child node is num, wherein num>k
4. extended attribute checking function false code is as follows:
The input parameter of function is with<attribute-name, property value〉be the tabulation of element.This function at first extracts the user property collection, verifies then whether the value of user property correspondence satisfies the requirement of corresponding attribute in the function input parameter, returns predefined character string if satisfy, if do not satisfy then return empty string.
5. it is as follows to obtain the function false code (fetch_key) of private key from PKG:
The function input parameter is the access control tree.At first, the extended attribute node from access control tree extracts in operation function identifier and its leaf node<attribute-name, property value〉right, send it to key then and generate the center, obtain private key.
The invention process process is as follows:
1.PKG the execution initialization algorithm generates the open parameter that needs in encryption in the ABE scheme, deciphering and the private key generative process.
2. the user obtains available attribute and access control arithmetic identifier from PKG, formulates access control policy, and access control policy is represented with the form of the access control tree of expansion.
3. set as the cryptographic algorithm in the former scheme of access control policy execution ABE with this access control, the ABE cryptographic algorithm as shown in Figure 3.The access control tree of the access control tree that wherein embeds for expanding among the present invention.The form of the access control tree of expansion as shown in Figure 2.
4. after the user obtains ciphertext, must obtain private key before the execution decipherment algorithm at the access control tree that has expanded in the ciphertext.Its process is as follows: (1) is extracted operation function identifier k and is stored in the virtual leaf node<attribute-name property value from access control tree〉right, they and subscriber identity information are sent to PKG, PKG execution in step 5, and will be distributed to the user.Its concrete operation process approach is shown in false code 5.Obtain the ABE decipherment algorithm of carrying out behind the private key as shown in Figure 4.
5.PKG process user is obtained the private key request.PKG is identifying user identity at first, if authentication not by refuse this request.After authentication, PKG determines corresponding access control operation function according to the arithmetic identifier that the user submits to, PKG moves this function and obtains corresponding output from the property set S that the customer attribute information user has then, if output is not sky then this extended attribute is added among the property set S.After all extended attributes checkings that the user submits to all are performed, with property set S serve as input operation ciphertext strategy based on key schedule in the cryptographic algorithm of attribute.The running of access control operation function is shown in algorithm 4:fun.
The difference of algorithm of the present invention and original algorithm maximum is: the encipherment scheme based on attribute of original ciphertext strategy can only realize with or and the thresholding computing, this expansion scheme by access control tree can realize logical operator not sum arithmetic comparison operator>,<, ≤, 〉=, computings such as canonical coupling.This scheme is easy to expansion simultaneously, can add the new computing of expansion.
This algorithm is guaranteeing to have realized fine-grained flexibly access control on the basis that original algorithm is realized visiting based on cryptographic algorithm.
What may be obvious that for the person of ordinary skill of the art draws other advantages and modification.Therefore, the present invention with wider aspect is not limited to shown and described specifying and exemplary embodiment here.Therefore, under situation about not breaking away from, can make various modifications to it by the spirit and scope of claim and the defined general inventive concept of equivalents thereof subsequently.
Claims (1)
1. encryption method that realizes supporting the fine granularity access control, its feature is as follows:
(1) realizes the operator expansion by adding virtual leaf node
Former ciphertext strategy based on access control structure Design in the encryption system of attribute based on the threshold secret sharing system, its access control structure is an access control tree, node comprises threshold value k and two attributes of son node number num in the access control tree, 0<k≤num wherein, use the scope of k<0 to represent the extended attribute node, k represents arithmetic identifier, corresponding to specific computing or function; The leaf node of extended attribute is that one or more attributes and property value are right, the extended attribute node be equivalent to the ciphertext strategy based on the leaf node in the encryption system of attribute, and<attribute-name, property value〉be equivalent to the required input parameter of function that k refers to, the output of function is corresponding to the property value of extended attribute node;
(2) key generates the checking that center P KG is responsible for user's extended attribute
PKG has open parameter distribution, private key generates and the function of user's extended attribute extraction, and simultaneously, PKG also is responsible for the arithmetic identifier according to expansion, uses corresponding operation function that the extended attribute that the user provides is carried out dynamic authentication;
(3) form of extended arithmetic function reaches the access control computing of having expanded
The function of extended arithmetic correspondence has following prototype: f:(attribute_name, attribute_value...) → Requred Attribute|Empty String, wherein function parameter is one or more<attribute-name, property value〉right, the character string of the return value of function for determining;
The computing of expansion comprises adaptation function and logical operator, and is specific as follows:
A. adaptation function:<,>,≤, 〉=, in_range, regex_match;
B. logical operator: Not;
Wherein,<,>,≤and 〉=be the arithmetic comparison operator; In_range is whether within the specific limits a function of certificate parameter; Regex_match is the regular expression adaptation function, and regular expression uses the reference format of Java regular expression;
(4) decrypt ciphertext and private key acquisition process
Carry out decipherment algorithm and must obtain the private key of setting at the access control of having expanded in the ciphertext, its process is as follows: extract operation function identifier k from the access control tree, with be stored in the virtual leaf node<attribute-name, property value〉right, they and subscriber identity information are sent to key generation center, and key generation center generates corresponding private key and also returns to the user;
The process that key generation center generates private key is as follows: key generates at first identifying user identity of center, if authentication not by refuse this request; After authentication, key generates the center and determines corresponding access control operation function according to the arithmetic identifier that the user submits to, key generates the property set S that the center has from the customer attribute information user then, move this function and obtain corresponding output, if output is not sky then this extended attribute is added among the property set S; After all extended attributes checkings that the user submits to all are performed, with property set S serve as input operation ciphertext strategy generate private key based on key schedule in the cryptographic algorithm of attribute.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110193448 CN102244660B (en) | 2011-07-12 | 2011-07-12 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110193448 CN102244660B (en) | 2011-07-12 | 2011-07-12 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102244660A true CN102244660A (en) | 2011-11-16 |
| CN102244660B CN102244660B (en) | 2012-12-12 |
Family
ID=44962495
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201110193448 Expired - Fee Related CN102244660B (en) | 2011-07-12 | 2011-07-12 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102244660B (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102624522A (en) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | Key encryption method based on file attribution |
| CN102945356A (en) * | 2012-12-12 | 2013-02-27 | 上海交通大学 | Access control method and system for search engine under cloud environment |
| CN103368901A (en) * | 2012-03-27 | 2013-10-23 | 复旦大学 | Cloud computing system based on large-scale discrete data |
| CN103391192A (en) * | 2013-07-16 | 2013-11-13 | 国家电网公司 | Cross-safety-domain access control system and method based on privacy protection |
| CN104038344A (en) * | 2014-06-19 | 2014-09-10 | 电子科技大学 | Identity authentication method based on regular expression |
| CN104901948A (en) * | 2015-04-15 | 2015-09-09 | 南方电网科学研究院有限责任公司 | Hierarchic attribute based encryption access control system and method in smart grid |
| CN104993929A (en) * | 2015-05-15 | 2015-10-21 | 西安邮电大学 | Attribute-based encryption system and method supporting system attribute expansion |
| CN109347833A (en) * | 2018-10-24 | 2019-02-15 | 中国科学院信息工程研究所 | The access control method and system being used under machine learning environment based on encryption attribute |
| CN114826759A (en) * | 2022-05-11 | 2022-07-29 | 贵州大学 | Verifiable fine-grained access control inner product function encryption method |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101488847A (en) * | 2008-01-18 | 2009-07-22 | 华为技术有限公司 | Method, apparatus and system for data ciphering |
| US20100024027A1 (en) * | 2003-12-18 | 2010-01-28 | Casey Bahr | Client-side security management for an operations, administration, and maintenance system for wireless clients |
-
2011
- 2011-07-12 CN CN 201110193448 patent/CN102244660B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100024027A1 (en) * | 2003-12-18 | 2010-01-28 | Casey Bahr | Client-side security management for an operations, administration, and maintenance system for wireless clients |
| CN101488847A (en) * | 2008-01-18 | 2009-07-22 | 华为技术有限公司 | Method, apparatus and system for data ciphering |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103368901A (en) * | 2012-03-27 | 2013-10-23 | 复旦大学 | Cloud computing system based on large-scale discrete data |
| CN102624522A (en) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | Key encryption method based on file attribution |
| CN102624522B (en) * | 2012-03-30 | 2015-08-19 | 华中科技大学 | A kind of key encryption method based on file attribute |
| CN102945356B (en) * | 2012-12-12 | 2015-11-18 | 上海交通大学 | The access control method of search engine under cloud environment and system |
| CN102945356A (en) * | 2012-12-12 | 2013-02-27 | 上海交通大学 | Access control method and system for search engine under cloud environment |
| CN103391192A (en) * | 2013-07-16 | 2013-11-13 | 国家电网公司 | Cross-safety-domain access control system and method based on privacy protection |
| CN103391192B (en) * | 2013-07-16 | 2016-09-21 | 国家电网公司 | A kind of based on secret protection across security domain access control system and control method thereof |
| CN104038344A (en) * | 2014-06-19 | 2014-09-10 | 电子科技大学 | Identity authentication method based on regular expression |
| CN104038344B (en) * | 2014-06-19 | 2017-03-22 | 电子科技大学 | Identity authentication method based on regular expression |
| CN104901948A (en) * | 2015-04-15 | 2015-09-09 | 南方电网科学研究院有限责任公司 | Hierarchic attribute based encryption access control system and method in smart grid |
| CN104901948B (en) * | 2015-04-15 | 2017-11-10 | 南方电网科学研究院有限责任公司 | Hierarchy attributes encrypted access control system and method are based in intelligent grid |
| CN104993929A (en) * | 2015-05-15 | 2015-10-21 | 西安邮电大学 | Attribute-based encryption system and method supporting system attribute expansion |
| CN104993929B (en) * | 2015-05-15 | 2018-05-18 | 西安邮电大学 | A kind of attribute-based encryption system that system property is supported to extend and method |
| CN109347833A (en) * | 2018-10-24 | 2019-02-15 | 中国科学院信息工程研究所 | The access control method and system being used under machine learning environment based on encryption attribute |
| CN114826759A (en) * | 2022-05-11 | 2022-07-29 | 贵州大学 | Verifiable fine-grained access control inner product function encryption method |
| CN114826759B (en) * | 2022-05-11 | 2023-10-03 | 贵州大学 | Verifiable fine grain access control inner product function encryption method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102244660B (en) | 2012-12-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102244660B (en) | Encryption method for realizing support of FGAC (Fine Grained Access Control) | |
| Bird et al. | The kryptoknight family of light-weight protocols for authentication and key distribution | |
| US11880831B2 (en) | Encryption system, encryption key wallet and method | |
| CN103414682B (en) | The method for cloud storage of a kind of data and system | |
| CN111130757A (en) | Multi-cloud CP-ABE access control method based on block chain | |
| CN105100083B (en) | A kind of secret protection and support user's revocation based on encryption attribute method and system | |
| JP2018182736A (en) | Private and mutually authenticated key exchange | |
| CN107733654B (en) | Intelligent equipment firmware updating and official user certificate distribution method based on combined key | |
| CN102567688B (en) | File confidentiality keeping system and file confidentiality keeping method on Android operating system | |
| CN104363215A (en) | Encryption method and system based on attributes | |
| CN103067160A (en) | Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD) | |
| CN104601571A (en) | Data encryption system and method for interaction between tenants and cloud server memory | |
| CN106059752B (en) | A kind of whitepack password encipher-decipher method based on expansion ciphertext | |
| Huang et al. | EABDS: Attribute‐Based Secure Data Sharing with Efficient Revocation in Cloud Computing | |
| CN105933345A (en) | Verifiable outsourcing attribute-based encryption method based on linear secret sharing | |
| CN102013975A (en) | Secret key management method and system | |
| CN104637117A (en) | Intelligent lock pin realization method, key realization method, intelligent lock pin, lock and key | |
| CN105915333B (en) | A kind of efficient key distribution method based on encryption attribute | |
| CN109934001A (en) | A kind of data ciphering method based on normal cloud model | |
| WO2023226641A1 (en) | Blockchain privacy data access control method and system | |
| CN112818332A (en) | Password management service platform for intelligent manufacturing | |
| Almuzaini et al. | Key aggregation cryptosystem and double encryption method for cloud-based intelligent machine learning techniques-based health monitoring systems | |
| CN109743162A (en) | A kind of operated using ideal lattice carries out the matched encryption method of identity attribute | |
| CN114244567B (en) | CP-ABE method for supporting circuit structure in cloud environment | |
| KR101760376B1 (en) | Terminal and method for providing secure messenger service |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20121212 Termination date: 20130712 |