CN102244660B - Encryption method for realizing support of FGAC (Fine Grained Access Control) - Google Patents
Encryption method for realizing support of FGAC (Fine Grained Access Control) Download PDFInfo
- Publication number
- CN102244660B CN102244660B CN 201110193448 CN201110193448A CN102244660B CN 102244660 B CN102244660 B CN 102244660B CN 201110193448 CN201110193448 CN 201110193448 CN 201110193448 A CN201110193448 A CN 201110193448A CN 102244660 B CN102244660 B CN 102244660B
- Authority
- CN
- China
- Prior art keywords
- attribute
- access control
- function
- extended
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The invention relates to an encryption method for realizing support of FGAC (Fine Grained Access Control), wherein an access control structure is an access control tree in an attribute-based encryption system, extended attribute nodes are represented by using a range of k being less than 0, and k represents an operation identifier corresponding to a specific operation (or function); leaf nodes of k being less than 0 are called extended attribute leaf nodes, and subnodes of the extended attribute leaf nodes include one or more attributes and attribute value pairs. The data in the subnodes are input parameters needed by the operation function corresponding to the operation identifier k. The output of the function corresponds to the attribute values of the extended attribute nodes, and an extended operation comprises a matching function and a logical operator. The encryption method leads an attribute-based encryption algorithm to support abundant operations, and facilitates a flexible FGAC capability of the improved attribute-based encryption algorithm.
Description
Technical field
The present invention relates to a kind of under distributed environment; Requirement to file-sharing and safe storage; Propose a kind of flexibly, fine-grained access control method, mainly set and realize fine-grained access control through the expansion of expanding former AES based on attribute.
Background technology
In distributed environment; Especially in the service model of cloud computing; After user data is concentrated; Guaranteeing that operation service provider inner safety management and access control mechanisms meet the user's security demand, avoid the potential risk that the multi-user exists jointly or shared data brings in the distributed environment, is the security challenge that faces in the distributed environment.
At present, data center's protecting data is mainly through dual mode access control and encryption.Access control scheme commonly used has autonomous access control policy (DAC), force access control policy (MAC) or based on role's access control policy (RBAC) etc.Under the situation that system runs well, the good access control system of design can prevent the unauthorized access to data of user or Malware, in case and system by illegal invasion or control, these access control systems will lose efficacy.In order to remedy the deficiency of access control technology, encryption is that protected data is not by another common technology of unauthorized access.Yet; Conventional encryption technology comprises that symmetric cryptosystem and public key cryptography all can only carry out the encryption of dullness to file; The distribution of key is comparatively complicated with management in distributed environment, and can not realize the flexible controlled function that access control technology has.Recently the encryption system based on attribute (ABE) that proposes can be realized the access control based on AES; Need not the key management and the key distribution mechanism of load; But be based on the encryption attribute algorithm be merely able to support with or and the thresholding computing; Can not realize fine-grained access control, and autgmentability is poor.
Summary of the invention
The problem that technology of the present invention solves: overcome the deficiency of prior art, through expansion ciphertext strategy based on the access control structure in the encryption attribute algorithm, make it have abundant access control operational capability, thereby realize fine-grained, access control flexibly.
Technical solution of the present invention: a kind of encryption method that realizes supporting the fine granularity access control is characterized in that following aspect:
(1) realizes the operator expansion through adding virtual leaf node
Former ciphertext strategy based on access control structure Design in the AES of attribute based on the threshold secret sharing system, its access control structure is access control tree, and is as shown in Figure 1.Node comprises threshold value k and two attributes of son node number num, wherein 0<k<num in the access control tree.The present invention uses the scope of k<0 to represent the extended attribute node, and k representes arithmetic identifier, and corresponding to specific computing (or function), the leaf node of extended attribute is that one or more attributes and property value are right, as shown in Figure 2.The extended attribute node is equivalent to the leaf node in the original scheme, and < attribute-name, property value>is right, is equivalent to the required input parameter of function that k refers to.The output of function is corresponding to the property value of extended attribute node.
(2) key generates the checking that user's extended attribute is responsible at center (PKG)
In the AES based on attribute of former ciphertext strategy; PKG is responsible for the open parameters distribution, the private key systematic function is outer and the function of user property extraction; In this expansion scheme; PKG also is responsible for the arithmetic identifier according to expansion except above function, uses corresponding operation function that the extended attribute that the user provides is carried out dynamic authentication.
(3) form of extended arithmetic function reaches the access control computing of having expanded
The function that extended arithmetic is corresponding has prototype: f: (attrbute_name, attribute_value ...) → Requred Attribute|Empyte String.Wherein function parameter is that one or more < attribute-name, property values>are right, the character string of the return value of function for confirming.
The computing of expansion comprises adaptation function and logical operator.Specific as follows:
A, adaptation function:<,>,≤,>=, in_range, regex_match
B, logical operator: Not
Wherein,<,>,≤and>=be the arithmetic comparison operator; In_range is whether within the specific limits a function of certificate parameter; Regex_match is the regular expression adaptation function, and regular expression uses the reference format of Java regular expression.
The operation function of expansion is concrete to be defined as follows:
(4) decrypt ciphertext and private key acquisition process
Carry out decipherment algorithm and must obtain private key to the access control tree that has expanded in the ciphertext; Its process is following: from the access control tree, extract operation function identifier k; With < the attribute-name that is stored in the virtual leaf node; Property value>right, they and subscriber identity information are sent to key generate the center, key generation center generates corresponding private key and returns to the user;
The process that key generation center generates private key is following: key generation center is identifying user identity at first, and refusal should be asked if authentication is not passed through; After authentication; Key generates the center and confirms corresponding access control operation function according to the arithmetic identifier that the user submits to; Key generates the property set S that the center has from the customer attribute information user then; Move this function and obtain corresponding output, if output is not sky then this extended attribute is added among the property set S; After all extended attributes checkings that the user submits to all are performed, with property set S serve as input operation ciphertext strategy generate private key based on key schedule in the AES of attribute;
Be convenient to expand the new access control computing of interpolation
Because the present invention uses the scope of k<0 to represent extended arithmetic, thus can through agreement new (k operator) to defining new access control spread function, realizes the expansion of access control computing.
The present invention's advantage compared with prior art is: through the expansion of access control tree, realized abundant access control computing, thereby realized flexibly, fine-grained access control function.Simultaneously, this scheme is easy to expansion, adds new access control computing, satisfies specific access control demand.
Description of drawings
Fig. 1 is basic access control tree
Fig. 2 is the access control tree of expansion;
Fig. 3 file encryption flow chart;
Fig. 4 file decryption flow chart;
Fig. 5 private key obtains sequence chart;
Fig. 6 access control tree data format.
Embodiment
With reference to accompanying drawing, embodiments of the invention are carried out detailed explanation below.
The core concept that the present invention mainly comprises: former in access control tree in the encryption attribute system scheme through expanding; The scope of usage threshold value k<0 is represented the access control computing expanded; Realize the access control computing enriched, thereby realize flexibly, fine-grained access control based on AES.
Before description scheme, define following entity and method earlier:
1. key generates center (PKG): be responsible for the extended attribute that issue open parameters, generation private key, leading subscriber attribute information and checking user submit to, it must be believable.
2. the threshold value of establishing node is k, wherein the scope of 0<k<num represent with or and the thresholding computing, the arithmetic identifier of expanding among orientation references the present invention of k≤-1.
3. the number of establishing child node is num, wherein num>k
4. extended attribute checking function false code is following:
The input parameter of function is to be the tabulation of element with < attribute-name, property value >.This function at first extracts the user property collection, verifies then whether the corresponding value of user property satisfies the requirement of corresponding attribute in the function input parameter, returns predefined character string if satisfy, if do not satisfy then return empty string.
5. the function false code (fetch_key) of obtaining private key from PKG is as follows:
The function input parameter is the access control tree.At first, < attribute-name, the property value>that the extended attribute node from the access control tree extracts in operation function identifier and its leaf node is right, sends it to key then and generates the center, obtains private key.
Implementation process of the present invention is following:
1.PKG the execution initialization algorithm generates the open parameters that needs in encryption in the ABE scheme, deciphering and the private key generative process.
2. the user obtains available attribute and access control arithmetic identifier from PKG, formulates access control policy, and access control policy is represented with the form of the access control tree of expansion.
3. carry out the AES in the former scheme of ABE with this access control tree as access control policy, the ABE AES is as shown in Figure 3.The access control tree of the access control tree that wherein embeds for expanding among the present invention.The form of the access control tree of expansion is as shown in Figure 2.
4. after the user obtains ciphertext, must obtain private key before the execution decipherment algorithm to the access control tree that has expanded in the ciphertext.Its process is following: (1) from access control tree, extract operation function identifier k and < attribute-name, the property value>that be stored in the virtual leaf node right, they and subscriber identity information are sent to PKG, PKG execution in step 5, and will be distributed to the user.Its concrete operation process approach is shown in false code 5.Carry out ABE decipherment algorithm as shown in Figure 4 after obtaining private key.
5.PKG process user is obtained the private key request.PKG is identifying user identity at first, and refusal should request if authentication is not passed through.After authentication; PKG confirms corresponding access control operation function according to the arithmetic identifier that the user submits to; PKG moves this function and obtains corresponding output from the property set S that the customer attribute information user has then, if output is not sky then this extended attribute is added among the property set S.After all extended attributes checkings that the user submits to all are performed, with property set S serve as input operation ciphertext strategy based on key schedule in the AES of attribute.The running of access control operation function is shown in algorithm 4:fun.
The maximum difference of algorithm of the present invention and original algorithm is: the encipherment scheme based on attribute of original ciphertext strategy can only realize with or and the thresholding computing; This expansion scheme through access control tree can realize logical operator not sum arithmetic comparison operator>;<;≤,>=, computings such as canonical coupling.This scheme is easy to expansion simultaneously, can add the new computing of expansion.
This algorithm is guaranteeing to have realized fine-grained flexibly access control on the basis that original algorithm is realized visiting based on AES.
What may be obvious that for the person of ordinary skill of the art draws other advantages and modification.Therefore, having more extensively, the present invention of aspect is not limited to shown and described specifying and exemplary embodiment here.Therefore, under situation about not breaking away from, can make various modifications to it by the spirit of claim and the defined general inventive concept of equivalents thereof subsequently and scope.
Claims (1)
1. encryption method that realizes supporting the fine granularity access control, its characteristic is following:
(1) realizes the operator expansion through adding virtual leaf node
Former ciphertext strategy based on access control structure Design in the encryption system of attribute based on the threshold secret sharing system; Its access control structure is an access control tree; Node comprises threshold value k and two attributes of son node number num in the access control tree, wherein 0 < k≤num, and < 0 scope is represented the extended attribute node to use k; K representes arithmetic identifier, corresponding to specific computing or function; The leaf node of extended attribute is that one or more attributes and property value are right; The extended attribute node be equivalent to the ciphertext strategy based on the leaf node in the encryption system of attribute; And < attribute-name; Property value>be equivalent to the required input parameter of function that k refers to, the output of function is corresponding to the property value of extended attribute node;
(2) key generates the checking that center P KG is responsible for user's extended attribute
PKG has the open parameters distribution, private key generates and the function of user's extended attribute extraction, and simultaneously, PKG also is responsible for the arithmetic identifier according to expansion, uses corresponding operation function that the extended attribute that the user provides is carried out dynamic authentication;
(3) form of extended arithmetic function reaches the access control computing of having expanded
The function that extended arithmetic is corresponding has following prototype: f: (attribute_name; Attribute_value ...) → Requred Attribute|Empty String; Wherein function parameter is that one or more < attribute-name, property values>are right, and the return value of function is predefined character string or empty string;
The computing of expansion comprises adaptation function and logical operator, and is specific as follows:
A. adaptation function:<,>,≤,>=, in_range, regex_match;
B. logical operator: Not;
Wherein,, ,≤and>=be the arithmetic comparison operator; In_range is whether within the specific limits a function of certificate parameter; Regex_match is the regular expression adaptation function, and regular expression uses the reference format of Java regular expression;
(4) decrypt ciphertext and private key acquisition process
Carry out decipherment algorithm and must obtain private key to the access control tree that has expanded in the ciphertext; Its process is following: from the access control tree, extract operation token symbol k; With < the attribute-name that is stored in the virtual leaf node; Property value>right, they and subscriber identity information are sent to key generate the center, key generation center generates corresponding private key and returns to the user;
The process that key generation center generates private key is following: key generation center is identifying user identity at first, and refusal should be asked if authentication is not passed through; After authentication; Key generates the center and confirms corresponding access control operation function according to the arithmetic identifier that the user submits to; Key generates the property set S that the center has from the customer attribute information user then; Move this function and obtain corresponding output, if output is not sky then this extended attribute is added among the property set S; After all extended attributes checkings that the user submits to all are performed, with property set S serve as input operation ciphertext strategy generate private key based on key schedule in the AES of attribute.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110193448 CN102244660B (en) | 2011-07-12 | 2011-07-12 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110193448 CN102244660B (en) | 2011-07-12 | 2011-07-12 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102244660A CN102244660A (en) | 2011-11-16 |
| CN102244660B true CN102244660B (en) | 2012-12-12 |
Family
ID=44962495
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201110193448 Expired - Fee Related CN102244660B (en) | 2011-07-12 | 2011-07-12 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102244660B (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103368901A (en) * | 2012-03-27 | 2013-10-23 | 复旦大学 | Cloud computing system based on large-scale discrete data |
| CN102624522B (en) * | 2012-03-30 | 2015-08-19 | 华中科技大学 | A kind of key encryption method based on file attribute |
| CN102945356B (en) * | 2012-12-12 | 2015-11-18 | 上海交通大学 | The access control method of search engine under cloud environment and system |
| CN103391192B (en) * | 2013-07-16 | 2016-09-21 | 国家电网公司 | A kind of based on secret protection across security domain access control system and control method thereof |
| CN104038344B (en) * | 2014-06-19 | 2017-03-22 | 电子科技大学 | Identity authentication method based on regular expression |
| CN104901948B (en) * | 2015-04-15 | 2017-11-10 | 南方电网科学研究院有限责任公司 | Hierarchy attributes encrypted access control system and method are based in intelligent grid |
| CN104993929B (en) * | 2015-05-15 | 2018-05-18 | 西安邮电大学 | A kind of attribute-based encryption system that system property is supported to extend and method |
| CN109347833B (en) * | 2018-10-24 | 2020-05-22 | 中国科学院信息工程研究所 | Access control method and system used in machine learning environment based on attribute encryption |
| CN114826759B (en) * | 2022-05-11 | 2023-10-03 | 贵州大学 | Verifiable fine grain access control inner product function encryption method |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7434256B2 (en) * | 2003-12-18 | 2008-10-07 | Intel Corporation | Security management for wireless clients |
| CN101488847B (en) * | 2008-01-18 | 2011-09-14 | 华为技术有限公司 | Method, apparatus and system for data ciphering |
-
2011
- 2011-07-12 CN CN 201110193448 patent/CN102244660B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN102244660A (en) | 2011-11-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102244660B (en) | Encryption method for realizing support of FGAC (Fine Grained Access Control) | |
| Bird et al. | The kryptoknight family of light-weight protocols for authentication and key distribution | |
| US11880831B2 (en) | Encryption system, encryption key wallet and method | |
| CN105049401B (en) | A kind of safety communicating method based on intelligent vehicle | |
| Förster et al. | PUCA: A pseudonym scheme with user-controlled anonymity for vehicular ad-hoc networks (VANET) | |
| CN105100083B (en) | A kind of secret protection and support user's revocation based on encryption attribute method and system | |
| CN109981641A (en) | A kind of safe distribution subscription system and distribution subscription method based on block chain technology | |
| JP2018182736A (en) | Private and mutually authenticated key exchange | |
| CN107733654B (en) | Intelligent equipment firmware updating and official user certificate distribution method based on combined key | |
| CN106612271A (en) | Encryption and access control method for cloud storage | |
| CN106059752B (en) | A kind of whitepack password encipher-decipher method based on expansion ciphertext | |
| CN105933345A (en) | Verifiable outsourcing attribute-based encryption method based on linear secret sharing | |
| Huang et al. | EABDS: Attribute‐Based Secure Data Sharing with Efficient Revocation in Cloud Computing | |
| CN102013975A (en) | Secret key management method and system | |
| CN114826766B (en) | Block chain cross-chain based security verifiable service providing method and system | |
| CN101938353B (en) | Method for remotely resetting personal identification number (PIN) of key device | |
| CN115426136A (en) | Cross-domain access control method and system based on block chain | |
| Feiri et al. | Efficient and secure storage of private keys for pseudonymous vehicular communication | |
| Almuzaini et al. | Key aggregation cryptosystem and double encryption method for cloud-based intelligent machine learning techniques-based health monitoring systems | |
| CN109743162A (en) | A kind of operated using ideal lattice carries out the matched encryption method of identity attribute | |
| CN114244567B (en) | CP-ABE method for supporting circuit structure in cloud environment | |
| KR101760376B1 (en) | Terminal and method for providing secure messenger service | |
| CN114244509A (en) | Method for carrying out SM2 one-time pad bidirectional authentication unlocking by using mobile terminal | |
| CN106230595B (en) | A kind of authorized agreement of credible platform control module | |
| CN102255724A (en) | Hypergraph-model-based multicast key management method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20121212 Termination date: 20130712 |