CN103152322A - Method of data encryption protection and system thereof - Google Patents

Method of data encryption protection and system thereof Download PDF

Info

Publication number
CN103152322A
CN103152322A CN2013100328859A CN201310032885A CN103152322A CN 103152322 A CN103152322 A CN 103152322A CN 2013100328859 A CN2013100328859 A CN 2013100328859A CN 201310032885 A CN201310032885 A CN 201310032885A CN 103152322 A CN103152322 A CN 103152322A
Authority
CN
China
Prior art keywords
ciphertext
access
user
deciphering
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2013100328859A
Other languages
Chinese (zh)
Inventor
彭志明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN2013100328859A priority Critical patent/CN103152322A/en
Publication of CN103152322A publication Critical patent/CN103152322A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115Third party

Abstract

The invention discloses a method of data encryption protection and a system of the data encryption protection. The method of the data encryption protection comprises the following steps: encrypting a plaintext and a specific access structure so as to obtain a ciphertext, wherein the access structure is used for showing users having the right to decipher the ciphertext; and deciphering the ciphertext to obtain the plaintext and the access structure. By means of the method of the data encryption protection and the system of the data encryption protection, an attribute encryption algorithm of ciphertext-policy attribute-based encryption (CP-ABE) based on a ciphertext strategy is modified, the access structure is encrypted as a part of a message, the problem that the efficiency of encryption information shared in a cloud storage system among multiple users is low can be solved, and not only the safety of the data can be guaranteed, and information shared among the multiple users under low computational overhead and communication overhead can be achieved, but also fine-grained access control of a storage file in the cloud storage system can be achieved.

Description

The protecting data encryption method and system
Technical field
The present invention relates to the communications field, in particular to a kind of protecting data encryption method and system.
Background technology
Cloud computing is as the technological change of a new generation, and its development receives the concern of all trades and professions, along with the development of cloud computing, the cloud storage occurred again thereupon.
The cloud storage is in the conceptive extension of cloud computing (cloud computing) and a development new concept out, refer to by functions such as cluster application, grid or distributed file systems, a large amount of various dissimilar memory devices in network are gathered collaborative work by application software, a system of data storage and Operational Visit function externally is provided jointly.When the core of cloud computing system computing and processing is the store and management of mass data, just need a large amount of memory device of configuration in cloud computing system, so, cloud computing system just is transformed into a cloud storage system.So the cloud storage is a cloud computing system take the data store and management as core.
Cloud storage can more conveniently realize data sharing there is no regional limits, and only needing can connecting Internet, visit data whenever and wherever possible just, just can use cloud storage system.The most representative cloud stores service has Google Drive, Dropbox and Sky Drive now.
Prerequisite several fundamental characteristics in the cloud storage: confidentiality: the cloud storage provider can not be known user's information; Integrality: the user can perceive the information of oneself and illegally be distorted; Feasibility: the user can be anywhere or anytime, the data of access oneself within the effective time; Reliability: effectively back up user's data, prevent the loss of information; But sharing: the user can share with believable user the data of oneself.
When using the cloud stores service, need to consider fail safe, the user profile leakage of data, or incredible third party might sell user data and obtains interests, in order to prevent these situations, adopts cryptographic algorithm to encrypt storage to data and is necessary.When adopting traditional asymmetric cryptographic algorithm to encrypt, the user A encrypted private key user data of oneself, ciphertext is stored on Cloud Server, if user B need to access these data, A must give B with the private key of encrypting so, and B obtains expressly with the private key decrypting ciphertext of A, and B just can check all information after A encrypts like this, comprise that those A do not wish the sensitive information that B sees, can not realize the fine granularity access control.Also namely: use cryptographic algorithm to the data encryption storage in the cloud storage, if the data after the user need to access encryption are arranged, must use decruption key that the data of encrypting are decrypted, his all data after can access decryption so are in the situation that between a plurality of user, data sharing can not be controlled user's access rights.
The another kind of method that solves the cloud storage security is to control the user to the access rights of data in the cloud storage by an access control server, at first to all users in system for various resource allocation of access rights, control the user to the access of data according to user's access rights.The fail safe of this method guarantees by the access control server fully, if the access control server goes wrong, Information Security also can not get any assurance.
Important target of cloud stores service realizes that exactly user data is shared, if the data rivest, shamir, adelman in the cloud storage is encrypted, to give other users with data sharing, at this moment these users must determine, be necessary for each user and increase information in ciphertext, the user obtains encryption key by this segment information deciphering, and this segment information is the session key with deciphering person's public key encryption.Fig. 1 is according to the enciphered data of correlation technique and realizes the schematic flow sheet of data sharing, as shown in Figure 1, traditional encryption and realize that the implementation of information sharing is: select a session key K that plaintext M is encrypted and obtain ciphertext C, and then distinguish encrypted session key K with each user's PKI, send portion for each user the session key K after ciphertext C and encryption, the user obtains session key K with the private key S deciphering of oneself, and then obtains plaintext M with session key K deciphering C.
But between this multi-user of realization, the mode of information sharing has two obvious defectives: at first, the user who shares must determine, and will be with each user's public key encryption session key.Secondly, if shared number of users is larger, additionally needs the message of shared session key just very large, and be linear growth with number of users, cause communication efficiency very low.
For the low problem of enciphered message sharing efficiency between the multi-user in cloud storage system in correlation technique, effective solution is proposed not yet at present.
Summary of the invention
The invention provides a kind of protecting data encryption method and system, to solve at least in correlation technique the low problem of enciphered message sharing efficiency between the multi-user in cloud storage system.
According to an aspect of the present invention, provide a kind of protecting data encryption method, having comprised: the access structure of encrypting plaintext and appointment, obtain ciphertext, wherein, described access structure is used for the user that expression has the described ciphertext of authority deciphering; Decipher described ciphertext, obtain described plaintext and described access structure.
Preferably, decipher described ciphertext and comprise: utilize active user's private key session key, wherein, described session key is used for deciphering described ciphertext; If calculate described session key, utilize the described ciphertext of described session key deciphering.
Preferably, before the described ciphertext of deciphering, described method also comprises: the private key that generates described active user according to the main private key of described active user's property set and system.
Preferably, before the main private key according to described active user's described property set and system generated described active user's private key, described method also comprised: the described active user's of checking property set is true.
Preferably, in the described ciphertext of deciphering, after obtaining described plaintext and described access structure, described method also comprises: encrypt the plaintext after described access structure and described active user edit; The ciphertext that obtains after encrypting is sent to memory preserves.
Preferably, described protecting data encryption method is applied to cloud storage system.
According to a further aspect in the invention, provide a kind of protecting data encryption system, having comprised: encrypting module, be used for the access structure of encrypting plaintext and appointment, obtain ciphertext, wherein, described access structure is used for the user that expression has the described ciphertext of authority deciphering; Deciphering module is used for deciphering described ciphertext, obtains described plaintext and described access structure.
Preferably, described deciphering module comprises: computing unit, and for the private key session key of utilizing the active user, wherein, described session key is used for deciphering described ciphertext; Decrypting device is used for utilizing the described ciphertext of described session key deciphering in the situation that calculate described session key.
Preferably, described system also comprises: the private key generation module is used for generating according to the main private key of described active user's property set and system described active user's private key.
Preferably, described system also comprises: authentication module is used for verifying that described active user's property set is true.
Preferably, described encrypting module is also for the plaintext of encrypting after described access structure and described active user edit; Described system also comprises: sending module, the ciphertext that obtains after being used for encrypting is sent to memory and preserves.
Preferably, described protecting data encryption system applies is in cloud storage system.
By the present invention, improvement is based on encryption attribute (the Ciphertext-Policy Attribute-Based Encryption of ciphertext strategy, referred to as CP-ABE) algorithm, access structure is encrypted together as the part of message, solved the low problem of enciphered message sharing efficiency between the multi-user in the cloud storage system, can guarantee the fail safe of data, also can realize the information sharing between the multi-user under lower computing cost and communication-cost, also realize the fine granularity access control to storage file in cloud storage system.
Description of drawings
Accompanying drawing described herein is used to provide a further understanding of the present invention, consists of the application's a part, and illustrative examples of the present invention and explanation thereof are used for explaining the present invention, do not consist of improper restriction of the present invention.In the accompanying drawings:
Fig. 1 is according to the enciphered data of correlation technique and realizes the schematic flow sheet of data sharing;
Fig. 2 is the flow chart according to the protecting data encryption method of the embodiment of the present invention;
Fig. 3 is the structured flowchart according to the protecting data encryption system of the embodiment of the present invention;
Fig. 4 is the preferred structure block diagram one according to the protecting data encryption system of the embodiment of the present invention;
Fig. 5 is the preferred structure block diagram two according to the protecting data encryption system of the embodiment of the present invention;
Fig. 6 is structure and the workflow schematic diagram thereof of protecting data encryption system according to the preferred embodiment of the invention;
Fig. 7 is the flow chart that private key generates in the protecting data encryption method according to the preferred embodiment of the invention;
Fig. 8 is the schematic diagram of the On Binary Tree Representation of access structure in the protecting data encryption method according to the preferred embodiment of the invention;
Fig. 9 is the flow chart of data encryption according to the preferred embodiment of the invention;
Figure 10 is data deciphering and the flow chart shared according to the preferred embodiment of the invention;
Figure 11 is the general flow chart of protecting data encryption method according to the preferred embodiment of the invention.
Embodiment
Need to prove, in the situation that do not conflict, embodiment and the feature in embodiment in the application can make up mutually.Describe below with reference to the accompanying drawings and in conjunction with the embodiments the present invention in detail.
The embodiment of the present invention provides a kind of protecting data encryption method, and Fig. 2 is the flow chart according to the protecting data encryption method of the embodiment of the present invention, as shown in Figure 2, comprises that following step S202 is to step S204.
Step S202, the access structure of encrypting plaintext and appointment obtains ciphertext, and wherein, access structure is used for expression has authority to decipher the user of this ciphertext.
Step S204 deciphers above-mentioned ciphertext, obtains expressly and access structure.
Pass through above-mentioned steps, improve CP-ABE, access structure is encrypted together as the part of message, solved the low problem of enciphered message sharing efficiency between the multi-user in the cloud storage system, can guarantee the fail safe of data, also can realize the information sharing between the multi-user under lower computing cost and communication-cost, also realize the fine granularity access control to storage file in cloud storage system.
In a preferred implementation, in step S204, decrypting ciphertext comprises: utilize active user's private key session key, wherein, session key is used for decrypting ciphertext; If calculate session key, utilize the session key decrypting ciphertext.
Preferably, before the described ciphertext of deciphering, said method also comprises: the private key that generates the active user according to the main private key of active user's property set and system.
Need to prove, each user has one group of attribute, generate corresponding private key according to user's attribute for each user, specifying an access structure to describe which user when encrypting can decipher and obtain clear-text message, if be the access structure of user's attribute appointment when satisfy encrypting, can decipher and obtain plaintext and access structure, otherwise can not decipher.
In a preferred implementation, before the main private key according to active user's property set and system generates active user's private key, need also to verify whether active user's property set is true.If true, enter the flow process that private key for user generates, if not true, authentication failed, return messages are to the user.This preferred implementation just generates private key in the situation that user's property set is true, can guarantee the accuracy of the private key that generates.
The user of decrypting ciphertext success can edit the plaintext that obtains according to its demand, need to the plaintext after editor be encrypted, and be stored to cloud storage system, so that other users share the data after editing, can realize by following steps: at decrypting ciphertext, after obtaining plaintext and access structure, the plaintext after encrypted access structure and active user edit; The ciphertext that obtains after encrypting is sent to memory preserves.In fact, encryption herein is similarly with the process of encrypting before original plaintext, utilizes same encrypting module to realize.For cloud storage system, the data re-encrypted after editor is kept on the cloud storage server shares for other user.
Preferably, above-mentioned protecting data encryption method can be applied to cloud storage system.
Need to prove; this method is the improvement to the CP-ABE algorithm; improvement is access structure is encrypted together as the part of message; in said method; concrete how to realize encrypting, the generation of deciphering and private key for user all realizes according to the CP-ABE algorithm, is not protecting data encryption method outline of the present invention.
It is structured flowchart according to the protecting data encryption system of the embodiment of the present invention that the embodiment of the present invention also provides a kind of protecting data encryption system, Fig. 3, and as shown in Figure 3, this protecting data encryption system comprises: encrypting module 32 and deciphering module 34.The below is described in detail its structure.
Encrypting module 32, the access structure for encrypting plaintext and appointment obtains ciphertext, and wherein, access structure is used for expression has authority to decipher the user of this ciphertext; Deciphering module 34 is coupled to encrypting module 32, is used for deciphering above-mentioned ciphertext, obtains expressly and access structure.
By above-mentioned protecting data encryption system; improve CP-ABE; encrypting module 12 is encrypted access structure together as the part of message; solved the low problem of enciphered message sharing efficiency between the multi-user in the cloud storage system; can guarantee the fail safe of data; also can realize the information sharing between the multi-user under lower computing cost and communication-cost, also realize the fine granularity access control to storage file in cloud storage system.
As shown in Figure 4, deciphering module 34 comprises: computing unit 342, and for the private key session key of utilizing the active user, wherein, session key is used for decrypting ciphertext; Decrypting device 344 is coupled to computing unit 342, is used for utilizing the session key decrypting ciphertext in the situation that calculate session key.
As shown in Figure 5, said system also comprises: private key generation module 36, be coupled to deciphering module 34, and be used for generating according to the main private key of active user's property set and system active user's private key.
Preferably, said system also comprises: authentication module 38, be coupled to private key generation module 36, and the property set that is used for the checking active user is true.
Preferably, encrypting module 32 also is used for the plaintext after encrypted access structure and active user edit; Said system also comprises: sending module 39(is not shown), be coupled to encrypting module 32, the ciphertext that obtains after being used for encrypting is sent to memory and preserves.
Preferably, above-mentioned protecting data encryption system applies is in cloud storage system.
Need to prove, the protecting data encryption system that device is described in embodiment is corresponding to above-mentioned embodiment of the method, and its concrete implementation procedure had been carried out detailed description in embodiment of the method, do not repeat them here.
In order to make technical scheme of the present invention and implementation method clearer, below in conjunction with preferred embodiment, its implementation procedure is described in detail.
According to the preferred embodiment of the present invention; a kind of protecting data encryption method and system are provided; this system has solved the problem of the encipherment protection enhancing Information Security of data in the cloud storage; guaranteed the confidentiality of data in the cloud storage system; can realize the fine granularity access control again, provide a kind of feasible method for more safely realizing data sharing.Fig. 6 is structure and the workflow schematic diagram thereof of protecting data encryption system according to the preferred embodiment of the invention, and as shown in Figure 6, this system mainly comprises as lower module:
System initialization module 602 is for main private key (Master Key is referred to as MK) and the PKI (Public Key is referred to as PK) of generation system.
Attribute authentication module 604(has realized the function of above-mentioned authentication module 38), be called again attribute authentication center (Attribute Certificate Authority is referred to as ACA), whether the attribute that is used for responsible authentication of users is true.
Private key generation module (Key Produce Group referred to as KPG, has realized the function of above-mentioned private key generation module 36) 606 is used for system master's private key MK and property set S according to input, generates private key SK corresponding to this attribute.
Data encryption module 608(has realized the function of above-mentioned encrypting module 32), be used for the access structure T satisfied according to the PKI PK that inputs, message m, deciphering person's attribute needs B, the output ciphertext.
Data deciphering module 610(has realized the function of above-mentioned deciphering module 34), be used for the private key SK according to input B(being the private key of user B) and ciphertext corresponding to message m satisfy access structure T at the attribute of user B BSituation under, decipher above-mentioned ciphertext, and successful output message m.
Above preferred embodiment has adopted the CP-ABE algorithm to be encrypted storage to data, has both guaranteed the encryption storage of data, can realize the fine granularity access control again, especially in the situation that between the multi-user, data sharing can better the protected data fail safe.Particularly, all the data CP-ABE in Cloud Server (being the data storage server of cloud storage system) encrypt storage, the access structure of having specified the user's who accesses these data attribute to satisfy during encryption, as long as satisfying access structure specified when encrypting, user's attribute just can obtain expressly solving the problem that under the multi-user, data security is shared by decrypting ciphertext.Particularly the data sharing in large user group is than traditional lower communication overhead that has.
More preferably, the workflow of the modules in above preferred embodiment is as follows:
Step 1, the PKI PK of system initialization module 602 generation systems and the master of system private key MK.
Step 2, attribute authentication module 604 be responsible for user's set of properties S is verified, confirms whether the set of properties that the user provides is true.
Step 3, after the set of properties S of attribute authentication module 604 authenticated user is true, send this user's set of properties S to private key generation module 606, the MK that private key generation module 606 uses system initialization module 602 to generate generates private key SK corresponding to this set of properties S and returns to attribute authentication module 604.
Step 4; the access structure T that the attribute that needs the data M of encipherment protection and deciphering person must be satisfied is input to encrypting module 608; then use the PK that system initialization module 602 generates to use the CP-ABE algorithm for encryption to data M and above-mentioned access structure T in encrypting module 608; the ciphertext that obtains after final output is encrypted is stored on Cloud Server.
Step 5, when the user need to access data in cloud storage, need to be to the deciphering module 610 own private keys of input, if the access structure of appointment when the attribute when generating this private key for user satisfies the data M encryption, after deciphering module 610 decrypting ciphertexts obtain expressly, return to the user.In order to realize the data sharing between the multi-user, all right after deciphering is obtained expressly, utilize the access structure in ciphertext again the data encryption after editor to be stored in Cloud Server.Can conveniently realize by the way the data sharing between the multi-user, and more safer than traditional approach, further improve the utilance of communication overhead.
Fig. 7 is the flow chart that private key generates in the protecting data encryption method according to the preferred embodiment of the invention, as shown in Figure 7, can produce the PKI PK of system and the master of system private key MK when system initialization, and MK is synchronized to KPG, and PK is synchronized to data encryption module 608.In the private key product process, comprise the following steps:
Step S702, the user submits to attribute authentication center (being attribute authentication module, attribute authentication center) 604 with property set (being set of properties) S and authenticates, if authentification failure directly returns.
Step S704 is in the situation that 604 pairs of attribute authentication successs of attribute authentication center are issued private key generation module 606 with property set S.
Step S706, private key generation module 606 private key SK corresponding to computation attribute collection S, and SK is returned to attribute authentication center 604.
Step S708, attribute authentication center 604 returns to the user with private key SK.
Because the access structure that need to specify deciphering person's attribute (property set, set of properties) to satisfy when encrypting, access structure can be by an On Binary Tree Representation here.Fig. 8 is the schematic diagram of the On Binary Tree Representation of access structure in the protecting data encryption method according to the preferred embodiment of the invention; as shown in Figure 8; the leaf node of this binary tree represents attribute, and non-leaf node is logical relation, be generally " with " and the logical relation of "or".Access structure shown in Figure 8 can be expressed as a matrix, and is as follows:
M A = 1 1 0 0 0 1 0 0 1 0 1 0 0 0 1 0 1 0 0 1 1 0 0 1 0 0 0 1
If user's property set satisfies this access structure, the row that this property set is corresponding can linear expression vector, for example [1,0,0,0].
Fig. 9 is the flow chart of data encryption according to the preferred embodiment of the invention, as shown in Figure 9, in encryption flow, comprises the following steps:
The access structure T that step S902, user will need the data M of encrypting and deciphering person's attribute to satisfy sends to data encryption module 608.
Step S904, data encryption module 608 uses the CP-ABE algorithm that data M is encrypted, and access structure T also is kept in ciphertext.
Step S906, the encrypt data that data encryption module 608 will obtain after encrypting is sent to Cloud Server.
Step S908, Cloud Server is preserved the encrypt data after encrypting.
Figure 10 is data deciphering and the flow chart shared according to the preferred embodiment of the invention, as shown in figure 10, in deciphering and the flow process shared, comprises the following steps:
Step S1002, the user is to the Cloud Server request content.
Step S1004, Cloud Server return to ciphertext C to the user.
Step S1006, the user issues data deciphering module 610 with oneself private key SK and ciphertext C.
Step S1008, data deciphering module 610 use private key SK decrypting ciphertext C obtain plaintext M and access structure T, and plaintext M and access structure T are returned to the user.
Step S1010, the user reads plaintext M, and can edit plaintext M.
Step S1012 need to edit plaintext M the user, and the data after wishing to edit are kept at Cloud Server and neutralize in the situation that other users share, and plaintext M and access structure T after editing issue data encryption module 608.
Step S1014, data encryption module 608 adopts the CP-ABE algorithm that plaintext M is encrypted.
Step S1016, the data C after data encryption module 608 will be encrypted is kept on Cloud Server.
Figure 11 is the general flow chart of protecting data encryption method according to the preferred embodiment of the invention, and as shown in figure 11, the complete skill scheme with above-mentioned Fig. 7, Fig. 9, flow process shown in Figure 10 combine and just obtained this preferred embodiment repeats no more herein.
Need to prove, can carry out in the computer system such as one group of computer executable instructions in the step shown in the flow chart of accompanying drawing, and, although there is shown logical order in flow process, but in some cases, can carry out step shown or that describe with the order that is different from herein.
In sum; the above embodiment of the present invention or preferred implementation relate to cloud computing, cloud is stored and other need to store data in the application of third-party platform; the fail safe that is stored in so third-party data is proposed a kind of data protection system and corresponding encrypting and decrypting method thereof of cloud storage system; particularly in the incredible situation of third party; this cover system can satisfy confidentiality, the integrality of the sharing of data, access control flexibly and data, prevents loss and harm that information leakage is brought.And can realize multi-user's information sharing under lower communication overhead, then the data laggard edlin of user in obtaining the cloud storage again adopt the CP-ABE algorithm for encryption to be kept at and share to other users in Cloud Server.
The embodiment of the present invention will be stored in the data CP-ABE algorithm for encryption storage on Cloud Server, can realize the fine granularity access control, both guarantee the confidentiality of data, can more safely realize data sharing again.In the above embodiment of the present invention, the PKI that only need to specify an access structure T(rather than user when encrypting), as long as user's attribute can satisfy this access structure, just can decipher and get expressly, re-use access structure T encrypting storing after deciphering in Cloud Server, this has just realized the information sharing under multi-user, and ciphertext storage during the data of preserving, and has guaranteed the confidentiality of information.And be indifferent to concrete which user and can decipher, irrelevant with number of users, ciphertext length is also irrelevant with number of users, and the information security that is particularly suitable under the large user is shared.
obviously, those skilled in the art should be understood that, above-mentioned each module of the present invention or each step can realize with general calculation element, they can concentrate on single calculation element, perhaps be distributed on the network that a plurality of calculation elements form, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in storage device and be carried out by calculation element, perhaps they are made into respectively each integrated circuit modules, perhaps a plurality of modules in them or step being made into the single integrated circuit module realizes.Like this, the present invention is not restricted to any specific hardware and software combination.
The above is only the preferred embodiments of the present invention, is not limited to the present invention, and for a person skilled in the art, the present invention can have various modifications and variations.Within the spirit and principles in the present invention all, any modification of doing, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.

Claims (12)

1. protecting data encryption method is characterized in that comprising:
The access structure of encrypting plaintext and appointment obtains ciphertext, and wherein, described access structure is used for the user that expression has the described ciphertext of authority deciphering;
Decipher described ciphertext, obtain described plaintext and described access structure.
2. method according to claim 1, is characterized in that, deciphers described ciphertext and comprise:
Utilize active user's private key session key, wherein, described session key is used for deciphering described ciphertext;
If calculate described session key, utilize the described ciphertext of described session key deciphering.
3. method according to claim 2, is characterized in that, before the described ciphertext of deciphering, described method also comprises:
Generate described active user's private key according to the main private key of described active user's property set and system.
4. method according to claim 3, is characterized in that, before the main private key according to described active user's described property set and system generated described active user's private key, described method also comprised:
The property set of verifying described active user is true.
5. the described method of any one according to claim 1 to 4, is characterized in that, in the described ciphertext of deciphering, after obtaining described plaintext and described access structure, described method also comprises:
Encrypt the plaintext after described access structure and described active user edit;
The ciphertext that obtains after encrypting is sent to memory preserves.
6. the described method of any one according to claim 1 to 4, is characterized in that, described protecting data encryption method is applied to cloud storage system.
7. protecting data encryption system is characterized in that comprising:
Encrypting module, the access structure for encrypting plaintext and appointment obtains ciphertext, and wherein, described access structure is used for the user that expression has the described ciphertext of authority deciphering;
Deciphering module is used for deciphering described ciphertext, obtains described plaintext and described access structure.
8. system according to claim 7, is characterized in that, described deciphering module comprises:
Computing unit, for the private key session key of utilizing the active user, wherein, described session key is used for deciphering described ciphertext;
Decrypting device is used for utilizing the described ciphertext of described session key deciphering in the situation that calculate described session key.
9. system according to claim 8, is characterized in that, described system also comprises:
The private key generation module is used for generating according to the main private key of described active user's property set and system described active user's private key.
10. system according to claim 9, is characterized in that, described system also comprises:
Authentication module is used for verifying that described active user's property set is true.
11. any one described system according to claim 7 to 10 is characterized in that,
Described encrypting module is also for the plaintext of encrypting after described access structure and described active user edit;
Described system also comprises: sending module, the ciphertext that obtains after being used for encrypting is sent to memory and preserves.
12. any one described system according to claim 7 to 10 is characterized in that described protecting data encryption system applies is in cloud storage system.
CN2013100328859A 2013-01-28 2013-01-28 Method of data encryption protection and system thereof Pending CN103152322A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013100328859A CN103152322A (en) 2013-01-28 2013-01-28 Method of data encryption protection and system thereof

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2013100328859A CN103152322A (en) 2013-01-28 2013-01-28 Method of data encryption protection and system thereof
PCT/CN2013/082486 WO2014114080A1 (en) 2013-01-28 2013-08-28 Method and system for data encryption protection

Publications (1)

Publication Number Publication Date
CN103152322A true CN103152322A (en) 2013-06-12

Family

ID=48550185

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2013100328859A Pending CN103152322A (en) 2013-01-28 2013-01-28 Method of data encryption protection and system thereof

Country Status (2)

Country Link
CN (1) CN103152322A (en)
WO (1) WO2014114080A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014114080A1 (en) * 2013-01-28 2014-07-31 中兴通讯股份有限公司 Method and system for data encryption protection
CN104144056A (en) * 2014-07-10 2014-11-12 北京大学 Self-authorized CP-ABE system and method
CN104639322A (en) * 2013-11-13 2015-05-20 航天信息股份有限公司 Identity-based encryption method with certificates and attributes
CN104935576A (en) * 2015-04-28 2015-09-23 广州大学 Data safe divided storage and assigned user sharing system
CN106131013A (en) * 2016-07-06 2016-11-16 杨炳 A kind of protecting data encryption system
CN103746962B (en) * 2013-12-12 2017-01-25 华南理工大学 GOOSE electric real-time message encryption and decryption method
CN106487763A (en) * 2015-08-31 2017-03-08 腾讯科技(深圳)有限公司 A kind of data access method based on cloud computing platform and user terminal
CN106790273A (en) * 2017-02-17 2017-05-31 深圳市中博睿存信息技术有限公司 The encryption storage method and device of stream medium data in distributed file system
EP3082123A4 (en) * 2013-12-11 2017-06-21 Mitsubishi Electric Corporation File storage system, file storage apparatus, and user terminal
CN108200181A (en) * 2018-01-11 2018-06-22 中国人民解放军战略支援部队信息工程大学 A kind of revocable attribute-based encryption system and method towards cloud storage
CN109951498A (en) * 2019-04-18 2019-06-28 中央财经大学 A kind of block chain access control method and device based on ciphertext policy ABE encryption

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112737785B (en) * 2021-01-06 2021-09-28 江西清能高科技术有限公司 Attribute-based encryption method, system and equipment for complex access policy

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101799853A (en) * 2010-03-05 2010-08-11 中国人民解放军国防科学技术大学 Hierarchical information encryption sharing method
CN102546764A (en) * 2011-12-20 2012-07-04 华中科技大学 Safe access method of cloud storage system
CN102624522A (en) * 2012-03-30 2012-08-01 华中科技大学 Key encryption method based on file attribution
WO2012161417A1 (en) * 2011-05-26 2012-11-29 동국대학교 경주캠퍼스 산학협력단 Method and device for managing the distribution of access rights in a cloud computing environment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152322A (en) * 2013-01-28 2013-06-12 中兴通讯股份有限公司 Method of data encryption protection and system thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101799853A (en) * 2010-03-05 2010-08-11 中国人民解放军国防科学技术大学 Hierarchical information encryption sharing method
WO2012161417A1 (en) * 2011-05-26 2012-11-29 동국대학교 경주캠퍼스 산학협력단 Method and device for managing the distribution of access rights in a cloud computing environment
CN102546764A (en) * 2011-12-20 2012-07-04 华中科技大学 Safe access method of cloud storage system
CN102624522A (en) * 2012-03-30 2012-08-01 华中科技大学 Key encryption method based on file attribution

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014114080A1 (en) * 2013-01-28 2014-07-31 中兴通讯股份有限公司 Method and system for data encryption protection
CN104639322A (en) * 2013-11-13 2015-05-20 航天信息股份有限公司 Identity-based encryption method with certificates and attributes
CN104639322B (en) * 2013-11-13 2018-08-24 航天信息股份有限公司 The method of the Identity-based encryption containing attribute with certificate
CN105830133B (en) * 2013-12-11 2019-03-12 三菱电机株式会社 File safeguard system and user terminal
US10140460B2 (en) 2013-12-11 2018-11-27 Mitsubishi Electric Corporation File storage system and user terminal
EP3082123A4 (en) * 2013-12-11 2017-06-21 Mitsubishi Electric Corporation File storage system, file storage apparatus, and user terminal
CN103746962B (en) * 2013-12-12 2017-01-25 华南理工大学 GOOSE electric real-time message encryption and decryption method
CN104144056B (en) * 2014-07-10 2017-05-17 北京大学 Self-authorized CP-ABE system and method
CN104144056A (en) * 2014-07-10 2014-11-12 北京大学 Self-authorized CP-ABE system and method
CN104935576A (en) * 2015-04-28 2015-09-23 广州大学 Data safe divided storage and assigned user sharing system
CN106487763A (en) * 2015-08-31 2017-03-08 腾讯科技(深圳)有限公司 A kind of data access method based on cloud computing platform and user terminal
CN106487763B (en) * 2015-08-31 2020-01-10 腾讯科技(深圳)有限公司 Data access method based on cloud computing platform and user terminal
CN106131013A (en) * 2016-07-06 2016-11-16 杨炳 A kind of protecting data encryption system
CN106790273A (en) * 2017-02-17 2017-05-31 深圳市中博睿存信息技术有限公司 The encryption storage method and device of stream medium data in distributed file system
CN106790273B (en) * 2017-02-17 2020-08-21 北京同有飞骥科技股份有限公司 Encryption storage method and device for streaming media data in distributed file system
CN108200181A (en) * 2018-01-11 2018-06-22 中国人民解放军战略支援部队信息工程大学 A kind of revocable attribute-based encryption system and method towards cloud storage
CN108200181B (en) * 2018-01-11 2021-03-19 中国人民解放军战略支援部队信息工程大学 Cloud storage oriented revocable attribute-based encryption system and method
CN109951498A (en) * 2019-04-18 2019-06-28 中央财经大学 A kind of block chain access control method and device based on ciphertext policy ABE encryption

Also Published As

Publication number Publication date
WO2014114080A1 (en) 2014-07-31

Similar Documents

Publication Publication Date Title
CN103152322A (en) Method of data encryption protection and system thereof
Zhao et al. Trusted data sharing over untrusted cloud storage providers
Barsoum et al. Enabling dynamic data and indirect mutual trust for cloud computing storage systems
CN102624522B (en) A kind of key encryption method based on file attribute
JP2021083076A (en) Data transmission method, apparatus and system
CN108881314B (en) Privacy protection method and system based on CP-ABE ciphertext under fog computing environment
CN105871538A (en) Quantum key distribution system, quantum key distribution method and device
CN103957109A (en) Cloud data privacy protection security re-encryption method
CN105743646A (en) Encryption method and system based on identity
CN104253694A (en) Encrypting method for network data transmission
KR101615137B1 (en) Data access method based on attributed
CN106650482A (en) Electronic file encryption method and device, electronic file decryption method and device and electronic file encryption and decryption system
CN103414682A (en) Method for cloud storage of data and system
Kaaniche et al. ID based cryptography for cloud data storage
CN109831430A (en) Safely controllable efficient data sharing method and system under a kind of cloud computing environment
CN110855671B (en) Trusted computing method and system
CN101808089A (en) Secret data transmission protection method based on isomorphism of asymmetrical encryption algorithm
CN104901968A (en) Method for managing and distributing secret keys in secure cloud storage system
Kumar et al. Data outsourcing: A threat to confidentiality, integrity, and availability
CN109547413A (en) The access control method of convertible data cloud storage with data source authentication
CN104184736B (en) A kind of method and system realizing secure cloud and calculate
CN106257859A (en) A kind of password using method
Senthil Kumari et al. Key derivation policy for data security and data integrity in cloud computing
Sarhan et al. An Approach to identity management in clouds without trusted third parties
KR101595056B1 (en) System and method for data sharing of intercloud enviroment

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130612

RJ01 Rejection of invention patent application after publication