CN103227789B - The fine-grained access control method of lightweight under a kind of cloud environment - Google Patents


Info

Publication number
CN103227789B
Authority
CN
China
Prior art keywords
data
mirror image
private key
control
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310138434.3A
Other languages
Chinese (zh)
Other versions
CN103227789A (en)
Inventor
彭智勇
程芳权
王书林
宋伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU
Priority to CN201310138434.3A
Publication of CN103227789A
Application granted
Publication of CN103227789B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a lightweight, fine-grained access control method for a cloud storage environment and belongs to the field of secure cloud storage. It comprises the following steps: 1. data upload; 2. data authorization; 3. data access; 4. authorization revocation; 5. data update. The method builds a data mirror layer and an authority control layer, which together realize copy-free data sharing and fine-grained data access control while protecting the security of the data encryption keys.

Description

The fine-grained access control method of lightweight under a kind of cloud environment
Technical field
The invention belongs to the field of secure cloud storage and in particular relates to a lightweight, fine-grained and flexible access control method for private data.
Background technology
Since it was first proposed, cloud computing, as a new network computing model, has attracted great attention from both academia and industry. Cloud storage services have developed rapidly thanks to their good scalability, easy deployment and low cost, and both academia and industry have achieved significant results.
Although cloud storage services have achieved so much in such a short time, the problems encountered during their evolution still constrain their further development. The generally acknowledged bottleneck is data security. Many security techniques exist to guarantee data security, but most of them focus on threats from outside; insider threats from the cloud storage provider itself have not received effective attention.
At present, insider attacks by the cloud storage provider are mainly resisted by local (client-side) encryption and decryption of the data. Although local encryption effectively resists attacks from inside the cloud service provider and from the network, it greatly hampers data sharing among different users. Key agreement mechanisms can solve the sharing of ciphertext data, but they impose a high computational cost on every data authorization, and an authorization cannot be effectively revoked or updated except by re-encrypting the data.
An analysis of current ciphertext access control methods shows the following main problems:
1. Under the premise of guaranteeing data security, there is no effective mechanism for copy-free sharing of ciphertext data.
2. Most current data authorization is based on static roles or attribute assignment and cannot perform flexible, fine-grained authorization per data item.
3. Once authorization has been granted on a ciphertext, especially after the same data has been authorized several times, authorization for that data cannot be effectively revoked. Most current methods re-encrypt the data, which greatly increases the computational cost and forces key changes on the other users who can access the data.
Summary of the invention
To solve the above problems, the invention provides a lightweight, fine-grained access control method under a cloud environment, comprising the following steps:
Step 1: data upload and initialization, implemented as follows:
On the one hand, the data owner locally encrypts the plaintext data to be uploaded with his own public key to obtain the ciphertext data, and then uploads said ciphertext data to the cloud;
On the other hand, according to the data owner's access control requirements, the corresponding authority control node layer is constructed;
Step 2: data authorization, implemented by the following steps:
Step 2.1: determine the data to be authorized; for each data item to be authorized, generate a corresponding data mirror; if said data must be authorized several times, generate several mirrors accordingly; said data owner generates a public/private key pair for each said mirror;
Step 2.2: compute the proxy re-encryption key between said data and its mirror and store it in the cloud;
Step 2.3: session key: for each authorized user, said data owner constructs a session key from his own private key, the public key of said authorized user and the public parameters; said user means either a single user or a group of users;
Step 2.4: encrypt the private key of said mirror with said session key, store the resulting ciphertext in said authority control node, and at the same time update the authorized-user information in said authority control node;
Step 3: data reading:
Said user requests to read some data. The system first judges from said authority control node whether the current user has access to this data. If so, the re-encryption of the mirror of the requested data, together with the encrypted mirror private key from its authority control node, is sent to said user; in a first round of decryption on the client said user obtains said mirror private key, and in a second round uses that private key to decrypt and finally obtain said plaintext data. Otherwise said user's request is refused;
Step 4: authorization revocation:
Revocation is requested for an authorized user. The system judges whether an access path exists between said authorized user and said data; if not, said request is refused. If it exists, the system judges whether said authority control node contains this user's information, and if so:
If said data corresponds to a single mirror, the data mirror is deleted from the cloud directly and its authority control node information is cleared;
If said data corresponds to a single mirror but authorization is revoked only for some of its users, the corresponding user information in the authority control node is cleared first, then a new public/private key pair is generated for the current mirror, the re-encryption key targeting this key pair is generated, its private key is encrypted, and finally the authorized-user information in the authority control node is updated with the encrypted mirror private key;
If said data corresponds to several mirrors and authorization is revoked for all of them, the corresponding mirrors are deleted and the authorized-user information in the authority control node is updated;
If said data corresponds to several mirrors but authorization is revoked only for some users of several mirrors, then for each affected mirror the corresponding user information in the authority control node is cleared first, then a new public/private key pair is generated for the current mirror, the re-encryption key targeting this key pair is generated, its private key is encrypted, and finally the authorized-user information in the authority control node is updated with the encrypted mirror private key;
Otherwise, said request is refused;
Step 5: data update: after some said data in the cloud has been updated,
If its access authorization remains unchanged, no operation is performed;
If some said authorization must be revoked, revocation is performed according to said step 4;
If new access authorization is needed, it is performed according to the data authorization in said step 2.
Preferably, in the authority control node layer constructed in step 1, each said node is assigned the relevant information of the authorized users.
Preferably, said authority control nodes can be dynamically updated as the system runs and authorizations change.
Compared with existing authorization access control, the invention has the following advantages:
1. Through data mirrors, data can be authorized several times without copying, giving lightweight data sharing;
2. Data can be authorized flexibly according to demand. Users can not only be divided into groups but also further divided by role within a group, and temporary users can be granted transient authorization;
3. Authorization is easily revoked. Access rights are withdrawn on demand by adjusting the data mirrors and the values in the authority control nodes.
Brief description of the drawings
Fig. 1: hierarchy diagram of the lightweight, fine-grained data access control supported by the invention.
Fig. 2: flowchart of data upload and initialization of the invention.
Fig. 3: data structure diagram of a fine-grained authority control node in the specific embodiment of the invention.
Fig. 4: flowchart of data authorization of the invention.
Fig. 5: flowchart of data reading of the invention.
Fig. 6: flowchart of authorization revocation of the invention.
Embodiment
The invention is further described below with reference to specific examples and the accompanying drawings.
The invention provides a lightweight, fine-grained access control method under a cloud environment, comprising the following steps:
Step 1: data upload and initialization, implemented as follows:
On the one hand, the data owner locally encrypts the plaintext data to be uploaded with his own public key to obtain the ciphertext data, and then uploads the ciphertext data to the cloud;
On the other hand, according to the data owner's access control requirements, the corresponding authority control node layer is constructed; each node is assigned the relevant information of the authorized users, and the authority control nodes can be dynamically updated as the system runs and authorizations change;
Step 2: data authorization, implemented by the following steps:
Step 2.1: determine the data to be authorized; for each data item to be authorized, generate a corresponding data mirror; if the data must be authorized several times, generate several mirrors accordingly; the data owner generates a public/private key pair for each mirror;
Step 2.2: compute the proxy re-encryption key between the data and its mirror and store it in the cloud;
Step 2.3: session key: for each authorized user, the data owner constructs a session key from his own private key, the authorized user's public key and the public parameters; a user means either a single user or a group of users;
Step 2.4: encrypt the mirror's private key with the session key, store the resulting ciphertext in the authority control node, and at the same time update the authorized-user information in the authority control node;
Step 3: data reading:
A user requests to read some data. The system first judges from the authority control node whether the current user has access to this data. If so, the re-encryption of the mirror of the requested data, together with the encrypted mirror private key from its authority control node, is sent to the user; in a first round of decryption on the client the user obtains the mirror private key, and in a second round uses that private key to decrypt and finally obtain the plaintext data. Otherwise the user's request is refused;
Step 4: authorization revocation:
Revocation is requested for an authorized user. The system judges whether an access path exists between the authorized user and the data; if not, the request is refused. If it exists, the system judges whether the authority control node contains this user's information, and if so:
If the data corresponds to a single mirror, the data mirror is deleted from the cloud directly and its authority control node information is cleared;
If the data corresponds to a single mirror but authorization is revoked only for some of its users, the corresponding user information in the authority control node is cleared first, then a new public/private key pair is generated for the current mirror, the re-encryption key targeting this key pair is generated, its private key is encrypted, and finally the authorized-user information in the authority control node is updated with the encrypted mirror private key;
If the data corresponds to several mirrors and authorization is revoked for all of them, the corresponding mirrors are deleted and the authorized-user information in the authority control node is updated;
If the data corresponds to several mirrors but authorization is revoked only for some users of several mirrors, then for each affected mirror the corresponding user information in the authority control node is cleared first, then a new public/private key pair is generated for the current mirror, the re-encryption key targeting this key pair is generated, its private key is encrypted, and finally the authorized-user information in the authority control node is updated with the encrypted mirror private key;
Otherwise, the request is refused;
Step 5: data update: after some data in the cloud has been updated,
If its access authorization remains unchanged, no operation is performed;
If some authorization must be revoked, revocation is performed according to step 4;
If new access authorization is needed, it is performed according to the data authorization in step 2.
Referring to Fig. 1, the hierarchy of the lightweight, fine-grained data access control supported by the invention comprises a physical layer, a data mirror layer, an authority control layer and a user layer.
Referring to Fig. 2, the flowchart of data submission and initialization: the data owner first encrypts the data f1 ~ f6 locally with his own public key; specifically, the asymmetric RSA algorithm is used here. First, the system parameters SP := {p, q, n} are determined from the system's security parameter λ, where n = pq and p, q are two large primes satisfying the security parameter λ. When a user registers, the system assigns each user a public/private key pair (ek, dk) = (<e, n>, <d, n>), where e is selected at random and the corresponding d is then computed from e; <e, n> is the public key and <d, n> the private key. If the plaintext is m, the ciphertext after encryption is c = m^e mod n.
The encrypted data are then uploaded to the cloud. Access rights are divided according to the system requirements, i.e. the authority control nodes in the authority control layer of Fig. 1 are constructed. Fig. 3 shows the concrete data structure of an authority control node, which records the authorization information of the associated users. As the system runs and authorizations change, the authority control nodes can be dynamically updated, thereby achieving fine-grained data access control.
Referring to Fig. 4, the data authorization flowchart, taking the authorization of data f1 to U1 and U3 as an example. First the data owner determines that the data to authorize is f1; the system generates a corresponding mirror for f1, and the data owner generates a public/private key pair (ek1, dk1) for each mirror. Once generation is complete, the mirror corresponding to f1 exists in the data mirror layer of Fig. 1, and the proxy re-encryption key from f1 to its mirror is computed as follows: let the user's key pair be (eu_i, du_i) = (<eu_i, n>, <du_i, n>) and the corresponding mirror's key pair be (eu_j, du_j) = (<eu_j, n>, <du_j, n>); the corresponding re-encryption key rk_{i-j} is computed from them and uploaded to the cloud, where it is stored in the mirror node. Then the public keys eu_1 and eu_3 of the authorized users U1 and U3 are used as session keys to encrypt the mirror private key du_j, specifically c_{eu_1} = (du_j)^{eu_1} mod n and c_{eu_3} = (du_j)^{eu_3} mod n, and the encrypted private keys are stored in the corresponding authority control node.
Referring to Fig. 5, the data reading flowchart: user U1 first sends a request to access data f1. The system judges whether an access path exists between U1 and f1; if so, it looks up the authority control node on the current path and judges whether U1 holds authorization for f1. If so, the cloud re-encrypts data f1 with the re-encryption key held in the mirror, obtaining F1, and sends F1 together with the encrypted private key c_{eu_1} for U1 from the authority control node to user U1. U1 first decrypts the ciphertext of the mirror private key with his own private key, then decrypts F1 with the recovered mirror private key du_j to obtain the plaintext f1. Otherwise access is denied.
Referring to Fig. 6, the detailed flowchart of authorization revocation. Taking Fig. 1 as reference, to revoke the authorization of f1 for U1 we first clear the authorization information of U1 in the authority control node on the path from f1 to U1, then generate a new public/private key pair for the mirror of f1 and compute a new proxy re-encryption key with it; finally the new mirror private key is encrypted with the session keys computed by the data owner and the remaining authorized users, and the information of the other users in the authority control node is updated. The revocation for U1 is then complete, with no effect on the other users. To revoke the authorization of f7 for U8, we delete the mirror corresponding to f7 and clear the corresponding authorization information of U8 in the authority control node on that path.
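To make the authorization, reading and revocation steps above concrete, the following Python model is an added example and not code from the patent or from Wuhan University. It implements steps 1 to 4 with textbook RSA on a single shared modulus n = pq, as in the Fig. 2 description, using tiny constructed primes. The page does not give the formula for the re-encryption key, so the model assumes rk from i to j = du_i · eu_j mod φ(n), which turns a ciphertext under the owner's key into one under the mirror key. The session key is taken to be the authorized user's public key, as in the Fig. 4 example (c_{eu_1} = (du_j)^{eu_1} mod n). The class names Cloud, Owner and User, the function names and the plaintext values are mine.

```python
from math import gcd
import random

P, Q = 61, 53                   # constructed toy primes; a real system uses large p, q
N = P * Q                       # shared system modulus n from SP = {p, q, n}
PHI = (P - 1) * (Q - 1)         # phi(n), used to invert exponents

def keygen(rng):
    """Return an RSA pair (e, d) on the shared modulus with d = e^-1 mod phi(n)."""
    while True:
        e = rng.randrange(3, PHI)
        if gcd(e, PHI) == 1:
            return e, pow(e, -1, PHI)

class Cloud:
    """Provider side: ciphertexts, mirrors (holding rk) and authority control nodes."""
    def __init__(self):
        self.data = {}      # data_id -> ciphertext under the owner's public key
        self.mirrors = {}   # data_id -> {"rk": re-encryption key, "node": {user: enc(du_j)}}

    def read(self, user, data_id):
        """Step 3, server side: check the node, re-encrypt for the mirror, return both parts."""
        mirror = self.mirrors.get(data_id)
        if mirror is None or user not in mirror["node"]:
            return None                                   # no access path / no user entry
        F = pow(self.data[data_id], mirror["rk"], N)      # ciphertext now under eu_j
        return F, mirror["node"][user]

class Owner:
    def __init__(self, rng, cloud, directory):
        self.rng, self.cloud, self.directory = rng, cloud, directory  # directory: user -> eu
        self.e, self.d = keygen(rng)

    def upload(self, data_id, m):
        """Step 1: encrypt locally under the owner's own public key, push only ciphertext."""
        self.cloud.data[data_id] = pow(m, self.e, N)

    def authorize(self, data_id, users):
        """Step 2: a mirror with a fresh key pair, rk, and an authority node for its users."""
        ej, dj = keygen(self.rng)                          # mirror key pair (eu_j, du_j)
        # ASSUMPTION (formula not given on the page): rk = du_i * eu_j mod phi(n), so that
        # c^rk = m^(e_i d_i e_j) = m^(e_j) mod n, i.e. a ciphertext for the mirror key.
        rk = (self.d * ej) % PHI
        # Steps 2.3/2.4: session key = the user's public key, as in the Fig. 4 example
        node = {u: pow(dj, self.directory[u], N) for u in users}
        self.cloud.mirrors[data_id] = {"rk": rk, "node": node}

    def revoke(self, data_id, user):
        """Step 4: drop the user; if others remain, re-key the mirror so the old du_j is useless."""
        mirror = self.cloud.mirrors.get(data_id)
        if mirror is None or user not in mirror["node"]:
            return False                                   # no access path: refuse
        remaining = set(mirror["node"]) - {user}
        if remaining:
            self.authorize(data_id, remaining)             # new pair, new rk, new node entries
        else:
            del self.cloud.mirrors[data_id]                # sole user: delete the mirror outright
        return True

class User:
    def __init__(self, rng, name):
        self.name = name
        self.e, self.d = keygen(rng)

    def read(self, cloud, data_id):
        """Step 3, client side: round 1 recovers du_j, round 2 decrypts the mirror ciphertext."""
        reply = cloud.read(self.name, data_id)
        if reply is None:
            return None
        F, c_user = reply
        dj = pow(c_user, self.d, N)
        return pow(F, dj, N)

def demo_partial_revoke():
    """f1 shared with U1 and U3, then U1 revoked: U3 keeps access, U1 and U2 have none."""
    rng, cloud = random.Random(7), Cloud()                 # fixed seed: reproducible run
    users = {n: User(rng, n) for n in ("U1", "U2", "U3")}
    owner = Owner(rng, cloud, {n: u.e for n, u in users.items()})
    owner.upload("f1", 1234)                                # constructed plaintext, < n
    owner.authorize("f1", ["U1", "U3"])
    before = {n: u.read(cloud, "f1") for n, u in users.items()}
    owner.revoke("f1", "U1")
    after = {n: u.read(cloud, "f1") for n, u in users.items()}
    return before, after

def demo_sole_user():
    """Revoking the only authorized user deletes the mirror itself (the f7 / U8 case)."""
    rng, cloud = random.Random(3), Cloud()
    u8 = User(rng, "U8")
    owner = Owner(rng, cloud, {"U8": u8.e})
    owner.upload("f7", 1729)
    owner.authorize("f7", ["U8"])
    first = u8.read(cloud, "f7")
    owner.revoke("f7", "U8")
    return first, "f7" in cloud.mirrors, u8.read(cloud, "f7")
```

demo_partial_revoke() reproduces the Fig. 6 case: after U1 is revoked the mirror of f1 gets a new key pair and a new rk, so U3 still recovers 1234 while U1 and U2 get nothing, and the ciphertext of f1 itself is never re-encrypted or copied. demo_sole_user() reproduces the f7/U8 case, where the mirror is deleted outright. Note that the cloud only ever holds ciphertext, rk and the encrypted mirror private keys; the owner's private key and each user's private key stay on the client.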
The above is a further description of the invention in conjunction with a preferred embodiment; it cannot be asserted that the specific implementation of the invention is limited to these explanations. Those skilled in the art should appreciate that various modifications in detail may be made without departing from the scope defined by the appended claims, and all of them should be considered to fall within the protection scope of the invention.

Claims (3)

1. A lightweight, fine-grained access control method under a cloud environment, characterized in that it comprises the following steps:
Step 1: data upload and initialization, implemented as follows:
On the one hand, the data owner locally encrypts the plaintext data to be uploaded with his own public key to obtain the ciphertext data, and then uploads said ciphertext data to the cloud;
On the other hand, according to the data owner's access control requirements, the corresponding authority control node layer is constructed;
Step 2: data authorization, implemented by the following steps:
Step 2.1: determine the data to be authorized; for each data item to be authorized, generate a corresponding data mirror; if said data must be authorized several times, generate several mirrors accordingly; said data owner generates a public/private key pair for each said mirror;
Step 2.2: compute the proxy re-encryption key between said data and its mirror and store it in the cloud;
Step 2.3: session key: for each authorized user, said data owner constructs a session key from his own private key, the public key of said authorized user and the public parameters; said user means either a single user or a group of users;
Step 2.4: encrypt the private key of said mirror with said session key, store the resulting ciphertext in said authority control node, and at the same time update the authorized-user information in said authority control node;
Step 3: data reading:
Said user requests to read some data. The system first judges from said authority control node whether the current user has access to this data. If so, the re-encryption of the mirror of the requested data, together with the encrypted mirror private key from its authority control node, is sent to said user; in a first round of decryption on the client said user obtains said mirror private key, and in a second round uses that private key to decrypt and finally obtain said plaintext data. Otherwise said user's request is refused;
Step 4: authorization revocation:
Revocation is requested for an authorized user. The system judges whether an access path exists between said authorized user and said data; if not, said request is refused. If it exists, the system judges whether said authority control node contains this user's information, and if so:
If said data corresponds to a single mirror, the data mirror is deleted from the cloud directly and its authority control node information is cleared;
If said data corresponds to a single mirror but authorization is revoked only for some of its users, the corresponding user information in the authority control node is cleared first, then a new public/private key pair is generated for the current mirror, the re-encryption key targeting this key pair is generated, its private key is encrypted, and finally the authorized-user information in the authority control node is updated with the encrypted mirror private key;
If said data corresponds to several mirrors and authorization is revoked for all of them, the corresponding mirrors are deleted and the authorized-user information in the authority control node is updated;
If said data corresponds to several mirrors but authorization is revoked only for some users of several mirrors, then for each affected mirror the corresponding user information in the authority control node is cleared first, then a new public/private key pair is generated for the current mirror, the re-encryption key targeting this key pair is generated, its private key is encrypted, and finally the authorized-user information in the authority control node is updated with the encrypted mirror private key;
Otherwise, said request is refused;
Step 5: data update: after some said data in the cloud has been updated,
If its access authorization remains unchanged, no operation is performed;
If some said authorization must be revoked, revocation is performed according to said step 4;
If new access authorization is needed, it is performed according to the data authorization in said step 2.
2. The lightweight, fine-grained access control method under a cloud environment according to claim 1, characterized in that: in the authority control node layer constructed in step 1, each said node is assigned the relevant information of the authorized users.
3. The lightweight, fine-grained access control method under a cloud environment according to claim 1, characterized in that: said authority control nodes can be dynamically updated as the system runs and authorizations change.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310138434.3A CN103227789B (en) 2013-04-19 2013-04-19 The fine-grained access control method of lightweight under a kind of cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310138434.3A CN103227789B (en) 2013-04-19 2013-04-19 The fine-grained access control method of lightweight under a kind of cloud environment

Publications (2)

Publication Number Publication Date
CN103227789A CN103227789A (en) 2013-07-31
CN103227789B true CN103227789B (en) 2015-09-16

Family

ID=48838050

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310138434.3A Active CN103227789B (en) 2013-04-19 2013-04-19 The fine-grained access control method of lightweight under a kind of cloud environment

Country Status (1)

Country Link
CN (1) CN103227789B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980477B (en) * 2014-04-14 2019-07-09 航天信息股份有限公司 Data access control method and system under cloud storage environment
CN104009987B (en) * 2014-05-21 2017-02-22 南京邮电大学 Fine-grained cloud platform security access control method based on user identity capacity
CN105072180B (en) * 2015-08-06 2018-02-09 武汉科技大学 A kind of cloud storage data safety sharing method for having permission time control
CN106610839B (en) * 2015-10-21 2020-10-30 阿里巴巴集团控股有限公司 Method for issuing upgrade package, lightweight upgrade method, device and system
CN106788988B (en) * 2016-11-28 2019-09-17 暨南大学 Voidable key polymerize encryption method under cloud environment
CN107370595A (en) * 2017-06-06 2017-11-21 福建中经汇通有限责任公司 One kind is based on fine-grained ciphertext access control method
CN107659567A (en) * 2017-09-19 2018-02-02 北京许继电气有限公司 The ciphertext access control method and system of fine granularity lightweight based on public key cryptosyst
CN109614779A (en) * 2018-12-28 2019-04-12 北京航天数据股份有限公司 A kind of secure data operation method, device, equipment and medium
CN111083140A (en) * 2019-12-13 2020-04-28 北京网聘咨询有限公司 Data sharing method under hybrid cloud environment
CN111190738B (en) * 2019-12-31 2023-09-08 北京仁科互动网络技术有限公司 User mirroring method, device and system under multi-tenant system
KR20240078135A (en) * 2022-11-25 2024-06-03 국민대학교산학협력단 Cloud data acquisition device and method through dpapi-based data regeneration

Citations (1)

Publication number Priority date Publication date Assignee Title
CN102739689A (en) * 2012-07-16 2012-10-17 四川师范大学 File data transmission device and method used for cloud storage system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8745384B2 (en) * 2011-08-11 2014-06-03 Cisco Technology, Inc. Security management in a group based environment

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN102739689A (en) * 2012-07-16 2012-10-17 四川师范大学 File data transmission device and method used for cloud storage system

Non-Patent Citations (1)

Title
"A fine-grained data access control algorithm under cloud computing"; Han Dezhi et al.; Journal of Huazhong University of Science and Technology; 2012-12-15; vol. 40; pp. 1-4 *

Also Published As

Publication number Publication date
CN103227789A (en) 2013-07-31

Similar Documents

Publication Publication Date Title
CN103227789B (en) The fine-grained access control method of lightweight under a kind of cloud environment
CN110099043B (en) Multi-authorization-center access control method supporting policy hiding and cloud storage system
CN108390876B (en) Multi-authorization-center access control method capable of supporting outsourcing revocation and verification and cloud server
Ma et al. Attribute-based secure announcement sharing among vehicles using blockchain
WO2018045568A1 (en) Access control method oriented to cloud storage service platform and system thereof
CN103179114B (en) Data fine-grained access control method during a kind of cloud stores
CN108600171B (en) Cloud data deterministic deletion method supporting fine-grained access
CN104009987B (en) Fine-grained cloud platform security access control method based on user identity capacity
CN102655508B (en) Method for protecting privacy data of users in cloud environment
WO2016197770A1 (en) Access control system and access control method thereof for cloud storage service platform
CN108810004A (en) More authorization center access control methods, cloud storage system can be revoked based on agency
EP3831013A1 (en) System and method to protect data privacy of lightweight devices using blockchain and multi-party computation
WO2016106752A1 (en) Shared data access control method, device and system
CN114039790B (en) Fine-grained cloud storage security access control method based on blockchain
CN115242555A (en) Supervisable cross-chain private data sharing method and device
CN108111540A (en) The hierarchical access control system and method for data sharing are supported in a kind of cloud storage
CN108632385B (en) Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure
WO2017061950A1 (en) Data security system and method for operation thereof
Yan et al. Controlling cloud data access based on reputation
CN109617855B (en) File sharing method, device, equipment and medium based on CP-ABE layered access control
CN104901968A (en) Method for managing and distributing secret keys in secure cloud storage system
Tu et al. A secure, efficient and verifiable multimedia data sharing scheme in fog networking system
CN110933052A (en) Encryption and policy updating method based on time domain in edge environment
CN110611571A (en) Revocable access control method of smart grid system based on fog
CN106603544A (en) Data storage and cloud control method capable of lightweight auditing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant