CN103327002A - Cloud storage access control system based on attribute - Google Patents


Info

Publication number: CN103327002A
Authority: CN (China)
Prior art keywords: user, access control, module, attribute, token
Legal status: Granted
Application number: CN2013100716642A
Other languages: Chinese (zh)
Other versions: CN103327002B (en)
Inventors: 李辰楠, 马建峰, 王蕾, 马卓, 牛德华
Current assignee: Xidian University
Original assignee: Xidian University
Priority date: 2013-03-06
Filing date: 2013-03-06
Publication date:

Events: application filed by Xidian University; priority to CN201310071664.2A (CN103327002B); publication of CN103327002A; application granted; publication of CN103327002B; legal status: active.

Classification: Storage Device Security (AREA)

Abstract

The invention provides an attribute-based cloud storage access control system. The system comprises a security token unit (1), a subject information management unit (2), an access control unit (3), an attribute-based encryption/decryption unit (4) and a cloud storage unit (5). The security token unit (1) performs identity authentication, token issuance and token verification. The subject information management unit (2) generates user private keys and stores user attribute information, user private keys, and symmetric keys that have been encrypted under an access control policy. The access control unit (3) performs attribute-based access control and lets users specify their own access control policies. The attribute-based encryption/decryption unit (4) encrypts and decrypts files, and uses the access control policy and the user private key to encrypt and decrypt the symmetric keys. The cloud storage unit (5) stores plaintext and ciphertext. The system is fine-grained, real-time, dynamic, extensible and secure, and can be used to implement access control in a cloud storage environment.

Description

Attribute-based cloud storage access control system
Technical field
The invention belongs to the field of network and information security technology and relates to data access control technology. Specifically, it is a cloud storage access control system that introduces attribute-based encryption under the XACML framework, providing access control for data while guaranteeing the confidentiality of the data.
Background technology
Cloud storage is an emerging cloud service that has appeared over the past two years. Users can access the Internet anytime and anywhere from a hand-held mobile terminal or a PC and reach their personal files very efficiently, so cloud storage has been widely supported and adopted. Alongside this ease of use, however, cloud storage has raised wide concern among users about data security and privacy protection. In 2009 Amazon, Google, LinkUp and many other well-known cloud storage service providers suffered security and privacy leakage incidents involving user data, with serious consequences; Sony's 2011 "leak gate" again sounded the alarm for cloud storage security. The 2012 Chinese cloud computing security survey report shows that 79% of users are still unwilling to store sensitive data in a cloud environment. Security risks have become a major obstacle to the wide adoption of cloud storage, and how to protect user privacy and the confidentiality of sensitive data has become the primary security problem that cloud storage urgently needs to solve.
Attribute-based cryptography has been studied since 2005. It extends the concept of identity in traditional identity-based cryptography by treating an identity as a set of attributes. The American scholars Sahai and Waters were the first to propose fuzzy identity-based encryption, in which biometric features are used directly as the identity information of an identity-based encryption scheme, and Sahai introduced the concept of attributes in that paper. In 2007 Bethencourt et al. proposed ciphertext-policy attribute-based encryption (CP-ABE, Ciphertext-Policy Attribute-Based Encryption). In this scheme a user's identity is represented as a set of attributes and the encrypted data is associated with an access control structure; whether a user can decrypt depends on whether the attribute set corresponding to the user's identity matches the access control structure associated with the ciphertext.
An attribute-based access control system built on the above ciphertext-policy cryptosystem can provide data encryption combined with an attribute-based access control policy. In practice, however, not all data needs to be stored encrypted; when the data volume is very large, encrypting and decrypting the data directly is expensive and the performance of the access control system is low. Existing ciphertext-policy attribute-based access control solutions therefore cannot provide fine-grained, dynamic, extensible and efficient access control while guaranteeing the security of user data and privacy.
XACML (eXtensible Access Control Markup Language) is a policy description and access control language proposed by OASIS (Organization for the Advancement of Structured Information Standards). An access control system framework implemented on XACML and applied to web services can provide fine-grained, dynamic, extensible and efficient ABAC (Attribute Based Access Control), but it cannot provide encryption protection for the privacy of user data.
Summary of the invention
The object of the invention is to address the deficiencies of the above prior art by proposing an attribute-based cloud storage access control system that not only provides fine-grained, dynamic, extensible and efficient secure access control for sensitive and non-sensitive data, but also guarantees the confidentiality of sensitive data.
The technical solution of the invention is achieved as follows:
One. Technical principle
The invention combines ciphertext-policy ABAC with ABAC implemented through XACML, and realizes access control over both plaintext and ciphertext by sharing the attribute set and the policy set. Because the core of both ABAC realizations is the entity attribute set and the policy set, the two are easy to combine into a cloud storage access control system. The invention uses the XACML-based ABAC mechanism to control access to all requests for plaintext or encrypted data, and uses the ciphertext-policy ABAC mechanism to control acquisition of the symmetric key of sensitive data: only a user who satisfies the corresponding attributes in the access control policy can decrypt the encrypted symmetric key and then obtain the plaintext. This prevents leakage of the symmetric key and thereby improves the security of sensitive data.
Two. System composition
According to the above principle, the attribute-based cloud storage access control system of the invention comprises: security token unit 1, subject information management unit 2, access control unit 3, attribute-based encryption/decryption unit 4 and cloud storage unit 5, and is characterized in that:
The subject information management unit 2 is used to generate user private keys and to store and manage user attribute information, user private keys, and symmetric keys encrypted under access control policies;
The access control unit 3 comprises:
Token extraction and authentication module 31, used to extract the token from the user's request and verify it with the security token unit 1; if token verification succeeds, it sends the obtained user identity information and the user's request to the access decision module 32; if token verification fails, it sends a token verification failure response to the user;
Access decision module 32, which retrieves the user's attribute information from the subject information management unit 2 according to the user identity information obtained from the token extraction and authentication module 31; searches the policy storage module 35 according to the resource to be accessed in the user's request obtained from the token extraction and authentication module 31, obtaining the access control policy information for the corresponding resource; grants access if the user attributes satisfy the access control policy and denies it otherwise; and calls the decision execution module 33 with the decision result, the user request information and the user identity information as parameters;
Decision execution module 33, used to perform three functions according to the decision result and request information from the access decision module 32 and the structured access control policy in the request information: reading and writing data, calling the attribute-based encryption/decryption unit 4 to encrypt and decrypt data, and calling the policy generation module 34 to generate an access control policy file;
Policy generation module 34, used to convert the structured access control policy in the request information, given as a grouped text string, into an access control policy file described in the eXtensible Access Control Markup Language XACML, and to store it in the policy storage module 35;
Policy storage module 35, used to store access control policy files;
The attribute-based encryption/decryption unit 4 comprises:
Symmetric encryption/decryption module 41, used to generate the symmetric key, encrypt plaintext with the symmetric key, and decrypt ciphertext;
Attribute-based encryption module 42, which runs the CP-ABE encryption algorithm on the symmetric key according to the structured access control policy in the request, obtains the symmetric key encrypted under the access control policy, and stores it in the subject information management unit 2;
Attribute-based decryption module 43, which searches the subject information management unit 2 according to the user identity information, obtains the user private key and the policy-encrypted symmetric key, and runs the CP-ABE decryption algorithm with the user's private key on the policy-encrypted symmetric key to recover the symmetric key;
The cloud storage unit 5 is used to store ciphertext encrypted by the attribute-based encryption/decryption unit 4 or unencrypted plaintext stored directly by the access control unit 3, and marks in the file index information whether each file has been encrypted.
In the above attribute-based cloud storage access control system, the decision execution module 33 comprises:
Execution judgment module 331, used to decide, according to the decision result, the user request information and the user identity information, whether to call the file upload/download module 332, the policy generation module 34 and the attribute-based encryption/decryption unit 4, and to return a response to the user. When the decision result is to grant access, it calls the file upload/download module 332 to upload or download the file and returns an authorization response to the user; if access is not granted, it returns an unauthorized response to the user. When the request information contains a structured access control policy, it calls the policy generation module 34 to generate the access control policy file. When the user request is a file upload request that specifies encryption, it calls the attribute-based encryption/decryption unit 4 to encrypt the uploaded file. When the user request is a file download request and the requested file is an encrypted file, it calls the attribute-based encryption/decryption unit 4 to decrypt the downloaded file;
File upload/download module 332, used to receive user files, write files to the cloud storage unit 5, read files from the cloud storage unit 5, and send files to the user.
In the above attribute-based cloud storage access control system, the security token unit 1 comprises:
Authentication module 11, used to authenticate the identity information in the authentication request sent by the user and to issue an access token to a user who authenticates successfully; this identity information consists of a user name and password, or an identity certificate from a third-party authentication;
Token verification module 12, used to respond to the token verification request sent by the access control unit 3; if verification succeeds it returns the token owner's information, and if it fails it returns a token verification failure response.
In the above attribute-based cloud storage access control system, the subject information management unit 2 comprises:
User private key generation module 21, which uses the attribute-based cryptographic algorithm CP-ABE to generate a user private key according to the user attributes in the subject information storage module 23 and stores it in the subject information storage module 23;
Attribute monitoring module 22, used to monitor changes of user attribute values in the subject information storage module 23 and, if a user attribute changes, to call the user private key generation module 21 to update the user private key;
Subject information storage module 23, used to store user attribute information, user private keys, and symmetric keys encrypted under access control policies.
The invention has the following advantages:
1) The invention is a cloud security access control system that integrates token authentication, attribute-based access control and attribute-based encryption/decryption; it is a complete system for protecting user data in the cloud environment;
2) Because the invention combines ciphertext-policy ABAC with ABAC implemented through XACML, user attribute information and policy information are shared, only users who satisfy the access control policy can decrypt and obtain the symmetric key and finally decrypt the ciphertext, and access control is linked with encrypted storage, which increases the difficulty for an intruder to obtain a user's stored information;
3) Because the invention uses the user's attribute information when performing access control, it realizes attribute-based access control, which has the advantages of fine granularity, real-time operation, dynamism and extensibility compared with traditional role-based access control, and is well suited to deployment in large-scale distributed environments;
4) Because the invention can control access to user data through an access control policy specified in the user's access request information, it realizes user-specified access control policies; the user-specified policy is used not only to generate the access control policy file but also to encrypt the symmetric key, so users can customize both the access control policy and the encryption policy, which increases the flexibility and ease of use of the system while protecting private data;
5) Because the user can specify in the access request information whether the data needs to be encrypted, the invention realizes user-specified data encryption, satisfies the different security requirements of different users for sensitive and non-sensitive data, and is convenient for commercial customization;
6) Because each service unit is independent, each unit can provide its service separately or cooperate with other security systems; the system is easy to configure and deploy, secure, flexible and fast, and provides reliable secure access control and encrypted storage guarantees in a cloud environment.
Description of drawings
Fig. 1 is the overall structure diagram of the system of the invention;
Fig. 2 is the structure diagram of the security token unit of the invention;
Fig. 3 is the structure diagram of the subject information management unit of the invention;
Fig. 4 is the structure diagram of the access control unit of the invention;
Fig. 5 is the structure diagram of the decision execution module of the invention;
Fig. 6 is the structure diagram of the attribute-based encryption/decryption unit of the invention.
Embodiment
The invention is described in further detail with reference to the drawings:
Referring to Fig. 1, the invention comprises five units: security token unit 1, subject information management unit 2, access control unit 3, attribute-based encryption/decryption unit 4 and cloud storage unit 5. Wherein:
Security token unit 1: first, it receives the identity authentication request sent by the user; if user authentication succeeds it returns a token response to the user, otherwise it returns an authentication failure response to the user. Second, it receives the token verification request of the access control unit 3; if the token is valid it sends the user identity information corresponding to the token to the access control unit 3, and if the token is invalid it sends a token verification failure response to the access control unit 3.
Subject information management unit 2 provides user attribute information to the access control unit 3, and provides the user private key and the policy-encrypted symmetric key to the attribute-based encryption/decryption unit 4.
Access control unit 3 receives the user access request and verifies the user's token with the security token unit 1; if token verification fails it sends a token verification failure response to the user, and if it succeeds it obtains the user identity information from the security token unit 1. It then retrieves the user attribute information from the subject information management unit 2 using the user identity information. According to the user attribute information and the access control policy found in the access control unit for the target of the access request, it decides whether to authorize the access request; if authorized, it sends an authorization response to the user and performs the authorized operations, which include generating an access control policy, calling the attribute-based encryption/decryption unit 4 to encrypt or decrypt data, and uploading the user file to or downloading it from the cloud storage unit 5.
Attribute-based encryption/decryption unit 4 encrypts the user's file when an uploaded file needs to be encrypted, and decrypts the user's file when a downloaded file needs to be decrypted.
Cloud storage unit 5 stores the plaintext or ciphertext sent by the access control unit 3.
The structures and working principles of the above five units are as follows:
Referring to Fig. 2, the security token unit 1 comprises: authentication module 11 and token verification module 12. Wherein: authentication module 11, when a user sends an identity authentication request to the security token unit 1, authenticates the user by the user name and password or the third-party certificate in the authentication request; if authentication succeeds it issues a token to the user, and if authentication fails it returns an authentication failure response. Token verification module 12, when the access control unit 3 sends a token verification request to the security token unit 1, checks whether the token is valid; if valid it returns the token owner information, and if invalid it returns a token verification failure response to the access control unit 3.
Referring to Fig. 3, the subject information management unit 2 comprises: user private key generation module 21, attribute monitoring module 22 and subject information storage module 23. Wherein: user private key generation module 21 uses the attribute-based cryptographic algorithm CP-ABE to generate a user private key for each user according to the user attributes in the subject information storage module 23 and stores it in the subject information storage module 23; attribute monitoring module 22 monitors changes of user attribute values in the subject information storage module 23 and, if a user attribute changes, calls the user private key generation module 21 to update the user private key; subject information storage module 23 stores user attribute information, user private keys and symmetric keys encrypted under access control policies.
Referring to Fig. 4, the access control unit 3 comprises: token extraction and authentication module 31, access decision module 32, decision execution module 33, policy generation module 34 and policy storage module 35. Wherein:
Token extraction and authentication module 31 extracts the token from the user's request and verifies it with the security token unit 1; if token verification succeeds it sends the obtained user identity information and the user's request to the access decision module 32, and if it fails it sends a token verification failure response to the user.
Access decision module 32: first, it retrieves the user's attribute information from the subject information management unit 2 according to the user identity information obtained from the token extraction and authentication module 31; second, it searches the policy storage module 35 according to the resource to be accessed in the user's request obtained from the token extraction and authentication module 31, obtains the access control policy information for the corresponding resource, grants access if the user attributes satisfy the access control policy and denies it otherwise; third, it calls the decision execution module 33 with the decision result, the user request information and the user identity information as parameters.
Decision execution module 33, according to the decision result and request information from the access decision module 32 and the structured access control policy in the request information, performs three functions: reading and writing data, calling the attribute-based encryption/decryption unit 4 to encrypt and decrypt data, and calling the policy generation module 34 to generate an access control policy file. This decision execution module 33 comprises the execution judgment module 331 and the file upload/download module 332, as shown in Fig. 5.
The execution judgment module 331 decides, according to the decision result, the user request information and the user identity information, whether to call the file upload/download module 332, the policy generation module 34 and the attribute-based encryption/decryption unit 4, and returns a response to the user. When the decision result is to grant access, it calls the file upload/download module 332 to upload or download the file and returns an authorization response to the user; if access is not granted, it returns an unauthorized response to the user. When the request information contains a structured access control policy, it calls the policy generation module 34 to generate the access control policy file. When the user request is a file upload request that specifies encryption, it calls the attribute-based encryption/decryption unit 4 to encrypt the uploaded file. When the user request is a file download request and the requested file is an encrypted file, it calls the attribute-based encryption/decryption unit 4 to decrypt the downloaded file.
The file upload/download module 332 receives the user's file when the user uploads a file and writes it to the cloud storage unit 5; when the user downloads a file, it reads the file from the cloud storage unit 5 and sends it to the user.
Policy generation module 34 converts the structured access control policy in the request information, given as a grouped text string, into an access control policy file described in the eXtensible Access Control Markup Language XACML, and stores it in the policy storage module 35.
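The policy path through access control unit 3, as an added runnable sketch that is not code from the patent: a structured access control policy arriving as a grouped text string (what policy generation module 34 receives) is parsed, evaluated against a user's attribute set the way access decision module 32 decides, and rendered to an XACML 3.0 policy file for the policy storage module 35. The policy string grammar, the attribute names and the sample request are assumptions; the patent does not specify them.

```python
"""Model of the access-decision and policy-generation path of the patent's
access control unit 3. Assumed grammar for the grouped policy string:
    expr := term ('OR' term)* ; term := factor ('AND' factor)* ;
    factor := '(' expr ')' | name=value
User attributes are a mapping name -> set of values (multi-valued attributes)."""
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# attribute leaf first so that a name such as ANDROID=x is not read as AND
_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][\w-]*=[\w.@-]+|AND|OR)")


def tokenize(policy):
    tokens, pos, policy = [], 0, policy.strip()
    while pos < len(policy):
        m = _TOKEN.match(policy, pos)
        if not m:
            raise ValueError(f"bad policy syntax at offset {pos}: {policy[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(policy):
    """Recursive-descent parse into nested tuples: ('eq', name, value),
    ('and', l, r), ('or', l, r). Malformed input raises ValueError so the
    decision module never evaluates a half-parsed policy."""
    tokens, pos = tokenize(policy), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of policy")
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():
        node = term()
        while peek() == "OR":
            take()
            node = ("or", node, term())
        return node

    def term():
        node = factor()
        while peek() == "AND":
            take()
            node = ("and", node, factor())
        return node

    def factor():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        name, value = tok.split("=", 1)
        return ("eq", name, value)

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return tree


def evaluate(tree, attributes):
    """Access decision module 32: does the attribute set satisfy the policy?"""
    if tree[0] == "eq":
        return tree[2] in attributes.get(tree[1], set())
    left = evaluate(tree[1], attributes)
    right = evaluate(tree[2], attributes)
    return (left and right) if tree[0] == "and" else (left or right)


def decide(policy, attributes):
    """Grant only when the attributes satisfy the policy; everything else,
    including a malformed policy string, is a denial."""
    try:
        return "Permit" if evaluate(parse(policy), attributes) else "Deny"
    except ValueError:
        return "Deny"


def _emit(parent, tree, ns):
    if tree[0] == "eq":
        leaf = ET.SubElement(parent, ns + "Apply", FunctionId=FN + "string-is-in")
        ET.SubElement(leaf, ns + "AttributeValue", DataType=STRING).text = tree[2]
        ET.SubElement(leaf, ns + "AttributeDesignator", Category=SUBJECT,
                      AttributeId=tree[1], DataType=STRING, MustBePresent="false")
        return
    node = ET.SubElement(parent, ns + "Apply", FunctionId=FN + tree[0])
    _emit(node, tree[1], ns)
    _emit(node, tree[2], ns)


def to_xacml(policy_id, resource_id, policy):
    """Policy generation module 34: one Permit rule whose Condition mirrors the
    parsed tree; the Target pins the policy to a single stored file."""
    ET.register_namespace("xacml3", XACML_NS)
    ns = "{%s}" % XACML_NS
    root = ET.Element(ns + "Policy", PolicyId=policy_id, Version="1.0",
                      RuleCombiningAlgId=DENY_OVERRIDES)
    all_of = ET.SubElement(ET.SubElement(ET.SubElement(root, ns + "Target"),
                                         ns + "AnyOf"), ns + "AllOf")
    match = ET.SubElement(all_of, ns + "Match", MatchId=FN + "string-equal")
    ET.SubElement(match, ns + "AttributeValue", DataType=STRING).text = resource_id
    ET.SubElement(match, ns + "AttributeDesignator", Category=RESOURCE,
                  AttributeId=RESOURCE_ID, DataType=STRING, MustBePresent="true")
    rule = ET.SubElement(root, ns + "Rule", RuleId=policy_id + ":permit", Effect="Permit")
    _emit(ET.SubElement(rule, ns + "Condition"), parse(policy), ns)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # constructed sample request: policy supplied by the file owner, attributes
    # as the subject information management unit 2 would return them
    POLICY = "(role=doctor AND dept=cardiology) OR role=admin"
    print(decide(POLICY, {"role": {"doctor"}, "dept": {"cardiology"}}))  # Permit
    print(decide(POLICY, {"role": {"nurse"}, "dept": {"cardiology"}}))   # Deny
    print(to_xacml("file-0042-policy", "file-0042", POLICY))
```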
Referring to Fig. 6, the attribute-based encryption/decryption unit 4 comprises: symmetric encryption/decryption module 41, attribute-based encryption module 42 and attribute-based decryption module 43. Wherein:
Symmetric encryption/decryption module 41 generates the symmetric key, encrypts plaintext with the symmetric key, and decrypts ciphertext;
Attribute-based encryption module 42 runs the CP-ABE encryption algorithm on the symmetric key generated by the symmetric encryption/decryption module 41 according to the structured access control policy in the request, obtains the symmetric key encrypted under the access control policy, and stores it in the subject information management unit 2;
Attribute-based decryption module 43 searches the subject information management unit 2 according to the user identity information, obtains the user private key and the policy-encrypted symmetric key, and runs the CP-ABE decryption algorithm with the user's private key on the policy-encrypted symmetric key to recover the symmetric key.
The above description is only an example of the invention and does not constitute any limitation of it. Obviously, those skilled in the art, after understanding the content and principles of the invention, may make various corrections and changes in form and detail without departing from the principles and structure of the invention, but such corrections and changes based on the inventive concept still fall within the scope of protection of the claims of the invention.

Claims (3)

1. cloud memory access control system based on attribute, comprise security token unit (1), main information administrative unit (2), access control unit (3), attribute base encryption/decryption element (4) and cloud memory cell (5), it is characterized in that:
Described main information administrative unit (2) is used for generating private key for user, store and management customer attribute information, private key for user and the symmetric key of encrypting with access control policy;
Described access control unit (3) comprising:
Token extracts authentication module (31), be used for extracting the token of user's request, and to security token service unit (1) checking token, if the token authentication success then sends to access decision module (32) with subscriber identity information and the user's request that obtains, if the token authentication failure then sends the token authentication failure response to the user;
Access decision module (32) according to extracting the subscriber identity information that authentication module (31) obtains from token, is retrieved main information administrative unit (2), obtains user's attribute information; According to the resource information that will access the user's request that obtains from token extraction authentication module (31) tactful memory module (35) is retrieved, obtain the access control policy information of corresponding resource, if user property meets then granted access of access control policy, do not authorize if meet then; Take the result of decision, user request information, subscriber identity information as parameter, call decision-making Executive Module (33);
Decision-making Executive Module (33), be used for the result of decision and solicited message according to access decision module (32), and the structurized access control policy in the solicited message, finish respectively reading and writing data, call attribute base encryption/decryption element (4) and carry out data encrypting and deciphering, regulative strategy generation module (34) and generate these three kinds of functions of access control policy file;
Strategy generation module (34), be used for the Structured Interview control strategy of solicited message with grouping text string, be converted into the access control policy file of describing with extensible access control markup language XACML, and store in the policy store module (35);
Policy store module (35) is used for memory access control strategy file;
Described attribute base encryption/decryption element (4) comprising:
Symmetrical encryption and decryption module (41) is used for generating symmetric key, and with symmetric key encryption expressly, decrypting ciphertext;
an attribute-based encryption module (42), which, using the structured access control policy carried in the request, runs the CP-ABE encryption algorithm on the symmetric key, obtains the symmetric key encrypted under the access control policy, and stores it in the subject information management unit (2) (the "main body information management unit" of the abstract);
an attribute-based decryption module (43), which looks up the subject information management unit (2) by the user's identity information to obtain the user's private key and the policy-encrypted symmetric key, and runs the CP-ABE decryption algorithm with the user's private key on the policy-encrypted symmetric key to recover the symmetric key;
the cloud storage unit (5) is used to store ciphertext encrypted by the attribute-based encryption/decryption unit (4), or plaintext stored directly by the access control unit (3) without encryption, and marks in the file index information whether each file has been encrypted.
2. The attribute-based cloud storage access control system according to claim 1, characterized in that the decision execution module (33) comprises:
an execution decision module (331), used to decide, from the decision result, the user request information and the user identity information, whether to invoke the file upload/download module (332), the policy generation module (34) and the attribute-based encryption/decryption unit (4), and to return a response to the user: when the decision result is "access granted", it invokes the file upload/download module (332) to upload or download the file and returns an authorized response to the user, otherwise it returns an unauthorized response; when the request information contains a structured access control policy, it invokes the policy generation module (34) to generate the access control policy file; when the request is a file upload request that specifies encryption, it invokes the attribute-based encryption/decryption unit (4) to encrypt the uploaded file; when the request is a file download request and the requested file is an encrypted file, it invokes the attribute-based encryption/decryption unit (4) to decrypt the downloaded file;
a file upload/download module (332), used to receive the user's file and write it to the cloud storage unit (5), and to read a file from the cloud storage unit (5) and send it to the user.
3. The attribute-based cloud storage access control system according to claim 1, characterized in that the security token unit (1) comprises:
an identity authentication module (11), used to authenticate the identity information in the authentication request sent by the user and to issue an access token to a successfully authenticated user; this identity information consists of a username and password, or of an identity certificate issued by a third-party authentication;
a token verification module (12), used to respond to token verification requests sent by the access control unit (3): if verification succeeds it returns the information of the token owner, otherwise it returns a token verification failure response.
4. The attribute-based cloud storage access control system according to claim 1, characterized in that the subject information management unit (2) comprises:
a user private key generation module (21), which generates the user's private key from the user attributes held in the subject information storage module (23) using the attribute-based encryption algorithm CP-ABE, and stores it in the subject information storage module (23);
an attribute monitoring module (22), used to monitor changes of user attribute values in the subject information storage module (23), and to invoke the user private key generation module (21) to regenerate the user's private key whenever a user attribute changes;
a subject information storage module (23), used to store user attribute information, user private keys, and the symmetric keys encrypted under access control policies.
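Claims 1 to 4 describe a hybrid construction: each file is encrypted under a fresh symmetric key, the symmetric key is encrypted under a CP-ABE access policy, and a user's CP-ABE private key is derived from the user's attributes and regenerated by the attribute monitor whenever those attributes change, so a policy is re-checked against the current attribute set on every download. The Python model below is an added example and is not the patent's code or any reference implementation. The pairing-based CP-ABE primitive is replaced by a stand-in with the same contract (the wrapped symmetric key is released only if the attribute set bound into the requester's private key satisfies the policy), and the file cipher is a SHA-256 counter-mode keystream for demonstration only. As in the claims, the private keys and the wrapped symmetric keys live in the subject information management unit (2), so that unit is the trust anchor of the model as well. Policy syntax, unit and module names, and the sample users and attributes are assumptions.

```python
# Added model of the access-control flow in claims 1-4; not the patent's own code.  Real CP-ABE
# is replaced by a stand-in: unit (2) releases a file's symmetric key only if the attribute set
# bound into the requester's private key satisfies the file's policy (the contract CP-ABE
# decryption enforces).  The file cipher is a SHA-256 counter-mode keystream, demo only.
import hashlib, hmac, os, re
from collections import namedtuple

_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9_:.-]+")
PrivateKey = namedtuple("PrivateKey", "user attrs tag")   # stays bound to the attrs it was issued for

def parse_policy(text):
    """Monotone formula 'a AND (b OR c)' -> ('ATTR', a) | ('AND', l, r) | ('OR', l, r)."""
    toks = _TOKEN.findall(text)
    def factor():
        tok = toks.pop(0) if toks else None
        if tok == "(":
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("ATTR", tok)
    def term():                                   # AND binds tighter than OR
        node = factor()
        while toks[:1] == ["AND"]:
            toks.pop(0)
            node = ("AND", node, factor())
        return node
    def expr():
        node = term()
        while toks[:1] == ["OR"]:
            toks.pop(0)
            node = ("OR", node, term())
        return node
    tree = expr()
    if toks:
        raise ValueError(f"trailing tokens {toks!r}")
    return tree

def satisfies(tree, attrs):
    if tree[0] == "ATTR":
        return tree[1] in attrs
    l, r = satisfies(tree[1], attrs), satisfies(tree[2], attrs)
    return (l and r) if tree[0] == "AND" else (l or r)

def _ctr_xor(key, nonce, data):
    """Demo stream cipher: XOR with SHA-256(key || nonce || counter); the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class SubjectInfoUnit:
    """Unit (2): private-key generation (21), attribute monitor (22), storage (23)."""
    def __init__(self):
        self._master, self._attrs, self._keys, self._wrapped = os.urandom(32), {}, {}, {}
    def set_attributes(self, user, attrs):
        new = frozenset(attrs)
        if self._attrs.get(user) != new:          # module (22): any change regenerates the key
            self._attrs[user] = new
            msg = (user + "|" + ",".join(sorted(new))).encode()
            self._keys[user] = PrivateKey(user, new, hmac.new(self._master, msg, "sha256").hexdigest())
    def private_key(self, user):
        return self._keys[user]
    def store_wrapped(self, file_id, policy, sym_key):     # where module (42)'s output is kept
        self._wrapped[file_id] = (parse_policy(policy), sym_key)
    def unwrap(self, file_id, key):
        """Stand-in for module (43): succeeds iff the key's attribute set satisfies the policy."""
        tree, sym_key = self._wrapped[file_id]
        if not satisfies(tree, key.attrs):
            raise PermissionError(f"{key.user}: attributes do not satisfy the file policy")
        return sym_key

def upload(unit2, unit5, file_id, plaintext, policy=None):
    """Module (331) upload path; unit5 models unit (5) as file_id -> (blob, encrypted flag)."""
    if policy is None:                            # no policy requested: stored as plaintext
        unit5[file_id] = (plaintext, False)
        return
    sym_key, nonce = os.urandom(32), os.urandom(16)
    unit5[file_id] = (nonce + _ctr_xor(sym_key, nonce, plaintext), True)
    unit2.store_wrapped(file_id, policy, sym_key)

def download(unit2, unit5, file_id, user):
    """Module (331) download path: the index flag decides whether unit (4) is involved."""
    data, encrypted = unit5[file_id]
    if not encrypted:
        return data
    sym_key = unit2.unwrap(file_id, unit2.private_key(user))
    return _ctr_xor(sym_key, data[:16], data[16:])

def can_read(unit2, unit5, file_id, user):
    try:                                          # PermissionError is the "unauthorized response"
        download(unit2, unit5, file_id, user)
        return True
    except PermissionError:
        return False
```

The point the model makes visible is the one the attribute monitor (22) exists for: because `download` fetches the requester's current private key from unit (2) and that key is re-issued on every attribute change, removing an attribute revokes access to already-stored ciphertext immediately, without re-encrypting the file. A production system would use a real CP-ABE library for `store_wrapped`/`unwrap` and an authenticated cipher for the file body.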
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201310071664.2A    2013-03-06      2013-03-06    Cloud storage access control system based on attribute (granted as CN103327002B, Active)

Publications (2)

Publication Number   Publication Date
CN103327002A         2013-09-25
CN103327002B         2016-04-27

Family ID: 49195535

Country Status (1)

Country   Link
CN (1)    CN103327002B (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN103763355A (en) * 2014-01-07 2014-04-30 天地融科技股份有限公司 Cloud data uploading and access control method
CN103905557A (en) * 2014-04-09 2014-07-02 曙光云计算技术有限公司 Data storage method and device for a cloud environment, and download method and device
CN104333542A (en) * 2014-10-23 2015-02-04 张勇平 Cloud computing access control system and method
CN104735020A (en) * 2013-12-18 2015-06-24 深圳市腾讯计算机系统有限公司 Method, device and system for acquiring sensitive data
CN104967591A (en) * 2014-09-26 2015-10-07 浙江大华技术股份有限公司 Cloud storage data read-write method and device, and read-write control method and device
CN104980401A (en) * 2014-04-09 2015-10-14 北京亿赛通科技发展有限责任公司 Secure data storage system and secure data storage and reading method for a NAS server
CN104993929A (en) * 2015-05-15 2015-10-21 西安邮电大学 Attribute-based encryption system and method supporting system attribute expansion
CN105100248A (en) * 2015-07-30 2015-11-25 国家电网公司 Cloud storage security realization method based on data encryption and access control
CN105357201A (en) * 2015-11-12 2016-02-24 中国科学院信息工程研究所 Access control method and system for object cloud storage
CN105681355A (en) * 2016-03-25 2016-06-15 西安电子科技大学 Attribute-based encryption access control system of a cloud storage digital library, and access control method thereof
CN105991278A (en) * 2016-07-11 2016-10-05 河北省科学院应用数学研究所 Ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption)
CN106059763A (en) * 2016-07-29 2016-10-26 南京邮电大学 Attribute-based multi-authority hierarchical ciphertext-policy weighted encryption method in a cloud environment
CN106330871A (en) * 2016-08-17 2017-01-11 成都聚美优品科技有限公司 Sensitive data protection method
CN107196967A (en) * 2017-07-10 2017-09-22 南京邮电大学 A logistics big data information security access control system
CN107317787A (en) * 2016-04-26 2017-11-03 北京京东尚科信息技术有限公司 Service credit method, equipment and system
CN107370595A (en) * 2017-06-06 2017-11-21 福建中经汇通有限责任公司 A fine-grained ciphertext access control method
CN107846397A (en) * 2017-09-30 2018-03-27 北京理工大学 A cloud storage access control method based on attribute-based encryption
CN107864139A (en) * 2017-11-09 2018-03-30 北京科技大学 A cryptographic attribute-based access control method and system based on dynamic rules
CN109067868A (en) * 2018-07-31 2018-12-21 佛山市苔藓云链科技有限公司 A method and system for storing cloud data
CN109743331A (en) * 2019-01-29 2019-05-10 杭州电子科技大学 A matching-based access control method
CN110889130A (en) * 2018-12-10 2020-03-17 北京炼石网络技术有限公司 Database-based fine-grained data encryption method, system and device
CN111212084A (en) * 2020-01-15 2020-05-29 广西师范大学 Attribute-based encryption access control method for edge computing
CN111245933A (en) * 2020-01-10 2020-06-05 上海德拓信息技术股份有限公司 Log-based object storage append-write implementation method
CN111737752A (en) * 2020-07-23 2020-10-02 杭州海康威视数字技术股份有限公司 Monitoring data access control method, device and equipment and storage medium
CN112887273A (en) * 2021-01-11 2021-06-01 苏州浪潮智能科技有限公司 Key management method and related equipment
CN113612775A (en) * 2021-08-04 2021-11-05 西安思安云创科技有限公司 4C remote control safety protection method, device and system based on Internet of things equipment
US11228597B2 (en) 2019-02-12 2022-01-18 Nutanix, Inc. Providing control to tenants over user access of content hosted in cloud infrastructures
US11615206B2 (en) * 2020-07-22 2023-03-28 Mastercard International Incorporated Systems and methods for tokenization of personally identifiable information (PII)
US11835996B2 (en) 2020-07-22 2023-12-05 Mastercard International Incorporated Systems and methods for tokenization of personally identifiable information (PII) and personal health information (PHI)
US12026137B1 (en) * 2023-02-17 2024-07-02 Dell Product L.P. Method and system for secure and efficient federated data deduplication in a storage area network (SAN) infrastructure

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771683A (en) * 2009-01-07 2010-07-07 北京航空航天大学 Method and device for generating access controlling policy

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Bethencourt J, Sahai A, Waters B: "Ciphertext-policy attribute-based encryption", Proceedings of the 2007 IEEE Symposium on Security and Privacy *
Yu S C, Wang C, Ren K: "Achieving secure, scalable, and fine-grained", Proceedings of the 2010 *
李晓峰 (Li Xiaofeng): "Attribute-based access control model" (基于属性的访问控制模型), Journal on Communications (通信学报) *
王小明 (Wang Xiaoming): "Research progress on attribute-based access control" (基于属性的访问控制研究进展), Acta Electronica Sinica (电子学报) *

Also Published As

Publication number Publication date
CN103327002B (en) 2016-04-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant