CN103428299A - Cloud storage access control method - Google Patents
Cloud storage access control method Download PDFInfo
- Publication number
- CN103428299A CN103428299A CN2013103976088A CN201310397608A CN103428299A CN 103428299 A CN103428299 A CN 103428299A CN 2013103976088 A CN2013103976088 A CN 2013103976088A CN 201310397608 A CN201310397608 A CN 201310397608A CN 103428299 A CN103428299 A CN 103428299A
- Authority
- CN
- China
- Prior art keywords
- centerdot
- access control
- mod
- private data
- rightarrow
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
The invention discloses a cloud storage access control method based on a cloud storage access control system which is composed of a cloud storage service provider CSP, a data owner A and a plurality of users. The cloud storage access control method is characterized in that linear transformation is used for realizing encryption of a dataset, a dot product operation is used for realizing decryption of certain private data in the dataset, and therefore a cloud storage access control policy is realized. The cloud storage access control method can effectively solve the problems that in an existing ciphertext access control method based on cloud storage, a decryption process is complex for the users and the ciphertext access control method is difficult to realize, thereby lowering the computation complexity of encryption and particularly decryption, and improving the efficiency of encryption and decryption.
Description
Technical field
The present invention relates to data encryption and access control technology field, specifically a kind of ciphertext access control method based on the cloud storage of protecting the privacy of user data.
Background technology
The cloud storage is in the conceptive extension of cloud computing and a derivative development new concept out.Cloud storage relies on it highly reliable, low-cost and non-maintaining stores service to be realized to revolutionary change.In the service mode of cloud storage, due to data, in the uncontrollable scope of user, how to protect the confidentiality of private data and Lawful access to become the problem that the user pays close attention to the most.
Access control mechanisms can be authorized the validated user access certain resources, refuses disabled user's access simultaneously.Although existing a lot of cloud stores service all provide simple access control function, for example, for file arranges access rights, this depends on the control of server end, and its fail safe is based upon on the trust to cloud stores service business.The ciphertext access control technology can guarantee the confidentiality of data and the Lawful access of data in the incredible environment of server end.The data owner was encrypted it in advance before data are stored, and by controlling the user key was obtained to realize the access control target.
At present, in various ciphertext access control policies, the scheme based on encryption attribute accounts for main flow.Yet in these schemes, generation and the administration overhead of key are large, and encrypt and decrypt efficiency is low.Particularly decrypting process is very complicated, and this is forbidding for general domestic consumer, is difficult to realize.
Summary of the invention
Technical problem to be solved by this invention is to provide a kind of simple and reliable cloud memory access control method, can effectively solve and have user's decrypting process complexity in the ciphertext access control method of storing based on cloud now, be difficult to the problems such as realization, reduce encryption, the especially computation complexity of deciphering, improved the efficiency that realizes encrypt and decrypt.
The present invention is that the technical solution problem adopts following technical scheme to be:
A kind of cloud memory access of the present invention control method, be based on the cloud memory access control system that cloud stores service business CSP, a data owner A and several users form, be characterized in, set up a finite field gf (p), wherein p is a large prime number, and large prime number p is open to all users; Described cloud memory access control method is carried out as follows:
Step 1, data owner A adopt the method for linear transformation to be encrypted the generating ciphertext collection to the private data collection;
Step 2, data owner A are committed to described cloud stores service business CSP by described ciphertext collection and are stored, described ciphertext collection is checked or downloaded to the cloud storage server that any use can provide by described cloud stores service business CSP per family online, but can not revise described ciphertext collection;
I the element that step 3, certain user U concentrate to data owner A request access private data, described data owner A is after authentication of users U has access rights, to the secret decruption key of providing i element of user U;
Step 4, user U utilize described decruption key and ciphertext collection, adopt the dot-product operation deciphering to obtain i the element that private data is concentrated.
The characteristics of cloud memory access control method of the present invention also are:
In described step 1, adopting the method for linear transformation to be encrypted the generating ciphertext collection to the private data collection is to carry out as follows:
1) suppose that the private data collection that described data owner A has is { x
1, x
2..., x
n, described private data is concentrated i element x
i∈ GF (p) (1≤i≤n); Setting the concentrated effective element number of described private data is n-1, remains an element and generates at random; The n of data owner A full rank of random generation on finite field gf (p) * n matrix
A in described matrix A
Ij∈ GF (p) (1≤i≤n, 1≤j≤n);
2) described data owner A generates expressly vector
Described plaintext vector
I component be i the element x that described private data is concentrated
i(1≤i≤n),
3) upper at described finite field gf (p), data owner A utilizes formula (1) to obtain cyphertext vector
Described private data collection { x
1, x
2..., x
nCorresponding ciphertext collection is { y
1, y
2..., y
n.
Decruption key in described step 3 is to generate as follows:
In formula (2), A
TFor the transposed matrix of matrix A,
It is the n dimension unit vector that i component is 1, other component is 0;
The concentrated effective element number according to described private data, setting data owner A at most only distributes n-1 decruption key.
In described step 4, adopting the dot-product operation deciphering to obtain i concentrated element of private data is to carry out as follows:
User U utilizes formula (4) to obtain i the element x that described private data is concentrated
i:
Compared with the prior art, beneficial effect of the present invention is embodied in:
1, data owner of the present invention utilizes the method for linear transformation to realize the encryption to the private data collection, has guaranteed the confidentiality of private data.Can expressly collect one and change the ciphertext collection into based on a scrambled matrix.Same scrambled matrix can be reused repeatedly again, and in order to resist known plain text attack, scrambled matrix A can reuse at most time n-1, if one-time pad can reach unconditional security.
2, user of the present invention only need adopt dot-product operation can realize private data is concentrated the deciphering of certain data, the complicated crypto-operation without other, thereby simple to operate, be easy to realize.
3, the present invention is because having limited the concentrated effective element number of private data, and concentrates to mix at random at valid data and insert a random number, thereby can resist user's collusion, thus the fail safe that has improved system.
Embodiment
In the present embodiment, a kind of cloud memory access control method is based on the cloud memory access control system of cloud stores service business CSP, a data owner A and several users formation, at first, system need be set up a finite field gf (p), wherein p is a large prime number, and large prime number p is open to all users; Finite field and large prime number are the well-known concepts of information security field;
Large prime number p is to generate as follows:
A) determine the long d in position of large prime number p; For example, according to concrete demand for security, the long d in position can be set as to 256,512 or 1024 etc.;
B) generate at random the long first place for the d bit, a position and end and be 1 odd number q;
C) adopt the prime number detection method to judge whether q is prime number, if make p=q, otherwise re-execute step b.
Cloud memory access control method is carried out according to the following procedure:
Step 1, data owner A adopt the method for linear transformation to be encrypted the generating ciphertext collection to the private data collection;
1.1) the private data collection that has of tentation data owner A is { x
1, x
2..., x
n, private data is concentrated i element x
i∈ GF (p) (1≤i≤n); In order to resist collusion, setting the concentrated effective element number of described private data is n-1, for example { x
1, x
2..., x
N-1Be the valid data collection, remain an element x
nFor random generation; Like this, at most only need n-1 decruption key of distribution.For example, even all user's collusions, also can only obtain at most n-1 decruption key,
Thereby set up following equation:
In formula (1), the total number of known equation is (n-1) * n, and total number of known variables is n * n(, is the element number of scrambled matrix A); Because the total number of equation is less than total number of known variables, can't calculate scrambled matrix A.
The n of data owner A full rank of random generation on finite field gf (p) * n matrix
A in matrix A
Ij∈ GF (p) (1≤i≤n, 1≤j≤n);
1.2) data owner A generation plaintext vector
Expressly vectorial
I component be i the element x that private data is concentrated
i(1≤i≤n),
Private data collection { x
1, x
2..., x
nCorresponding ciphertext collection is { y
1, y
2..., y
n.
Step 2, data owner A are committed to cloud stores service business CSP by the ciphertext collection and are stored, and the ciphertext collection is checked or downloaded to the cloud storage server that any use can provide by cloud stores service business CSP per family online, but can not revise the ciphertext collection;
I the element that step 3, certain user U are concentrated to data owner A request access private data, i.e. individual data, data owner A is after authentication of users U has access rights, to the secret decruption key of distributing i element of user U;
In order to obtain data set { x
1, x
2..., x
nIn i private data x
i(1≤i≤n), data owner A utilizes formula (3) to obtain decruption key
In formula (3), A
TFor the transposed matrix of matrix A,
Be that i component is the n dimension unit vector that 1 other component is 0;
Order
Decruption key
Solution vector for equation group (4):
Setting data owner A at most only distributes n-1 decruption key, for example distributes n-1 decruption key
(1≤i≤n-1); Thereby can resist collusion.
Step 4, user U utilize decruption key and ciphertext collection, adopt the dot-product operation deciphering to obtain i element;
User U utilizes formula (5) to obtain i the element x that private data is concentrated
i:
In the present embodiment, suppose n=3, scrambled matrix
Require r (A)=3; Expressly vectorial
Because
Therefore have
According to
Obtain following three equation group:
Wherein
Because r (A)=3, A is full rank, therefore equation group (7-9) all has unique solution.And then,
=k
11(a
11x
1+a
12x
2+a
13x
3)+k
12(a
21x
1+a
22x
2+a
23x
3)+k
13(a
31x
1+a
32x
2+a
33x
3)
=(k
11a
11+k
12a
21+k
13a
31)x
1+(k
11a
12+k
12a
22+k
13a
32)x
2+(k
11a
13+k
12a
23+k
13a
33)x
3
=x
1Modp(is according to equation group (7))
=k
21(a
11x
1+a
12x
2+a
13x
3)+k
22(a
21x
1+a
22x
2+a
23x
3)+k
23(a
31x
1+a
32x
2+a
33x
3)
=(k
21a
11+k
22a
21+k
23a
31)x
1+(k
21a
12+k
22a
22+k
23a
32)x
2+(k
21a
13+k
22a
23+k
23a
33)x
3
=x
2Modp(is according to equation group (8))
=k
31(a
11x
1+a
12x
2+a
13x
3)+k
32(a
21x
1+a
22x
2+a
23x
3)+k
33(a
31x
1+a
32x
2+a
33x
3)
=(k
31a
11+k
32a
21+k
33a
31)x
1+(k
31a
12+k
32a
22+k
33a
32)x
2+(k
31a
13+k
32a
23+k
33a
33)x
3
=x
3Modp(is according to equation group (9)).
Claims (4)
1. a cloud memory access control method, be based on the cloud memory access control system that cloud stores service business CSP, a data owner A and several users form, it is characterized in that, set up a finite field gf (p), wherein p is a large prime number, and large prime number p is open to all users; Described cloud memory access control method is carried out as follows:
Step 1, data owner A adopt the method for linear transformation to be encrypted the generating ciphertext collection to the private data collection;
Step 2, data owner A are committed to described cloud stores service business CSP by described ciphertext collection and are stored, described ciphertext collection is checked or downloaded to the cloud storage server that any use can provide by described cloud stores service business CSP per family online, but can not revise described ciphertext collection;
I the element that step 3, certain user U concentrate to data owner A request access private data, described data owner A is after authentication of users U has access rights, to the secret decruption key of providing i element of user U;
Step 4, user U utilize described decruption key and ciphertext collection, adopt the dot-product operation deciphering to obtain i the element that private data is concentrated.
2. cloud memory access control method according to claim 1, is characterized in that, in described step 1, adopting the method for linear transformation to be encrypted the generating ciphertext collection to the private data collection is to carry out as follows:
1) suppose that the private data collection that described data owner A has is { x
1, x
2..., x
n, described private data is concentrated i element x
i∈ GF (p) (1≤i≤n); Setting the concentrated effective element number of described private data is n-1, remains an element and generates at random; The n of data owner A full rank of random generation on finite field gf (p) * n matrix
A in described matrix A
Ij∈ GF (p) (1≤i≤n, 1≤j≤n);
2) described data owner A generates expressly vector
Described plaintext vector
I component be i the element x that described private data is concentrated
i(1≤i≤n),
3) upper at described finite field gf (p), data owner A utilizes formula (1) to obtain cyphertext vector
Described private data collection { x
1, x
2..., x
nCorresponding ciphertext collection is { y
1, y
2..., y
n.
3. cloud memory access control method according to claim 1 and 2, is characterized in that, the decruption key in described step 3 is to generate as follows:
In formula (2), A
TFor the transposed matrix of matrix A,
It is the n dimension unit vector that i component is 1, other component is 0;
The concentrated effective element number according to described private data, setting data owner A at most only distributes n-1 decruption key.
4. according to claim 1,2 or 3 described cloud memory access control methods, it is characterized in that, in described step 4, adopting the dot-product operation deciphering to obtain i concentrated element of private data is to carry out as follows:
User U utilizes formula (4) to obtain i the element x that described private data is concentrated
i:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310397608.8A CN103428299B (en) | 2013-09-04 | 2013-09-04 | A kind of cloud stores access control method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310397608.8A CN103428299B (en) | 2013-09-04 | 2013-09-04 | A kind of cloud stores access control method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103428299A true CN103428299A (en) | 2013-12-04 |
CN103428299B CN103428299B (en) | 2016-06-01 |
Family
ID=49652463
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310397608.8A Expired - Fee Related CN103428299B (en) | 2013-09-04 | 2013-09-04 | A kind of cloud stores access control method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103428299B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104980271A (en) * | 2014-04-10 | 2015-10-14 | 深圳中电长城信息安全系统有限公司 | Multiplication operation method and system in cloud computing and based on Batch RSA |
CN106330871A (en) * | 2016-08-17 | 2017-01-11 | 成都聚美优品科技有限公司 | Sensitive data protection method |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102014133A (en) * | 2010-11-26 | 2011-04-13 | 清华大学 | Method for implementing safe storage system in cloud storage environment |
CN102075542A (en) * | 2011-01-26 | 2011-05-25 | 中国科学院软件研究所 | Cloud computing data security supporting platform |
US20120167197A1 (en) * | 2010-12-27 | 2012-06-28 | International Business Machines Corporation | Enabling granular discretionary access control for data stored in a cloud computing environment |
CN102655508A (en) * | 2012-04-19 | 2012-09-05 | 华中科技大学 | Method for protecting privacy data of users in cloud environment |
US20130097306A1 (en) * | 2011-10-18 | 2013-04-18 | Nav Dhunay | System and method for monitoring, managing and controlling a plurality of devices using cloud resources |
US20130145447A1 (en) * | 2011-12-01 | 2013-06-06 | Dashlane SAS | Cloud-based data backup and sync with secure local storage of access keys |
-
2013
- 2013-09-04 CN CN201310397608.8A patent/CN103428299B/en not_active Expired - Fee Related
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102014133A (en) * | 2010-11-26 | 2011-04-13 | 清华大学 | Method for implementing safe storage system in cloud storage environment |
US20120167197A1 (en) * | 2010-12-27 | 2012-06-28 | International Business Machines Corporation | Enabling granular discretionary access control for data stored in a cloud computing environment |
CN102075542A (en) * | 2011-01-26 | 2011-05-25 | 中国科学院软件研究所 | Cloud computing data security supporting platform |
US20130097306A1 (en) * | 2011-10-18 | 2013-04-18 | Nav Dhunay | System and method for monitoring, managing and controlling a plurality of devices using cloud resources |
US20130145447A1 (en) * | 2011-12-01 | 2013-06-06 | Dashlane SAS | Cloud-based data backup and sync with secure local storage of access keys |
CN102655508A (en) * | 2012-04-19 | 2012-09-05 | 华中科技大学 | Method for protecting privacy data of users in cloud environment |
Non-Patent Citations (2)
Title |
---|
吕志强: "《云存储密文访问控制方案》", 《计算机科学与探索》 * |
石润华: "《一种新的门限秘密共享方案》", 《合肥工业大学学报(自然科学版)》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104980271A (en) * | 2014-04-10 | 2015-10-14 | 深圳中电长城信息安全系统有限公司 | Multiplication operation method and system in cloud computing and based on Batch RSA |
CN104980271B (en) * | 2014-04-10 | 2018-04-17 | 深圳中电长城信息安全系统有限公司 | Multiplying method and system based on Batch RSA in a kind of cloud computing |
CN106330871A (en) * | 2016-08-17 | 2017-01-11 | 成都聚美优品科技有限公司 | Sensitive data protection method |
Also Published As
Publication number | Publication date |
---|---|
CN103428299B (en) | 2016-06-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | Full verifiability for outsourced decryption in attribute based encryption | |
US20210203497A1 (en) | Method for re-keying an encrypted data file | |
CN103618728B (en) | A kind of encryption attribute method at more mechanism centers | |
CN107508667B (en) | Ciphertext policy ABE base encryption method and its device of the fix duty without key escrow can be disclosed | |
CN108881314B (en) | Privacy protection method and system based on CP-ABE ciphertext under fog computing environment | |
CN102624522B (en) | A kind of key encryption method based on file attribute | |
CN103401839B (en) | A kind of many authorization center encryption method based on attribute protection | |
CN103957109A (en) | Cloud data privacy protection security re-encryption method | |
CN104486315A (en) | Revocable key external package decryption method based on content attributes | |
CN105915520A (en) | File storage and searching method based on public key searchable encryption, and storage system | |
Saroj et al. | Threshold cryptography based data security in cloud computing | |
CN104967693B (en) | Towards the Documents Similarity computational methods based on full homomorphism cryptographic technique of cloud storage | |
CN104363215A (en) | Encryption method and system based on attributes | |
CN107154845A (en) | A kind of BGN types ciphertext decryption outsourcing scheme based on attribute | |
Wang et al. | Security analysis of a privacy‐preserving decentralized ciphertext‐policy attribute‐based encryption scheme | |
CN105100083A (en) | Attribute-based encryption method and attribute-based encryption system capable of protecting privacy and supporting user Undo | |
CN104320393A (en) | Effective attribute base agent re-encryption method capable of controlling re-encryption | |
CN102594570A (en) | Key threshold algorithm based on level identity encryption | |
Huang et al. | Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing | |
CN108092972A (en) | A kind of more authorization centers can search for encryption method based on attribute | |
CN103457725A (en) | Encryption method for multiple authorization centers | |
CN110086615A (en) | A kind of more authorized party's ciphertext policy ABE base encryption methods of distribution that medium is obscured | |
CN104618332A (en) | Secure two-party computation method and system based on symbol boundary value binary decision diagram | |
CN114143094A (en) | Multi-authorization attribute-based verifiable encryption method based on block chain | |
Kaci et al. | Access control reinforcement over searchable encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160601 Termination date: 20210904 |