CN103746798B - A kind of data access control method and system - Google Patents

A kind of data access control method and system

Publication number: CN103746798B
Authority: CN (China)
Prior art keywords: key, data, level, encryption, client
Legal status: Active (Google's assumption, not a legal conclusion)
Application number: CN201310684938.5A
Other languages: Chinese (zh)
Other versions: CN103746798A
Inventors: 刘进, 须成忠, 孙婧, 喻之斌
Current assignee: Shenzhen Institute of Advanced Technology of CAS
Original assignee: Shenzhen Institute of Advanced Technology of CAS

Events:
Application filed by Shenzhen Institute of Advanced Technology of CAS
Priority to CN201310684938.5A
Publication of CN103746798A
Application granted
Publication of CN103746798B
Legal status: Active

Abstract

The present invention applies to the field of cloud computing technology and provides a data access control method and system. The method includes: a third party generates a key for each level and sends the generated key to the client of the corresponding level; the client encrypts the data to be uploaded to the cloud server with the received key and uploads the encrypted data to the cloud server. The present invention simplifies key management in cloud server data access control, reduces computing overhead and improves the efficiency of cloud server data access, while at the same time improving the security of cloud server data.

Description

A kind of data access control method and system
Technical field
The invention belongs to the field of cloud computing technology, and in particular to a data access control method and system.
Background technology
Since the birth of cloud computing, security has always been one of the primary concerns of enterprises adopting cloud computing. Access control is an important means of achieving confidentiality of user data and protecting privacy. The servers in a cloud storage system are assumed to be untrusted: users are unwilling to place important confidential information in a cloud storage system, and even for ciphertext data users worry that it will be read or cited by unauthorized users, which restricts the development of cloud storage service applications.
The existing ciphertext-policy attribute-based encryption (CP-ABE) scheme represents the identity of a user as a set of attributes and associates the encrypted data (the ciphertext data) with an access control structure for that data. Whether a user can access a piece of data depends on whether the user's attribute set matches the access control structure. When CP-ABE is used to implement data access control for cloud storage, the hierarchical relationships that exist among user attributes make the access structure of the data complex. In addition, if the data accessible to each user is all accessed through the CP-ABE mechanism, the computing overhead becomes large.
Summary of the invention
The embodiment of the present invention provides a data access control method to solve the problem in the prior art of large computing overhead when accessing data at the cloud server.
In a first aspect, the embodiment of the present invention provides a data access control method, the method including:
A third party generates the key of each level and sends the generated key to the client of the corresponding level;
The client encrypts the data to be uploaded to the cloud server with the received key and uploads the encrypted data to the cloud server.
In a second aspect, the embodiment of the present invention provides a data access control system, the system including:
A third party, a client and a cloud server;
The third party, for generating the key of each level and sending the generated key to the client of the corresponding level;
The client, for encrypting the data to be uploaded to the cloud server with the received key and uploading the encrypted data to the cloud server.
Compared with the prior art, the embodiment of the present invention has the following beneficial effects: a trusted third party generates keys of different levels and sends the generated keys to the clients of the corresponding levels, so that each client encrypts the data to be uploaded to the cloud server with the key it receives. While improving the security of cloud server data, the embodiment simplifies key management in cloud server data access control, reduces computing overhead and improves the efficiency of cloud server data access; it has strong usability and practicality.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a diagram of the application scenario to which the data access control system provided by the first embodiment of the present invention applies;
Fig. 2 is a flowchart of the data access control method provided by the second embodiment of the present invention.
Detailed description
In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
To illustrate the technical solutions of the present invention, specific embodiments are described below.
Embodiment one:
Fig. 1 shows the application scenario to which the data access control system provided by the first embodiment of the present invention applies; for ease of illustration, only the parts related to the embodiment are shown.
As shown in Fig. 1, the data access control system includes multiple user terminals 1, a cloud server 2 and a third party 3. The user terminals 1, the cloud server 2 and the third party 3 communicate with one another over wired or wireless connections.
The user terminal 1 may be a mobile phone, a tablet computer, a personal computer, etc.
The cloud server 2 and the third party 3 may each be a single server or a server end composed of several functional servers together.
In an organizational structure with more than one level of authority (for example, in a hospital: president, department directors, chief physicians, attending physicians, etc.; in an enterprise: general manager, department managers, project managers, engineers, etc.), users of different authorities or levels can decrypt data ciphertexts of different grades and obtain the related information. When CP-ABE is used to implement access control of cloud-stored data, the hierarchical relationships among user attributes make the access structure of the data complex, and if the data accessible to each user is all accessed through the CP-ABE mechanism, the computing overhead becomes large. To solve these problems, the specific implementation is as follows:
The third party 3 generates the key of each level (including a public key and a private key) based on a hierarchical access control model and sends the generated key to the user terminal 1 of the corresponding level. The user terminal 1 encrypts the data to be uploaded to the cloud server 2 with the received key and uploads the encrypted data to the cloud server 2.
The system includes at least a first level (the level with higher authority) and a second level (the level with lower authority); the user terminals 1 of the corresponding levels include a first-level user terminal 11 and a second-level user terminal 12.
Preferably, before the user terminal 1 encrypts the data to be uploaded to the cloud server 2 with the received key, the present embodiment further includes:
The third party 3 generates a corresponding attribute key (including a public key and a private key) according to the attributes of the second-level user terminal 12 and sends the attribute key to the second-level user terminal 12;
Here, the second-level user terminal 12 encrypting the data to be uploaded to the cloud server 2 with the received key and uploading the encrypted data to the cloud server 2 specifically includes:
The second-level user terminal 12 encrypts the data to be uploaded to the cloud server 2 with the received key, encrypts that key with the attribute key, and uploads the encrypted data together with the encrypted key to the cloud server 2.
Further, the present embodiment also includes:
After the second-level user terminal 12 downloads the encrypted data and the encrypted key from the cloud server 2, it decrypts the encrypted key with the attribute key to obtain the symmetric key, and then decrypts the encrypted data with the symmetric key for viewing by the user of user terminal 12.
Further, after the first-level user terminal 11 downloads the encrypted data from the cloud server 2, it decrypts the encrypted data with the key for viewing by the user of user terminal 11.
It should be noted that the public key and the private key form a pair: data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key.
On the basis of CP-ABE (which subdivides the cloud server data and constructs access structures for the different data), the present embodiment combines a hierarchical access control model to propose an efficient data access control scheme for the cloud server. This scheme constructs a simpler and more efficient data ciphertext access structure (namely the first level and the second level), simplifies key management in data access control, reduces computing overhead and, while preserving the good characteristics of CP-ABE, realizes a data access control mechanism similar to role-based access control.
Further, before the user terminal 1 encrypts the data to be uploaded to the cloud server 2, the embodiment also includes:
The user terminal 1 receives information for starting the data access control function.
The information for starting the data access control function includes an instruction to start the data access control function sent by the user, or trigger information for starting the data access control function generated according to a preset time interval.
In the present embodiment, the instruction to start the data access control function may preferably be determined as follows. After detecting that the user's touch action on the user terminal 1 is a two-point touch whose sliding traces are longitudinally opposed (the two points slide toward each other), it is judged whether the longitudinal displacements of the two touch points both exceed a preset first threshold, whether the distance between the final drop points of the two touch points is less than a preset second threshold, and whether the sliding speeds of the two touch points both exceed a preset third threshold. Alternatively, after detecting that the touch action is a two-point touch whose sliding traces slide in opposite directions (the two points slide apart), it is judged whether the displacements of the two touch points both exceed the preset first threshold, whether the distance between the final drop points of the two touch points exceeds a preset fourth threshold, and whether the sliding speeds of the two touch points both exceed the preset third threshold. If so (that is, all three conditions are judged "yes"), the action is determined to be the instruction to start the data access control function; if not (at least one of the three conditions is judged "no"), the instruction is not executed and the current operation ends.
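The three-condition gesture check above is easy to get wrong in the corner cases (a same-direction slide, a slide that is fast enough but does not travel far enough). The following function is an added example written for this page, not code from the patent; it assumes that "longitudinally opposed" means the two points move toward each other and "opposite direction" means they move apart, that each touch point is given as an ordered list of (x, y) samples, and that speed is path length divided by gesture duration. The function name `is_start_gesture` and the threshold values in the usage call are constructed for the example.

```python
import math


def _path_length(trace):
    """Total distance travelled along an ordered list of (x, y) samples."""
    return sum(math.dist(p, q) for p, q in zip(trace, trace[1:]))


def is_start_gesture(trace_a, trace_b, duration_s, t1, t2, t3, t4):
    """True when a two-point slide meets the start conditions described above.

    trace_a, trace_b: (x, y) samples of each touch point, in time order
    duration_s: duration of the gesture in seconds
    t1: minimum longitudinal (y) displacement of each point     (first threshold)
    t2: maximum final distance between the points when converging (second threshold)
    t3: minimum sliding speed of each point                       (third threshold)
    t4: minimum final distance between the points when diverging  (fourth threshold)
    """
    if len(trace_a) < 2 or len(trace_b) < 2 or duration_s <= 0:
        return False
    dy_a = trace_a[-1][1] - trace_a[0][1]
    dy_b = trace_b[-1][1] - trace_b[0][1]
    if dy_a * dy_b >= 0:
        return False  # not a two-point slide in opposite longitudinal directions
    final_gap = math.dist(trace_a[-1], trace_b[-1])
    converging = final_gap < math.dist(trace_a[0], trace_b[0])
    # Condition 1: both longitudinal displacements exceed the first threshold.
    if not (abs(dy_a) > t1 and abs(dy_b) > t1):
        return False
    # Condition 3: both sliding speeds exceed the third threshold.
    speed_a = _path_length(trace_a) / duration_s
    speed_b = _path_length(trace_b) / duration_s
    if not (speed_a > t3 and speed_b > t3):
        return False
    # Condition 2: final gap below the second threshold (converging) or above the fourth (diverging).
    return final_gap < t2 if converging else final_gap > t4


if __name__ == "__main__":
    # Constructed traces: two fingers sliding toward each other in 0.2 s.
    a = [(100, 300), (100, 250), (100, 210)]
    b = [(100, 100), (100, 150), (100, 190)]
    print(is_start_gesture(a, b, 0.2, t1=50, t2=30, t3=200, t4=150))
```

Only when all three conditions hold does the function return True; any single failing condition ends the evaluation, matching the "at least one 'no'" rule in the text.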
The application scenario provided by this embodiment is only used to explain the present invention and does not limit its scope of protection.
Embodiment two:
Fig. 2 shows the implementation flow of the data access control method provided by the second embodiment of the present invention; the process is detailed as follows:
In step S201, the third party generates the key of each level and sends the generated key to the client of the corresponding level.
In the present embodiment, the third party is a trusted (security-certified) third party. Specifically, the third party generates the key of each level (including a public key and a private key) based on a hierarchical access control model and sends the generated key to the client of the corresponding level.
The present embodiment includes at least a first level (the level with higher authority) and a second level (the level with lower authority); the user terminals of the corresponding levels include a first-level user terminal and a second-level user terminal. The specific division of levels may be adjusted according to actual requirements and is not limited by this embodiment.
In order that multi-level data access can be achieved among users of multiple levels through hierarchical key derivation, for example allowing a user of high authority to access the data that a low-authority user can access, in this embodiment the key of the first level can generate the key of the second level; that is, the key with which the second-level client accesses data can be derived from the key of the first-level client.
In step S202, the client encrypts the data to be uploaded to the cloud server with the received key and uploads the encrypted data to the cloud server.
In particular, the data to be uploaded to the cloud server is encrypted with a symmetric encryption algorithm.
Further, before the client encrypts the data to be uploaded to the cloud server with the received key, the present embodiment also includes:
The third party generates a corresponding attribute key (including a public key and a private key) according to the attributes of the second-level client (including its corresponding authority, the data it may access, etc.) and sends the attribute key to the second-level client.
Preferably, the client encrypting the data to be uploaded to the cloud server with the received key and uploading the encrypted data to the cloud server specifically includes:
The second-level client encrypts the data to be uploaded to the cloud server with the received key, encrypts that key with the attribute key, and uploads the encrypted data together with the encrypted key to the cloud server.
In particular, the key is encrypted with a symmetric encryption algorithm.
Further, the present embodiment also includes:
After the second-level client downloads the encrypted data and the encrypted key from the cloud server, it decrypts the encrypted key with the attribute key to obtain the symmetric key, and then decrypts the encrypted data with the symmetric key for viewing by the user of the terminal.
Further, after the first-level client downloads the encrypted data from the cloud server, it decrypts the encrypted data with the key for viewing by the user of the terminal.
In the present embodiment, the first-level client holds one key (including a public key and a private key) and the second-level client holds two keys. The first-level client encrypts the data to be uploaded to the cloud server with the private key or the public key of its key to obtain the data ciphertext, and decrypts with the corresponding public key or private key to recover the plaintext. The second-level client must first decrypt the key ciphertext with its attribute key, and then decrypt the data ciphertext with the symmetric key obtained from the key ciphertext, so as to recover the plaintext.
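Embodiment one and Embodiment two describe the same key flow: the third party issues a key per level (step S201), the second-level key is derived from the first-level key, the first-level client encrypts directly with its own key, and the second-level client encrypts its data with a symmetric key that it wraps with its attribute key before upload (step S202). The block below is an added example written for this page, not the patent's or the applicant's code. It uses only the Python standard library and makes the following assumptions: the level keys are symmetric and derived with HMAC-SHA256 (the patent describes a public/private pair; a symmetric key keeps the derivation chain visible); the attribute key is derived from the second-level key, so a first-level client can regenerate it (the patent does not say how the attribute key is formed); and an HMAC-CTR keystream with an HMAC tag stands in for a real authenticated cipher such as AES-GCM. All function names and the sample documents are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def kdf(parent: bytes, label: bytes) -> bytes:
    """One-step HMAC-SHA256 derivation; distinct labels give independent keys."""
    return hmac.new(parent, label, hashlib.sha256).digest()


def derive_level_key(parent_key: bytes, level: int) -> bytes:
    # Step S201: the key of level n is derived from the key of level n-1 (level 1 from
    # the third party's master secret), so a first-level client can regenerate the
    # second-level key, but a second-level client cannot go upward.
    return kdf(parent_key, b"level|%d" % level)


def derive_attribute_key(level_key: bytes, attributes: dict) -> bytes:
    # Attribute key of a second-level client, bound to its sorted attribute set
    # (assumed construction; the patent only says it is generated from the attributes).
    label = ";".join(f"{k}={v}" for k, v in sorted(attributes.items())).encode()
    return kdf(level_key, b"attr|" + label)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def first_level_upload(level1_key: bytes, data: bytes) -> bytes:
    # Step S202, first-level client: one key, data encrypted directly with it.
    return encrypt(level1_key, data)


def second_level_upload(attr_key: bytes, data: bytes) -> tuple:
    # Step S202, second-level client: fresh symmetric data key, wrapped with the
    # attribute key; encrypted data and encrypted key are uploaded together.
    data_key = secrets.token_bytes(32)
    return encrypt(data_key, data), encrypt(attr_key, data_key)


def second_level_download(attr_key: bytes, enc_data: bytes, enc_key: bytes) -> bytes:
    data_key = decrypt(attr_key, enc_key)   # unwrap the symmetric key first
    return decrypt(data_key, enc_data)      # then decrypt the data with it


def scenario(master_secret: bytes, doc1: bytes, doc2: bytes) -> dict:
    """Third party issues keys; both clients upload; checks who can read what."""
    level1_key = derive_level_key(master_secret, 1)
    level2_key = derive_level_key(level1_key, 2)
    attrs = {"role": "engineer", "dept": "storage"}   # constructed attribute set
    attr_key = derive_attribute_key(level2_key, attrs)

    blob1 = first_level_upload(level1_key, doc1)
    enc_data, enc_key = second_level_upload(attr_key, doc2)

    # The first-level client re-derives the lower level's keys from its own key.
    derived_attr_key = derive_attribute_key(derive_level_key(level1_key, 2), attrs)
    try:
        upward = decrypt(level2_key, blob1)   # lower level reading upward must fail
    except ValueError:
        upward = None
    return {
        "first_reads_own": decrypt(level1_key, blob1) == doc1,
        "second_reads_own": second_level_download(attr_key, enc_data, enc_key) == doc2,
        "first_reads_second": second_level_download(derived_attr_key, enc_data, enc_key) == doc2,
        "second_reads_first": upward is not None,
    }


if __name__ == "__main__":
    print(scenario(secrets.token_bytes(32), b"board minutes", b"engineering notes"))
```

The one-way derivation is what gives the "higher level reads lower level" property: the first-level client holds the parent of the second-level key and can therefore reproduce the attribute key, while the second-level client holds only leaves of the chain and its attempt on first-level data fails the tag check.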
In summary, the embodiment of the present invention generates keys of different levels through a trusted third party and sends the generated keys to the clients of the corresponding levels, so that each client encrypts the data to be uploaded to the cloud server with the key it receives. While improving the security of cloud server data, the embodiment simplifies key management in cloud server data access control, reduces computing overhead and improves the efficiency of cloud server data access; it has strong usability and practicality.
Those of ordinary skill in the art will further appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, including ROM/RAM, magnetic disk, optical disk, etc.
The above is a further detailed description of the present invention in combination with specific preferred embodiments, and the specific implementation of the present invention cannot be considered limited to these descriptions. For those of ordinary skill in the technical field of the present invention, equivalent substitutions or obvious modifications made without departing from the concept of the invention, with the same performance or use, shall all be regarded as falling within the scope of patent protection determined by the submitted claims.

Claims (6)

1. A data access control method, characterised in that the method includes:
A third party generates the key of each level and sends the generated key to the client of the corresponding level;
The client receives information for starting the data access control function;
After receiving the information for starting the data access control function, the client encrypts the data to be uploaded to the cloud server with the received key and uploads the encrypted data to the cloud server;
The method includes at least a first level and a second level;
The authority of the first level is higher than that of the second level;
After the first-level client downloads the encrypted data from the cloud server, it decrypts the encrypted data with the key for viewing by the user of the terminal.
2. The method of claim 1, characterised in that, before the client encrypts the data to be uploaded to the cloud server with the received key, the method further includes:
The third party generates a corresponding attribute key according to the attributes of the second-level client and sends the attribute key to the second-level client;
The client encrypting the data to be uploaded to the cloud server with the received key and uploading the encrypted data to the cloud server specifically includes:
The second-level client encrypts the data to be uploaded to the cloud server with the received key, encrypts that key with the attribute key, and uploads the encrypted data together with the encrypted key to the cloud server.
3. The method of claim 2, characterised in that the method further includes:
After the second-level client downloads the encrypted data and the encrypted key from the cloud server, it decrypts the encrypted key with the attribute key to obtain the symmetric key, and then decrypts the encrypted data with the symmetric key for viewing by the user of the terminal.
4. A data access control system, characterised in that the system includes:
A third party, a client and a cloud server;
The third party, for generating the key of each level and sending the generated key to the client of the corresponding level;
The client, for receiving information for starting the data access control function and, after receiving that information, encrypting the data to be uploaded to the cloud server with the received key and uploading the encrypted data to the cloud server;
The system includes at least a first level and a second level;
The authority of the first level is higher than that of the second level;
The first-level client is further configured, after downloading the encrypted data from the cloud server, to decrypt the encrypted data with the key for viewing by the user of the terminal.
5. The system of claim 4, characterised in that the third party is further configured to generate a corresponding attribute key according to the attributes of the second-level client and to send the attribute key to the second-level client;
The second-level client is configured to encrypt the data to be uploaded to the cloud server with the received key, to encrypt that key with the attribute key, and to upload the encrypted data together with the encrypted key to the cloud server.
6. The system of claim 5, characterised in that the second-level client is further configured, after downloading the encrypted data and the encrypted key from the cloud server, to decrypt the encrypted key with the attribute key to obtain the symmetric key, and then to decrypt the encrypted data with the symmetric key for viewing by the user of the terminal.
Application CN201310684938.5A, priority date 2013-12-12, filing date 2013-12-12, "A kind of data access control method and system", Active, granted as CN103746798B.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310684938.5A (CN103746798B) | 2013-12-12 | 2013-12-12 | A kind of data access control method and system

Publications (2)

Publication Number | Publication Date
CN103746798A | 2014-04-23
CN103746798B (granted) | 2017-12-26

Family

ID=50503790
Country status: CN, CN103746798B

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104320426A * | 2014-08-29 | 2015-01-28 | 哈尔滨工业大学深圳研究生院 | Data layering accessing method and system under cloud environment
US10887634B2 | 2018-07-26 | 2021-01-05 | Wangsu Science & Technology Co., Ltd. | Video resource file acquisition method and management system
CN108989848B * | 2018-07-26 | 2020-04-28 | 网宿科技股份有限公司 | Video resource file acquisition method and management system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1531820A * | 2001-06-30 | 2004-09-22 | [assignee name garbled in extraction] | Multi-level, multi-dimensional content protection
CN1859086A * | 2005-12-31 | 2006-11-08 | 华为技术有限公司 | Content grading access control system and method
CN101938497A * | 2010-09-26 | 2011-01-05 | 深圳大学 | Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof
CN102012981A * | 2010-11-16 | 2011-04-13 | 传神联合(北京)信息技术有限公司 | Distributing and matching method and system of general permission grade
CN102624522A * | 2012-03-30 | 2012-08-01 | 华中科技大学 | Key encryption method based on file attribution
CN103107992A * | 2013-02-04 | 2013-05-15 | 杭州师范大学 | Multistage authority management method for cloud storage enciphered data sharing
CN103248479A * | 2012-02-06 | 2013-08-14 | 中兴通讯股份有限公司 | Cloud storage safety system, data protection method and data sharing method

Also Published As

Publication number | Publication date
CN103746798A | 2014-04-23

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant