CN104717297A - Safety cloud storage method and system - Google Patents

Abstract

The invention provides a safety cloud storage method and system. The safety cloud storage system comprises a cloud storage server, a key generation and distribution server and a client-side, wherein the cloud storage server is used for managing data and controlling data access; the key generation and distribution server is used for generating property public keys of shared data and a property secrete key of a user; the client-side is used for encrypting and decrypting data and setting the data access strategy. File data are encrypted in a file linear coding mode and are transmitted and stored as a ciphertext, and data safety is guaranteed; a file secrete key is encrypted according to a property encryption algorithm, and the obtained secret key can be used for realizing access control.

Description

A kind of secure cloud storage means and system

Technical field

The present invention relates to field of information security technology, particularly relate to the security technology area of data encryption and data sharing, be specially a kind of secure cloud storage means and system.

Background technology

In recent years, the fast development of making rapid progress along with Internet technology, and the development of whole information industry is that personal information or business data are all in explosive growth.Therefore increasing manufacturer is had to be proposed cloud stores service at present.

Although cloud stores bring huge facility to user, meanwhile, cloud stores and also brings a lot of hidden danger.The major obstacle affecting cloud service extensive use is safety and privacy concern.The data upload of user to server after, the administrative power of data has server to take over, and therefore user cannot ensure data confidentiality on the server.Cloud storage server is also faced with many security threats, such as software vulnerability, viral rogue program and managerial competency.In addition, cloud memory technology can realize data sharing by Intel Virtualization Technology, and data can be shared between multi-user, improve resource utilization.But this shared lacking, has caused data-privacy problem, and in cloud stores, suitable access control mechanisms is absolutely necessary.

Therefore, how encryption and decryption is carried out to data, how safety management key, and how the high efficiency access control mechanisms of design safety guarantees data security, and to share be very important.Through finding prior art literature search, existing secure cloud storage system such as Cleversafe, by information dispersal algorithm encrypted file data and distributed storage, ensures the fail safe of data, but cannot provide the data sharing abilities between multi-user.Its cloud storage system he providing data sharing is Baidu's cloud, new billow cloud such as, have employed authenticating user identification mechanism and Access Control List (ACL) realizes, and shortcoming is when userbase is large, storage overhead and computing cost large.

Summary of the invention

The shortcoming of prior art in view of the above, the object of the present invention is to provide a kind of secure cloud storage means and system, for solving in prior art safety in the storage of data and access and the shared technical problem that can not balance.

For achieving the above object and other relevant objects, the present invention provides a kind of secure cloud storage means on the one hand, and described secure cloud storage means comprises: cloud storage administration data also control the access of data; Generate and share the attribute PKI of data and the attribute private key of user; Be encrypted storing data, decipher and the access strategy of configuration data.

Preferably, cloud storage administration data control specifically to comprise to the access of data: the interface of data upload and download is provided and the data stored are managed; The data of user being accessed to storage carry out control of authority.

Preferably, also comprise: the community set of independent management and control user; Stochastic generation is used for the common parameter sharing data encryption use; Generate the PKI of open character and the main key of privacy character of attribute according to described common parameter, generate unique private key according to the attribute of user simultaneously and be sent to user.

Preferably, for the process be encrypted storage data be: stochastic generation key also obtains symmetric key, adopt uniform enconding algorithm carry out enciphered data and obtain cryptograph files, adopt encryption attribute algorithm to be encrypted symmetric key simultaneously and obtain key file.

Preferably, the access strategy of configuration access data specifically comprises: limit the community set that can be decrypted, the non-leaf nodes that the leaf node arranging the PKI representing attribute and this attribute and the thresholding formed by encoding are formed; To the password that described thresholding is arranged; Secret generating Distributor is set and Symmetric key generation PKI according to access strategy, the leaf node of the corresponding access strategy tree of each PKI.

The present invention is providing a kind of secure cloud storage system in addition on the one hand, and described secure cloud storage system comprises: cloud storage server, controls for cloud storage administration data and to the access of data; Secret generating Distributor, is connected with described cloud storage server, for the attribute private key of the attribute PKI and user that generate shared data; Client, is connected with described secret generating Distributor with described cloud storage server, for being encrypted storing data, deciphering and the access strategy of configuration data.

Preferably, described cloud storage server comprises: data management module, for providing the interface of data upload and download and managing the data stored; User management module, is connected with described data management module, carries out control of authority for the data of user being accessed to storage.

Preferably, described secret generating Distributor is made up of the key distribution center server of multiple independent management and control community set of user separately, each key distribution center server comprises: initialization module, is used for for stochastic generation the common parameter sharing data encryption use; Secret generating distribution module, is connected with described initialization module, for generating the PKI of open character and the main key of privacy character of attribute according to described common parameter, generates unique private key simultaneously and be sent to user according to the attribute of user.

Preferably, described client comprises: encrypting module, and stochastic generation key also obtains symmetric key, adopts uniform enconding algorithm carry out enciphered data and obtain cryptograph files, adopts encryption attribute algorithm to be encrypted symmetric key simultaneously and obtains key file; Deciphering module, is connected with described encrypting module, is decrypted for the file encrypted described encrypting module; Access strategy module, is connected with described deciphering module with described encrypting module, is made up of some thresholdings, for generating the access strategy of access cryptograph files box key file.

Preferably, described access strategy module comprises: access strategy tree unit, for limiting the community set that can be decrypted, and the non-leaf nodes that the leaf node comprising the PKI representing attribute and this attribute and the thresholding formed by encoding are formed; Threshold cryptography unit, sets unit with described access strategy and is connected, to the password that described thresholding is arranged; PKI aggregation units, PKI is set and Symmetric key generation according to access strategy by secret generating Distributor, the leaf node of the corresponding access strategy tree of each PKI.

As mentioned above, a kind of secure cloud storage means of the present invention and system, have following beneficial effect:

One aspect of the present invention is by adopting information dispersal algorithm, to encoding after deblocking and encrypting, ensure the fail safe such as data-privacy and confidentiality, adopt the encryption attribute algorithm realization access control mechanisms of different rights rank on the other hand, provide data security sharing functionality flexibly.

Accompanying drawing explanation

Fig. 1 is shown as the schematic flow sheet of secure cloud storage means of the present invention.

Fig. 2 is shown as the structural representation of secure cloud storage system of the present invention.

Element numbers explanation

1 cloud storage server

2 secret generating Distributors

3 clients

The client of 31 data sharings

The client that 32 data are downloaded

S11 ~ S13 step

Embodiment

Below by way of specific instantiation, embodiments of the present invention are described, those skilled in the art the content disclosed by this specification can understand other advantages of the present invention and effect easily.The present invention can also be implemented or be applied by embodiments different in addition, and the every details in this specification also can based on different viewpoints and application, carries out various modification or change not deviating under spirit of the present invention.

The object of the present invention is to provide a kind of secure cloud storage means and system, for solving in prior art safety in the storage of data and access and the shared technical problem that can not balance.To principle and the execution mode of a kind of secure cloud storage means of the present invention and system be elaborated below, and make those skilled in the art not need creative work can understand a kind of secure cloud storage means of the present invention and system.

first embodiment

The present embodiment provides a kind of secure cloud storage means, and in secure cloud storage means of the present invention, cloud stores service allows user's remote storage data and shares these information easily.A crucial problem is the fail safe and the privacy that how to ensure user data, realizes access control mechanisms in data sharing.The inventive method be cloud store in the efficient File encryption and decryption in conjunction with uniform enconding and access control scheme.First carry out encrypted file data by file uniform enconding, make file data with ciphertext form transmission and store, ensure that Information Security, secondly adopt encryption attribute algorithm to be encrypted file key, the key obtained is for realizing access control.System of the present invention comprises: file encryption-decryption module, attribute encryption/decryption module, key server and cloud storage system.In the present invention, the fail safe of transfer of data and storage is easy to ensure, achieves data simultaneously and shares between validated user.

Particularly, as shown in Figure 1, described secure cloud storage means comprises the following steps.

Step S11, cloud storage administration data also control the access of data, namely carry out cloud storage and management to data, cloud storage administration data also control specifically to comprise to the access of data: provide the interface of data upload and download and manage the data stored; The data of user being accessed to storage carry out control of authority.

In step s 12, the shared attribute PKI of data and the attribute private key of user is generated.

In step s 13, be encrypted storing data, decipher and the access strategy of configuration data.

Wherein, for the process be encrypted storage data be: stochastic generation key also obtains symmetric key, adopt uniform enconding algorithm carry out enciphered data and obtain cryptograph files, adopt encryption attribute algorithm to be encrypted symmetric key simultaneously and obtain key file.

Wherein, the access strategy of configuration access data specifically comprises: limit the community set that can be decrypted, the non-leaf nodes that the leaf node arranging the PKI representing attribute and this attribute and the thresholding formed by encoding are formed; To the password that described thresholding is arranged; Secret generating Distributor is set and Symmetric key generation PKI according to access strategy, the leaf node of the corresponding access strategy tree of each PKI.

Below above-mentioned steps is described in detail.

The community set of independent management and control user; Stochastic generation is used for the common parameter sharing data encryption use; Generate the PKI of open character and the main key of privacy character of attribute according to described common parameter, generate unique private key according to the attribute of user simultaneously and be sent to user.

Whether with the community set of user for input, first need the community set of artificial certification and this user of examination & verification to be allowed to, then key production module can be followed successively by the private key of each attribute value generation one, and the attribute private key of different user is all different.Then by secure network socket, these private keys are sent to user.

User selects the local file needing encryption, and configures the access strategy of this file.By file data piecemeal, and generate a random data block, adopt information dispersal algorithm these data blocks to be encoded, obtain the data file after encoding.Then adopt encryption attribute algorithm that this random data block encryption is obtained a key file.

The access control mechanisms based on encryption attribute under method of the present invention to distributed environment, working method comprises:

1, initial phase, for community set sets up common parameter, total total N number of KDC A={A in supposing the system ₁, A ₂..., A _n, each KDC manages a community set independently, and all community sets are L={L ₁, L ₂..., L _n.These key distributions produce the PKI T of each attribute _a,iwith main key t _a,i, PKI be open in system everyone, and master key secret.

2, private key for user generates: when user adds system, user has one group of property value, secret generating Distributor according to this attribute for user generates private key for user, conspire to prevent user, the Identity Association of this private key value and user, that is for different users, the private key of same attribute is different, the private key of user A is skimble-skamble for user B, and shared private key can not bring any harm.

3, user file encryption is uploaded: produce random data block and file data blocks, and adopt information dispersal algorithm to carry out piecemeal to file content, coding, obtains the data file of ciphertext form.Second step is data set provider is that data formulate access strategy Γ, a tree structure be made up of multiple thresholding during this access strategy, the leaf node of tree has property value, and non-leaf nodes is by encoding the thresholding formed, and defining the user possessing which attribute can decipher.Then encrypt the random data block in the first step according to strategy, obtain ciphertext CT, save as key file.Data file and key file upload to cloud storage server the most at last.

4, user's downloading data deciphering: first user downloads key file, when user property set meets the access strategy of ciphertext, user can use the PKI in oneself private key set SK and ciphertext to obtain random data block in step 3 to decipher this key file.Then, user's download data files, usage data file, information dispersal algorithm decrypts former data file.

5, user right is cancelled: there is some situation needs to reduce user right, and cancelling authority is attribute by cancelling user, and the private key of this attribute of this user namely must be made to lose efficacy.Behavior of cancelling is initiated by KDC, and first for this attribute generates new PKI, then generate new private key for other users not cancelling authority, the private key of cancelling the user of authority so just fails.

In addition, in order to realize preventing user from conspiring, the attribute private key of user is all that therefore the private key of different user is useless each other with the identity binding of user oneself.Above step inherits the frame structure from encryption attribute algorithm substantially, but has several large advantage and innovation compared with before:

1) key distribution is made up of distributed system, fail safe and anti-attack ability more Gao Gengqiang.The task of KDC is with Attribute transposition, and key server manages separately oneself community set, minimum alternately before Deterministic service device, there is not certain server and is attacked and affect other servers.

2) encryption and decryption of file adopt information dispersal algorithm.Encrypt data is distributed storage, makes assailant must capture whole storage servers completely, and the data read completely wherein just can decrypt initial data.

3) the access control structure in encryption attribute algorithm has been come by encoder matrix.During deciphering, coding/decoding method is utilized to obtain privacy information.Polynomial computation before comparing and Lagrange's interpolation algorithm, the scheme based on Code And Decode is more simple, efficiently.

4) transmission security is very high.In system, all data of transmission that need do not need additional encryption.Ciphertext after comprising encryption is on the one hand can directly in transmission over networks, and it is also safe for being put in any incredible third party's storage.In addition, key information is also directly in transmission over networks, and user key is directly transmission.

It is initialization and key distribution respectively that key distribution includes two work.

Initialization: jointly completed by KDCs all in whole system, relevant algorithm parameter is all randomness.

1) common parameter of selecting system: g ₁, g ₂, q, β, G ₁, G ₂, G _t, e:G ₁× G ₂→ G _t. e:G here ₁× G ₂→ G _tbe Bilinear map, q is crowd G ₁, G ₂, G _tprime Orders, g ₁, g ₂crowd G respectively ₁, G ₂generator, β is finite field Z _qon random number.

2) each KDC a ∈ A random selecting integer τ _a∈ Z _q, then calculate by Y _abe broadcast to other KDC.Finally, all KDCs can calculate:

3) hash function H:{0 is chosen, 1} ^*→ Z _q, this function is mapped in finite field by the binary data of random length.Each key pipe Distribution Center a ∈ A, supposes that managed community set is L _a. kDC a calculates τ _a,i=H (i) is then that this attribute i selects initialization version number V randomly _i∈ Z _q.In conjunction with above-mentioned all steps, obtain total system common parameter:

$<Y=e{(g_1,g_2)}^{\mathrm{\&tau;}},g_2,g_2^{\mathrm{\&beta;}},\{T_{a,i}=g_1^{t_{a,i}}{g_1}^{V_i}{\}}_{i\&Element;L_a,a\&Element;A}>.$

These common parameters are that each KDC has, and in system, all users also know.

Key distribution: when new user j application joins in system time, the unique identity number of user is u _j, all KDCs will generate private key for user, and the user having private key could data decryption.The generative process of private key is as follows: suppose that the community set of user j is S _j, for i ∈ S _jif, i ∈ L _a, so user j will obtain by the following formula of the private key of KDC a:

${\mathrm{SK}}_a=(\&ForAll;i\&Element;S_i\&cap;L_a:D_i=g_1^{u_j{V}_i}\&CenterDot;T_{a,i}).$

So whole private keys of user's acquisition are as follows:

$\mathrm{SK}=<D=g_1^{(t+u_j)/\mathrm{\&beta;}},g_2^{u_j},\&ForAll;a\&Element;A:{\mathrm{SK}}_a>.$

III.1. file encryption is uploaded

File encryption algorithm combines encryption attribute algorithm and information dispersal algorithm.

The flow process of encryption attribute algorithm is as follows, supposes that input data are M, and data owner is the access control tree that this plaintext is given is Γ, and any intermediate node k of this tree is a [d _k, n _k] thresholding, then associate [a n _k, d _k] maximum distance separable codes on this thresholding.This encoder matrix is the sparse matrix of least density

The encoder matrix as above formula that this method uses, I is identical element here. mutually different.Given source data file M and corresponding access strategy tree Γ, data owner is encrypted according to following steps:

1) random selecting seed s ∈ Z _q, calculate Y ^s, with Y ^scarry out data file encryption as symmetric key to obtain, ciphertext is MY ^s.

2) encryption attribute algorithm Encode (k, the v based on coding is used _k, Γ) and carry out encrypted symmetric key Y ^s.This algorithm is the recursive algorithm on access strategy tree, is encoded layer by layer by private information, down transmits, get to leaf node always, leaf node calculates PKI, the property value one_to_one corresponding of this PKI and leaf node representative.Here cryptographic algorithm comes based on above-mentioned encoder matrix, and input is k is respectively the node serial number that access strategy is set, v _kthe input data of node, namely will by the data of encoding, meeting Γ is access strategy tree.Specific algorithm is as follows:

Input: tree node k, privacy information v _k, access control tree Γ;

Export: the public key information of leaf node;

Arthmetic statement Encode (k, v _k, Γ):

If k is leaf node, so otherwise Stochastic choice vector S=(s ₁, s ₂..., s _d), meeting vector sum is v _k; Calculate (v _{k, 1}, v _{k, 2}..., v _k,n)=S × G _{d × n}; Each element one_to_one corresponding of the above results vector is distributed to n child node.

Suppose child node k _iobtain v _k,i, recursive call Encode (k _i, v _k,i, Γ); v ₀=s

3) form calling this algorithm is Encode (0, s, Γ), and 0 represents that access strategy sets the root node of Γ, and represents that the initial data that will encrypt is s.Finally, data owner, by cipher-text information, access strategy tree and public key information packing, obtains:

$\mathrm{CT}=<\mathrm{\&Gamma;},M\&CenterDot;Y^s,C=g_2^{\mathrm{\&beta;s}},\&ForAll;i\&Element;I:C_i=g_2^{v_i},C_i^{\&prime;}=T_{a,i}^{v_i},C_i^{\&prime;\&prime;}=g_1^{v_i(V_i-1)}>;$ Following consideration information dispersal algorithm.

First information dispersal algorithm divides into groups to file data m, and respectively to each block encoding, the size of each grouping is ws bit.The encoder matrix that information dispersal algorithm is chosen adopts reed-solomon code, and matrix is G _{s × s}.

$G_{s\&times;s}=\left(\begin{array}{cccc}1& 2& ...& s\\ 1^2& 2^2& ...& s^2\\ .& .& .& .\\ .& .& .& .\\ .& .& .& .\\ 1^s& 2^s& ...& s^s\end{array}\right).$

If any assailant can not obtain whole s+1 part data blocks, just can not decipher.The encryption of data is carried out according to grouping equally, is in the grouping of ws a size, data is divided into s data slice, is designated as vectorial d ₀, d ₁..., d _s-1, random generation size is the data slice K of w bit, then calculates the vector M=(m before coding ₀, m ₁..., m _s-1).As follows:

$m_i=d_i\&CirclePlus;K;$

Vector before coding is (m ₀, m ₁..., m _s-1), then carry out encoding operation:

G _s×s×M＝C；

This formula ensure that computational security, unless assailant obtains whole encrypt datas, could obtain original vector M.We obtain elementary encrypt data (c ₀, c ₁..., c _s-1).MD5 hash algorithm is adopted to obtain cryptographic Hash h to this ciphertext.This cryptographic Hash is encrypted according to encryption attribute algorithm.The encrypt file C of the key information CT obtained after encryption attribute the most at last and coding gained packs as ciphertext.

III.2. file download deciphering

File decryption algorithm combines attribute decipherment algorithm and information dispersal algorithm.Given key information CT and file C, user j will according to the community set S of oneself _jtrial solution ciphertext data is carried out with the private key SK of correspondence.

Decryption step is divided into two flow processs, is the decrypting process of attribute decipherment algorithm decrypting process and information dispersal algorithm respectively.

The decryption step of encryption attribute algorithm is as follows:

1) obtain the access strategy tree Γ in ciphertext, suppose that the community set of the leaf node representative of this tree is I.Property value i in all for I, if i ∈ is S _j, so calculate:

$\begin{array}{c}e(D_i,C_i)/(e(C_i^{\&prime;},g_2)\&CenterDot;e(C_i^{\&prime;\&prime;},g_2^{u_j}))\\ =\frac{e{(g_1,g_2)}^{v_i\&CenterDot;(t_{a,i}+u_j{V}_i)}}{e{(g_1,g_2)}^{v_i\&CenterDot;(t_{a,i}+u_j\&CenterDot;(V_i-1))}}\\ =e{(g_1,g_2)}^{v_i\&CenterDot;u_j}\end{array};$ This result of calculation is returned to father node by leaf node.

2) after father node takes the calculated value returned from child node, call algorithm NodeDecode (k, X), the input of this algorithm is the numbering k of this node respectively, and from the vectorial X that the result of calculation that child node obtains is formed.The core thinking of algorithm NodeDecode (k, X) carries out decode operation according to vectorial X, and then obtain decoded former vector, summation obtains .The concrete false code of this algorithm is as follows:

Input: tree node k, the decoded vector X of the information structure that all child nodes return; Export: return decoded information.Arthmetic statement NodeDecode (k, X):

(1) if vectorial X length is less than d, sky is returned;

(2) for element x in vectorial X _i, i ∈ [1, d], if x _ifrom a jth child node, j ∈ [1, n], selects generator matrix G _{d × n}jth row, form submatrix H _{d × d};

(3) to H _{d × d}finding the inverse matrix, and the addition of the column vector of inverse matrix is obtained vector (h _1,h ₂..., h _d) ^t;

(4) return value is $e{(g_1,g_2)}^{u_j{v}_k}\&LeftArrow;\underset{i\&Element;[1,n]}{\mathrm{\&Pi;}}{x}_i^{h_i};$

Bottom-up, repeat step (2), calculate root node, the result finally obtained should be always $e{(g_1,g_2)}^{u_j\&CenterDot;v_0}={e(g_1,g_2)}^{u_j\&CenterDot;s}.$ This result is utilized to calculate Y ^s:

$\begin{array}{c}{Y}^s=e(C,D)/e{(g_1,g_2)}^{u_j\&CenterDot;v_0}\\ =e{(g_1,g_2)}^{\mathrm{\&tau;}\&CenterDot;s+u_j\&CenterDot;s}/e{(g_1,g_2)}^{u_j\&CenterDot;s}\\ =e{(g_1,g_2)}^{\mathrm{\&tau;}\&CenterDot;s}\end{array};$ Take Y ^safter, directly can decipher MY ^sobtain data M.

Cryptograph files is decoded by information dispersion calculation method, as follows: do decode operation to ciphertext block data.Try to achieve encoder matrix G _{s × s}inverse matrix H _{s × s}.Decoding is multiply operation H _{s × s}(c ₀, c ₁..., c _s-1)=(m ₀, m ₁..., m _s-1), then do xor operation with the random value K that the first step calculates with decoding vector out, namely , obtain cleartext information (d ₀, d ₁..., d _s-1), namely final source file data.

III.3. private key for user upgrades

Attribute and the privilege of user can not remaining unchanged for a long period of time.In order to tackle the attribute change of user, this method devises user property to be increased and user property revocation mechanism, can ensure flexibility and the extensibility of access control system.

1) user property adds: if certain legal user adds attribute, namely user property set changes, and this corresponding private key for user also needs have updated, and realizes user property and add very simple in this mechanism.The unique identities being assumed to be user j is u _j, need the new attribute i ∈ L added _a, the identity of a ∈ A, KDC a first authentication of users, after confirming that user is legal, calculates this result is sent to user j.User j receives D _iafter, upgrade the private key (SK of oneself _a) _new=(SK _a) _old∪ { D _i.

2) user property is cancelled: user property is cancelled and is mainly divided into three processes: KDC upgrades the PKI of this attribute; The private key that the non-rights of rescission limit the use of family upgrades; The re-encrypted of ciphertext.Suppose that active user needs the attribute of cancelling to be i ∈ L _a, a ∈ A.The attribute of cancelling this user will perform following steps: attribute PKI upgrades: need to upgrade about the part of this attribute in the common parameter of system.KDC a is the version number V' that attribute i stochastic generation is new _i, and replace PKI for .Private key for user upgrades: according to formula, the non-user cancelling attribute needs the private key upgrading this attribute.Validated user j needs to apply for new private key to KDC.

${\left(D_i\right)}_{\mathrm{new}}={\left(D_i\right)}_{\mathrm{old}}\&CenterDot;g_1^{u_j\&CenterDot;(V_i^{\&CenterDot;}-V_i)};$

This method is safe, prevents disabled user from conspiring.Because new private key contains the identity information u of validated user _jeven if the data of key updating are intercepted by disabled user, and disabled user also does nothing.Ciphertext re-encryption: because the PKI of attribute changes, so ciphertext also needs re-encrypted, the user that the follow-up new interpolation of guarantee is come in can decipher these data, and the user having cancelled this attribute can not data decryption.Every encrypt data relevant with attribute i all needs to upgrade, and the part of renewal is exactly the C in formula ", it represent the PKI version number information of attribute.

${\left(C_i^{\&prime;\&prime;}\right)}_{\mathrm{new}}={\left({\left(C_i^{\&prime;\&prime;}\right)}_{\mathrm{old}}\right)}^{\frac{V_i^{\&prime;}-1}{V_i-1}}$

After above step, cancelled the user of attribute the old private key that has will lose efficacy, the private key of other users is upgraded simultaneously.

second embodiment

For realizing above-mentioned secure cloud storage means, the present embodiment correspondence provides a kind of secure cloud storage system, refers to Fig. 2, is shown as the structural representation of a kind of secure cloud storage system of the present invention.As shown in Figure 2, described secure cloud storage system comprises: cloud storage server 1, secret generating Distributor 2 and client 3.

Cloud storage server 1 controls for cloud storage administration data and to the access of data; Cloud storage server 1, for storing all data, provides the platform of data sharing, can download and uploading data.Particularly, in the present embodiment, cloud storage server 1 comprises: data management module and user management module.

Data management module is for providing the interface of data upload and download and managing the data stored.

User management module is connected with described data management module, carries out control of authority for the data of user being accessed to storage.User management module provides user operation, and new user can register, afterwards just can usage data service, and user also can nullify oneself, no longer enjoys stores service.

Secret generating Distributor 2 is connected with described cloud storage server 1, for the attribute private key of the attribute PKI and user that generate shared data; Whether with the community set of user for input, first need the community set of artificial certification and this user of examination & verification to allow, then key production module can be followed successively by the private key of each attribute value generation one, and the attribute private key of different user is all different.Then by secure network socket, these private keys are sent to user.Secret generating Distributor 2 stochastic generation is used for the common parameter sharing data encryption use; Generate the PKI of open character and the main key of privacy character of attribute according to described common parameter, generate unique private key according to the attribute of user simultaneously and be sent to user.

Described secret generating Distributor 2 is made up of the key distribution center server of multiple independent management and control community set of user separately, the community set of independent management and control user; Each key distribution center server comprises: initialization module, the common parameter sharing data encryption use is used for for stochastic generation, secret generating distribution module, be connected with described initialization module, for generating the PKI of open character and the main key of privacy character of attribute according to described common parameter, generate unique private key according to the attribute of user simultaneously and be sent to user.

Wherein, initialization procedure wants some parameters of stochastic generation, and these parameters are parts is privately owned, and part is public.Generate the PKI of attribute and main key, and by open for PKI to all in system, and main key is privacy.Generate the private key of user, according to unique identity number and the community set of user, be the private key that each attribute value generation one is unique, and send to user by network.

Comprise at secret generating Distributor 2:

1, initial phase, for community set sets up common parameter, total total N number of KDC A={A in supposing the system ₁, A ₂..., A _n, each KDC manages a community set independently, and all community sets are L={L ₁, L ₂..., L _n.These key distributions produce the PKI T of each attribute _a,iwith main key t _a,i, PKI be open in system everyone, and master key secret.

2, private key for user generates: when user adds system, user has one group of property value, secret generating Distributor 2 according to this attribute for user generates private key for user, conspire to prevent user, the Identity Association of this private key value and user, that is for different users, the private key of same attribute is different, the private key of user A is skimble-skamble for user B, and shared private key can not bring any harm.

Secret generating Distributor 2 is not only and is carried out subscriber authorisation by distributed key, and can cancel certain customers' authority or whole authority.

Particularly, key distribution includes two work is initialization and key distribution respectively.

Initialization: jointly completed by KDCs all in whole system, relevant algorithm parameter is all randomness.

1) common parameter of selecting system: g ₁, g ₂, q, β, G ₁, G ₂, G _t, e:G ₁× G ₂→ G _t. e:G here ₁× G ₂→ G _tbe Bilinear map, q is crowd G ₁, G ₂, G _tprime Orders, g ₁, g ₂crowd G respectively ₁, G ₂generator, β is finite field Z _qon random number.

2) each KDC a ∈ A random selecting integer τ _a∈ Z _q, then calculate by Y _abe broadcast to other KDC.Finally, all KDCs can calculate:

3) hash function H:{0 is chosen, 1} ^*→ Z _q, this function is mapped in finite field by the binary data of random length.Each key pipe Distribution Center a ∈ A, supposes that managed community set is L _a. , KDC a calculates τ _a,i=H (i) is then that this attribute i selects initialization version number V randomly _i∈ Z _q.In conjunction with above-mentioned all steps, obtain total system common parameter:

$<Y=e{(g_1,g_2)}^{\mathrm{\&tau;}},g_2,g_2^{\mathrm{\&beta;}},\{T_{a,i}=g_1^{t_{a,i}}{g_1}^{V_i}{\}}_{i\&Element;L_a,a\&Element;A}>.$

These common parameters are that each KDC has, and in system, all users also know.

Key distribution: when new user j application joins in system time, the unique identity number of user is u _j, all KDCs will generate private key for user, and the user having private key could data decryption.The generative process of private key is as follows: suppose that the community set of user j is S _j, for i ∈ S _jif, i ∈ L _a, so user j will obtain by the following formula of the private key of KDC a:

${\mathrm{SK}}_a=(\&ForAll;i\&Element;S_i\&cap;L_a:D_i=g_1^{u_j{V}_i}\&CenterDot;T_{a,i}).$

So whole private keys of user's acquisition are as follows:

$\mathrm{SK}=<D=g_1^{(t+u_j)/\mathrm{\&beta;}},g_2^{u_j},\&ForAll;a\&Element;A:{\mathrm{SK}}_a>.$

Client 3 is connected with described secret generating Distributor 2 with described cloud storage server 1, for being encrypted storing data, deciphering and the access strategy of configuration data.

The client 32 that described client 3 is divided into the client 31 of data sharing and data to download, any one client 3 includes:

Encrypting module stochastic generation key also obtains symmetric key, adopts uniform enconding algorithm carry out enciphered data and obtain cryptograph files, adopts encryption attribute algorithm to be encrypted symmetric key simultaneously and obtains key file; User file encryption is uploaded: produce random data block and file data blocks, and adopt information dispersal algorithm to carry out piecemeal to file content, coding, obtains the data file of ciphertext form.Second step is data set provider is that data formulate access strategy Γ, a tree structure be made up of multiple thresholding during this access strategy, the leaf node of tree has property value, and non-leaf nodes is by encoding the thresholding formed, and defining the user possessing which attribute can decipher.Then encrypt the random data block in the first step according to strategy, obtain ciphertext CT, save as key file.Data file and key file upload to cloud storage server 1 the most at last.

Particularly, in encrypting module, file encryption algorithm combines encryption attribute algorithm and information dispersal algorithm.

The flow process of encryption attribute algorithm is as follows, supposes that input data are M, and data owner is the access control tree that this plaintext is given is Γ, and any intermediate node k of this tree is a [d _k, n _k] thresholding, then associate [a n _k, d _k] maximum distance separable codes on this thresholding.This encoder matrix is the sparse matrix of least density

The encoder matrix as above formula that this method uses, I is identical element here. mutually different.Given source data file M and corresponding access strategy tree Γ, data owner is encrypted according to following steps:

1) random selecting seed s ∈ Z _q, calculate Y ^s, with Y ^scarry out data file encryption as symmetric key to obtain, ciphertext is MY ^s.

2) encryption attribute algorithm Encode (k, the v based on coding is used _k, Γ) and carry out encrypted symmetric key Y ^s.This algorithm is the recursive algorithm on access strategy tree, is encoded layer by layer by private information, down transmits, get to leaf node always, leaf node calculates PKI, the property value one_to_one corresponding of this PKI and leaf node representative.Here cryptographic algorithm comes based on above-mentioned encoder matrix, and input is k is respectively the node serial number that access strategy is set, v _kthe input data of node, namely will by the data of encoding, meeting Γ is access strategy tree.Specific algorithm is as follows:

Input: tree node k, privacy information v _k, access control tree Γ;

Export: the public key information of leaf node;

Arthmetic statement Encode (k, v _k, Γ):

If k is leaf node, so otherwise Stochastic choice vector S=(s ₁, s ₂..., s _d), meeting vector sum is v _k; Calculate (v _{k, 1}, v _{k, 2}..., v _k,n)=S × G _{d × n}; Each element one_to_one corresponding of the above results vector is distributed to n child node.

Suppose child node k _iobtain v _k,i, recursive call Encode (k _i, v _k,i, Γ); v ₀=s

3) form calling this algorithm is Encode (0, s, Γ), and 0 represents that access strategy sets the root node of Γ, and represents that the initial data that will encrypt is s.Finally, data owner, by cipher-text information, access strategy tree and public key information packing, obtains:

$\mathrm{CT}=<\mathrm{\&Gamma;},M\&CenterDot;Y^s,C=g_2^{\mathrm{\&beta;s}},\&ForAll;i\&Element;I:C_i=g_2^{v_i},C_i^{\&prime;}=T_{a,i}^{v_i},C_i^{\&prime;\&prime;}=g_1^{v_i(V_i-1)}>;$ Following consideration information dispersal algorithm.

First information dispersal algorithm divides into groups to file data m, and respectively to each block encoding, the size of each grouping is ws bit.The encoder matrix that information dispersal algorithm is chosen adopts reed-solomon code, and matrix is G _{s × s}.

$G_{s\&times;s}=\left(\begin{array}{cccc}1& 2& ...& s\\ 1^2& 2^2& ...& s^2\\ .& .& .& .\\ .& .& .& .\\ .& .& .& .\\ 1^s& 2^s& ...& s^s\end{array}\right).$

If any assailant can not obtain whole s+1 part data blocks, just can not decipher.The encryption of data is carried out according to grouping equally, is in the grouping of ws a size, data is divided into s data slice, is designated as vectorial d ₀, d ₁..., d _s-1, random generation size is the data slice K of w bit, then calculates the vector M=(m before coding ₀, m ₁..., m _s-1).As follows:

$m_i=d_i\&CirclePlus;K;$

Vector before coding is (m ₀, m ₁..., m _s-1), then carry out encoding operation:

G _s×s×M＝C；

This formula ensure that computational security, unless assailant obtains whole encrypt datas, could obtain original vector M.We obtain elementary encrypt data (c ₀, c ₁..., c _s-1).MD5 hash algorithm is adopted to obtain cryptographic Hash h to this ciphertext.This cryptographic Hash is encrypted according to encryption attribute algorithm.The encrypt file C of the key information CT obtained after encryption attribute the most at last and coding gained packs as ciphertext.

Deciphering module is connected with described encrypting module, is decrypted for the file encrypted described encrypting module; User's downloading data is deciphered: first user downloads key file, and when user property set meets the access strategy of ciphertext, user can use the PKI in oneself private key set and ciphertext to obtain random data block in step 3 to decipher this key file.Then, user's download data files, usage data file, information dispersal algorithm decrypts former data file.Concrete deciphering module comprises the steps:

User asks to obtain authority, key authentication user identity, according to user property set generation and distributed key to user.

User, according to the key of oneself and community set, downloads the data on cloud storage server 1, attempts deciphering.If user property set meets Ciphertext policy, so the key of this user coordinates the PKI of ciphertext to decipher.Otherwise user right is not enough deciphered.Decrypting process is the decoding scheme based on maximum distance separable codes.

Particularly, in deciphering module, file decryption algorithm combines attribute decipherment algorithm and information dispersal algorithm.Given key information CT and file C, user j will according to the community set S of oneself _jtrial solution ciphertext data is carried out with the private key SK of correspondence.

Decryption step is divided into two flow processs, is the decrypting process of attribute decipherment algorithm decrypting process and information dispersal algorithm respectively.

The decryption step of encryption attribute algorithm is as follows:

1) obtain the access strategy tree Γ in ciphertext, suppose that the community set of the leaf node representative of this tree is I.Property value i in all for I, if i ∈ is S _j, so calculate:

$\begin{array}{c}e(D_i,C_i)/(e(C_i^{\&prime;},g_2)\&CenterDot;e(C_i^{\&prime;\&prime;},g_2^{u_j}))\\ =\frac{e{(g_1,g_2)}^{v_i\&CenterDot;(t_{a,i}+u_j{V}_i)}}{e{(g_1,g_2)}^{v_i\&CenterDot;(t_{a,i}+u_j\&CenterDot;(V_i-1))}}\\ =e{(g_1,g_2)}^{v_i\&CenterDot;u_j}\end{array};$ This result of calculation is returned to father node by leaf node.

2) after father node takes the calculated value returned from child node, call algorithm NodeDecode (k, X), the input of this algorithm is the numbering k of this node respectively, and from the vectorial X that the result of calculation that child node obtains is formed.The core thinking of algorithm NodeDecode (k, X) carries out decode operation according to vectorial X, and then obtain decoded former vector, summation obtains the concrete false code of this algorithm is as follows:

Input: tree node k, the decoded vector X of the information structure that all child nodes return; Export: return decoded information.Arthmetic statement NodeDecode (k, X):

(1) if vectorial X length is less than d, sky is returned;

(2) for element x in vectorial X _i, i ∈ [1, d], if x _ifrom a jth child node, j ∈ [1, n], selects generator matrix G _{d × n}jth row, form submatrix H _{d × d};

(3) to H _{d × d}finding the inverse matrix, and the addition of the column vector of inverse matrix is obtained vector (h _1,h ₂..., h _d) ^t;

(4) return value is $e{(g_1,g_2)}^{u_j{v}_k}\&LeftArrow;\underset{i\&Element;[1,n]}{\mathrm{\&Pi;}}{x}_i^{h_i};$

Bottom-up, repeat step (2), calculate root node, the result finally obtained should be always $e{(g_1,g_2)}^{u_j\&CenterDot;v_0}={e(g_1,g_2)}^{u_j\&CenterDot;s}.$ This result is utilized to calculate Y ^s:

$\begin{array}{c}{Y}^s=e(C,D)/e{(g_1,g_2)}^{u_j\&CenterDot;v_0}\\ =e{(g_1,g_2)}^{\mathrm{\&tau;}\&CenterDot;s+u_j\&CenterDot;s}/e{(g_1,g_2)}^{u_j\&CenterDot;s}\\ =e{(g_1,g_2)}^{\mathrm{\&tau;}\&CenterDot;s}\end{array};$ Take Y ^safter, directly can decipher MY ^sobtain data M.

Cryptograph files is decoded by information dispersion calculation method, as follows: do decode operation to ciphertext block data.Try to achieve encoder matrix G _{s × s}inverse matrix H _{s × s}.Decoding is multiply operation H _{s × s}(c ₀, c ₁..., c _s-1)=(m ₀, m ₁..., m _s-1), then do xor operation with the random value K that the first step calculates with decoding vector out, namely obtain cleartext information (d ₀, d ₁..., d _s-1), namely final source file data.

User has key updating function, if secret generating Distributor 2 notifies that the key of certain attribute is expired, and produces new key for user, and user will more new key, original old key expires.

Attribute and the privilege of user can not remaining unchanged for a long period of time.In order to tackle the attribute change of user, this method devises user property to be increased and user property revocation mechanism, can ensure flexibility and the extensibility of access control system.

User property adds: if certain legal user adds attribute, namely user property set changes, and this corresponding private key for user also needs have updated, and realizes user property and add very simple in this mechanism.The unique identities being assumed to be user j is u _j, need the new attribute i ∈ L added _a, the identity of a ∈ A, KDC a first authentication of users, after confirming that user is legal, calculates .This result is sent to user j.User j receives D _iafter, upgrade the private key (SK of oneself _a) _new=(SK _a) _old∪ { D _i.

Access strategy module is connected with described deciphering module with described encrypting module, be made up of some thresholdings, for generating the access strategy of access cryptograph files box key file, this thresholding realizes based on coding, and these thresholdings determine can the user property set of visit data.Once access strategy is designated, anyone must not revise.

Data set provider uses this module to produce the access strategy of specifying for ciphertext, determines the access rights of other user to data.Wherein, described access strategy module comprises: access strategy tree unit, for limiting the community set that can be decrypted, and the non-leaf nodes that the leaf node comprising the PKI representing attribute and this attribute and the thresholding formed by encoding are formed; Threshold cryptography unit, sets unit with described access strategy and is connected, and to the password that described thresholding is arranged, threshold cryptography determines the input number of the minimum needs of the solution will trying to achieve problem.The thresholding of one [n, k] refers to that any k or more input can in the hope of separating; PKI aggregation units, PKI is set and Symmetric key generation according to access strategy by secret generating Distributor 2, the leaf node of the corresponding access strategy tree of each PKI.

Described client 3 also comprises user right and cancels module, is when user no longer has certain attribute, needs the private key of cancelling this this attribute of user, make this private key invalid.Each attribute Dou Youyige version number in system, the KDC managing this attribute upgrades this version number, and regenerates new attribute PKI, and is that the user not cancelling authority produces new private key.

User right is cancelled: there is some situation needs to reduce user right, and cancelling authority is attribute by cancelling user, and the private key of this attribute of this user namely must be made to lose efficacy.Behavior of cancelling is initiated by KDC, and first for this attribute generates new PKI, then generate new private key for other users not cancelling authority, the private key of cancelling the user of authority so just fails.

Cancel in module at user right, user property is cancelled and is mainly divided into three processes: KDC upgrades the PKI of this attribute; The private key that the non-rights of rescission limit the use of family upgrades; The re-encrypted of ciphertext.Suppose that active user needs the attribute of cancelling to be i ∈ L _a, a ∈ A.The attribute of cancelling this user will perform following steps: attribute PKI upgrades: need to upgrade about the part of this attribute in the common parameter of system.KDC a is the version number V that attribute i stochastic generation is new _i', and replace PKI for .Private key for user upgrades: according to formula, the non-user cancelling attribute needs the private key upgrading this attribute.Validated user j needs to apply for new private key to KDC.

${\left(D_i\right)}_{\mathrm{new}}={\left(D_i\right)}_{\mathrm{old}}\&CenterDot;g_1^{u_j\&CenterDot;(V_i^{\&CenterDot;}-V_i)};$

This method is safe, prevents disabled user from conspiring.Because new private key contains the identity information u of validated user _jeven if the data of key updating are intercepted by disabled user, and disabled user also does nothing.Ciphertext re-encryption: because the PKI of attribute changes, so ciphertext also needs re-encrypted, the user that the follow-up new interpolation of guarantee is come in can decipher these data, and the user having cancelled this attribute can not data decryption.Every encrypt data relevant with attribute i all needs to upgrade, and the part of renewal is exactly the C in formula ", it represent the PKI version number information of attribute.

${\left(C_i^{\&prime;\&prime;}\right)}_{\mathrm{new}}={\left({\left(C_i^{\&prime;\&prime;}\right)}_{\mathrm{old}}\right)}^{\frac{V_i^{\&prime;}-1}{V_i-1}}$

After above step, cancelled the user of attribute the old private key that has will lose efficacy, the private key of other users is upgraded simultaneously.

In sum, one aspect of the present invention is by adopting information dispersal algorithm, to encoding after deblocking and encrypting, ensure the fail safe such as data-privacy and confidentiality, adopt the encryption attribute algorithm realization access control mechanisms of different rights rank on the other hand, provide data security sharing functionality flexibly.So the present invention effectively overcomes various shortcoming of the prior art and tool high industrial utilization.

Above-described embodiment is illustrative principle of the present invention and function thereof only, but not for limiting the present invention.Any person skilled in the art scholar all without prejudice under spirit of the present invention and category, can modify above-described embodiment or changes.Therefore, such as have in art usually know the knowledgeable do not depart from complete under disclosed spirit and technological thought all equivalence modify or change, must be contained by claim of the present invention.

Claims (10)

1. a secure cloud storage means, is characterized in that, described secure cloud storage means comprises:

Cloud storage administration data also control the access of data;

Generate and share the attribute PKI of data and the attribute private key of user;

Be encrypted storing data, decipher and the access strategy of configuration data.

2. secure cloud storage means according to claim 1, is characterized in that, cloud storage administration data also control specifically to comprise to the access of data:

The interface of data upload and download is provided and the data stored are managed;

The data of user being accessed to storage carry out control of authority.

3. secure cloud storage means according to claim 1, is characterized in that, also comprise:

The community set of independent management and control user;

Stochastic generation is used for the common parameter sharing data encryption use;

Generate the PKI of open character and the main key of privacy character of attribute according to described common parameter, generate unique private key according to the attribute of user simultaneously and be sent to user.

4. secure cloud storage means according to claim 1, it is characterized in that, process for being encrypted storage data is: stochastic generation key also obtains symmetric key, adopt uniform enconding algorithm carry out enciphered data and obtain cryptograph files, adopt encryption attribute algorithm to be encrypted symmetric key simultaneously and obtain key file.

5. secure cloud storage means according to claim 4, is characterized in that, the access strategy of configuration access data specifically comprises:

The community set that restriction can be decrypted, the non-leaf nodes that the leaf node arranging the PKI representing attribute and this attribute and the thresholding formed by encoding are formed;

To the password that described thresholding is arranged;

Secret generating Distributor is set and Symmetric key generation PKI according to access strategy, the leaf node of the corresponding access strategy tree of each PKI.

6. a secure cloud storage system, is characterized in that, described secure cloud storage system comprises:

Cloud storage server, controls for cloud storage administration data and to the access of data;

Secret generating Distributor, is connected with described cloud storage server, for the attribute private key of the attribute PKI and user that generate shared data;

Client, is connected with described secret generating Distributor with described cloud storage server, for being encrypted storing data, deciphering and the access strategy of configuration data.

7. secure cloud storage system according to claim 6, is characterized in that, described cloud storage server comprises:

Data management module, for providing the interface of data upload and download and managing the data stored;

User management module, is connected with described data management module, carries out control of authority for the data of user being accessed to storage.

8. secure cloud storage system according to claim 6, is characterized in that, described secret generating Distributor is made up of the key distribution center server of multiple independent management and control community set of user separately, and each key distribution center server comprises:

Initialization module, is used for for stochastic generation the common parameter sharing data encryption use;

Secret generating distribution module, is connected with described initialization module, for generating the PKI of open character and the main key of privacy character of attribute according to described common parameter, generates unique private key simultaneously and be sent to user according to the attribute of user.

9. secure cloud storage system according to claim 6, is characterized in that, described client comprises:

Encrypting module, stochastic generation key also obtains symmetric key, adopts uniform enconding algorithm carry out enciphered data and obtain cryptograph files, adopts encryption attribute algorithm to be encrypted symmetric key simultaneously and obtains key file;

Deciphering module, is connected with described encrypting module, is decrypted for the file encrypted described encrypting module;

Access strategy module, is connected with described deciphering module with described encrypting module, is made up of some thresholdings, for generating the access strategy of access cryptograph files box key file.

10. secure cloud storage system according to claim 9, is characterized in that, described access strategy module comprises:

Access strategy tree unit, for limiting the community set that can be decrypted, the non-leaf nodes that the leaf node comprising the PKI representing attribute and this attribute and the thresholding formed by encoding are formed;

Threshold cryptography unit, sets unit with described access strategy and is connected, to the password that described thresholding is arranged;

PKI aggregation units, PKI is set and Symmetric key generation according to access strategy by secret generating Distributor, the leaf node of the corresponding access strategy tree of each PKI.