CN104917787B - File security sharing method based on group key and system - Google Patents
File security sharing method based on group key and system Download PDFInfo
- Publication number
- CN104917787B CN104917787B CN201410086634.3A CN201410086634A CN104917787B CN 104917787 B CN104917787 B CN 104917787B CN 201410086634 A CN201410086634 A CN 201410086634A CN 104917787 B CN104917787 B CN 104917787B
- Authority
- CN
- China
- Prior art keywords
- group
- key
- user terminal
- management
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The present invention discloses a kind of file security sharing method and system based on group key.Wherein the first user terminal is in shared original document, original document is encrypted to generate encryption file using working key, working key is encrypted using group key to generate key ciphertext, encryption file and key ciphertext are uploaded to shared storage server;Second user terminal downloads specified encryption file, key ciphertext associated with specified encryption file and group identification from shared storage server;Second user terminal is decrypted to obtain working key key ciphertext when judging the group identification downloaded for the group identification of the second user terminal group, using group key, is decrypted encryption file to obtain original document using working key.By using group key cryptographic work key, it can be achieved that the encryption file security that flexible, user controllable, key is easily managed is shared, the risk that user file is divulged a secret in shared procedure is reduced.
Description
Technical field
The present invention relates to the communications field, more particularly to a kind of file security sharing method and system based on group key.
Background technology
With the fast development of the Internet, applications, user data value is constantly promoted, and user is to information services such as cloud storages
Safety more stringent requirements are proposed, how while promoting secure user data, realize that the safety of data is shared into
For the main difficult technical of the service facings such as current cloud storage, the main File Sharing Technique scheme of industry or system exist at present
Following some problems:
1, the secret sharing for authorizing and accessing is combined in plain text,
Since file is with stored in clear, safety is low;
2, Cryptograph Sharing scheme:
1)Server end encryption and decryption, presence server side key are divulged a secret risk, user's control scarce capacity, especially in cloud meter
Under the multi-tenants application scenarios such as calculation, there are larger security risks;
2)User terminal encryption and decryption, there are key updating, the difficulties of management aspect.
Invention content
The embodiment of the present invention provides a kind of file security sharing method and system based on group key.For existing safety
Storage scheme there are user's autonomous control scarce capacity, key and shared management and group are difficult the problems such as, it is proposed that traditional
On the basis of file encryption, using group key encryption file key, by the distribution, more of group administrator's differentiated control group key
New method, it can be achieved that flexible, user controllable, key is easily managed on the basis of meeting subscriber data file and storing safety
Encryption file security it is shared, reduce the risk that user file is divulged a secret in shared procedure.
According to an aspect of the present invention, a kind of file security sharing method based on group key is provided, including:
Original document is encrypted to generate encryption in shared original document, using working key for first user terminal
File is encrypted working key using preconfigured group key to generate key ciphertext;
First user terminal will encrypt file and key ciphertext is uploaded to shared storage server;
Shared storage server storage encryption file and key ciphertext, and encryption file, key ciphertext and first are used
The group identification of the family terminal group is associated;
Second user terminal downloads specified encryption text from shared storage server when obtaining specified encryption file
Part, key ciphertext associated with specified encryption file and group identification;
Second user terminal judge download group identification whether be the second user terminal group group identification;
If the group identification downloaded is the group identification of the second user terminal group, second user terminal is using in advance
The key ciphertext of download is decrypted to obtain working key in the group key first configured, using obtained working key under
The encryption file of load is decrypted to obtain original document.
In one embodiment, if the group identification downloaded is not the group identification of the second user terminal group,
The key ciphertext and group identification of download are sent to the second management and group device by second user terminal, wherein the second management and group device
For the manager of the second user terminal group;
Second management and group device sends cipher key acquisition request to the first management and group device, wherein the first management and group device is the
The manager of one group, the first group are associated with the group identification of the download;
First management and group device is encrypted using the group key of pre-set the first group of higher level's group key pair,
To obtain group key ciphertext, and group key ciphertext is sent to the second management and group device;
Second management and group device is decrypted group key ciphertext using pre-set higher level's group key, to obtain
The group key of first group is decrypted the key ciphertext of download using the group key of the first group close to obtain work
Obtained working key is sent to second user terminal by key;
Second user terminal is decrypted to obtain original text the encryption file of download using the working key received
Part.
In one embodiment, if the group identification downloaded is not the group identification of the second user terminal group,
The key ciphertext and group identification of download are sent to the second management and group device by second user terminal, wherein the second management and group device
For the manager of the second user terminal group;
Second management and group device sends cipher key acquisition request to the first management and group device, and wherein cipher key acquisition request includes
The key ciphertext of download, the first management and group device are the manager of the first group, the group identification of the first group and the download
It is associated;
First management and group device is decrypted to obtain working key key ciphertext using the group key of the first group,
Obtained working key is encrypted using pre-set higher level's group key, to obtain working key ciphertext, and by work
Make key ciphertext and is sent to the second management and group device;
Second management and group device is decrypted to obtain working key ciphertext using pre-set higher level's group key
Obtained working key is sent to second user terminal by working key;
Second user terminal is decrypted to obtain original text the encryption file of download using the working key received
Part.
In one embodiment, the first user terminal original document is encrypted using working key to generate encryption text
The step of part includes:
First user terminal generates working key at random;
First user terminal original document is encrypted using the working key generated at random to generate encryption file.
In one embodiment, group key of the management and group device in designated group in updating the designated group
When, the whole key ciphertexts associated with designated group mark being stored in shared storage server are updated, so as to
The whole key ciphertext is only capable of being decrypted using updated group key;
The updated group key is sent in the designated group by the management and group device in the designated group
Each user terminal.
In one embodiment, group key of the management and group device in designated group in updating the designated group
When, the step of the whole key ciphertexts associated with designated group mark being stored in shared storage server are updated
Including:
Management and group device in designated group is in the group key in updating the designated group, from shared storage service
Device downloads whole key ciphertexts associated with designated group mark;
Using current group key respectively to the key ciphertext K of downloadiE is decrypted, to obtain corresponding work
Key Ki, wherein 1≤i≤N, N are the quantity of whole key ciphertexts;
Using updated group key respectively to working key KiIt is encrypted, it is close to respectively obtain updated key
Literary Kie′;
By updated key ciphertext KiE ' is sent to shared storage server, to share storage server using update
Key ciphertext K afterwardsiE ' is to key ciphertext KiE is updated.
According to another aspect of the present invention, a kind of file security shared system based on group key, including first are provided
User terminal, second user terminal and shared storage server, wherein:
First user terminal, in shared original document, original document to be encrypted with life using working key
At encryption file, working key is encrypted using preconfigured group key to generate key ciphertext, file will be encrypted
It is uploaded to shared storage server with key ciphertext;
Shared storage server, for after the encryption file and key ciphertext for receiving the first user terminal uploads, depositing
Storage encryption file and key ciphertext, and the group identification that file, key ciphertext and the first user terminal group will be encrypted
It is associated;
Second user terminal is used for when obtaining specified encryption file, and specified add is downloaded from shared storage server
Ciphertext part, key ciphertext associated with specified encryption file and group identification;Judge download group identification whether be
The group identification of the second user terminal group is marked in the group that the group identification of download is the second user terminal group
When knowledge, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, utilizes what is obtained
The encryption file of download is decrypted to obtain original document in working key.
In one embodiment, there are one management and group devices for each group's tool, wherein:
Second user terminal be additionally operable to be not in the group identification of download the second user terminal group group identification
When, the key ciphertext and group identification of download are sent to the second management and group device, wherein the second management and group device is the second use
The manager of the family terminal group;When receiving the working key of the second management and group device transmission, the work received is utilized
The encryption file for making key pair download is decrypted to obtain original document;
Second management and group device, for sending cipher key acquisition request to the first management and group device, wherein the first management and group
Device is the manager of the first group, and the first group is associated with the group identification of the download;Receiving the first management and group
When the group key ciphertext that device is sent, group key ciphertext is decrypted using pre-set higher level's group key, with
To the group key of the first group, the key ciphertext of download is decrypted to obtain work using the group key of the first group
Obtained working key is sent to second user terminal by key;
First management and group device, for being carried out using the group key of pre-set the first group of higher level's group key pair
Encryption, to obtain group key ciphertext, and is sent to the second management and group device by group key ciphertext.
In one embodiment, second user terminal is additionally operable to where the group identification of download is not second user terminal
When the group identification of group, the key ciphertext and group identification of download are sent to the second management and group device, wherein the second group
Manager is the manager of the second user terminal group;When receiving the working key of the second management and group device transmission,
The encryption file of download is decrypted to obtain original document using the working key received;
Second management and group device, for sending cipher key acquisition request, wherein cipher key acquisition request to the first management and group device
Include the key ciphertext downloaded, the first management and group device is the manager of the first group, the group of the first group and the download
Group mark is associated;When receiving the working key ciphertext of the first management and group device transmission, pre-set higher level group is utilized
Working key ciphertext is decrypted to obtain working key in group key, and obtained working key is sent to second user end
End;
First management and group device is decrypted to obtain work key ciphertext for the group key using the first group
Key is encrypted obtained working key using pre-set higher level's group key, to obtain working key ciphertext, and
Working key ciphertext is sent to the second management and group device.
In one embodiment, the first user terminal specifically generates working key at random, close using the work generated at random
Key original document is encrypted to generate encryption file.
In one embodiment, the management and group device in designated group, the group being additionally operable in updating the designated group
When group key, the whole key ciphertexts associated with designated group mark being stored in shared storage server are carried out more
Newly, so that whole key ciphertexts are only capable of being decrypted using updated group key;The updated group is close
Key is sent to each user terminal in the designated group.
In one embodiment, group of the management and group implement body in designated group in updating the designated group is close
When key, whole key ciphertexts associated with designated group mark are downloaded from shared storage server;It is close using current group
Key is respectively to the key ciphertext K of downloadiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are described
The quantity of whole key ciphertexts;Using updated group key respectively to working key KiIt is encrypted, to respectively obtain more
Key ciphertext K after newie′;By updated key ciphertext KiE ' is sent to shared storage server, to share storage service
Device utilizes updated key ciphertext KiE ' is to key ciphertext KiE is updated.
The present invention, in shared original document, original document is encrypted using working key by the first user terminal
File is encrypted to generate, working key is encrypted to generate key ciphertext, will be encrypted using preconfigured group key
File and key ciphertext are uploaded to shared storage server;Shared storage server storage encryption file and key ciphertext, and will
The group identification of encryption file, key ciphertext and the first user terminal group is associated;Second user terminal is obtaining
When the fixed encryption file of fetching, specified encryption file, associated with the encryption file specified is downloaded from shared storage server
Key ciphertext and group identification;Second user terminal is judging the group identification downloaded for the second user terminal group
Group identification when, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, profit
The encryption file of download is decrypted to obtain original document with obtained working key.Work is encrypted by using group key
Make key, it can be achieved that flexible, user controllable, key is easily managed on the basis of meeting subscriber data file and storing safety
Encrypt the risk that file security is shared, and reduction user file is divulged a secret in shared procedure.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of invention without having to pay creative labor, may be used also for those of ordinary skill in the art
With obtain other attached drawings according to these attached drawings.
Fig. 1 is that the present invention is based on the schematic diagrames of file security sharing method one embodiment of group key.
Fig. 2 is that the present invention is based on the schematic diagrames of another embodiment of file security sharing method of group key.
Fig. 3 is the schematic diagram that group key of the present invention updates one embodiment.
Fig. 4 is that the present invention is based on the schematic diagrames of file security shared system one embodiment of group key.
Fig. 5 is that the present invention is based on the schematic diagrames of another embodiment of file security shared system of group key.
Fig. 6 is the schematic diagram that the present invention uploads shared information one embodiment.
Fig. 7 is the schematic diagram that the present invention downloads shared information one embodiment.
Fig. 8 is the schematic diagram that group key of the present invention updates network architecture one embodiment.
Fig. 9 is the schematic diagram of group key differentiated control one embodiment of the present invention.
Figure 10 is the schematic diagram that the present invention downloads another embodiment of shared information.
Specific implementation mode
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation describes, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Below
Description only actually at least one exemplary embodiment is illustrative, is never used as to the present invention and its application or makes
Any restrictions.Based on the embodiments of the present invention, those of ordinary skill in the art are not making creative work premise
Lower obtained every other embodiment, shall fall within the protection scope of the present invention.
Unless specifically stated otherwise, positioned opposite, the digital table of the component and step that otherwise illustrate in these embodiments
It is not limited the scope of the invention up to formula and numerical value.
Simultaneously, it should be appreciated that for ease of description, the size of attached various pieces shown in the drawings is not according to reality
Proportionate relationship draw.
Technology, method and apparatus known to person of ordinary skill in the relevant may be not discussed in detail, but suitable
In the case of, the technology, method and apparatus should be considered as authorizing part of specification.
In shown here and discussion all examples, any occurrence should be construed as merely illustrative, without
It is as limitation.Therefore, the other examples of exemplary embodiment can have different values.
It should be noted that:Similar label and letter indicate similar terms in following attached drawing, therefore, once a certain Xiang Yi
It is defined, then it need not be further discussed in subsequent attached drawing in a attached drawing.
Fig. 1 is that the present invention is based on the schematic diagrames of file security sharing method one embodiment of group key.Wherein:
Step 101, the first user terminal is in shared original document, using working key by original document be encrypted with
Encryption file is generated, working key is encrypted using preconfigured group key to generate key ciphertext.
Wherein, each group is equipped with group key, which is only distributed to the user terminal in the group.
Preferably, the first user terminal generates working key at random, and using the working key generated at random by original text
Part is encrypted to generate encryption file.
Step 102, the first user terminal will encrypt file and key ciphertext is uploaded to shared storage server.
Step 103, share storage server storage encryption file and key ciphertext, and will encryption file, key ciphertext with
And first the group identification of the user terminal group be associated.
Step 104, second user terminal is specified when obtaining specified encryption file from the download of shared storage server
Encrypt file, key ciphertext associated with specified encryption file and group identification.
Step 105, second user terminal judge download group identification whether be the second user terminal group group
Group mark.
It is, judging second user terminal, whether the user terminal of the encryption file shared with offer is in same
In group.
Step 106, if the group identification downloaded is the group identification of the second user terminal group, second user is whole
End is decrypted to obtain working key the key ciphertext of download using preconfigured group key, utilizes obtained work
The encryption file that key pair is downloaded is decrypted to obtain original document.
Based on the file security sharing method based on group key that the above embodiment of the present invention provides, pass through the first user
Terminal original document is encrypted in shared original document, using working key to generate encryption file, using matching in advance
The group key set is encrypted working key to generate key ciphertext, and encryption file and key ciphertext are uploaded to shared deposit
Store up server;Shared storage server storage encryption file and key ciphertext, and encryption file, key ciphertext and first are used
The group identification of the family terminal group is associated;Second user terminal is deposited when obtaining specified encryption file from shared
It stores up server and downloads specified encryption file, key ciphertext associated with specified encryption file and group identification;Second
For user terminal when judging the group identification downloaded for the group identification of the second user terminal group, utilization is preconfigured
The key ciphertext of download is decrypted to obtain working key in group key, the encryption using obtained working key to download
File is decrypted to obtain original document.By using group key cryptographic work key, deposited meeting subscriber data file
, it can be achieved that the encryption file security that flexible, user controllable, key is easily managed is shared on the basis of storage safety, user's text is reduced
The risk that part is divulged a secret in shared procedure.
Fig. 2 is that the present invention is based on the schematic diagrames of another embodiment of file security sharing method of group key.Shown in Fig. 1
Embodiment is compared, in the embodiment depicted in figure 2, further to the user terminal of second user terminal and the shared encryption file of offer
Processing when in different groups is described.
Step 201, second user terminal is specified when obtaining specified encryption file from the download of shared storage server
Encrypt file, key ciphertext associated with specified encryption file and group identification.
Step 202, second user terminal judge download group identification whether be the second user terminal group group
Group mark.If the group identification downloaded is the group identification of the second user terminal group, 203 are thened follow the steps;If downloading
Group identification be not the second user terminal group group identification, then follow the steps 204.
Step 203, second user terminal using preconfigured group key to the key ciphertext of download be decrypted with
Working key is obtained, the encryption file of download is decrypted to obtain original document using obtained working key.Later, no
Other steps of the present embodiment are executed again.
That is, when the user terminal of second user terminal and the shared encryption file of offer is in same group, second user
Terminal can be used directly preconfigured group key and be decrypted.
Step 204, the key ciphertext and group identification of download are sent to the second management and group device by second user terminal,
In the second management and group device be the second user terminal group manager.
Step 205, the second management and group device sends cipher key acquisition request to the first management and group device, wherein the first group manages
The manager that device is the first group is managed, the first group is associated with the group identification of the download.
Step 206, the first management and group device utilizes the group key of pre-set the first group of higher level's group key pair
It is encrypted, to obtain group key ciphertext, and group key ciphertext is sent to the second management and group device.
Step 207, the second management and group device solves group key ciphertext using pre-set higher level's group key
It is close, to obtain the group key of the first group, using the first group group key to the key ciphertext of download be decrypted with
Working key is obtained, obtained working key is sent to second user terminal.
Step 208, second user terminal is decrypted to obtain the encryption file of download using the working key received
To original document.
That is, when the user terminal of second user terminal and the shared encryption file of offer is not at same group,
Second user terminal can be close to be worked accordingly by the information exchange of the first management and group device and the second management and group device
Key, and the user terminal in a group can't obtain the group key in other groups, it is ensured that system is safe.
In another embodiment, above-mentioned steps 205-207 also can be replaced step 205 ' -207 ', wherein:
Step 205 ', the second management and group device sends cipher key acquisition request to the first management and group device, and wherein key obtains
Request includes the key ciphertext downloaded, and the first management and group device is the manager of the first group, the first group and the download
Group identification it is associated.
Step 206 ', the first management and group device is decrypted to obtain key ciphertext using the group key of the first group
Working key is encrypted obtained working key using pre-set higher level's group key, close to obtain working key
Text, and working key ciphertext is sent to the second management and group device.
Step 207 ', the second management and group device solves working key ciphertext using pre-set higher level's group key
It is close to obtain working key, obtained working key is sent to second user terminal.
Pass through the embodiment, it can be ensured that group key will not be known by other management and group devices, to can further improve
The safety of system.
In addition, regularly updating requirement in the case where group member changes, group key is revealed, or according to strategy, need
The group key of related group is updated.
Wherein, the management and group device in designated group will be stored in the group key in updating the designated group
Whole key ciphertexts associated with designated group mark in shared storage server are updated, so as to whole keys
Ciphertext is only capable of being decrypted using updated group key.In addition, management and group device in the designated group will described in more
Group key after new is sent to each user terminal in the designated group.
To which each user terminal in designated group can realize the update of group key, while by shared storage server
In corresponding key ciphertext also carried out corresponding update.
Fig. 3 is the schematic diagram that group key of the present invention updates one embodiment.
Step 301, the management and group device in designated group is in the group key in updating the designated group, from shared
Storage server downloads whole key ciphertexts associated with designated group mark.
Step 302, using current group key respectively to the key ciphertext K of downloadiE is decrypted, opposite to obtain
The working key K answeredi, wherein 1≤i≤N, N are the quantity of whole key ciphertexts.
Step 303, using updated group key respectively to working key KiIt is encrypted, after respectively obtaining update
Key ciphertext Kie′。
Step 304, by updated key ciphertext KiE ' is sent to shared storage server, to share storage server
Utilize updated key ciphertext KiE ' is to key ciphertext KiE is updated.
Step 305, the updated group key is sent to the finger by the management and group device in the designated group
Each user terminal in grouping group.
Fig. 4 is that the present invention is based on the schematic diagrames of file security shared system one embodiment of group key.Such as Fig. 4 institutes
Show, which includes multiple user terminals, for brevity, only provides the first user terminal 401 here and second user is whole
End 402, in addition, the system further includes shared storage server 403.Wherein:
First user terminal 401, in shared original document, using working key by original document be encrypted with
Encryption file is generated, working key is encrypted using preconfigured group key to generate key ciphertext, by encryption text
Part and key ciphertext are uploaded to shared storage server.
Preferably, the first user terminal specifically generates working key at random, will be original using the working key generated at random
File is encrypted to generate encryption file.
Shared storage server 403, for after the encryption file and key ciphertext for receiving the first user terminal uploads,
Storage encryption file and key ciphertext, and the group for encrypting file, key ciphertext and the first user terminal group is marked
Knowledge is associated.
Second user terminal 402, for when obtaining specified encryption file, being specified from the download of shared storage server
Encrypt file, key ciphertext associated with specified encryption file and group identification;Whether judge the group identification downloaded
For the group identification of the second user terminal group, in the group that the group identification of download is the second user terminal group
When mark, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, using obtaining
Working key the encryption file of download is decrypted to obtain original document.
Based on the above embodiment of the present invention provide the file security shared system based on group key,
By the first user terminal in shared original document, original document is encrypted to generate using working key
Encrypt file, working key be encrypted using preconfigured group key to generate key ciphertext, will encryption file and
Key ciphertext is uploaded to shared storage server;Shared storage server storage encryption file and key ciphertext, and will encryption text
The group identification of part, key ciphertext and the first user terminal group is associated;Second user terminal is specified in acquisition
Encryption file when, download specified encryption file, key associated with the encryption file specified from shared storage server
Ciphertext and group identification;Second user terminal is judging the group identification downloaded for the group of the second user terminal group
When mark, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, using obtaining
Working key the encryption file of download is decrypted to obtain original document.It is close by using group key encrypted work
Key, it can be achieved that the encryption that flexible, user controllable, key is easily managed on the basis of meeting subscriber data file and storing safety
File security is shared, reduces the risk that user file is divulged a secret in shared procedure.
Fig. 5 is that the present invention is based on the schematic diagrames of another embodiment of file security shared system of group key.Shown in Fig. 4
Embodiment is compared, and further includes management and group device in system shown in Fig. 5, wherein there are one management and group devices for each group tool.For
For the sake of concise, the first management and group device 501 and the second management and group device 502 are only provided here.Meanwhile given here second
Only as an example, the configuration of the second user terminal is equally applicable to the other user terminals in system to user terminal 402.
Wherein:
Second user terminal 402 is additionally operable to mark in the group that the group identification of download is not the second user terminal group
When knowledge, the key ciphertext and group identification of download are sent to the second management and group device 502, wherein the second management and group device is the
The manager of the two user terminal groups;When receiving the working key of the second management and group device 502 transmission, reception is utilized
To working key the encryption file of download is decrypted to obtain original document.
Second management and group device 502, for sending cipher key acquisition request to the first management and group device 501, wherein first group
Group manager is the manager of the first group, and the first group is associated with the group identification of the download;Receiving first group
When the group key ciphertext that group manager 501 is sent, group key ciphertext is carried out using pre-set higher level's group key
Decryption, to obtain the group key of the first group, is decrypted the key ciphertext of download using the group key of the first group
To obtain working key, obtained working key is sent to second user terminal 402.
First management and group device 501, for the group key using pre-set the first group of higher level's group key pair
It is encrypted, to obtain group key ciphertext, and group key ciphertext is sent to the second management and group device.
To, when the user terminal of second user terminal and the shared encryption file of offer is not at same group, second
User terminal can by the information exchange of the first management and group device and the second management and group device to obtain corresponding working key, and
User terminal in one group can't obtain the group key in other groups, it is ensured that system is safe.
In another embodiment, second user terminal 402 is additionally operable in the group identification of download not be second user terminal
When the group identification of the group, the key ciphertext and group identification of download are sent to the second management and group device, wherein second
Management and group device is the manager of the second user terminal group;In the working key for receiving the transmission of the second management and group device
When, the encryption file of download is decrypted to obtain original document using the working key received.
Second management and group device 502, for sending cipher key acquisition request to the first management and group device,
Wherein cipher key acquisition request includes the key ciphertext downloaded, and the first management and group device is the management of the first group
Device, the first group are associated with the group identification of the download;It is close in the working key for receiving the transmission of the first management and group device
Wen Shi is decrypted to obtain working key working key ciphertext using pre-set higher level's group key, by what is obtained
Working key is sent to second user terminal.
First management and group device 501 is decrypted to obtain key ciphertext for the group key using the first group
Working key is encrypted obtained working key using pre-set higher level's group key, close to obtain working key
Text, and working key ciphertext is sent to the second management and group device.
To, it can be ensured that group key will not be known by other management and group devices, to can further improve the peace of system
Quan Xing.
In addition, regularly updating requirement in the case where group member changes, group key is revealed, or according to strategy, need
The group key of related group is updated.Management and group device in the designated group being set forth below can be in system
Any group in management and group device.Wherein:
Management and group device in designated group is additionally operable to, in the group key in updating the designated group, to store
Whole key ciphertexts associated with designated group mark in shared storage server are updated, so that the whole is close
Key ciphertext is only capable of being decrypted using updated group key;The updated group key is sent to the designated group
Each user terminal in group.
Wherein, the management and group implement body in designated group is in the group key in updating the designated group, from altogether
It enjoys storage server and downloads whole key ciphertexts associated with designated group mark;Using current group key respectively under
The key ciphertext K of loadiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are that whole keys are close
The quantity of text;Using updated group key respectively to working key KiIt is encrypted, to respectively obtain updated key
Ciphertext Kie′;By updated key ciphertext KiE ' is sent to shared storage server, to share storage server using update
Key ciphertext K afterwardsiE ' is to key ciphertext KiE is updated.
The present invention is specifically described below by specific example.
Fig. 6 is the schematic diagram that the present invention uploads shared information one embodiment.It is said by taking user terminal A as an example below
It is bright.
Step 601, user terminal A is random to generate working key K in shared original document.
Step 602, original document F is encrypted to generate encryption file Fe using working key.
Step 603, working key K is encrypted using preconfigured group key Kg to generate key ciphertext Ke.
Step 604, user terminal A is uploaded to shared storage server by file Fe and key ciphertext Ke is encrypted.So as to altogether
Storage server storage encryption file and key ciphertext are enjoyed, and will encryption file, key ciphertext and the user terminal A group
Group identification be associated.
Fig. 7 is the schematic diagram that the present invention downloads shared information one embodiment.The embodiment is related to user terminal B from shared
Storage server downloads the shared file of user terminal A, and wherein user terminal B and user terminal A belongs to same group G.
Step 701, user terminal B downloads specified encryption file Fe and specified encryption text from shared storage server
The associated key ciphertext Ke of part Fe.
Step 702, the key ciphertext Ke of download is decrypted to obtain work using preconfigured group key Kg
Key K.
Step 703, the encryption file Fe of download is decrypted to obtain original document F using obtained working key K.
Fig. 8 is the schematic diagram that group key of the present invention updates network architecture one embodiment.
Being located in group G has user terminal A and B, has had the shared file in group G in shared storage server
F1e ..., Fne, corresponding key ciphertext be K1e ..., Kne, specific upload operation can be as shown in above-described embodiment.
1)The management and group device of group G downloads key ciphertext K1e ... Kne from shared storage server.
2)Management and group device uses old group key Kg decruption keys ciphertext K1e, and uses new group key Kg ' encryptions
Key ciphertext forms ciphertext K1e '.
3)Group administrator decrypts one by one, re-encrypted private key ciphertext, forms new key ciphertext K1e ' ... Kne '.
4)New key ciphertext K1e ' ... Kne ' is uploaded to document storage system by group administrator, and new and old close
Key ciphertext K1e ... Kne.
5)New group key is distributed to all members of group by group administrator.
Fig. 7 and embodiment illustrated in fig. 8 all refer to user terminal A and user terminal B belongs to same group G.In actual conditions
Under, it often will appear user terminal A and the case where user terminal B belongs to different groups.As shown in figure 9, member makes in group 11
It is group key 11, member uses group key 1n in group 1n, when the user terminal A in group 1n desires access to
When shared information in group 11, since it does not have the group key 11 in group 11, the encryption of download can not be believed
Breath is correctly decrypted.At this moment it can pass through the higher level group in group 11 and group 1n(Group 1)Group key 1 carry out correlation
Processing also can successfully obtain phase to make the user A in group 1n without group key 11 in group 11
The file answered.Those skilled in the art, can be across it will be appreciated that aforesaid operations can be realized between any two group
Multi-level groups obtain key step by step, such as corresponding operating can be carried out between group 1n and group Mn.Corresponding specific processing step
It is rapid as shown in Figure 10:
Step 1001, user terminal A downloads specified encryption file Fe and specified encryption text from shared storage server
Part associated key ciphertext Ke and group identification ID.
Step 1002, user terminal A is judging that the group identification ID downloaded is not group's mark of the user terminal A group
When knowledge, the key ciphertext Ke of download and group identification ID are sent to the management and group device A of user terminal A group GA.
Step 1003, management and group device Bs of the management and group device A into group GB associated with group identification ID sends key
Obtain request.
Step 1004, management and group device B carries out the group key B of this group using pre-set higher level's group key
Encryption, to obtain group key ciphertext.
Wherein higher level's group key is the group key for the upper level group for including group GA and GB.
Step 1005, group key ciphertext is sent to management and group device A by management and group device B.
Step 1006, management and group device A is decrypted group key ciphertext using pre-set higher level's group key,
To obtain the group key KB of group GB, the key ciphertext of download is decrypted using group key KB close to obtain work
Key.
Step 1007, obtained working key is sent to user terminal A by management and group device A.
Step 1008, user terminal A is decrypted to obtain the encryption file of download using the working key received
Original document.
It is interacted by above- mentioned information, the user terminal A in group GA is without knowing the group key KB's in group GB
In the case of, by the information exchange between management and group device A and management and group device B, it can get corresponding working key.To really
System safety is protected.
Preferably, above-mentioned steps 1003-1006 also can be replaced step 1003 ' -1006 ', wherein:
Step 1003 ', management and group device Bs of the management and group device A into group GB associated with group identification ID sends close
Key obtains request, and cipher key acquisition request includes the key ciphertext Ke downloaded.
Step 1004 ', management and group device B is decrypted key ciphertext Ke using corresponding group key, to obtain phase
The working key K answered is encrypted working key K using pre-set higher level's group key, close to obtain working key
Text.
Step 1005 ', working key ciphertext is sent to management and group device A by management and group device B.
Step 1006 ', management and group device A solves working key ciphertext using pre-set higher level's group key
It is close, to obtain working key K.
To, it can be ensured that group key will not be known by other management and group devices, to can further improve the peace of system
Quan Xing.
One of ordinary skill in the art will appreciate that realizing that all or part of step of above-described embodiment can pass through hardware
It completes, relevant hardware can also be instructed to complete by program, the program can be stored in a kind of computer-readable
In storage medium, storage medium mentioned above can be read-only memory, disk or CD etc..
Description of the invention provides for the sake of example and description, and is not exhaustively or will be of the invention
It is limited to disclosed form.Many modifications and variations are obvious for the ordinary skill in the art.It selects and retouches
It states embodiment and is to more preferably illustrate the principle of the present invention and practical application, and those skilled in the art is enable to manage
Various embodiments with various modifications of the solution present invention to design suitable for special-purpose.
Claims (10)
1. a kind of file security sharing method based on group key, which is characterized in that including:
Original document is encrypted to generate encryption text in shared original document, using working key for first user terminal
Part is encrypted working key using preconfigured group key to generate key ciphertext;
First user terminal will encrypt file and key ciphertext is uploaded to shared storage server;
Shared storage server storage encryption file and key ciphertext, and it is whole to encrypt file, key ciphertext and the first user
The group identification of the end group is associated;
Second user terminal when obtaining specified encryption file, from shared storage server download specified encryption file, with
The associated key ciphertext of specified encryption file and group identification;
Second user terminal judge download group identification whether be the second user terminal group group identification;
If the group identification downloaded is the group identification of the second user terminal group, second user terminal utilizes matches in advance
The key ciphertext of download is decrypted to obtain working key in the group key set, using obtained working key to download
Encryption file is decrypted to obtain original document;
If the group identification downloaded is not the group identification of the second user terminal group, second user terminal is by download
Key ciphertext and group identification are sent to the second management and group device, wherein the second management and group device is group where second user terminal
The manager of group;
Second management and group device sends cipher key acquisition request to the first management and group device, wherein the first management and group device is first group
The manager of group, the first group are associated with the group identification of the download;
First management and group device is encrypted using the group key of pre-set the first group of higher level's group key pair, with
It is sent to the second management and group device to group key ciphertext, and by group key ciphertext;
Second management and group device is decrypted group key ciphertext using pre-set higher level's group key, to obtain first
The group key of group is decrypted to obtain working key the key ciphertext of download using the group key of the first group,
Obtained working key is sent to second user terminal;
Second user terminal is decrypted to obtain original document the encryption file of download using the working key received.
2. according to the method described in claim 1, it is characterized in that, if the group identification downloaded is not second user terminal place
The group identification of group further includes:
The key ciphertext and group identification of download are sent to the second management and group device by second user terminal, wherein the second group manages
Manage the manager that device is the second user terminal group;
Second management and group device sends cipher key acquisition request to the first management and group device, and wherein cipher key acquisition request includes downloading
Key ciphertext, the first management and group device is the manager of the first group, and the first group is related to the group identification of the download
Connection;
First management and group device is decrypted key ciphertext using the group key of the first group to obtain working key, utilizes
Obtained working key is encrypted in pre-set higher level's group key, and to obtain working key ciphertext, and it is close to work
Key ciphertext is sent to the second management and group device;
Second management and group device is decrypted to obtain work working key ciphertext using pre-set higher level's group key
Obtained working key is sent to second user terminal by key;
Second user terminal is decrypted to obtain original document the encryption file of download using the working key received.
3. according to the method described in any one of claim 1-2, which is characterized in that
Original document is encrypted using working key for first user terminal:
First user terminal generates working key at random;
First user terminal original document is encrypted using the working key generated at random to generate encryption file.
4. according to the method described in any one of claim 1-2, which is characterized in that
Management and group device in designated group will be stored in shared storage clothes in the group key in updating the designated group
Whole key ciphertexts associated with designated group mark in business device are updated, so that whole key ciphertexts are only capable of making
It is decrypted with updated group key;
The updated group key is sent to every in the designated group by the management and group device in the designated group
A user terminal.
5. according to the method described in claim 4, it is characterized in that,
Management and group device in designated group will be stored in shared storage clothes in the group key in updating the designated group
Whole key ciphertexts the step of being updated associated with designated group mark in business device includes:
Management and group device in designated group is in the group key in updating the designated group, under shared storage server
Carry whole key ciphertexts associated with designated group mark;
Using current group key respectively to the key ciphertext K of downloadiE is decrypted, to obtain corresponding working key
Ki, wherein 1≤i≤N, N are the quantity of whole key ciphertexts;
Using updated group key respectively to working key KiIt is encrypted, to respectively obtain updated key ciphertext
Kie′;
By updated key ciphertext KiE ' is sent to shared storage server, to share storage server using updated
Key ciphertext KiE ' is to key ciphertext KiE is updated.
6. a kind of file security shared system based on group key, which is characterized in that including the first user terminal, second user
Terminal and shared storage server, there are one management and group devices for each group's tool, wherein:
First user terminal, in shared original document, being encrypted original document using working key and being added with generating
Ciphertext part, is encrypted working key using preconfigured group key to generate key ciphertext, will encryption file and close
Key ciphertext is uploaded to shared storage server;
Shared storage server, for after the encryption file and key ciphertext for receiving the first user terminal uploads, storage to add
Ciphertext part and key ciphertext, and the group identification for encrypting file, key ciphertext and the first user terminal group is carried out
Association;
Second user terminal, for when obtaining specified encryption file, specified encryption text to be downloaded from shared storage server
Part, key ciphertext associated with specified encryption file and group identification;Judge whether the group identification downloaded is second
The group identification of the user terminal group, in the group identification that the group identification of download is the second user terminal group
When, the key ciphertext of download is decrypted to obtain working key using preconfigured group key, utilizes obtained work
The encryption file for making key pair download is decrypted to obtain original document;It is not second user terminal in the group identification of download
When the group identification of the group, the key ciphertext and group identification of download are sent to the second management and group device, wherein second
Management and group device is the manager of the second user terminal group;In the working key for receiving the transmission of the second management and group device
When, the encryption file of download is decrypted to obtain original document using the working key received;
Second management and group device, for sending cipher key acquisition request to the first management and group device, wherein the first management and group device is
The manager of first group, the first group are associated with the group identification of the download;Receiving the first management and group device hair
When the group key ciphertext sent, group key ciphertext is decrypted using pre-set higher level's group key, to obtain
The group key of one group is decrypted the key ciphertext of download using the group key of the first group close to obtain work
Obtained working key is sent to second user terminal by key;
First management and group device, for being added using the group key of pre-set the first group of higher level's group key pair
It is close, to obtain group key ciphertext, and group key ciphertext is sent to the second management and group device.
7. system according to claim 6, which is characterized in that
Second user terminal is additionally operable to when the group identification of download is not the group identification of the second user terminal group, will
The key ciphertext and group identification of download are sent to the second management and group device, wherein the second management and group device is second user terminal
The manager of the group;When receiving the working key of the second management and group device transmission, the working key received is utilized
The encryption file of download is decrypted to obtain original document;
Second management and group device is additionally operable to send cipher key acquisition request to the first management and group device, is wherein wrapped in cipher key acquisition request
The key ciphertext of download is included, the first management and group device is the manager of the first group, and the first group and the group of the download mark
Sensible association;It is close using pre-set higher level group when receiving the working key ciphertext of the first management and group device transmission
Working key ciphertext is decrypted to obtain working key in key, and obtained working key is sent to second user terminal;
First management and group device is additionally operable to that key ciphertext is decrypted using the group key of the first group close to obtain work
Key is encrypted obtained working key using pre-set higher level's group key, to obtain working key ciphertext, and will
Working key ciphertext is sent to the second management and group device.
8. according to the system described in any one of claim 6-7, which is characterized in that
First user terminal specifically generates working key at random, and original document is encrypted using the working key generated at random
File is encrypted to generate.
9. the system described according to claim 6 or 7, which is characterized in that
Management and group device in designated group is additionally operable in the group key in updating the designated group, shared by being stored in
Whole key ciphertexts associated with designated group mark in storage server are updated, so as to whole key ciphertexts
It is only capable of being decrypted using updated group key;The updated group key is sent in the designated group
Each user terminal.
10. system according to claim 9, which is characterized in that
Management and group implement body in designated group is in the group key in updating the designated group, from shared storage service
Device downloads whole key ciphertexts associated with designated group mark;It is close to the key of download respectively using current group key
Literary KiE is decrypted, to obtain corresponding working key Ki, wherein 1≤i≤N, N are the quantity of whole key ciphertexts;
Using updated group key respectively to working key KiIt is encrypted, to respectively obtain updated key ciphertext Kie′;It will
Updated key ciphertext KiE ' is sent to shared storage server, close using updated key to share storage server
Literary KiE ' is to key ciphertext KiE is updated.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410086634.3A CN104917787B (en) | 2014-03-11 | 2014-03-11 | File security sharing method based on group key and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410086634.3A CN104917787B (en) | 2014-03-11 | 2014-03-11 | File security sharing method based on group key and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104917787A CN104917787A (en) | 2015-09-16 |
CN104917787B true CN104917787B (en) | 2018-10-23 |
Family
ID=54086491
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410086634.3A Active CN104917787B (en) | 2014-03-11 | 2014-03-11 | File security sharing method based on group key and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104917787B (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104980269A (en) * | 2014-04-03 | 2015-10-14 | 华为技术有限公司 | Secret key sharing method, device and system |
CN109831405B (en) * | 2017-11-23 | 2021-06-22 | 航天信息股份有限公司 | File protection method and device on cloud platform |
CN108306880B (en) * | 2018-01-31 | 2019-06-11 | 北京深思数盾科技股份有限公司 | A kind of data distribution, retransmission method and device |
CN111418181B (en) * | 2018-03-28 | 2021-09-07 | 华为技术有限公司 | Shared data processing method, communication device and communication equipment |
CN109104273B (en) * | 2018-07-04 | 2021-03-30 | 华为技术有限公司 | Message processing method and receiving end server |
WO2020051833A1 (en) * | 2018-09-13 | 2020-03-19 | 华为技术有限公司 | Information processing method, terminal device and network system |
CN109614792B (en) * | 2018-11-29 | 2022-02-08 | 中国电子科技集团公司第三十研究所 | Hierarchical file key management method |
CN109639682A (en) * | 2018-12-14 | 2019-04-16 | 深圳市青葡萄科技有限公司 | Sharing files method |
CN111756524B (en) * | 2019-03-26 | 2024-07-23 | 深圳市网安计算机安全检测技术有限公司 | Dynamic group key generation method, device, computer equipment and storage medium |
CN109981663A (en) * | 2019-03-31 | 2019-07-05 | 杭州复杂美科技有限公司 | A kind of privacy group chat method, equipment and storage medium |
TWI712307B (en) * | 2019-09-18 | 2020-12-01 | 遊戲橘子數位科技股份有限公司 | Methods for encrypting and decrypting the group message and transporting the encrypted group message |
CN110888853A (en) * | 2019-11-26 | 2020-03-17 | 廊坊新奥燃气有限公司 | Data management system and method |
CN112235289B (en) * | 2020-10-13 | 2023-03-31 | 桂林微网互联信息技术有限公司 | Data encryption and decryption method and device, computing equipment and storage medium |
CN116193381A (en) * | 2021-11-26 | 2023-05-30 | 中国移动通信有限公司研究院 | Method, device, communication equipment and storage medium for transmitting encrypted message |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001099333A1 (en) * | 2000-06-21 | 2001-12-27 | Sony Corporation | Information processing device and processing method |
CN101091172A (en) * | 2005-01-19 | 2007-12-19 | 三星电子株式会社 | Method of controlling content access and method of obtaining content key using the same |
CN101562519A (en) * | 2009-05-27 | 2009-10-21 | 广州杰赛科技股份有限公司 | Digital certificate management method of user packet communication network and user terminal for accessing into user packet communication network |
CN101989984A (en) * | 2010-08-24 | 2011-03-23 | 北京易恒信认证科技有限公司 | Electronic document safe sharing system and method thereof |
CN103107992A (en) * | 2013-02-04 | 2013-05-15 | 杭州师范大学 | Multistage authority management method for cloud storage enciphered data sharing |
-
2014
- 2014-03-11 CN CN201410086634.3A patent/CN104917787B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001099333A1 (en) * | 2000-06-21 | 2001-12-27 | Sony Corporation | Information processing device and processing method |
CN101091172A (en) * | 2005-01-19 | 2007-12-19 | 三星电子株式会社 | Method of controlling content access and method of obtaining content key using the same |
CN101562519A (en) * | 2009-05-27 | 2009-10-21 | 广州杰赛科技股份有限公司 | Digital certificate management method of user packet communication network and user terminal for accessing into user packet communication network |
CN101989984A (en) * | 2010-08-24 | 2011-03-23 | 北京易恒信认证科技有限公司 | Electronic document safe sharing system and method thereof |
CN103107992A (en) * | 2013-02-04 | 2013-05-15 | 杭州师范大学 | Multistage authority management method for cloud storage enciphered data sharing |
Also Published As
Publication number | Publication date |
---|---|
CN104917787A (en) | 2015-09-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104917787B (en) | File security sharing method based on group key and system | |
CN110224814B (en) | Block chain data sharing method and device | |
CN109995513B (en) | Low-delay quantum key mobile service method | |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
JP6363032B2 (en) | Key change direction control system and key change direction control method | |
CN104917723B (en) | For realizing the shared methods, devices and systems of encryption file security | |
CN104158880B (en) | User-end cloud data sharing solution | |
CN109067528A (en) | Crypto-operation, method, cryptographic service platform and the equipment for creating working key | |
CN111371790B (en) | Data encryption sending method based on alliance chain, related method, device and system | |
US11128452B2 (en) | Encrypted data sharing with a hierarchical key structure | |
CN104735070B (en) | A kind of data sharing method between general isomery encryption cloud | |
CN113992330B (en) | Agent re-encryption-based blockchain data controlled sharing method and system | |
CN105610793A (en) | Outsourced data encrypted storage and cryptograph query system and application method therefor | |
CN105072107A (en) | System and method for enhancing data transmission and storage security | |
KR101615137B1 (en) | Data access method based on attributed | |
CN103475474B (en) | Method for providing and acquiring shared enciphered data and identity authentication equipment | |
CN112580072A (en) | Data set intersection method and device | |
JP6058514B2 (en) | Cryptographic processing method, cryptographic system, and server | |
CN105915333B (en) | A kind of efficient key distribution method based on encryption attribute | |
JP2020532177A (en) | Computer-implemented systems and methods for advanced data security, high-speed encryption, and transmission | |
CN115766066A (en) | Data transmission method, device, safety communication system and storage medium | |
US9473471B2 (en) | Method, apparatus and system for performing proxy transformation | |
CN104796411A (en) | Method for safely transmitting, storing and utilizing data in cloud and mobile terminal | |
CN108933758A (en) | Cloud storage encipher-decipher method, device and system can be shared | |
KR101595056B1 (en) | System and method for data sharing of intercloud enviroment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |