CN104954447A - Mobile intelligent device security service implementation method and system supporting attribute based encryption - Google Patents

Publication number: CN104954447A
Authority: CN (China)
Legal status: Granted
Application number: CN201510288622.3A
Other languages: Chinese (zh)
Other versions: CN104954447B (en)
Inventors: 何倩, 蔡孟飞, 阳鑫磊, 董庆贺, 王勇, 韦永壮, 程东升, 陈亦婷
Current Assignee: Guilin University of Electronic Technology
Original Assignee: Guilin University of Electronic Technology

Classifications

    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a mobile intelligent device security service implementation method and system supporting attribute-based encryption. The constructed attribute-based encryption service system comprises an authentication service provider and an attribute-based encryption proxy. When the system is initialized, the authentication service provider generates the public key and master key of the attribute-based encryption service system and transmits them to the encryption proxy. On one hand, an attribute-based encryption service is provided for a mobile intelligent device uploading data to a third party. On the other hand, an attribute-based decryption service is provided for the mobile intelligent device downloading the data. Through the authentication service provider and the encryption proxy, the mobile intelligent device has the attribute-based operations for uploading and downloading data carried out by a third party on its behalf, and fine-grained access control over the data can be realized on the basis of user identity. Attribute-based encryption of the data and fine-grained management based on ABE (attribute-based encryption) can be realized, and the system has the advantages of high data security, low overhead and high encryption and decryption speed.

Description

Mobile intelligent device security service implementation method and system supporting attribute-based encryption
Technical field
The present invention relates to the fields of information security and communications, and specifically to a mobile intelligent device security service implementation method and system supporting attribute-based encryption.
Background
Mobile intelligent devices can access the Internet; the main product categories include mobile phones, tablets, portable navigation products and wearable devices. Because their computing power, storage and battery life are limited, mobile intelligent devices can hardly complete all operations locally and need the assistance of a third party. As a result, a large amount of personal data from mobile intelligent devices is stored with third parties, and a third party that stores the data may abuse users' data for its own benefit, so an effective encryption mechanism is needed to keep this outsourced data secure.
One reasonable approach at present is attribute-based encryption (Attribute-Based Encryption, ABE). ABE is a newer encryption technique, proposed after 2006, whose mathematical foundation is the bilinear map. It takes attributes as the public key and associates ciphertexts and user private keys with attributes, so access control policies can be expressed flexibly and data can be managed at fine granularity. ABE is divided into key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). Because of the bilinear map, the computational complexity of ABE is tied to pairing operations, and pairing operations are expensive. For the most frequently used operation, decryption, the number of pairing operations in both KP-ABE and CP-ABE equals the number of attributes, so decryption is very slow. Running an attribute-based encryption algorithm directly on a mobile intelligent device is therefore difficult and takes up too many system resources. Restful services are stateless, clearly structured, standards-compliant, easy to understand and convenient to call, and have become a mainstream Internet interface style.
Summary of the invention
The problem to be solved by the present invention is that ABE is difficult to run on resource-constrained mobile intelligent devices to achieve data security. The invention provides a mobile intelligent device security service implementation method and system supporting attribute-based encryption.
To solve the above problem, the present invention is realized through the following technical solution:
The mobile intelligent device security service implementation method supporting attribute-based encryption comprises a data upload stage and a data download stage, wherein:
The data upload stage comprises the following steps:
The mobile intelligent device submits a data upload request to the authentication service provider; the upload request carries the address of the data to be uploaded and an access control policy based on the data's confidentiality attributes;
The authentication service provider generates a linear secret sharing scheme matrix according to the access control policy; randomly generates an upload session key; saves the upload address corresponding to the data, the linear secret sharing scheme matrix and the upload session key; and returns the upload session ID and the upload session key to the mobile intelligent device;
The mobile intelligent device encrypts the data to be uploaded with the upload session key and sends the encrypted data and the upload session ID to the encryption proxy;
The encryption proxy queries the authentication service provider for the upload session key and the linear secret sharing scheme matrix according to the upload session ID; it first decrypts the mobile intelligent device's encrypted data with the upload session key, then performs attribute-based encryption on the decrypted data according to the linear secret sharing scheme matrix, and then uploads the encrypted data to the third-party data service for storage;
The data download stage comprises the following steps:
The mobile intelligent device submits a data download request to the authentication service provider; the request carries the address of the data to be downloaded and the device's attribute information;
The authentication service provider generates an attribute-based decryption key according to the attribute information; randomly generates a download session key; and returns the download session ID and the download session key to the mobile intelligent device;
The mobile intelligent device forwards the download session ID to the encryption proxy;
The encryption proxy downloads the encrypted data from the third-party data service and obtains the download session key and the attribute-based decryption key from the authentication service provider according to the download session ID; it first decrypts the downloaded encrypted data with the attribute-based decryption key, then encrypts the decrypted data with the download session key, and then sends the encrypted data to the mobile intelligent device;
The mobile intelligent device decrypts the encrypted data sent by the encryption proxy with the download session key and obtains the plaintext.
The access control policy consists of a series of attribute descriptions and logical relations, and is a detailed description of the access rights to the data.
The authentication service provider stores a validity period for the linear secret sharing scheme matrix and the upload session key; a linear secret sharing scheme matrix and upload session key whose validity period has passed are not returned to the encryption proxy.
The size of the linear secret sharing scheme matrix is positively correlated with the number of attributes in the access control policy.
When the mobile intelligent device encrypts the data to be uploaded with the upload session key, it uses a symmetric encryption algorithm; when the encryption proxy encrypts the decrypted data with the download session key, it also uses a symmetric encryption algorithm.
The attribute information identifies the access rights of the mobile intelligent device and consists of a series of device attributes.
Only when the attribute set of the data download requester satisfies the data's access control policy can the encryption proxy decrypt the data with the attribute-based decryption key.
A mobile intelligent device data security service implementation system supporting attribute-based encryption consists of a mobile intelligent device, an authentication service provider, an encryption proxy and a third-party data service, wherein:
Mobile intelligent device: the consumer of the service;
Authentication service provider: in the system initialization stage, it is mainly responsible for generating the system's master key and public key; in the data upload stage, for generating the upload session key and the linear secret sharing scheme matrix; in the data download stage, for generating the download session key and the attribute-based decryption key. In addition, it provides a key query service to the encryption proxy and manages keys and related information in an internal database;
Encryption proxy: in the data upload stage, it first uses the upload session ID submitted by the mobile intelligent device to query the authentication service provider for the upload session key and the linear secret sharing scheme matrix, then converts the data the user uploaded under upload-session-key encryption into attribute-based encrypted data, and finally uploads the data to the third-party data service for storage. In the data download stage, it first uses the download session ID submitted by the mobile intelligent device to query the authentication service provider for the download session key and the attribute-based decryption key, then downloads the data from the third-party data service, converts the attribute-based encrypted data into data encrypted with the download session key, and finally delivers it to the mobile intelligent device;
Third-party data service: mainly responsible for storing and maintaining large volumes of data.
The mobile intelligent device and the authentication service provider communicate through a Restful web interface, the authentication service provider and the encryption proxy communicate through a Restful web interface, and the encryption proxy and the mobile intelligent device communicate through a Restful web interface.
Compared with the prior art, the present invention has the following features:
1. The mobile intelligent device does not need to perform complex ABE operations. It only needs to obtain encryption parameters by calling the relevant Restful services of the authentication service provider and the encryption proxy and to use symmetric encryption in order to achieve attribute-based encryption of its data and ABE-based fine-grained management.
2. The mobile intelligent device communicates with the encryption proxy using session-based symmetric encryption, which both keeps the data secure and avoids the large overhead of using attribute-based encryption directly, improving encryption and decryption speed. The authentication service provider and the encryption proxy build standard interfaces with Restful web services, so the security service provided is generally applicable.
Brief description of the drawings
Fig. 1 is a schematic diagram of the mobile intelligent device data security service implementation.
Fig. 2 is a functional block diagram of the authentication service provider.
Fig. 3 is a functional block diagram of the attribute-based encryption proxy.
Fig. 4 is a flow chart of a mobile intelligent device uploading data.
Fig. 5 is a flow chart of a mobile intelligent device downloading data.
Detailed description
Fig. 1 is a schematic diagram of a typical network environment for the mobile intelligent device data security service supporting attribute-based encryption, that is, a mobile intelligent device data security service implementation system supporting attribute-based encryption. The system mainly comprises 4 parts:
Mobile intelligent device (such as a mobile phone, PAD, etc.): the consumer of the service.
Authentication service provider: in the system initialization stage, it is mainly responsible for generating the system's master key and public key; in the data upload stage, for generating the upload session key and the LSSS matrix (linear secret sharing scheme matrix); in the data download stage, for generating the download session key and the attribute-based decryption key. In addition, it provides a key query service to the encryption proxy through a Restful interface and manages keys and related information in an internal database.
Encryption proxy: in the data upload stage, it first uses the session ID submitted by the mobile intelligent device to query the authentication service provider for the session key and the LSSS matrix, then converts the symmetrically encrypted data the user uploaded into attribute-based encrypted data, and finally uploads the data to the third-party data service for storage. In the data download stage, it first uses the session ID submitted by the mobile intelligent device to query the authentication service provider for the session key and the attribute-based decryption key, then downloads the data from the third-party data service, converts the attribute-based encrypted data into symmetrically encrypted data, and finally delivers it to the mobile intelligent device.
Third-party data service: mainly responsible for storing and maintaining large volumes of data.
Below, the functional modules of the two most important roles in this system, the authentication service provider and the encryption proxy, are analyzed with reference to the figures.
Fig. 2 shows the functional block diagram of a typical authentication service provider in the present invention. Specifically, the authentication service provider needs to have the following functions:
1. System initialization: the attribute-based encryption mechanism includes operations such as key generation, data encryption and decryption, and all of these operations require the public key. In addition, generating an attribute-based decryption key requires the master key. For the basic CP-ABE algorithm with $|U|$ attributes, $h_1, \ldots, h_U \in G$ are chosen at random, and the public key PK and master key MK are generated as follows:
$$PK = \left(g,\ e(g,g)^{\alpha},\ g^{a},\ h_1, \ldots, h_U\right), \qquad MK = g^{\alpha}$$
In the present invention, the public key and master key are both generated by the authentication service provider and are kept securely at the authentication service provider and at the attribute-based encryption proxy.
2. Restful service interface for upload and download requests from mobile intelligent devices: for an upload request, the interface takes the access control policy and the data upload address as request parameters and returns the session key and session ID to the mobile intelligent device as the response. For a download request, the interface takes the device attribute set and the data download address as request parameters and returns the session key and session ID to the mobile intelligent device as the response.
3. Generating the LSSS matrix and session key: in the data upload stage, the mobile intelligent device submits the access control policy for the data; the access control policy consists of a set of attributes and the logical relations between the elements of that set. The authentication service provider needs to generate the LSSS matrix according to the access control policy. It also generates the session key, which is mainly used for symmetric encryption of the data between the mobile intelligent device and the encryption proxy, to secure the communication.
4. Saving the LSSS matrix, session key, session ID, data upload address and related information to the database: the LSSS matrix is needed when the attribute-based encryption is performed. The session ID is mainly used by the encryption proxy when it sends a key query request to the authentication service provider; the corresponding LSSS matrix, session key and data upload address can be found from the session ID. In addition, an expiry time is generated when the record is saved to the database, specifying the validity period of the session key.
5. Generating the attribute-based decryption key: after receiving a data download request from a mobile intelligent device, the authentication service provider generates an attribute-based decryption key according to the device information of the mobile intelligent device. For the basic CP-ABE algorithm, $t \in Z_p$ is generated at random and the private key SK is obtained as follows:
$$SK = \left(g^{\alpha} g^{a t},\ g^{t},\ \forall x \in S:\ K_x = h_x^{t}\right)$$
The key is temporarily saved in the database.
6. Restful web interface for key queries from the encryption proxy: this interface takes the session ID as its request parameter. After receiving a request, the authentication service provider queries the database by session ID, finds the corresponding session key and the LSSS matrix (upload stage) or attribute-based decryption key (download stage), and determines whether they have expired. If they have not expired, they are returned to the encryption proxy as the response to the Restful web request.
Fig. 3 shows the functional block diagram of a typical encryption proxy in the present invention. Specifically, the encryption proxy needs to have the following functions:
1. Restful interface for data upload requests from mobile intelligent devices: this Restful interface takes the session ID as its request parameter and provides a file upload service. The session ID is the one previously returned to the mobile intelligent device by the authentication service provider, and the uploaded file is ciphertext encrypted with the session key.
2. Initiating key queries: after receiving a Restful service request from a mobile intelligent device, the encryption proxy needs to send a key query request to the authentication service provider according to the session ID in the request parameters. When this request succeeds, the encryption proxy obtains the session key corresponding to the session ID and the LSSS matrix (upload stage) or attribute-based decryption key (download stage).
3. Encryption conversion: encryption conversion is the core function of the encryption proxy and converts between symmetric encryption and attribute-based encryption. In the data upload stage, the encryption proxy converts the data from symmetric encryption to attribute-based encryption. For the basic CP-ABE algorithm, random values are generated, and then $\lambda_i = v L_i$ is computed, where $L_i$ is the $i$-th row of the linear secret sharing matrix. The ciphertext AEM of the plaintext $M$ is obtained as follows:
$$AEM = \left\{ C = M\, e(g,g)^{\alpha s},\ C' = g^{s},\ \left(C_1 = g^{a \lambda_1} h_{\rho(1)}^{-r_1},\ D_1 = g^{r_1}\right),\ \ldots,\ \left(C_l = g^{a \lambda_l} h_{\rho(l)}^{-r_l},\ D_l = g^{r_l}\right) \right\}$$
4. In the data download stage, the attribute-based decryption algorithm is applied first. For the basic CP-ABE algorithm, the plaintext is obtained by decryption as follows:
$$M = e(C', K) \Big/ \prod_{i \in I} \left( e(C_i, L)\, e(D_i, K_{\rho(i)}) \right)^{w_i}$$
The encryption proxy then symmetrically encrypts the decrypted $M$ with the session key and sends it to the mobile intelligent device, which only needs to perform a symmetric decryption to obtain $M$.
5. Restful interface for download requests from mobile intelligent devices: this interface takes the session ID as its request parameter and provides a file streaming service that sends the ciphertext, converted to symmetric encryption, to the mobile intelligent device.
In the mobile intelligent device security service implementation method supporting attribute-based encryption that is realized on the above system, the attribute-based encryption service system that is built consists of the authentication service provider and the attribute-based encryption proxy (encryption proxy), and all access interfaces of the authentication service provider and the encryption proxy use stateless Restful web services. At system initialization, the authentication service provider generates the public key and master key of the attribute-based encryption system and sends them to the encryption proxy.
On the one hand, the present invention provides an attribute-based encryption service for mobile intelligent devices uploading data to a third party, comprising:
When uploading data, the mobile intelligent device submits to the authentication service provider the upload address of the data and the access control policy based on the data's attributes;
The authentication service provider generates the linear secret sharing scheme (Linear Secret-Sharing Schemes, LSSS) matrix and the symmetric-encryption session key according to the data's confidentiality attributes, saves the device identifier corresponding to the data, the upload address, the session key, the session ID and the LSSS matrix, and returns the session ID and session key to the mobile intelligent device;
The mobile intelligent device symmetrically encrypts the data with the session key returned by the authentication service provider, using a symmetric encryption algorithm such as DES or AES, and sends the encrypted data to the encryption proxy;
The encryption proxy queries the authentication service provider for the session key and LSSS matrix according to the session ID, decrypts the mobile intelligent device's encrypted data with the session key, performs attribute-based encryption on the data according to the LSSS matrix, and finally uploads it to the third-party data service for storage;
On the other hand, the present invention provides an attribute-based decryption service for mobile intelligent devices downloading data, comprising:
When downloading data, the mobile intelligent device queries the authentication service provider for the decryption session ID and key;
The authentication service provider obtains the identity attributes corresponding to the mobile intelligent device according to its identity, generates a session key and an attribute-based decryption key, and returns the session ID and session key to the mobile intelligent device;
The mobile intelligent device uses the session ID to request the data download from the encryption proxy;
The encryption proxy downloads the data from the third-party data service, obtains the session key and attribute-based decryption key from the authentication service provider, decrypts the data downloaded from the third party using attribute-based decryption, then encrypts it with the session key and sends it to the mobile intelligent device;
The mobile intelligent device uses the session key to decrypt the symmetrically encrypted data sent by the encryption proxy and obtains the plaintext.
It can be seen that, through the authentication service provider and the encryption proxy, the mobile intelligent device achieves third-party attribute-based encryption for data upload and download, and fine-grained access control over the data based on user identity can be realized.
The mobile intelligent device security service implementation method supporting attribute-based encryption is described in detail below for the data upload stage and the data download stage in turn:
Fig. 4 shows a typical data upload flow chart. In the data upload process:
The mobile intelligent device submits a data upload request to the authentication service provider. The mobile intelligent device first submits the data upload address and the data's access control policy to the authentication service provider through the Restful interface. The access control policy consists of a series of attribute descriptions and logical relations and is a detailed description of the access rights to the data. For example, a mobile intelligent device is preparing to upload a file A and wants only devices with certain specific attributes, such as device ID, MAC address or SIM card ID, to be able to access it. The data uploader can also define the relations between these attributes, such as "and" and "or" relations. For example, it can define ((MAC address) and ((device ID) or (SIM ID))). A device that wants to access this data then needs to satisfy two conditions: 1. the device's MAC address is identical to the specified value; 2. the device's device ID or SIM ID is identical to the specified value. Fine-grained access control can therefore be provided without knowing the concrete identity of the decryptor.
The authentication service provider generates the LSSS matrix, session key and related values according to the access control policy and saves them to the database, then returns the session key to the mobile intelligent device. The authentication service provider serves the mobile intelligent device through a Restful web interface. After receiving the mobile intelligent device's upload request, the authentication service provider selects a suitable LSSS matrix according to the access control policy of the user's data, and it randomly generates a session key. It then saves the LSSS matrix, session ID, upload address and session key to the database. When saving the key it also sets an expiry time that marks the validity period of the session key; a key whose validity period has passed is not returned to the encryption proxy. The size of the LSSS matrix is positively correlated with the number of attributes in the access control policy of the user's data. The session key is mainly used for symmetric encryption and serves two purposes. On the one hand, the authentication service provider distributes the session key to the mobile intelligent device, and the mobile intelligent device uses it to symmetrically encrypt the data to be uploaded. On the other hand, the authentication service provider distributes the session key to the encryption proxy, and the encryption proxy uses it to decrypt the symmetrically encrypted data received from the user. The session ID is the lookup key for key queries: when the encryption proxy performs a key query, the corresponding session key, LSSS matrix, data upload address and so on are identified by the session ID. Finally, the authentication service provider returns the session ID and session key to the mobile intelligent device as the response to the Restful web request.
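The LSSS matrix generation described above, as an added example that is not part of the patent: the patent does not say how the matrix is derived from the policy, so this sketch uses the Lewko-Waters formula-to-matrix conversion as an assumed technique, applied to the example policy ((MAC address) and ((device ID) or (SIM ID))), and then checks which attribute sets can reconstruct the shared secret from the shares $\lambda_i = v L_i$. The attribute names, the demo prime `P` and all function names are illustrative assumptions.

```python
"""Access policy -> LSSS matrix, and the check that an attribute set satisfies it.

Added illustration. The conversion is the Lewko-Waters construction (an assumption;
the patent does not name one). All identifiers below are hypothetical.
"""

P = 2**61 - 1  # demo prime standing in for the group order p (assumption)

# Constructed policy mirroring the text: (MAC address) and ((device ID) or (SIM ID))
POLICY = ("and", "mac", ("or", "device_id", "sim_id"))


def policy_to_lsss(policy):
    """Return (matrix, rho): one row per attribute leaf; rho[i] labels row i."""
    rows, rho = [], []
    width = 1  # number of matrix columns allocated so far

    def walk(node, vec):
        nonlocal width
        if isinstance(node, str):          # leaf: the attribute receives this row
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "or":                     # OR: either child alone suffices
            walk(left, list(vec))
            walk(right, list(vec))
        elif op == "and":                  # AND: split over a fresh column
            padded = vec + [0] * (width - len(vec))
            left_vec, right_vec = padded + [1], [0] * width + [-1]
            width += 1                     # both vectors fixed before recursing
            walk(left, left_vec)
            walk(right, right_vec)
        else:
            raise ValueError(f"unknown operator: {op!r}")

    walk(policy, [1])
    return [r + [0] * (width - len(r)) for r in rows], rho


def shares(matrix, v, p=P):
    """lambda_i = v . L_i for every row L_i; v[0] is the shared secret s."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def reconstruction_coefficients(matrix, rho, attrs, p=P):
    """Return {row: w_i} with sum(w_i * L_i) = (1,0,...,0) mod p, else None."""
    idx = [i for i, name in enumerate(rho) if name in attrs]
    n = len(matrix[0])
    # Augmented system A w = e1, where column j of A is the row L_idx[j].
    aug = [[matrix[i][k] % p for i in idx] + [1 if k == 0 else 0]
           for k in range(n)]
    pivots, r = [], 0
    for c in range(len(idx)):              # Gauss-Jordan elimination mod p
        piv = next((k for k in range(r, n) if aug[k][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):    # e1 not in the span: policy not met
        return None
    w = {i: 0 for i in idx}
    for row_i, c in enumerate(pivots):
        w[idx[c]] = aug[row_i][-1]
    return w


if __name__ == "__main__":
    matrix, rho = policy_to_lsss(POLICY)
    for name, row in zip(rho, matrix):
        print(f"{name:10s} {row}")
    for attrs in ({"mac", "sim_id"}, {"device_id", "sim_id"}, {"mac"}):
        ok = reconstruction_coefficients(matrix, rho, attrs) is not None
        print(sorted(attrs), "satisfies policy:", ok)
```

The matrix has one row per attribute in the policy, which is the positive correlation between matrix size and attribute count that the text mentions.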
The mobile intelligent device encrypts the data with the session key and sends it to the encryption proxy. After receiving the authentication service provider's response, the mobile intelligent device encrypts the data with the session key; any symmetric encryption scheme, such as AES, can be chosen here. Because the mobile intelligent device uses the session key directly for symmetric encryption, the exponentiation operations of the attribute-based encryption process are avoided. Exponentiation in a group consumes a great deal of computing resources, so the computing overhead of the mobile intelligent device is reduced. After encryption is complete, the mobile intelligent device sends the session ID and the symmetrically encrypted ciphertext to the encryption proxy. The session ID is what the encryption proxy uses to send its key query to the authentication service provider.
The encryption proxy queries the authentication service provider for the keys according to the session ID, converts the encryption scheme, and finally uploads the data to the third-party data service. The encryption proxy receives the symmetrically encrypted ciphertext and the session ID sent by the mobile intelligent device. Using the session ID, the encryption proxy sends a key query request to the authentication service provider through the Restful web interface. The authentication service provider queries the database by session ID, finds the corresponding session key, LSSS matrix and data upload address, and returns them to the encryption proxy as the response to the Restful web request. The encryption proxy then decrypts the data with the session key; the authentication service provider guarantees that this session key is the same symmetric key the mobile intelligent device used to encrypt the data. Next, the encryption proxy performs attribute-based encryption on the decrypted data according to the LSSS matrix. Finally, the encryption proxy sends the encrypted data to the third-party data service for storage.
Throughout the data upload process, if this system were not introduced, the attribute-based encryption would have to be completed on the mobile intelligent device. Attribute-based encryption requires a large number of exponentiation operations, and exponentiation consumes considerable computing resources, so it is not suitable for resource-constrained devices such as mobile intelligent devices. By introducing this system, the computationally expensive exponentiation is moved from the mobile intelligent device to the encryption proxy. This not only provides fine-grained access control over the data but also saves computing overhead on the mobile intelligent device, reduces device power consumption, and makes the attribute-based encryption mechanism more applicable to mobile intelligent devices.
Figure 5 shows a typical data download flow chart. In the data download process:
The mobile intelligent device submits a data download request to the authentication service supplier. The mobile intelligent device sends the download request to the authentication service supplier through the RESTful web interface, and the request carries the address of the data to be downloaded. The download request also contains the attribute information of the device. The attribute information serves as the identifier of the device's access rights and consists of a series of device attributes, such as the MAC address, device ID and SIM card ID.
The authentication service supplier generates the attribute-based decryption key, the session key and so on according to the device attributes in the download request, then returns the session key to the mobile intelligent device. The authentication service supplier provides its service to the mobile intelligent device through a RESTful web interface. After receiving the data download request submitted by the mobile intelligent device, the authentication service supplier generates an attribute-based decryption key from the device's attribute set. It also randomly generates a session key, which serves two purposes: (1) the session key is distributed to the encryption agent, which uses it to symmetrically encrypt the data; (2) the session key is distributed to the mobile intelligent device, which uses it to decrypt the symmetrically encrypted data. The authentication service supplier then saves the session ID, the session key and the attribute-based decryption key in its database for the encryption agent to query later, with the session ID serving as the basis of the encryption agent's key query. Finally, the session ID and session key are returned to the mobile intelligent device as the reply to the RESTful web request.
The mobile intelligent device submits a data download request to the encryption agent. The mobile intelligent device receives the RESTful response from the authentication service supplier, which contains the session ID and the session symmetric key. It then sends a resource download request to the encryption agent through the RESTful interface; apart from the session ID, the remaining fields (download address, download user name and password) are all symmetrically encrypted.
The encryption agent queries the authentication service supplier for the keys according to the session ID. The encryption agent provides its service to the mobile intelligent device through a RESTful web interface. After receiving the data download request from the mobile intelligent device, the encryption agent first extracts the session ID from the request, then submits a key query request containing that session ID to the authentication service supplier through the supplier's RESTful service interface.
The authentication service supplier provides the key query service to the encryption agent through a RESTful web interface. After receiving the key query request from the encryption agent, the authentication service supplier queries its database by session ID, finds the corresponding session key and attribute-based decryption key, and returns them to the encryption agent as the reply to the RESTful web request.
The encryption agent downloads the data from the data service third party, converts the encryption mode, and sends the data to the mobile intelligent device. After receiving the reply from the authentication service supplier and obtaining the session key and the attribute-based decryption key, the encryption agent decrypts the download request sent by the mobile intelligent device with the session symmetric key and obtains the download address, download user name and password. The encryption agent then downloads the encrypted data from the data service third party; this data is encrypted with attribute-based encryption. Once the download is complete, the encryption agent decrypts the data with the attribute-based decryption key. If the attribute set of the data download requester satisfies the access control policy of the data, decryption with the attribute-based decryption key yields the data plaintext; the encryption agent then encrypts that plaintext with the session key using a symmetric cipher (for example AES) and sends it to the mobile intelligent device. If the attribute set of the mobile intelligent device does not satisfy the access control policy of the data, decryption fails; the encryption agent immediately replies to the mobile intelligent device that its identity does not meet the requirements, and aborts the data download process.
The mobile intelligent device decrypts the data with the session key. After receiving the symmetrically encrypted data, the mobile intelligent device decrypts it with the session key it obtained earlier from the authentication service supplier. Because this session key is identical to the session key the encryption agent used for symmetric encryption, the mobile intelligent device obtains the data plaintext after decryption. At this point, the data download process ends.
Throughout the data download process, the data is stored at the data service third party and is encrypted based on attributes. Without this system, attribute-based decryption would have to be carried out on the mobile intelligent device. Attribute-based decryption, however, requires a large number of pairing and exponentiation operations, which are extremely expensive in computing resources. This is clearly unsuitable for resource-constrained devices such as mobile intelligent devices. With this system, the attribute-based decryption is moved from the mobile intelligent device to the encryption agent, which significantly reduces the computing cost and power consumption of the mobile intelligent device and improves the applicability of attribute-based encryption to mobile intelligent devices.
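The upload and download flows above both hinge on the LSSS matrix: the authentication service supplier derives it from the access control policy, and attribute-based decryption at the encryption agent succeeds only when the requester's attribute set satisfies that policy. The following is an added example, not code from the patent, showing the conversion and the satisfaction check over plain integers. The Lewko-Waters conversion, the field prime `P`, the tuple policy format and the attribute names are assumptions made here; a real CP-ABE scheme carries the shares in the exponent of a pairing group instead of exposing them.

```python
import secrets

# Constructed field prime; a real CP-ABE scheme works modulo its pairing group order.
P = 2**127 - 1

def policy_to_lsss(policy):
    """Convert a monotone AND/OR tree into (matrix, row_labels) (Lewko-Waters)."""
    rows, width, stack = [], 1, [(policy, [1])]
    while stack:
        node, vec = stack.pop()
        if isinstance(node, str):            # leaf: one row per attribute occurrence
            rows.append((node, vec))
            continue
        op, left, right = node
        if op == "or":                       # either child alone suffices
            stack += [(right, vec), (left, vec)]
        elif op == "and":                    # both children needed: add a fresh column
            padded = vec + [0] * (width - len(vec))
            stack += [(right, [0] * width + [-1]), (left, padded + [1])]
            width += 1
        else:
            raise ValueError(f"unsupported gate: {op!r}")
    matrix = [[x % P for x in vec + [0] * (width - len(vec))] for _, vec in rows]
    return matrix, [label for label, _ in rows]

def share(secret, matrix):
    """Share i is M_i . v, where v = (secret, r_2, ..., r_n) with random r_j."""
    v = [secret % P] + [secrets.randbelow(P) for _ in matrix[0][1:]]
    return [sum(m * x for m, x in zip(row, v)) % P for row in matrix]

def recon_coeffs(matrix, labels, attrs):
    """Find w with sum_i w_i * M_i = (1, 0, ..., 0) over GF(P), using only rows
    labelled by attrs. Returns {row_index: w_i}, or None if attrs fails the policy."""
    idx = [i for i, lab in enumerate(labels) if lab in attrs]
    n = len(matrix[0])
    # One equation per matrix column, one unknown per usable row, target column last.
    aug = [[matrix[i][c] for i in idx] + [int(c == 0)] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(idx)):              # Gauss-Jordan elimination mod P
        p = next((k for k in range(r, n) if aug[k][col]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % P for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):      # target vector is outside the span
        return None
    return {idx[col]: aug[k][-1] for k, col in enumerate(pivots)}

def reconstruct(shares, coeffs):
    return sum(w * shares[i] for i, w in coeffs.items()) % P

# Constructed policy over constructed attribute names.
POLICY = ("and", "dept:cardiology", ("or", "role:doctor", ("and", "role:nurse", "shift:night")))

if __name__ == "__main__":
    M, labels = policy_to_lsss(POLICY)
    secret = secrets.randbelow(P)
    shares = share(secret, M)
    for attrs in ({"dept:cardiology", "role:doctor"}, {"role:nurse", "shift:night"}):
        w = recon_coeffs(M, labels, attrs)
        print(sorted(attrs), "->", "denied" if w is None else reconstruct(shares, w) == secret)
```

The matrix has one row per attribute in the policy and one column per AND gate plus one, which is the size relationship claim 4 refers to.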

Claims (9)

1. A mobile intelligent device security service implementation method supporting attribute-based encryption, characterized in that it comprises a data upload stage and a data download stage; wherein
The data upload stage comprises the following steps:
The mobile intelligent device submits a data upload request to the authentication service supplier, and sends in the upload request the address of the data to be uploaded and an access control policy based on data confidentiality attributes;
The authentication service supplier generates a linear secret sharing scheme (LSSS) matrix according to the access control policy; randomly generates an upload session key; saves the address of the uploaded data, the LSSS matrix and the upload session key corresponding to the data; and returns the upload session ID and the upload session key to the mobile intelligent device;
The mobile intelligent device encrypts the data to be uploaded with the upload session key, and sends the encrypted data and the upload session ID to the encryption agent;
The encryption agent queries the authentication service supplier for the upload session key and the LSSS matrix according to the upload session ID, first decrypts the mobile intelligent device's encrypted data with the upload session key, then applies attribute-based encryption to the decrypted data according to the LSSS matrix, and afterwards uploads the encrypted data to the data service third party for storage;
The data download stage comprises the following steps:
The mobile intelligent device submits a data download request to the authentication service supplier, and sends in the request the address of the data to be downloaded and its attribute information;
The authentication service supplier generates an attribute-based decryption key according to the attribute information; randomly generates a download session key; and returns the download session ID and the download session key to the mobile intelligent device;
The mobile intelligent device forwards the download session ID to the encryption agent;
The encryption agent downloads the encrypted data from the data service third party, and obtains the download session key and the attribute-based decryption key from the authentication service supplier according to the download session ID; it first decrypts the downloaded encrypted data with the attribute-based decryption key, then encrypts the decrypted data with the download session key, and afterwards sends the encrypted data to the mobile intelligent device;
The mobile intelligent device decrypts the encrypted data sent by the encryption agent with the download session key and obtains the plaintext.
2. The mobile intelligent device security service implementation method supporting attribute-based encryption according to claim 1, characterized in that the access control policy consists of a series of attribute descriptions and logical relations, and is a detailed description of the access rights to the data.
3. The mobile intelligent device security service implementation method supporting attribute-based encryption according to claim 1, characterized in that the authentication service supplier stores a validity period for the linear secret sharing scheme (LSSS) matrix and the upload session key, and an LSSS matrix and upload session key that have exceeded this validity period will not be returned to the encryption agent.
4. The mobile intelligent device security service implementation method supporting attribute-based encryption according to claim 1, characterized in that the size of the linear secret sharing scheme (LSSS) matrix is positively correlated with the number of attributes in the access control policy.
5. The mobile intelligent device security service implementation method supporting attribute-based encryption according to claim 1, characterized in that
when the mobile intelligent device encrypts the data to be uploaded with the upload session key, a symmetric encryption algorithm is used; when the encryption agent encrypts the decrypted data with the download session key, a symmetric encryption algorithm is also used.
6. The mobile intelligent device security service implementation method supporting attribute-based encryption according to claim 1, characterized in that the attribute information is the identifier of the mobile intelligent device's access rights and consists of a series of device attributes.
7. The mobile intelligent device security service implementation method supporting attribute-based encryption according to claim 1, characterized in that only when the attribute set of the data download requester satisfies the access control policy of the data can the encryption agent decrypt the data with the attribute-based decryption key.
8. A mobile intelligent device data security service implementation system supporting attribute-based encryption, characterized in that it consists of a mobile intelligent device, an authentication service supplier, an encryption agent and a data service third party; wherein
Mobile intelligent device: the consumer of the service;
Authentication service supplier: in the system initialization stage, mainly responsible for generating the system master key and public key; in the data upload stage, mainly responsible for generating the upload session key and the linear secret sharing scheme (LSSS) matrix; in the data download stage, mainly responsible for generating the download session key and the attribute-based decryption key; in addition, it provides a key query service to the encryption agent, and manages keys and related information in an internal database;
Encryption agent: in the data upload stage, it first uses the upload session ID submitted by the mobile intelligent device to query the authentication service supplier for the upload session key and the LSSS matrix, then converts the user-uploaded data encrypted with the upload session key into attribute-based encrypted data, and finally uploads the data to the data service third party for storage; in the data download stage, it first uses the download session ID submitted by the mobile intelligent device to query the authentication service supplier for the download session key and the attribute-based decryption key, then downloads the data from the data service third party, converts the attribute-based encrypted data into data encrypted with the download session key, and finally delivers it to the mobile intelligent device;
Data service third party: mainly responsible for storing and maintaining large volumes of data.
9. The mobile intelligent device data security service implementation system supporting attribute-based encryption according to claim 8, characterized in that the mobile intelligent device and the authentication service supplier communicate through a RESTful web interface, the authentication service supplier and the encryption agent communicate through a RESTful web interface, and the encryption agent and the mobile intelligent device communicate through a RESTful web interface.
CN201510288622.3A 2015-05-29 2015-05-29 Support the intelligent movable equipment safety service implementing method and system of attribute base encryption Active CN104954447B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510288622.3A CN104954447B (en) 2015-05-29 2015-05-29 Support the intelligent movable equipment safety service implementing method and system of attribute base encryption


Publications (2)

Publication Number Publication Date
CN104954447A true CN104954447A (en) 2015-09-30
CN104954447B CN104954447B (en) 2018-02-02

Family

ID=54168790



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant