CN105007259B - Cloud platform big data access method - Google Patents
Classifications (CPC, all under H04L: transmission of digital information)
- H04L63/105—Multiple levels of security
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention provides a cloud platform big data access method. The method includes: the cloud platform server generates the key parameters and selects a security node; a user joins the system through the security node; the security node performs a key exchange with the user; the security node generates the private key and the token corresponding to the user; the user verifies the message and then decrypts it to obtain the private key; the other nodes in the cloud platform determine whether the user has a legal identity. The method of the present invention can effectively solve the problem of illegal users attacking through network logical addresses, guarantees the security of the system, and is suitable for cloud storage systems.
Description
Technical field
The present invention relates to big data security, and more particularly to a cloud platform big data access method.
Background technology
A cloud storage system for big data guarantees high reliability of the services it provides through the management and operating mechanisms of the cloud platform; on the other hand, by pooling the storage resources contributed by all participating users, it provides cheap and very large storage space, effectively meeting the demands of rapidly developing Internet applications for scale, efficiency, reliability, scalability and cost-effectiveness. Both the user base and the data scale of a cloud system are very large, which makes it face more complex security problems. A user is a user of the system. The user authorization control mechanism is the first line of defence of cloud storage system security: it determines whether a user may join the system, and once a user is admitted it assigns each login user a unique identity, so that the user's legal identity can be verified throughout the system. Only users that possess a legal identity may participate in system operation and use the services the system provides. In the prior art of user authorization control, an illegal user can join the system under multiple different identities, and each of these identities acts as a separately obtained identity, so that a single attacker effectively becomes multiple illegal users. Thus, if the number of identities a user can obtain is not limited, an illegal user can easily control a considerable fraction of the nodes in the system, or even the whole system. In addition, when the system allows users to freely choose their identities, an illegal user will deliberately choose identities that control important data space. In this case, even if the number of identities a user may obtain is very limited and the system adopts a data redundancy storage strategy, multiple illegal users acting jointly can still easily obtain the identities of the storage nodes corresponding to the data copies, and thereby pollute the data. At the same time, illegal users acting jointly can also choose suitable identities so that, with maximum probability, they appear in the routing tables of legitimate nodes, thereby controlling the legitimate nodes' access to the system.
The content of the invention
To solve the above problems of the prior art, the present invention proposes a cloud platform big data access method, including:

The cloud platform server generates two additive integer groups $G_0$ and $G_1$ of prime order $p$ and a bilinear map $e: G_0 \times G_0 \to G_1$; selects a random element $s_0$ from the Galois field $GF(2^p)$ as the master key and computes its public key $Q_0 = s_0 P_0$, where $P_0$ is a generator of $G_0$; pre-selects hash functions $H_1$, $H_2$ and the SHA-1 cryptographic hash function $H_3$; and distributes the key parameters $(G_0, G_1, e, P_0, Q_0, H_1, H_2)$;

The cloud platform server selects a security node $P$; the security node $P$ obtains an identity $ID_P$ and a private key $S_P$ from the cloud platform server, selects a random element $s_P$ from the Galois field $GF(2^p)$ as its master key, and computes the public key $Q_P = s_P P_0$; user $Q$ obtains the address of the security node $P$ from the cloud platform server and then joins the system through the security node $P$;

User $Q$ sends its network logical address $LA_Q$ to the security node $P$; the security node $P$ verifies, by way of a callback, that user $Q$ really possesses $LA_Q$; then the security node $P$ and user $Q$ perform a key exchange and produce a symmetric key $K_{P\cdot Q}$, which is used to encrypt the transmission of the subsequently generated private key and to protect the integrity of the transmitted messages;

The security node $P$ assigns user $Q$ an identity $ID_Q$ and its generation time $T_Q$, generates the corresponding private key $S_Q$, and generates a token used by other nodes to verify user $Q$'s identity, namely:
1) obtain the time $T_Q$ at which user $Q$'s identity $ID_Q$ is generated, and compute user $Q$'s identity as $ID_Q = H_3(LA_Q, T_Q)$;
2) compute user $Q$'s public key as $P_Q = H_1(ID_Q)$;
3) compute user $Q$'s private key as $S_Q = S_P + s_P P_Q$, and encrypt it with $K_{P\cdot Q}$ to obtain $E(S_Q, K_{P\cdot Q})$;
4) compute the token $Tok_Q = S_P + s_P H_2(ID_Q, T_Q)$;
5) send $(ID_Q, T_Q, Q_P, Tok_Q, E(S_Q, K_{P\cdot Q}))$ to user $Q$;

After user $Q$ receives the message, it verifies the message and then decrypts it with $K_{P\cdot Q}$ to obtain $S_Q$;

When user $Q$ contacts another node $R$, it sends $(ID_Q, ID_P, T_Q, Q_P, Tok_Q)$; node $R$ asks the cloud platform server whether $ID_P$ is a security node and, if not, rejects user $Q$; otherwise node $R$ computes and checks whether $e(P_0, Tok_Q) = e(Q_0, P_P) \cdot e(Q_P, H_2(ID_Q, T_Q))$ holds; if it holds, node $R$ determines that user $Q$ has a legal identity and establishes contact with user $Q$; otherwise user $Q$ is rejected;

After user $Q$'s valid identity expires, it contacts node $P$ to update its key pair: user $Q$ sends $(LA_Q, T_Q, Tok_Q)$ to node $P$, $P$ verifies user $Q$, and if the verification passes, $P$ sends user $Q$ the updated identity, time, private key and token; if $P$ has left the system, user $Q$ obtains the address of a new security node from the cloud platform server and sends it $(LA_Q, ID_P, T_Q, Q_P, Tok_Q)$, and the new security node updates $Q$'s key pair.
Compared with the prior art, the present invention has the following advantages:
The method of the present invention can effectively solve the problem of illegal users attacking through network logical addresses, guarantees the security of the system, and is suitable for cloud storage systems.
Brief description of the drawings
Fig. 1 is a flow chart of the cloud platform big data access method according to an embodiment of the present invention.
Embodiment
A detailed description of one or more embodiments of the invention is provided below together with the accompanying drawing illustrating the principle of the invention. The invention is described with reference to such embodiments, but the invention is not restricted to any embodiment. The scope of the invention is limited only by the claims, and the invention covers many alternatives, modifications and equivalents. Many specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for exemplary purposes, and the invention may also be practised according to the claims without some or all of these details.
Fig. 1 is a flow chart of the cloud platform big data access method according to an embodiment of the present invention. The present invention is directed at the characteristics of cloud storage systems: it uses the authorization control mechanism of cloud storage to assign identities to users securely and efficiently, and to effectively resist malicious attacks. A user's public key can be derived directly from its identity, and its private key is computed from a series of key parameters. In the first embodiment, the cloud platform server assigns each user joining the system an identity based on its network logical address, generates and distributes the key pair corresponding to that identity, and a user holding a legal identity becomes a node in the system. When a user joins the system, it is verified by way of a callback: only a user that can receive the connection to the network logical address is considered the legitimate holder of that network logical address, and only a user that passes the verification is assigned an identity. This prevents illegal users from obtaining a large number of system identities by forging network logical addresses and launching malicious attacks.
In a further embodiment, hierarchical encryption technology is introduced to effectively reduce the overhead of the cloud platform server. The cloud platform server can distribute the work of assigning identities to users and generating the corresponding private keys to multiple security nodes in the system, so that the system has good scalability. A further embodiment assigns identities to users based on the network logical address and the port number. At the same time, in order to prevent an illegal user behind an address-translating network from obtaining a large number of identities by using multiple port numbers, a cryptographic operation is added when private keys are distributed to users, which effectively limits the rate at which illegal users obtain identities and thereby limits malicious attacks.
In the cryptosystem applied by the present invention, the public key is produced from a simple data object, which can for example be a network logical address; the private key used for encryption, decryption, signing and verification is then produced from a series of key parameters. The generation of private keys is the responsibility of a trusted third party called the key generator. With this construction, no keys of other forms need to be distributed, and users can encrypt data or verify signatures directly. Eliminating the complex work of certificate management greatly reduces the overhead of the system. In order to reduce the computational cost of the key generator, multi-level key generators can be arranged in a tree, so that private key generation can be completed by multi-level key generators.
The present invention is based on a cloud storage system architecture composed of a cloud platform server and multiple users. Any network logical address can be forged by an illegal user, and any data propagated in the network can be eavesdropped on by an illegal user, but the number of valid network logical addresses that a single illegal user can obtain, and its computing capability, are limited. The operations that make up the method of the present invention are described in detail below; specifically, they assign legal identities to users joining the system and resist illegal attacks on the system.
In the first embodiment, the cloud platform server assigns each user joining the system a random identity, generates the corresponding private key, and binds the user identity to its private key. The method includes two stages: system initialization and user login.
Initialization phase: the cloud platform server performs the following operations to produce the protocol key parameters.
1) Generate two additive integer groups $G_0$ and $G_1$ of prime order $p$ and a bilinear map $e: G_0 \times G_0 \to G_1$, where $P_0$ is a generator of $G_0$.
2) Select a random element $s_0$ from the Galois field $GF(2^p)$ as the master key, and compute its public key $Q_0 = s_0 P_0$.
3) Pre-select hash functions $H_1$, $H_2$ and the SHA-1 cryptographic hash function $H_3$.
4) Distribute the key parameters $(G_0, G_1, e, P_0, Q_0, H_1, H_2)$.
When user $N$ joins the system, it first sends its network logical address $LA_N$ to the cloud platform server. The cloud platform server verifies $N$ by way of a callback, i.e. it establishes a connection to $LA_N$, and all responses to the request are transmitted over this connection, which confirms that $N$ really possesses $LA_N$.
The cloud platform server then performs a key exchange with $N$ and produces a symmetric key $K_N$, which is used to encrypt the transmission of the subsequently generated private key and to protect the integrity of the transmitted messages.
The cloud platform server then performs the following operations. It assigns user $N$ an identity $ID_N$ and its generation time $T_N$, where $T_N$ denotes the validity period of $ID_N$, generates the corresponding private key $S_N$, and generates a token that allows other nodes in the system to verify user $N$'s identity, so that user $N$ becomes a valid system node, namely:
1) obtain the time $T_N$ at which user $N$'s identity $ID_N$ is generated, and compute $ID_N = H_3(LA_N, T_N)$;
2) compute user $N$'s public key as $P_N = H_1(ID_N)$;
3) compute user $N$'s private key as $S_N = s_0 P_N$, and encrypt it with $K_N$ to obtain $E(S_N, K_N)$;
4) compute the token $Tok_N = s_0 H_2(ID_N, T_N)$;
5) send $(ID_N, T_N, Tok_N, E(S_N, K_N))$ to user $N$. After user $N$ receives the message, it verifies the message and then decrypts it with $K_N$ to obtain $S_N$.
When $N$ contacts another user node $M$ in the system, it sends $(ID_N, T_N, Tok_N)$. $M$ computes and checks whether $e(P_0, Tok_N) = e(Q_0, H_2(ID_N, T_N))$ holds; if it holds, $N$ has a legal identity and $M$ establishes contact with $N$; otherwise $N$ is rejected.
After $N$'s valid identity expires, it needs to contact the cloud platform server to update its key pair. $N$ sends $(LA_N, T_N, Tok_N)$ to the cloud platform server, the cloud platform server verifies it, and if the verification passes, the cloud platform server sends it the updated identity, time, private key and token. Therefore the public key of a node can be derived directly from its identity alone. The protocol not only assigns each user a random identity, but also controls the identity's validity period through the time at which the identity is defined.
In a further, second embodiment, the cloud platform server distributes the work of assigning identities to users and generating the corresponding private keys to multiple security nodes in the system, which effectively reduces the cloud platform server's overhead. First, the cloud platform server selects several security nodes, and these nodes obtain identities and private keys from the cloud platform server according to the first embodiment; then, each of these nodes assigns a random identity to the users joining the system and generates the corresponding private keys. The second embodiment is based on the first embodiment. Suppose the selected security node $P$ has obtained the identity $ID_P$ and the private key $S_P$ from the cloud platform server; $P$ selects a random element $s_P$ from the Galois field $GF(2^p)$ as its master key and computes $Q_P = s_P P_0$. User $Q$ contacts the cloud platform server to obtain $P$'s address, and then contacts $P$ to join the system.
The first stage of the user login process is as follows. $Q$ sends its network logical address $LA_Q$ to $P$; $P$ verifies $Q$ by way of a callback to confirm that $Q$ really possesses $LA_Q$. $P$ then performs a key exchange with $Q$ and produces a symmetric key $K_{P\cdot Q}$, which is used to encrypt the transmission of the subsequently generated private key and to protect the integrity of the transmitted messages.
$P$ performs the following operations: it assigns $Q$ an identity $ID_Q$ and its generation time $T_Q$, generates the corresponding private key $S_Q$, and generates a token that allows other nodes in the system to verify $Q$'s identity, so that $Q$ becomes a valid system node, namely:
1) obtain the time $T_Q$ at which user $Q$'s identity $ID_Q$ is generated, and compute $Q$'s identity as $ID_Q = H_3(LA_Q, T_Q)$;
2) compute user $Q$'s public key as $P_Q = H_1(ID_Q)$;
3) compute user $Q$'s private key as $S_Q = S_P + s_P P_Q$, and encrypt it with $K_{P\cdot Q}$ to obtain $E(S_Q, K_{P\cdot Q})$;
4) compute the token $Tok_Q = S_P + s_P H_2(ID_Q, T_Q)$;
5) send $(ID_Q, T_Q, Q_P, Tok_Q, E(S_Q, K_{P\cdot Q}))$ to user $Q$.
After $Q$ receives the message, it verifies the message and then decrypts it with $K_{P\cdot Q}$ to obtain $S_Q$.
When $Q$ contacts another node $R$ in the system, it sends $(ID_Q, ID_P, T_Q, Q_P, Tok_Q)$. $R$ asks the cloud platform server whether $ID_P$ is a security node; if not, $Q$ is rejected. Otherwise $R$ computes and checks whether $e(P_0, Tok_Q) = e(Q_0, P_P) \cdot e(Q_P, H_2(ID_Q, T_Q))$ holds; if it holds, $Q$ has a legal identity and $R$ establishes contact with $Q$; otherwise $Q$ is rejected.
After $Q$'s valid identity expires, it needs to contact $P$ to update its key pair. $Q$ sends $(LA_Q, T_Q, Tok_Q)$ to $P$, $P$ verifies it, and if the verification passes, $P$ sends it the updated identity, time, private key and token. Note that if $P$ has left the system at this point, $Q$ obtains the address of a new security node from the cloud platform server and sends it $(LA_Q, ID_P, T_Q, Q_P, Tok_Q)$, and the new security node updates $Q$'s key pair.
Compared with the first embodiment, the cloud platform server can distribute the work of assigning identities to users and generating the corresponding private keys to multiple security nodes in the system, effectively reducing its overhead. In the system start-up phase, when the number of nodes is small, the cloud platform server can operate according to the scheme of the first embodiment; as the number of security nodes in the system gradually increases, the work can be progressively distributed to the security nodes.
With network address translation, multiple hosts can access the network through a single network logical address. If identities are generated for users based on this network logical address, several users joining the system will have the same identity, and the system cannot operate normally. The third embodiment solves this problem: a host inside such a network must, when joining the system, provide both the public network logical address and the port number it uses, and the cloud platform server generates the user's identity from this information. Because different hosts use different port numbers, each user inside the address-translating network can also possess a different identity. The third embodiment is an extension of the first embodiment, and the system initialization phase is identical.
An illegal user could obtain multiple identities by using multiple different port numbers. To solve this problem, the third embodiment extends the user login process of the first embodiment as follows:
The cloud platform server generates a cryptographic operation $H(ID_N \| T_N \| PZ_N)$, where "$\|$" is the string concatenation operator, $H$ is a cryptographic hash function and $PZ_N$ is a random number of a predetermined bit length; it encrypts $S_N$ with $K_N \oplus PZ_N$ to obtain $E(S_N, K_N \oplus PZ_N)$; finally it sends user $N$ the message $(ID_N, T_N, Tok_N, H(ID_N \| T_N \| PZ_N), E(S_N, K_N \oplus PZ_N))$.
After user $N$ receives the message and verifies it, it must first determine $PZ_N$. Because of the one-way, irreversible property of the cryptographic hash function, user $N$ can only recover $PZ_N$ by brute-forcing $H(ID_N \| T_N \| PZ_N)$ through exhaustive search; it then decrypts with $K_N \oplus PZ_N$ to obtain $S_N$. Note that the difficulty of the decryption operation can be controlled by choosing different lengths for $PZ_N$.
Finally, in the third stage of the user login process, the third embodiment is identical to the first embodiment. When user $N$ contacts the cloud platform server to update its key pair, the cloud platform server generates a new cryptographic operation, and the user can obtain the new private key only after solving it.
By making users inside the network pay a certain computational cost to obtain a private key, the rate at which illegal users obtain identities is effectively limited, which limits malicious attacks.
The fourth embodiment is similar to the third embodiment and is likewise proposed to solve the problems brought by address translation in the network. The difference is that the fourth embodiment is an extension of the second embodiment. The system initialization process is still identical; in the user login process, a host inside the address-translating network must provide both the public network logical address and the port number, the security node generates the user's identity from this information, and the remaining operations of this stage are all the same.
In the user login process, the security node generates a cryptographic operation $H(ID_Q \| T_Q \| PZ_Q)$, where $PZ_Q$ is a random number of a predetermined bit length, and encrypts $S_Q$ with $K_{P\cdot Q} \oplus PZ_Q$ to obtain $E(S_Q, K_{P\cdot Q} \oplus PZ_Q)$; finally it sends $Q$ the message $(ID_Q, T_Q, Q_P, Tok_Q, H(ID_Q \| T_Q \| PZ_Q), E(S_Q, K_{P\cdot Q} \oplus PZ_Q))$.
After user $Q$ receives the message and verifies it, it first brute-forces $H(ID_Q \| T_Q \| PZ_Q)$ through exhaustive search to obtain $PZ_Q$, and then decrypts with $K_{P\cdot Q} \oplus PZ_Q$ to obtain $S_Q$. For the rest of the user login process, the fourth embodiment is identical to the second embodiment. When $Q$ contacts the security node to update its key pair, the security node generates a new cryptographic operation, and the user can obtain the new private key only after solving it.
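The issuance-and-solve exchange of the third and fourth embodiments, as an added example that is not code from the patent: the issuer builds $H(ID_N \| T_N \| PZ_N)$ and sends $S_N$ encrypted under $K_N \oplus PZ_N$, so the client can only recover $S_N$ by exhaustively searching $PZ_N$, and the bit length of $PZ_N$ sets the cost of each identity. Assumptions: $H$ is SHA-256 (the page leaves $H$ open), $E$ is a keystream XOR with an HMAC tag, $K_N$ is a 32-byte key from the earlier exchange, the pairing-based token $Tok_N$ is carried as an opaque placeholder, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

KEY_LEN = 32  # bytes; K_N from the earlier key exchange is assumed to be this long
TAG_LEN = 32


def identity(la_n: bytes, t_n: bytes) -> bytes:
    """ID_N = H3(LA_N, T_N) with H3 = SHA-1, as the page specifies."""
    return hashlib.sha1(la_n + t_n).digest()


def puzzle_hash(id_n: bytes, t_n: bytes, pz: bytes) -> bytes:
    """H(ID_N || T_N || PZ_N): concatenation, then SHA-256 (choice of H is an assumption)."""
    return hashlib.sha256(id_n + t_n + pz).digest()


def xor_key(k_n: bytes, pz: bytes) -> bytes:
    """K_N xor PZ_N: the short PZ_N is zero-padded on the left to the key length."""
    padded = pz.rjust(KEY_LEN, b"\x00")
    return bytes(a ^ b for a, b in zip(k_n, padded))


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E(plaintext, key): keystream XOR plus an HMAC tag, so the receiver can
    verify the message before using it (the integrity protection the page asks for)."""
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, b"tag" + body, hashlib.sha256).digest()
    return body + tag


def decrypt(key: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Inverse of encrypt; returns None when the tag does not verify."""
    body, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))


@dataclass
class IssuedIdentity:
    """What the issuer sends: (ID_N, T_N, Tok_N, H(ID_N||T_N||PZ_N), E(S_N, K_N xor PZ_N))."""
    id_n: bytes
    t_n: bytes
    tok_n: bytes          # pairing-based token; opaque placeholder here
    puzzle: bytes
    enc_private_key: bytes
    pz_bits: int          # bit length of PZ_N; the issuer tunes this to set the client's work


def issue(la_n, t_n, tok_n, s_n, k_n, pz_bits, rng=secrets.token_bytes):
    """Issuer side (cloud platform server in the third embodiment, security node in the fourth)."""
    id_n = identity(la_n, t_n)
    pz_len = (pz_bits + 7) // 8
    pz = int.from_bytes(rng(pz_len), "big") & ((1 << pz_bits) - 1)
    pz_bytes = pz.to_bytes(pz_len, "big")
    return IssuedIdentity(id_n, t_n, tok_n, puzzle_hash(id_n, t_n, pz_bytes),
                          encrypt(xor_key(k_n, pz_bytes), s_n), pz_bits)


def solve(msg: IssuedIdentity, k_n: bytes) -> Tuple[Optional[bytes], int]:
    """Client side: exhaustive search for PZ_N, then decrypt with K_N xor PZ_N.
    Returns (S_N or None, number of hash evaluations); expected work is 2^(pz_bits-1)."""
    pz_len = (msg.pz_bits + 7) // 8
    for candidate in range(1 << msg.pz_bits):
        pz_bytes = candidate.to_bytes(pz_len, "big")
        if puzzle_hash(msg.id_n, msg.t_n, pz_bytes) == msg.puzzle:
            s_n = decrypt(xor_key(k_n, pz_bytes), msg.enc_private_key)
            if s_n is not None:  # a wrong K_N (or a hash collision) fails the tag
                return s_n, candidate + 1
    return None, 1 << msg.pz_bits


if __name__ == "__main__":
    # Constructed sample values: public address:port, issue time, private key, K_N.
    k_n = secrets.token_bytes(KEY_LEN)
    msg = issue(b"203.0.113.7:40001", b"2015-05-27T00:00:00Z", b"Tok_N-placeholder",
                b"constructed-private-key-S_N", k_n, pz_bits=16)
    s_n, work = solve(msg, k_n)
    print("recovered:", s_n, "after", work, "hash evaluations")
```

Doubling `pz_bits` by one doubles the expected search, which is the knob the page describes for controlling the decryption difficulty.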
In another aspect of the invention, the component architecture that performs the method of the invention optionally includes a cloud platform server, a data owner, data providers and authorized data users. The data owner controls all rights over the data, distributes the public key, and instructs the data providers to upload the collected data encrypted under the public key. The data owner can process the combined data itself or authorize other users to use the encrypted data. Each data provider can contribute a small part of the data. The data owner or an authorized user can interact with the cloud platform server to complete data analysis or data mining tasks.
For the collected data, the data owner generates an $n$-dimensional random vector $b_0$ with $b_0 \in GF(2^p)$. $b_0$ is encrypted with the public key, i.e. $E(b_0) = (E(b_{01}), \ldots, E(b_{0n}))$, and then distributed to the data providers.
Data provider $i$ submits part of the rows of its matrix $A_i$ to the cloud storage in encrypted form. In addition, it computes the result $E(A_i b_0)$ using the following homomorphic algorithm and submits it to the data owner. Suppose a certain row of $A_i$ is $a$; then:
The number of elements in $E(A_i b_0)$ equals the number of rows the provider submits to the cloud platform server, and this number is usually 1. Finally, the data owner collects all $E(A_i b_0)$ and decrypts them to find $A b_0$.
In order to protect the security of the plaintext vectors submitted to the cloud platform server, the authorized data user must perform several steps to prepare for the perturbation method. The client then cooperates with the extension on the cloud platform server to complete the secure matrix-vector multiplication iteratively.
The authorized data user receives $E(b_0)$, $E(A b_0)$ and the decryption key from the data owner, then selects $m$ random $n$-dimensional vectors and sends them to the cloud platform server, where $m$ is small (e.g. $m = 5$). These random vectors are used to perturb and protect the vectors $\{b_i\}$ in each iteration. The present invention denotes them as the seed random vectors $\{s_i\}$, $i = 1, \ldots, m$, $s_i \in GF(2^p)$.
For each random vector $s_i$, the secure computation of $A_i s_i$ is carried out in the cloud platform server according to the following steps. For the $j$-th element $(A_i s_i)_j$ of the result vector:
where $s_{ik}$ denotes the $k$-th element of vector $s_i$ and $A_{jk}$ denotes the $(j, k)$-th element of matrix $A$. $E(A s_i)$ is sent back to the client for later decryption and processing. After the preparation stage, the authorized user retains the random vectors $S = \{s_i\}$ and the result vectors $A_s = (A s_i)$, $i = 1, \ldots, m$.
The iteration phase starts from the random vector $b_0$ and performs $b_{k+1} = A b_k / \|A b_k\|$ together with the other inexpensive steps described for the dominant eigenvalue. In each iteration $b_i$ must be kept secret; otherwise the eigenvector leaks. The privacy of the computation is protected by the following method.
$E(A b_i)$ is computed from $E(A)$ and $b_i$. Before $b_i$ is sent to the cloud platform server, the present invention designs a perturbation method to protect $b_i$. The basic idea is to use a random vector $r_i$ and send $b'_i$ to the cloud platform server:
$$b'_i = b_i + r_i \bmod q$$
where $q$ is a large random prime, large enough to cover all values in the application domain. $r_i$ is designed from the seed random vectors generated in the preparation stage.
where $i = 1, \ldots, k$, and $\alpha_{il}$ and $\beta_{ij}$ are chosen at random from $q$. $\{A s_k\}$ and $\{A b_j\}$, $j < i$, were computed in the preparation stage and the previous steps, and $A r_i$ is:
The client sets $b'_i = b_i + r_i \bmod q$; $E(A b'_i)$ is then computed and the result returned. The client decrypts $E(A b'_i)$ to obtain $A b'_i$. Then $A b_i = A b'_i - A r_i \bmod q$, so the next iteration can compute $b_{i+1} = A b_i / \|A b_i\|$.
The client passes the perturbed vector $b'_i$ as a parameter to the distributed computation program, and the cloud platform server computes and returns $A b'_i$. The distributed computation method used by the cloud platform server to compute $E(A b'_i)$ is described below. The map function uses the vector multiplication formula above and emits results keyed by row number. The map output is split and sorted by row number, then sent to the corresponding distributed nodes, which write the data segments to disk.
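The perturbed matrix-vector step above, as an added example that is not the patent's code: the authorized user blinds $b_i$ with $r_i$ built from the seed vectors, the server multiplies only $b'_i$, and the user removes $A r_i$ from the pre-computed $\{A s_l\}$ and $\{A b_j\}$ without a second round trip. Assumed: arithmetic is on plain integers mod $q$ (the page's encryption $E$ of $A$ is left out so the unblinding algebra is visible), $r_i = \sum_l \alpha_{il} s_l + \sum_{j<i} \beta_{ij} b_j$, a form consistent with the page but not written out on it, and the matrix and vectors are constructed sample values.

```python
import random

Q = 1_000_003  # a large prime q; the page only requires it to cover the application domain


def matvec(a, v, q=Q):
    """A.v over the integers mod q (the server's row-by-row multiplication)."""
    return [sum(a[j][k] * v[k] for k in range(len(v))) % q for j in range(len(a))]


def vec_add(u, v, q=Q):
    return [(x + y) % q for x, y in zip(u, v)]


def vec_scale(c, v, q=Q):
    return [(c * x) % q for x in v]


class CloudServer:
    """Holds A and only ever receives perturbed vectors b'_i (and the seeds s_l)."""

    def __init__(self, a):
        self.a = a
        self.seen = []  # everything the server learns: a log of every vector received

    def multiply(self, v):
        self.seen.append(list(v))
        return matvec(self.a, v)


class AuthorizedUser:
    def __init__(self, server, seeds, q=Q, rng_seed=0):
        self.server = server
        self.q = q
        self.rng = random.Random(rng_seed)           # deterministic for the worked example
        self.seeds = seeds                           # S = {s_l}, kept by the user
        self.a_s = [server.multiply(s) for s in seeds]  # A_s = {A s_l}: preparation stage
        self.history = []                            # (b_j, A b_j) for j < i

    def perturbed_step(self, b):
        """One iteration: send b'_i = b_i + r_i mod q, receive A b'_i, recover A b_i."""
        rows = len(self.a_s[0])
        alphas = [self.rng.randrange(1, self.q) for _ in self.seeds]
        betas = [self.rng.randrange(1, self.q) for _ in self.history]
        # r_i = sum_l alpha_il s_l + sum_{j<i} beta_ij b_j  (assumed form, see lead-in);
        # A r_i is assembled from {A s_l} and {A b_j} by linearity, locally.
        r, a_r = [0] * len(b), [0] * rows
        for alpha, s, a_s in zip(alphas, self.seeds, self.a_s):
            r = vec_add(r, vec_scale(alpha, s))
            a_r = vec_add(a_r, vec_scale(alpha, a_s))
        for beta, (b_j, a_b_j) in zip(betas, self.history):
            r = vec_add(r, vec_scale(beta, b_j))
            a_r = vec_add(a_r, vec_scale(beta, a_b_j))
        b_prime = vec_add(b, r)
        a_b_prime = self.server.multiply(b_prime)     # server sees b'_i only
        a_b = [(x - y) % self.q for x, y in zip(a_b_prime, a_r)]  # A b_i = A b'_i - A r_i mod q
        self.history.append((list(b), a_b))
        return a_b


def run_demo():
    """Two iterations on a constructed 3x3 matrix; returns (A b_0, A b_1, server log)."""
    a = [[2, 1, 0], [1, 3, 1], [0, 1, 4]]
    server = CloudServer(a)
    user = AuthorizedUser(server, seeds=[[1, 2, 3], [4, 5, 6]])
    b0 = [5, 7, 9]
    a_b0 = user.perturbed_step(b0)
    a_b1 = user.perturbed_step(a_b0)   # normalisation is skipped in this modular toy
    return a_b0, a_b1, server.seen


if __name__ == "__main__":
    print(run_demo())
```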
In summary, the method of the invention can effectively solve the problem of illegal users attacking through network logical addresses, guarantees the security of the system, and is suitable for cloud storage systems.
Obviously, those skilled in the art will appreciate that each of the above modules or steps of the invention can be realized with a general-purpose computing system; they can be concentrated in a single computing system or distributed over a network formed by multiple computing systems, and optionally they can be realized with program code executable by a computing system, so that they can be stored in a storage system and executed by a computing system. Thus the invention is not restricted to any specific combination of hardware and software.
It should be understood that the above embodiments of the invention are used only to exemplify or explain the principle of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent substitution, improvement, etc. made without departing from the spirit and scope of the invention should be included in the scope of protection of the invention. Furthermore, the appended claims are intended to cover all changes and modifications that fall within the scope and boundary of the claims, or within equivalents of that scope and boundary.
Claims (1)
- 1. A cloud platform big data access method, characterised in that it comprises:
  The cloud platform server generates two additive groups G_0 and G_1 of prime order p and a bilinear map e: G_0 × G_0 → G_1; it selects a random element s_0 from the Galois field GF(2^p) as the master key and computes its public key Q_0 = s_0·P_0, where P_0 is a generator of G_0; it pre-selects hash functions H_1 and H_2 and the SHA-1 cryptographic hash function H_3; and it distributes the key parameters (G_0, G_1, e, P_0, Q_0, H_1, H_2) to users.
  The cloud platform server selects a security node P; security node P obtains its identity ID_P and private key S_P from the cloud platform server, selects a random element s_P from GF(2^p) as its own master key, and computes its public key Q_P = s_P·P_0. User Q obtains the address of security node P from the cloud platform server and then joins the system through security node P.
  User Q sends its network logical address LA_Q to security node P. Security node P verifies user Q by callback, that is, it establishes a connection to LA_Q and transmits all responses to the request over that connection, so as to confirm that user Q really possesses LA_Q. Security node P and user Q then perform a key exchange and generate a symmetric key K_{P·Q}, which is used to encrypt the subsequently generated private key for transmission and to protect the integrity of the transmitted messages.
  Security node P assigns user Q an identity ID_Q and the time T_Q at which it is produced, generates the corresponding private key S_Q, and generates a token with which other nodes verify the identity of user Q, namely:
  1) obtain the time T_Q at which the identity of user Q is produced, and compute the identity of user Q as ID_Q = H_3(LA_Q, T_Q);
  2) compute the public key of user Q as P_Q = H_1(ID_Q);
  3) compute the private key of user Q as S_Q = S_P + s_P·P_Q, and encrypt it with K_{P·Q} to obtain E(S_Q, K_{P·Q});
  4) compute the token Tok_Q = S_P + s_P·H_2(ID_Q, T_Q);
  5) send (ID_Q, T_Q, Q_P, Tok_Q, E(S_Q, K_{P·Q})) to user Q.
  After user Q receives the message, it verifies the message and then decrypts with K_{P·Q} to obtain S_Q.
  When user Q contacts another node R, it sends (ID_Q, ID_P, T_Q, Q_P, Tok_Q); node R confirms with the cloud platform server whether ID_P is a security node and, if it is not, refuses user Q; otherwise node R computes and checks whether e(P_0, Tok_Q) = e(Q_0, P_P)·e(Q_P, H_2(ID_Q, T_Q)) holds; if it holds, node R determines that user Q has a legitimate identity and establishes contact with user Q; otherwise user Q is refused.
  After the valid identity of user Q expires, user Q contacts node P to update its key pair: user Q sends (LA_Q, T_Q, Tok_Q) to node P, P verifies user Q and, if verification passes, sends user Q the updated identity, time, private key and token. If P has left the system, user Q obtains the address of a new security node from the cloud platform server and sends (LA_Q, ID_P, T_Q, Q_P, Tok_Q) to it, and the new security node updates the key pair for Q.
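As an added illustration (not code from the patent), the token issuance steps 1)-5) and node R's pairing check above, implemented over a constructed toy bilinear map so that e(P_0, Tok_Q) = e(Q_0, P_P)·e(Q_P, H_2(ID_Q, T_Q)) can be verified by hand. Assumptions: the toy pairing e(A, B) = g^(A·B) mod q is bilinear but offers no security, the security node's private key is S_P = s_0·H_1(ID_P) (the claim does not state its form, but the e(Q_0, P_P) term requires it), and H_1/H_2 are SHA-256 reduced into G_0.

```python
import hashlib
import secrets

# Constructed toy parameters (not secure): G0 = (Z_p, +) with generator P0 = 1,
# G1 = the order-p subgroup of Z_q^* (p divides q - 1), and e(A, B) = g^(A*B) mod q,
# which is bilinear but trivially breakable; a real deployment uses a pairing-friendly curve.
p, q = 101, 607
g = pow(2, (q - 1) // p, q)  # element of order p in Z_q^*
P0 = 1                       # generator of G0

def e(a, b):
    """Toy bilinear map e: G0 x G0 -> G1."""
    return pow(g, (a * b) % p, q)

def H1(identity):            # assumed: SHA-256 mapped into G0 (non-zero)
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % p or 1

def H2(identity, t):         # assumed: SHA-256 of (ID, T) mapped into G0 (non-zero)
    return int.from_bytes(hashlib.sha256(f"{identity}|{t}".encode()).digest(), "big") % p or 1

def H3(la, t):               # SHA-1 of (LA, T), as the claim specifies, gives the identity
    return hashlib.sha1(f"{la}|{t}".encode()).hexdigest()

def setup():
    """Cloud platform server: master key s0 and public key Q0 = s0*P0."""
    s0 = secrets.randbelow(p - 1) + 1
    return s0, (s0 * P0) % p

def register_security_node(s0, id_p):
    """Server issues node P its private key; S_P = s0*H1(ID_P) is assumed, as the
    verification term e(Q0, P_P) requires. P also picks its own master key s_P."""
    s_p = secrets.randbelow(p - 1) + 1
    return {"id": id_p, "S": (s0 * H1(id_p)) % p, "s": s_p, "Q": (s_p * P0) % p}

def issue_user(node, la_q, t_q):
    """Steps 1)-5): identity ID_Q, private key S_Q and token Tok_Q for user Q."""
    id_q = H3(la_q, t_q)
    s_q = (node["S"] + node["s"] * H1(id_q)) % p
    tok_q = (node["S"] + node["s"] * H2(id_q, t_q)) % p
    return {"ID": id_q, "T": t_q, "IDP": node["id"], "QP": node["Q"], "Tok": tok_q}, s_q

def verify_at_node_r(Q0, security_nodes, msg):
    """Node R: reject unless ID_P is a registered security node, then check
    e(P0, Tok_Q) == e(Q0, P_P) * e(Q_P, H2(ID_Q, T_Q)) in G1."""
    if msg["IDP"] not in security_nodes:
        return False
    lhs = e(P0, msg["Tok"])
    rhs = (e(Q0, H1(msg["IDP"])) * e(msg["QP"], H2(msg["ID"], msg["T"]))) % q
    return lhs == rhs
```

A token altered in transit, or one issued by a node whose S_P was not derived from the platform's s_0, fails the pairing check even when the node name is in the registry.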
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510279993.5A CN105007259B (en) | 2015-05-27 | 2015-05-27 | Cloud platform big data access method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105007259A CN105007259A (en) | 2015-10-28 |
CN105007259B true CN105007259B (en) | 2018-03-02 |
Family
ID=54379782
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510279993.5A Active CN105007259B (en) | 2015-05-27 | 2015-05-27 | Cloud platform big data access method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105007259B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102611749A (en) * | 2012-01-12 | 2012-07-25 | 电子科技大学 | Cloud-storage data safety auditing method |
CN102984156A (en) * | 2012-11-30 | 2013-03-20 | 无锡赛思汇智科技有限公司 | Verifiable distributed privacy data comparing and sorting method and device |
CN103067374A (en) * | 2012-12-26 | 2013-04-24 | 电子科技大学 | Data safety audit method based on identification |
- 2015-05-27 CN CN201510279993.5A patent/CN105007259B/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||