CN105790929A - High-efficient access control method based on rule redundancy elimination in encryption environment - Google Patents

High-efficient access control method based on rule redundancy elimination in encryption environment Download PDF

Info

Publication number
CN105790929A
CN105790929A CN201610245485.XA CN201610245485A CN105790929A CN 105790929 A CN105790929 A CN 105790929A CN 201610245485 A CN201610245485 A CN 201610245485A CN 105790929 A CN105790929 A CN 105790929A
Authority
CN
China
Prior art keywords
node
secret
leaf
algorithm
nodes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610245485.XA
Other languages
Chinese (zh)
Other versions
CN105790929B (en
Inventor
崔勇
唐翯祎
吴建平
任奎
翁健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Jinan University
University of Jinan
Original Assignee
Tsinghua University
Jinan University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University, Jinan University filed Critical Tsinghua University
Priority to CN201610245485.XA priority Critical patent/CN105790929B/en
Publication of CN105790929A publication Critical patent/CN105790929A/en
Application granted granted Critical
Publication of CN105790929B publication Critical patent/CN105790929B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

A high-efficient access control method based on rule redundancy elimination in an encryption environment is disclosed. In a cryptograph construction process, secret of each left is determined according to the attributes of each leaf node, and secrets of non-leaf nodes are constructed from leaves upwards according to a tree construction, so that all nodes secrets can be determined to prevent redundant calculation through recursion construction. Elimination of redundant data and calculation is realized during cryptograph construction according to access control rules under a cloud storage access control situation based on attribute-based encryption, thereby reducing calculating and storage consumption. Compared with the prior art, the method greatly reduces calculating and storage consumption during encryption and decryption processes. The method is a general solution and is applicable to attribute-based encryption schemes of different kinds.

Description

Efficient access control method in the encryption environment that a kind of rule-based redundancy eliminates
Technical field
The invention belongs to Internet technical field and technical field of data security, particularly relate to user to carry out the scene of data interaction with incomplete credible cloud service, for efficient access control method in the encryption environment that a kind of rule-based redundancy eliminates, by utilizing NETCONF agreement in 4over6 Access Network interim network scene so that Virtual network operator can forward Policy Table's item in Remote configuration transitional facility.
Background technology
Along with the high speed development of the Internet, user data gets more and more, and cloud service becomes more and more important, and increasing user selects that the data of oneself are put into high in the clouds and stores.And high in the clouds is as the third-party server not controlled by oneself, safety and privacy are not readily available guarantee.Major part cloud service is half credible cloud service, and they can provide correct service logic, but is meanwhile likely to steal a glance at user data, and reveals privacy.
In this case, in an encrypted form data are stored on cloud to be following development trend, and on this basis, how to continue to provide usual service to become new problem.Access control is a service common in cloud storage service, for the access control problem adding ciphertext data, Waters et al. proposes attribute base encryption technology, in the attribute base encryption technology of ciphertext, each user will be assigned to several attributes, a data will define an access control rule being made up of each attribute when uploading, and data will be encrypted based on this rule and upload.After user downloads data, the attribute of and if only if user self with access rule meet time, could correctly decipher this data, reach to access the purpose controlled with this.Specifically, attribute base encrypted packet is containing following components.
Attribute certification authority: attribute certification authority is a believable authoritative institution, belongs to PKI infrastructure, it according to the attribute base scheme specifically chosen, can generate suitable parameter, and generate PKI for the community set in system, encrypt for data owner.It is for the community set of each different user simultaneously, generates the private key that each user is corresponding, solves ciphertext data for visitor.
Cloud Server: Cloud Server provides uploading and download function of data, it is considered as half believable, that is, Cloud Server can verily upload and download according to the flow performing of regulation, but it is likely to the leaking data of user to assailant, therefore the data uploaded up itself need to ensure confidentiality, but need not be anti-tamper.
Data owner: data owner is desirable to the user that data sharing is gone out, the PKI of his first reading attributes certification authority, then for his each number evidence, he will set an access control rule, then the algorithm specified according to scheme performs encryption, then the ciphertext after encryption is uploaded to Cloud Server.
Data user: data user is the user reading the data that owner shares out, first they can take, from attribute certification authority, the private key that their attribute is corresponding, when they need to read data, the data that owner uploads will be downloaded from Cloud Server, then ciphertext is decrypted by the private key of oneself according to corresponding rule, when the community set of and if only if user meets access control rule, user could decipher these data.
Fig. 1 illustrates the overall workflow of this framework, and under this framework, the encryption of attribute base mainly comprises following key algorithm:
System initialization: algorithm by attribute certification authority in initial execution, input for attribute complete or collected works U, is output as PKI PK corresponding for U and master key MK, and wherein PKI PK can be disclosed in system all members, master key MK is the private information of attribute certification authority, need to ensure safety.After step (1) namely calls initialization algorithm in figure, system PKI is issued data owner.
Key generates: algorithm is performed by attribute certification authority, the community set S that input is some user and the master key MK of generation in initialization procedure, it is output as property set S correspondence private key for user SK, this algorithm is in certain user's addition system, perform during attribute certification authority distribution key, then SK will be sent to corresponding user privately, and user need to ensure the confidentiality of SK.In step (2), attribute certification authority generates private key according to the community set of data user, is then issued to user.
Encryption: AES is performed by data owner, inputs as PKI PK, message M to be encrypted and access control rule A, is output as ciphertext CT.In step (3), the regular A that data owner sets M by performing this algorithm according to him is encrypted, and after obtaining ciphertext CT, uploads it to Cloud Server and accesses for other users.
Deciphering: decipherment algorithm is performed by data user, inputs as ciphertext CT, PKI PK and private key for user SK.In step (4), the ciphertext that data user uploads data owner from Cloud Server downloads, then pass through public information and the private key of oneself is attempted ciphertext CT is decrypted, algorithm need to ensure that and if only if when community set S corresponding for private key SK meets access control rule A corresponding for ciphertext CT, and algorithm could correctly be deciphered these data and obtain original plaintext M.
By above structure, a complete access controls system and namely can erect, and data correctly can be shared with other users according to rule by data owner.
In attribute base encryption technology, the specific configuration scheme of enciphering and deciphering algorithm is: for an access control rule (AANDB) OR (CANDDANDE), first scheme will construct a secret s.According to the expression that rule is concrete, it is secret that s will be split into many height, each entry (A, B, C, D, E) in corresponding rule so that a few row secrets satisfied condition just can re-construct s.Finally, each height is secret to be encrypted PKI relevant for the attribute using each row corresponding respectively, forms final ciphertext.
For each group of be-encrypted data and access control rule, he can individually construct a secret and construct corresponding ciphertext, and ciphertext data volume is relatively big, when be-encrypted data is more, huge storage overhead can be produced, when calculating, also can produce huge computing cost.
Summary of the invention
For the shortcoming overcoming above-mentioned prior art, it is an object of the invention to provide efficient access control method in the encryption environment that a kind of rule-based redundancy eliminates, for having more number according to when to be encrypted, suitable method is used to find out the redundancy section in the middle of access control rule, and redesign enciphering and deciphering algorithm, redundancy in eliminating ciphertext storage and calculating, thus reaching to reduce the purpose of storage and computing cost.
To achieve these goals, the technical solution used in the present invention is:
Efficient access control method in the encryption environment that a kind of rule-based redundancy eliminates, in ciphertext constructs, the secret of each leaf is first determined according to leaf node attribute, up construct the secret of non-leaf nodes again from leaf by tree construction, so that it is determined that the secret of all nodes, then recurrence Construction prevents redundant computation from occurring.
Before determining the secret of each leaf, access can be first carried out and control tree construction adjustment algorithm, corresponding for the access control rule of input access is controlled the structure that tree is adjusted to unified, differs preventing the access control structure of identical table Danone power to be judged as, it is ensured that the accuracy of judgement.
Described control tree construction adjustment algorithm is from accessing the recursive algorithm that control root vertex starts to perform, comprising the steps:
Step 1: judge to be currently entered node N (being initially root node) whether as AND node or OR node, if it is not, go to step 5;
Step 2: initializing child nodes set S is empty set, and node set S ' to be tested is all child nodes being currently entered node N;
All child nodes of N ' if node type is identical with being currently entered node N, are then added in node set S ' to be tested by step 3: the node N ' in cyclic access node set S ' to be tested, and N ' otherwise directly puts into child nodes set S;
Step 4: set up filiation for all nodes in present node N and child nodes set S so that in set S, all nodes all become the child nodes of N;
Step 5: all child nodes these algorithms of recursive call to present node.
The described secret method determining each leaf according to leaf node attribute is to randomly select some secrets according to leaf node attribute, is then assigned to leaf node, specifically includes following two step:
Step 1. takes out whole community set, for each attribute, randomly selects the numerical value secret as it, and ith attribute obtains secret s [i];
Step 2. traversal accesses all leaf nodes controlling tree, for node N, secret corresponding for the attribute of N is assigned to N, that is, it is assumed that the attribute of N is A (N), then s [N]=s [A (N)].
After leaf node secret is determined, performing non-leaf nodes secret construction algorithm, make non-leaf nodes by being constructed the secret of each node toward root from leaf by the mode of recurrence, ultimately generate the secret of each file, the root that namely corresponding access controls to set is secret.
Described non-leaf nodes secret construction algorithm is the recursive algorithm started from root node, comprises the steps:
Step 1: call redundancy decision algorithm, if being currently entered node N is the redundant node occurred, then directly accesses corresponding secret, otherwise goes to step 2;
Step 2: all child nodes of all N are called node secret construction algorithm by recurrence, obtain the secret of each child nodes;
Step 3: if being currently entered node N is AND node, directly uses Lagrange's interpolation to generate the secret of present node, goes to step 5, otherwise go to step 4;
Step 4: be currently entered the non-AND node of node N, then first randomly select the secret secret value as N, and the new secret of each child node of correspondence is calculated by Lagrange's interpolation, to each child node, generate extraneous information, safeguard the secret of child node itself with harsh become new secret between contact, preserve this extraneous information;
Step 5: the secret being currently entered node N and its correspondence is stored in redundancy Hash table.
Further, the unnecessary non-leaf nodes that ability to express is identical can be merged so that originally structure is different but some rules that ability to express is identical will be adjusted to consistent structure.
By introducing redundancy decision algorithm so that calculating process is avoided the structure occurred by double counting, simultaneously by introducing extraneous information so that the process of de-redundancy can guarantee that the correctness of algorithm.When certain node of recursive calculation secret, perform to access and control subtree redundancy decision algorithm, first carry out a redundancy and judge, then decide whether to be calculated, reuse and double counting to prevent from accessing the ciphertext controlling two identical nodes of sub-tree structure.
The described core controlling subtree redundancy decision algorithm that accesses is to generate to access the cryptographic Hash controlling subtree, and the algorithm that Hash generates is a recursive algorithm by root node, comprises the steps:
Step 1: call this algorithm, generates each child node cryptographic Hash of present node;
Step 2: all child node cryptographic Hash are pressed lexcographical order sequence, obtains Hash sequence { H1,H2,…}
Step 3: using this node type and above-mentioned Hash sequence as input, calls a hash function accepting random length input, obtains present node cryptographic Hash.
Simultaneously by introducing extraneous information so that the process of de-redundancy can guarantee that the correctness of algorithm.
The present invention passes through recursive call self on each leaf node, and form leaf node Hash sequence, then own type is put in Hash evaluation process so that the different access that structure is identical controls subtree one and obtains identical cryptographic Hash surely, and complexity is linear.
Note: in rooted tree structure, for any one node, the node being connected with it up is father's node, and all nodes being connected with it in lower section are his child nodes.Root node is positioned at the top, it does not have father's node.Leaf node is positioned at lowermost end, it does not have child nodes.Node outside disleaf child node is non-leaf nodes.Referring to textbook " graph theory and Algebraic Structure ".
The present invention accesses in the cloud storage encrypted based on attribute base and controls under scene, it is achieved that when constructing ciphertext according to access control rule, and the elimination to redundant data and calculating reaches to reduce the purpose calculated with storage overhead.
Compared with prior art, have an advantage in that: computing cost that one has been greatly decreases in encryption process and storage overhead;Two is him is a general solution, it is possible to suitable in different types of attribute base encipherment scheme.
Accompanying drawing explanation
Fig. 1 is attribute-based encryption system block schematic illustration.
Fig. 2 accesses in the embodiment of the present invention to control tree schematic diagram.
Fig. 3 is secret organigram in the embodiment of the present invention.
Detailed description of the invention
Embodiments of the present invention are described in detail below in conjunction with drawings and Examples.
Access control rule generally can be write as accesses the pattern controlling tree, as shown in Figure 1, rule respectively " (department of computer science AND student) OR (Department of Electronics AND student) " that two files are corresponding and " teacher OR (department of computer science AND student) ", and the attribute base AES on basis choose secret s will to respectively two files0With s1, then it is split to respectively on the leaf node of each rule, and is encrypted.
The secret of each leaf node, in ciphering process, not in use by first choosing the secret means split again on root, and in turn by each attribute, is first chosen according to attribute, is more up constructed the secret of non-leaf nodes in order by the scheme that the present invention proposes.Under such premise, the secret that identical minor structure obtains must be identical, then in encryption process, the part of redundancy can be eliminated originally.
Specifically, technical scheme comprises following main flow:
Access and control tree construction adjustment: the access corresponding firstly for the access control rule of input controls tree, differ to prevent the access control structure of identical ability to express to be judged as, all of access controls tree will be adjusted to unified structure, it is ensured that the accuracy of judgement;
Leaf node secret constructs: in each Classification Documents construction process, scheme is firstly the need of the secret determining all leaf nodes, due to a leaf node necessarily corresponding attribute, scheme each distributes a secret by first giving the attribute on all leaves, each leaf then directly uses the secret that its attribute is corresponding so that the duplicate attribute on leaf can avoid redundancy;
Non-leaf nodes secret constructs: after leaf node secret is determined, non-leaf nodes will construct the secret of each node by the mode of recurrence from leaf toward root, is ultimately generated the secret (namely the corresponding root secret accessing control tree) of each file by such flow process.
Access and control the judgement of subtree redundancy: in non-leaf nodes secret construction process, need to prevent accessing the ciphertext controlling two identical nodes of sub-tree structure to reuse and double counting, therefore when certain node of recursive calculation secret, need first to carry out a redundancy to judge, then decide whether to be calculated.
Being embedded in the enciphering and deciphering algorithm of attribute base encryption by above four flow processs present invention comprised, the redundancy that namely can realize attribute base encrypted cipher text eliminates.
Accessing control tree construction adjustment algorithm is that main algorithm step is as follows from accessing the recursive algorithm that control root vertex starts to perform:
Step 1: judge to be currently entered node N (being initially root node) whether as AND node or OR node, if it is not, go to step 5;
Step 2: initializing child nodes set S is empty set, and node set S ' to be tested is all child nodes being currently entered node N;
All child nodes of N ' if node type is identical with being currently entered node N, are then added in node set S ' to be tested by step 3: the node N ' in cyclic access node set S ' to be tested, and N ' otherwise directly puts into child nodes set S;
Step 4: set up filiation for all nodes in present node N and child nodes set S so that in set S, all nodes all become the child nodes of N;
Step 5: all child nodes these algorithms of recursive call to present node.
Non-leaf nodes secret construction algorithm is similarly the recursive algorithm started from root node, and algorithm steps is as follows:
Step 1: call redundancy decision algorithm, if being currently entered node N is the redundant node occurred, then directly accesses corresponding secret, otherwise goes to step 2;
Step 2: all child nodes of all N are called node secret construction algorithm by recurrence, obtain the secret of each child nodes;
Step 3: if being currently entered node N is AND node, directly uses Lagrange's interpolation to generate the secret of present node, goes to step 5, otherwise go to step 4;
Step 4: be currently entered the non-AND node of node N, then first randomly select the secret secret value as N, and the new secret of each child node of correspondence is calculated by Lagrange's interpolation, to each child node, generate extraneous information, safeguard the secret of child node itself with harsh become new secret between contact, preserve this extraneous information;
Step 5: the secret being currently entered node N and its correspondence is stored in redundancy Hash table.
In redundancy determination flow, the technical thought of core is to set up a redundancy Hash table, to control minor structure one cryptographic Hash of generation for each access, then cryptographic Hash is put into this Hash table with corresponding secret value, then judge to have only in inquiry Hash table whether existence is worth.
Therefore the core that redundancy judges is to generate to access the cryptographic Hash controlling subtree, and the algorithm that Hash generates is a recursive algorithm by root node equally, comprises the steps of.
Step 1: call this algorithm, generates each child node cryptographic Hash of present node
Step 2: all child node Hash are pressed lexcographical order sequence, obtains Hash sequence { H1,H2,…}
Step 3: using this node type and above-mentioned Hash sequence as input, calls a hash function accepting random length input, obtains present node cryptographic Hash.
What Fig. 3 provided is one exemplary embodiment of the present invention, two files and two rules accessing control tree representation are had when initially entering, step (1) is called access and is controlled tree construction adjustment algorithm, the AND node controlled in tree that accesses making two files all adjusts consistent structure, step (2) carries out leaf node secret structure afterwards, obtain the secret value that each attribute is corresponding, then step (3), (4) represent that calling non-leaf nodes secret constructs and redundancy decision algorithm, according to order from bottom to top, calculate the secret value of each node, and obtain the secret value s of two files0With s1
This flow process calls when encryption, and after having called, AES is encrypted with traditional attribute base encipherment scheme further according to the secret value of each node, can obtain final ciphertext.
To sum up, the present invention, in encryption cloud storage, uses the encryption of attribute base to realize accessing under the scene controlled, by the access control rule of comparison difference file, and revises original ciphertext Constructing Policy, it is achieved attribute base encrypted cipher text partial redundance eliminates.The present invention is amendment and the extension of enciphering and deciphering algorithm in original attribute base encryption technology, and the core concept of the present invention is reuse part identical in different access rule.

Claims (10)

1. efficient access control method in the encryption environment of a rule-based redundancy elimination, it is characterized in that, in ciphertext constructs, the secret of each leaf is first determined according to leaf node attribute, up construct the secret of non-leaf nodes again from leaf by tree construction, so that it is determined that the secret of all nodes, then recurrence Construction prevents redundant computation from occurring.
2. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 1, it is characterized in that, before determining the secret of each leaf, first carry out access and control tree construction adjustment algorithm, corresponding for the access control rule of input accessing is controlled the structure that tree is adjusted to unified, differ preventing the access control structure of identical table Danone power to be judged as, it is ensured that the accuracy of judgement.
3. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 2, it is characterised in that it is from accessing the recursive algorithm that control root vertex starts to perform, comprising the steps: that described access controls tree construction adjustment algorithm
Step 1: judge to be currently entered node N whether as AND node or OR node, if it is not, go to step 5;
Step 2: initializing child nodes set S is empty set, and node set S ' to be tested is all child nodes being currently entered node N;
All child nodes of N ' if node type is identical with being currently entered node N, are then added in node set S ' to be tested by step 3: the node N ' in cyclic access node set S ' to be tested, and N ' otherwise directly puts into child nodes set S;
Step 4: set up filiation for all nodes in present node N and child nodes set S so that in set S, all nodes all become the child nodes of N;
Step 5: all child nodes these algorithms of recursive call to present node.
4. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 1, it is characterized in that, the described secret method determining each leaf according to leaf node attribute is to randomly select some secrets according to leaf node attribute, then it is assigned to leaf node, specifically includes following two step:
Step 1. takes out whole community set, for each attribute, randomly selects the numerical value secret as it, and ith attribute obtains secret s [i];
Step 2. traversal accesses all leaf nodes controlling tree, for node N, secret corresponding for the attribute of N is assigned to N, that is, it is assumed that the attribute of N is A (N), then s [N]=s [A (N)].
5. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 4, after leaf node secret is determined, perform non-leaf nodes secret construction algorithm, make non-leaf nodes will be constructed the secret of each node toward root from leaf by the mode of recurrence, ultimately generate the secret of each file, i.e. the corresponding root secret accessing control tree.
6. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 5, it is characterised in that described non-leaf nodes secret construction algorithm is the recursive algorithm started from root node, comprises the steps:
Step 1: call redundancy decision algorithm, if being currently entered node N is the redundant node occurred, then directly accesses corresponding secret, otherwise goes to step 2;
Step 2: all child nodes of all N are called node secret construction algorithm by recurrence, obtain the secret of each child nodes;
Step 3: if being currently entered node N is AND node, directly uses Lagrange's interpolation to generate the secret of present node, goes to step 5, otherwise go to step 4;
Step 4: be currently entered the non-AND node of node N, then first randomly select the secret secret value as N, and the new secret of each child node of correspondence is calculated by Lagrange's interpolation, to each child node, generate extraneous information, safeguard the secret of child node itself with harsh become new secret between contact, preserve this extraneous information;
Step 5: the secret being currently entered node N and its correspondence is stored in redundancy Hash table.
7. efficient access control method in the encryption environment that rule-based redundancy according to claim 1 or 5 or 6 eliminates, it is characterised in that the unnecessary non-leaf nodes that ability to express is identical is merged.
8. efficient access control method in the encryption environment that rule-based redundancy according to claim 5 or 6 eliminates, it is characterized in that, when certain node of recursive calculation secret, perform to access and control subtree redundancy decision algorithm, first carry out a redundancy to judge, decide whether again to be calculated, to prevent the ciphertext accessing two identical nodes of control sub-tree structure from reusing and double counting.
9. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 8, it is characterized in that, the described core controlling subtree redundancy decision algorithm that accesses is to generate to access the cryptographic Hash controlling subtree, the algorithm that Hash generates is a recursive algorithm by root node, comprises the steps:
Step 1: call this algorithm, generates each child node cryptographic Hash of present node;
Step 2: all child node cryptographic Hash are pressed lexcographical order sequence, obtains Hash sequence { H1,H2,…}
Step 3: using this node type and above-mentioned Hash sequence as input, calls a hash function accepting random length input, obtains present node cryptographic Hash.
10. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 1, it is characterised in that
By introducing redundancy decision algorithm so that calculating process is avoided the structure occurred by double counting, simultaneously by introducing extraneous information so that the process of de-redundancy can guarantee that the correctness of algorithm;
By recursive call self on each leaf node, and form leaf node Hash sequence, then own type is put in Hash evaluation process so that the different access that structure is identical controls subtree one and obtains identical cryptographic Hash surely, and complexity is linear.
CN201610245485.XA 2016-04-19 2016-04-19 Access control method in a kind of encryption environment that rule-based redundancy is eliminated Active CN105790929B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610245485.XA CN105790929B (en) 2016-04-19 2016-04-19 Access control method in a kind of encryption environment that rule-based redundancy is eliminated

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610245485.XA CN105790929B (en) 2016-04-19 2016-04-19 Access control method in a kind of encryption environment that rule-based redundancy is eliminated

Publications (2)

Publication Number Publication Date
CN105790929A true CN105790929A (en) 2016-07-20
CN105790929B CN105790929B (en) 2018-12-28

Family

ID=56397968

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610245485.XA Active CN105790929B (en) 2016-04-19 2016-04-19 Access control method in a kind of encryption environment that rule-based redundancy is eliminated

Country Status (1)

Country Link
CN (1) CN105790929B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378109A (en) * 2019-06-26 2019-10-25 中国科学院信息工程研究所 Reduce the method and system of chain type Hash stack performance loss
CN110445793A (en) * 2019-08-13 2019-11-12 四川长虹电器股份有限公司 A kind of analysis method for the analysis engine possessing the irredundant calculating of node thread rank
CN110647322A (en) * 2019-08-15 2020-01-03 北京三快在线科技有限公司 List rendering method and device, electronic equipment and computer readable medium
CN112565167A (en) * 2019-09-26 2021-03-26 华为数字技术(苏州)有限公司 Method for detecting access control list ACL and network equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102810141A (en) * 2011-06-01 2012-12-05 哈尔滨市和协岛数码科技有限公司 Software lease authorization method based on attribute encryption
CN103220291A (en) * 2013-04-09 2013-07-24 电子科技大学 Access control method base on attribute encryption algorithm
CN104572430A (en) * 2013-10-24 2015-04-29 腾讯科技(深圳)有限公司 Method, device and system for testing terminal application interface
CN105141574A (en) * 2015-06-12 2015-12-09 深圳大学 Cloud storage cipher text access control system based on table attributes

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102810141A (en) * 2011-06-01 2012-12-05 哈尔滨市和协岛数码科技有限公司 Software lease authorization method based on attribute encryption
CN103220291A (en) * 2013-04-09 2013-07-24 电子科技大学 Access control method base on attribute encryption algorithm
CN104572430A (en) * 2013-10-24 2015-04-29 腾讯科技(深圳)有限公司 Method, device and system for testing terminal application interface
CN105141574A (en) * 2015-06-12 2015-12-09 深圳大学 Cloud storage cipher text access control system based on table attributes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SHUCHENG YU ETC.: "Achieving Secure,Scalable,and Fine-grained Data Access Control in cloud Computing", 《IEEE》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378109A (en) * 2019-06-26 2019-10-25 中国科学院信息工程研究所 Reduce the method and system of chain type Hash stack performance loss
CN110445793A (en) * 2019-08-13 2019-11-12 四川长虹电器股份有限公司 A kind of analysis method for the analysis engine possessing the irredundant calculating of node thread rank
CN110647322A (en) * 2019-08-15 2020-01-03 北京三快在线科技有限公司 List rendering method and device, electronic equipment and computer readable medium
CN112565167A (en) * 2019-09-26 2021-03-26 华为数字技术(苏州)有限公司 Method for detecting access control list ACL and network equipment

Also Published As

Publication number Publication date
CN105790929B (en) 2018-12-28

Similar Documents

Publication Publication Date Title
Li et al. An efficient ciphertext-policy weighted attribute-based encryption for the internet of health things
CN112019591B (en) Cloud data sharing method based on block chain
CN105871543B (en) Multiple key cipher text retrieval method under more data owner's backgrounds based on attribute
CN105100083B (en) A kind of secret protection and support user's revocation based on encryption attribute method and system
CN103701833B (en) A kind of ciphertext access control method and system based on cloud computing platform
CN109120639A (en) A kind of data cloud storage encryption method and system based on block chain
CN106375346B (en) Data guard method based on condition broadcast agent re-encryption under a kind of cloud environment
CN103618729A (en) Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage
CN108833393A (en) A kind of revocable data sharing method calculated based on mist
CN107395568A (en) A kind of cipher text retrieval method of more data owner's certifications
CN103731432A (en) Multi-user supported searchable encryption system and method
US20150207621A1 (en) Method for creating asymmetrical cryptographic key pairs
CN104468615A (en) Data sharing based file access and permission change control method
CN107276766B (en) Multi-authorization attribute encryption and decryption method
CN105790929A (en) High-efficient access control method based on rule redundancy elimination in encryption environment
CN106612169A (en) Safe data sharing method in cloud environment
CN115296817A (en) Data access control method based on block chain technology and attribute encryption
CN107634830B (en) The revocable attribute base encryption method of server- aided, apparatus and system
CN106888213B (en) Cloud ciphertext access control method and system
CN113411323B (en) Medical record data access control system and method based on attribute encryption
CN108763944A (en) Multicenter large attribute Domain Properties base encryption method can be revoked safely in calculating in mist
KR102381389B1 (en) System and Method for Controlling Multi Factor Access Prioritized
CN109347833B (en) Access control method and system used in machine learning environment based on attribute encryption
CN110599376A (en) Course selection system based on attribute password
CN106549758B (en) Support the encryption method based on attribute of non-monotonic access structure

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant