CN105978689A - Anti-key-exposure cloud data safe sharing method - Google Patents

Anti-key-exposure cloud data safe sharing method Download PDF

Info

Publication number
CN105978689A
CN105978689A CN201610497226.6A CN201610497226A CN105978689A CN 105978689 A CN105978689 A CN 105978689A CN 201610497226 A CN201610497226 A CN 201610497226A CN 105978689 A CN105978689 A CN 105978689A
Authority
CN
China
Prior art keywords
data
key
private key
algorithm
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610497226.6A
Other languages
Chinese (zh)
Other versions
CN105978689B (en
Inventor
熊虎
闫东杰
秦臻
苑晨
蔡浩庭
卢震宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN201610497226.6A priority Critical patent/CN105978689B/en
Publication of CN105978689A publication Critical patent/CN105978689A/en
Application granted granted Critical
Publication of CN105978689B publication Critical patent/CN105978689B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an anti-key-exposure cloud data safe sharing method, and aims to realize safe sharing of cloud data and solve the problem of key exposure in data sharing. According to the method, safe sharing of the cloud data is realized through a proxy re-encryption technology on the basis of public key encryption, and meanwhile users in a system are provided with unique physical security assistants in conjunction with a key insulation technology. The life cycle of the system is partitioned into different time slices, and the assistants help specified users update private keys of the users at replacement of two adjacent time slices, so that the users own different private keys in different time slices. Thus, the security of the system in other time slices is not influenced when the private keys of the users are exposed in a single or a part of time slices. Through adoption of the method, the problem of key exposure in cloud data safe sharing can be solved.

Description

A kind of cloud data secure sharing method of anti-key exposure
Technical field
The present invention relates to cloud computing and information security field, specifically, be the anti-key exposure of the one under cloud environment Cloud data secure sharing method, the method can not only realize the safety of cloud data and share, additionally it is possible to opposing associated user The threat that key exposure causes.
Background technology
Cloud computing is topmost feature with its powerful storage and computing capability.All of user can share cloud service The software and hardware resources of device and information, and Cloud Server is on-demand provides the user service.
Cloud computing includes that software i.e. services, platform i.e. services and infrastructure i.e. services three kinds of service modes.In cloud computing In environment, user can store its data from long-range outsourcing, it is possible to obtain the high-quality application and service of on-demand.Meanwhile, User can break away from the burden of local datastore and maintenance.
The feature of cloud computing and advantage are that the data sharing between user is provided convenience, but, user's needs are uploaded Data are likely to be some sensitive datas with individual privacy, and some other users specific can only be shared by these data, And some malicious users or data owner can not be not intended to disclosed user (including Cloud Server) and announce.So using Family needed data are encrypted operation before uploading data.
Existing cloud data secure sharing method mainly employing being acted on behalf of Re-encryption Technology, Cloud Server utilizes re-encryption Double secret key original cipher text carries out re-encryption operation, and original cipher text is converted to the new ciphertext that data consumer can decipher, and is solving During this new ciphertext close, data consumer has only to the private key of oneself.During whole, Cloud Server can only obtain original Ciphertext and re-encrypted private key, but it can not obtain any cleartext information.
But, all there is a defect in existing cloud data secure sharing method, namely can not resist user key Leakage problem, if the private key of user leaks, then opponent can decipher any and user-dependent encryption data.This for It is flagrant for data safety.
Summary of the invention
In order to overcome the deficiency of above-mentioned existing cloud data secure sharing method, the invention provides an anti-key exposure Cloud data secure sharing method, ensures the safety of cloud data and sharing initially with acting on behalf of Re-encryption Technology, then in conjunction with Key-insulated technology, it is ensured that key exposure problem can be resisted in cloud data sharing process, thus realize an anti-key exposure Cloud data secure sharing method.
The technical solution adopted in the present invention is: data owner's encrypted shared data is also uploaded to Cloud Server, and cloud takes The role of agency played the part of by business device, and utilizes re-encrypted private key that original cipher text is carried out the operation of re-encrypted, is turned by original cipher text It is changed to the new ciphertext that data consumer can utilize oneself private key to decipher.For reaching to resist the characteristic of key exposure, this method will The life cycle of whole system is divided into n different timeslice, and in whole system life cycle, client public key keeps not Become, but in different timeslices, user uses different private keys to be decrypted operation, and specifically, each user is owned by The collaborationist that one unique physics is perfectly safe, is used for assisting user to update private key for user when timeslice replaces.Cause This, the safety that single or part-time sheet private key occurs leakage can't affect other times sheet data.
The safe shared system of cloud data in the present invention relates to four entities: Cloud Server, data owner A, data make User B, collaborationist's (collaborationist of different user is different) of physical security.
Cloud Server: Cloud Server safeguards some cloud infrastructure, including bandwidth, storage device with have high computing capability Server.Within the system, Cloud Server mainly provides two kinds of services, i.e. data storage and re-encryption.It addition, this system is false If Cloud Server is half trusted servers, namely can correctly perform related algorithm, but relevant cleartext information is kept Very.
Data owner A: this entity is intended to the owner of the data shared, is responsible for encryption and uploads data.It addition, at weight Before cryptographic operation, this entity is responsible for calculating generation re-encrypted private key and being sent to Cloud Server.
Data consumer B: this entity is the user of shared data, i.e. data requester.This entity is to cloud service Device sends request of data, and obtains the new ciphertext after the re-encryption of Cloud Server loopback, is then decrypted with the private key of oneself.
The collaborationist of physical security: each user is owned by the collaborationist of a unique physical security, this collaborationist gathers around Having the main private key of oneself, when timeslice substitutes, this entity utilizes the main private key of oneself to assist user to update private key for user.
The present invention is made up of seven algorithms altogether.
(1) key generates (KeyGen): this algorithm picks security parameter, and respectively data owner and data consumer Generate PKI and the corresponding initial private key of user and the main private key of collaborationist.
(2) collaborationist's key updating (Update*): this collaborationist is that a physics is perfectly safe but computing capability is restricted Equipment, when adjacent two timeslices substitute, collaborationist runs this algorithm, utilize the main private key of collaborationist generate one for Update collaborationist's more new key of private key for user.
(3) user key updates (Update): when two adjacent timeslices substitute, this algorithm is run by user, profit Using collaborationist's more new key that an algorithm generates, user generates a user corresponding to new timeslice by this algorithm Private key.
(4) re-encrypted private key generates (ReKeyGen): this algorithm is run by data owner, and data owner utilizes data The PKI of user, oneself private key and selected timeslice, generate corresponding re-encrypted private key, and this key is for wanting The encryption data shared carries out re-encrypted.
(5) data encryption (Enc): this algorithm is run by data owner, data owner utilizes the PKI of oneself and right Data to be shared are encrypted by the timeslice answered, and are uploaded to Cloud Server.
(6) data re-encryption (ReEnc): this algorithm is run by Cloud Server, Cloud Server utilizes the re-encryption generated The encryption data that double secret key user uploads carries out re-encrypted, original cipher text is converted to can by data consumer decipher new Ciphertext.
(7) data deciphering (Dec): for original encryption data, can only be utilized the private key of oneself by data owner It is decrypted, for the new ciphertext after re-encryption, the private key of oneself can only be utilized to be decrypted by data consumer.
Compared with traditional method, the invention has the beneficial effects as follows: the key exposure solved during cloud data safety is shared is asked Topic, decreases because user key leaks the harm causing system.
Accompanying drawing explanation
Fig. 1 is the system model figure of the cloud data secure sharing method of anti-key exposure of the present invention.
Detailed description of the invention
Referring to the drawings 1, the entity that the method for the invention relates to includes: Cloud Server, data owner A, data use Person B, collaborationist A and collaborationist B.
The method of the invention is made up of seven specific algorithms, and specific implementation process is as follows:
KeyGen: input security parameter lk, randomly select q so that | q |=k, exporting two rank is the group of qWith One bilinear map computingWhereinGeneration unit be g, system common parameter is g,e; Then PKI and the private key of correspondence are generated for associated user: for data owner A, its PKI isThe main private key of its collaborationist isIts initial private key isFor For data consumer B, its PKI isThe main private key of its collaborationist is Its initial private key is
Update*: timeslice i-1 ∈ 0,1 ..., at the end of t-1}, the collaborationist of user runs algorithm Update*, for next Individual timeslice i ∈ 1,2 ..., t) generate collaborationist and update key SK 'A, i=x 'i, wherein
Update: input collaborationist more new key x 'iA timeslice i-1 ∈ upper with user 0,1 ..., the temporary private of t-1} SKA, i-1, this algorithm is by calculating Output xiAs user timeslice i ∈ 1,2 ..., the private key SK of t}A, i
ReKeyGen: this algorithm is first with the PKI of data consumerWith timeslice i ∈ 1, 2 ..., t}, as input, calculatesThen the private key SK of data owner is utilizedA, iMeter CalculateFinal data owner willIt is sent to cloud service as re-encrypted private key Device.
Enc: this algorithm is with the PKI PK of data ownerA, iAs input, randomly selectIt is calculated original Ciphertext C=(C1, C2), whereinC2=e (g, g)rM, and by C It is sent to Cloud Server.
ReEnc: this algorithm utilizes re-encrypted private keyCiphertext C is carried out re-encryption, calculatesObtain C '=(C '1, C2).And this re-encryption ciphertext is sent to data use Person B.
Dec: for original cipher text C, data owner A can utilize xiBy calculatingIt is right to obtain The plaintext M answered;For re-encryption ciphertext C ', data consumer B performs algorithm Dec, utilizes yiCalculateObtain Obtain in plain text.

Claims (3)

1. the cloud data secure sharing method of an anti-key exposure, it is characterised in that:
(1) utilizing the mechanism of public key encryption, data owner utilizes the public key encryption of oneself share data and be uploaded to cloud service Device, in the case of not knowing data owner's private key, other users (including Cloud Server) cannot solve ciphertext data and obtain correspondence Cleartext information;
(2) mechanism of re-encryption is acted on behalf of in utilization, and its data are entered by the re-encrypted private key that Cloud Server utilizes data owner to transmit Row re-encryption, the data through conversion can be decrypted by corresponding data consumer;
(3) utilizing the mechanism of Key-insulated, whole system time to be divided into n timeslice, in each timeslice, data are gathered around The private key of oneself can be updated with the help of collaborationist by the person of having and data consumer, uses not in different timeslices Same private key, such that it is able to reduce because private key leaks the loss caused;
(4) by combining public-key cryptography scheme, acting on behalf of re-encryption mechanism and Key-insulated mechanism, the method can resist cloud data Key exposure problem during safety is shared.
The cloud data secure sharing method of a kind of anti-key exposure the most according to claim 1, it is characterised in that the method Including following algorithm:
(1) key generates (KeyGen): this algorithm picks security parameter lk, and respectively data owner and data consumer are raw Become PKI and the corresponding initial private key of user and the main private key of collaborationist;
(2) collaborationist's key updating (Update*): this collaborationist is that a physics is perfectly safe but computing capability is restricted sets Standby, when two adjacent timeslices substitute, collaborationist runs this algorithm, utilizes the main private key of collaborationist to generate one for updating The collaborationist of private key for user more new key;
(3) user key updates (Update): when two adjacent timeslices substitute, this algorithm is run by user, in utilization Collaborationist's more new key that one algorithm generates, it is private that user generates a user corresponding to new timeslice by this algorithm Key;
(4) re-encrypted private key generates (ReKeyGen): this algorithm is run by data owner, and data owner utilizes data to use The PKI of person, oneself private key and selected timeslice, generate corresponding re-encrypted private key, and this key is for to share Encryption data carry out re-encrypted;
(5) data encryption (Enc): this algorithm is run by data owner, data owner utilizes PKI and the correspondence of oneself Data to be shared are encrypted by timeslice, and are uploaded to Cloud Server;
(6) data re-encryption (ReEnc): this algorithm is run by Cloud Server, Cloud Server utilizes the re-encrypted private key generated The encryption data uploading user carries out re-encrypted, and original cipher text is converted to the Xinmi City can deciphered by data consumer Literary composition;
(7) data deciphering (Dec): for original encryption data, can only be utilized the private key of oneself to carry out by data owner Deciphering, for the new ciphertext after re-encryption, can only be utilized the private key of oneself to be decrypted by data consumer.
3. according to the cloud data secure sharing method of a kind of anti-key exposure described in claim 1,2, it is characterised in that include Specific algorithm is implemented as follows:
KeyGen: input security parameter lk, randomly select q so that | q |=k, exporting two rank is the group of qDouble with one Linear Mapping computingWhereinGeneration unit be g, system common parameter is g,e;Then it is Associated user generates PKI and the private key of correspondence: for data owner A, its PKI is The main private key of its collaborationist isIts initial private key isFor data consumer B, its PKI isThe main private key of its collaborationist isIts initial private key is
Update*: timeslice i-1 ∈ 0,1 ..., at the end of t-1}, the collaborationist of user runs algorithm Update*, for next Individual timeslice i ∈ 1,2 ..., t} generates collaborationist and updates key SK 'A, i=x 'i, wherein
Update: input collaborationist more new key x 'iA timeslice i-1 ∈ upper with user 0,1 ..., temporary private SK of t-1}A, i-1, This algorithm is by calculating Output xiAs user timeslice i ∈ 1,2 ..., the private key SK of t}A, i
ReKeyGen: this algorithm is first with the PKI of data consumerWith timeslice i ∈ 1, 2 ..., t}, as input, calculatesThen the private key SK of data owner is utilizedA, iMeter CalculateFinal data owner willIt is sent to cloud service as re-encrypted private key Device;
Enc: this algorithm is with the PKI PK of data ownerA, iAs input, randomly selectIt is calculated original cipher text C =(C1, C2), whereinC2=e (g, g)rM, and C is sent To Cloud Server;
ReEnc: this algorithm utilizes re-encrypted private keyCiphertext C is carried out re-encryption, calculates Obtain C '=(C '1, C2).And this re-encryption ciphertext is sent to data consumer B;
Dec: for original cipher text C, data owner A can utilize xiBy calculatingObtain correspondence Plaintext M;For re-encryption ciphertext C ', data consumer B performs algorithm Dec, utilizes yiCalculateObtain bright Literary composition.
CN201610497226.6A 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method Expired - Fee Related CN105978689B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610497226.6A CN105978689B (en) 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610497226.6A CN105978689B (en) 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method

Publications (2)

Publication Number Publication Date
CN105978689A true CN105978689A (en) 2016-09-28
CN105978689B CN105978689B (en) 2019-12-24

Family

ID=57020492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610497226.6A Expired - Fee Related CN105978689B (en) 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method

Country Status (1)

Country Link
CN (1) CN105978689B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483883A (en) * 2017-07-19 2017-12-15 中标慧安信息技术股份有限公司 A kind of method and device of intelligent data interaction
CN108847928A (en) * 2018-04-26 2018-11-20 如般量子科技有限公司 The communication system and communication means of the transmission of information encryption and decryption are realized based on group's type quantum key card
CN109660332A (en) * 2019-01-21 2019-04-19 电子科技大学 A kind of parallel Key-insulated label decryption method based on no certificate
CN112152779A (en) * 2020-09-29 2020-12-29 黑龙江大学 Lattice-based homomorphic proxy re-encryption method for resisting strong collusion attack
CN113360886A (en) * 2021-04-23 2021-09-07 山东英信计算机技术有限公司 Method, device and equipment for sharing encrypted data and readable medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414557A (en) * 2013-08-29 2013-11-27 青岛大学 Novel secret key separated signing method and system
CN103647642A (en) * 2013-11-15 2014-03-19 河海大学 Certificate-based agent heavy encryption method and system
CN104980477A (en) * 2014-04-14 2015-10-14 航天信息股份有限公司 Data access control method and system in cloud storage environment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414557A (en) * 2013-08-29 2013-11-27 青岛大学 Novel secret key separated signing method and system
CN103647642A (en) * 2013-11-15 2014-03-19 河海大学 Certificate-based agent heavy encryption method and system
CN104980477A (en) * 2014-04-14 2015-10-14 航天信息股份有限公司 Data access control method and system in cloud storage environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
吴韬: "可代理的基于身份的密钥隔离技术研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
秦志光 等: "密钥隔离密码系统研究现状", 《计算机学报》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483883A (en) * 2017-07-19 2017-12-15 中标慧安信息技术股份有限公司 A kind of method and device of intelligent data interaction
CN107483883B (en) * 2017-07-19 2019-12-20 中标慧安信息技术股份有限公司 Intelligent data interaction method and device
CN108847928A (en) * 2018-04-26 2018-11-20 如般量子科技有限公司 The communication system and communication means of the transmission of information encryption and decryption are realized based on group's type quantum key card
CN108847928B (en) * 2018-04-26 2021-04-06 如般量子科技有限公司 Communication system and communication method for realizing information encryption and decryption transmission based on group type quantum key card
CN109660332A (en) * 2019-01-21 2019-04-19 电子科技大学 A kind of parallel Key-insulated label decryption method based on no certificate
CN112152779A (en) * 2020-09-29 2020-12-29 黑龙江大学 Lattice-based homomorphic proxy re-encryption method for resisting strong collusion attack
CN113360886A (en) * 2021-04-23 2021-09-07 山东英信计算机技术有限公司 Method, device and equipment for sharing encrypted data and readable medium

Also Published As

Publication number Publication date
CN105978689B (en) 2019-12-24

Similar Documents

Publication Publication Date Title
Xiong et al. Partially policy-hidden attribute-based broadcast encryption with secure delegation in edge computing
CN108600217B (en) Cloud-based data authorization certainty updating method based on proxy re-encryption
Dong et al. Achieving an effective, scalable and privacy-preserving data sharing service in cloud computing
CN103957109B (en) A kind of cloud data-privacy protects safe re-encryption method
CN103618728B (en) A kind of encryption attribute method at more mechanism centers
CN108632030B (en) CP-ABE-based fine-grained access control method
US20140208117A1 (en) Server apparatus and program
CN105978689A (en) Anti-key-exposure cloud data safe sharing method
CN104320393B (en) The controllable efficient attribute base proxy re-encryption method of re-encryption
Fan et al. Cross-domain based data sharing scheme in cooperative edge computing
Zu et al. New ciphertext-policy attribute-based encryption with efficient revocation
CN111163036B (en) Data sharing method, device, client, storage medium and system
CN111917721B (en) Attribute encryption method based on block chain
CN108880801A (en) The distributed nature base encryption method of fine granularity attribute revocation is supported on a kind of lattice
CN107040374A (en) The attribute base data encryption method of user's Dynamic Revocation is supported under a kind of cloud storage environment
CN105933345A (en) Verifiable outsourcing attribute-based encryption method based on linear secret sharing
Ming et al. Efficient revocable multi-authority attribute-based encryption for cloud storage
CN105915333B (en) A kind of efficient key distribution method based on encryption attribute
Chatterjee et al. Cryptography in cloud computing: a basic approach to ensure security in cloud
CN108632251A (en) Authentic authentication method based on cloud computing data service and its Encryption Algorithm
CN116011014A (en) Privacy computing method and privacy computing system
Zhang et al. Multi‐authority attribute‐based encryption scheme with constant‐size ciphertexts and user revocation
CN114697042A (en) Block chain-based Internet of things security data sharing proxy re-encryption method
CN112889240A (en) Server device, communication terminal, communication system, and program
Yang et al. An environmental monitoring data sharing scheme based on attribute encryption in cloud-fog computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20191224

Termination date: 20200628

CF01 Termination of patent right due to non-payment of annual fee