CN105978689A - Anti-key-exposure cloud data safe sharing method - Google Patents
Abstract
The invention discloses an anti-key-exposure method for secure sharing of cloud data, which aims to achieve secure sharing of cloud data and to solve the problem of key exposure in data sharing. Built on public-key encryption, the method uses proxy re-encryption to share cloud data securely and combines it with key insulation, giving each user in the system a unique, physically secure helper (assistant device). The lifetime of the system is partitioned into time slices, and at each transition between two adjacent time slices the helper assists its designated user in updating that user's private key, so that the user holds a different private key in each time slice. As a result, exposure of a user's private key in one or several time slices does not affect the security of the system in the other time slices. The method thereby solves the problem of key exposure in secure cloud data sharing.
Description
Technical field
The present invention relates to the fields of cloud computing and information security. Specifically, it is an anti-key-exposure secure cloud data sharing method for cloud environments. The method not only achieves secure sharing of cloud data but also withstands the threat posed by exposure of the keys of the users involved.
Background
Cloud computing is characterized chiefly by its powerful storage and computing capability. All users can share the software and hardware resources and the information of the cloud server, and the cloud server provides services to users on demand.
Cloud computing comprises three service models: software as a service, platform as a service, and infrastructure as a service. In a cloud computing environment, users can outsource the storage of their data to a remote site and obtain high-quality applications and services on demand. At the same time, users are relieved of the burden of local data storage and maintenance.
These features and advantages of cloud computing make data sharing between users convenient. However, the data a user needs to upload may be sensitive data involving personal privacy. Such data may be shared only with certain specific users and must not be disclosed to malicious users or to users the data owner does not intend to share with (including the cloud server). Users therefore need to encrypt their data before uploading it.
Existing secure cloud data sharing methods mainly use proxy re-encryption. The cloud server uses a re-encryption key to re-encrypt the original ciphertext, converting it into a new ciphertext that the data consumer can decrypt. To decrypt this new ciphertext, the data consumer needs only its own private key. Throughout the process, the cloud server obtains only the original ciphertext and the re-encryption key and cannot obtain any plaintext information.
However, existing secure cloud data sharing methods all share one defect: they cannot withstand leakage of a user's key. If a user's private key leaks, an adversary can decrypt any encrypted data related to that user, which is intolerable for data security.
Summary of the invention
To overcome the shortcomings of the existing secure cloud data sharing methods described above, the invention provides an anti-key-exposure secure cloud data sharing method. It first uses proxy re-encryption to ensure that cloud data is secure and can be shared, and then combines it with key insulation to ensure that key exposure can be withstood during cloud data sharing.
The technical solution adopted by the invention is as follows. The data owner encrypts the shared data and uploads it to the cloud server. The cloud server plays the role of the proxy: it uses the re-encryption key to re-encrypt the original ciphertext, converting it into a new ciphertext that the data consumer can decrypt with its own private key. To resist key exposure, the method divides the lifetime of the whole system into n different time slices. The user's public key stays unchanged over the whole system lifetime, but the user decrypts with a different private key in each time slice. Specifically, each user has a unique, physically secure helper that assists the user in updating the user's private key when the time slice changes. Consequently, leakage of the private key of one or several time slices does not affect the security of the data of the other time slices.
The secure cloud data sharing system of the invention involves four entities: the cloud server, data owner A, data consumer B, and the physically secure helpers (different users have different helpers).
Cloud server: The cloud server maintains cloud infrastructure, including bandwidth, storage devices and servers with high computing capability. In this system the cloud server mainly provides two services, data storage and re-encryption. The system assumes that the cloud server is semi-trusted: it executes the relevant algorithms correctly but remains curious about the related plaintext information.
Data owner A: This entity is the owner of the data to be shared and is responsible for encrypting and uploading the data. Before the re-encryption operation, this entity is also responsible for computing the re-encryption key and sending it to the cloud server.
Data consumer B: This entity is the user of the shared data, that is, the data requester. It sends a data request to the cloud server, receives the re-encrypted new ciphertext returned by the cloud server, and then decrypts it with its own private key.
Physically secure helper: Each user has a unique, physically secure helper, which holds its own master private key. When the time slice changes, this entity uses its master private key to assist the user in updating the user's private key.
The invention consists of seven algorithms in total.
(1) Key generation (KeyGen): This algorithm selects a security parameter and generates, for the data owner and for the data consumer respectively, a public key, the corresponding initial user private key, and the helper's master private key.
(2) Helper key update (Update*): The helper is a device that is physically secure but has limited computing capability. When two adjacent time slices change over, the helper runs this algorithm and uses the helper's master private key to generate a helper update key, which is used to update the user's private key.
(3) User key update (Update): When two adjacent time slices change over, the user runs this algorithm. Using the helper update key generated by the previous algorithm, the user generates the user private key for the new time slice.
(4) Re-encryption key generation (ReKeyGen): This algorithm is run by the data owner. The data owner uses the data consumer's public key, its own private key and the selected time slice to generate the corresponding re-encryption key, which is used to re-encrypt the encrypted data to be shared.
(5) Data encryption (Enc): This algorithm is run by the data owner. The data owner uses its own public key and the corresponding time slice to encrypt the data to be shared and uploads it to the cloud server.
(6) Data re-encryption (ReEnc): This algorithm is run by the cloud server. The cloud server uses the generated re-encryption key to re-encrypt the encrypted data uploaded by the user, converting the original ciphertext into a new ciphertext that the data consumer can decrypt.
(7) Data decryption (Dec): Original encrypted data can be decrypted only by the data owner using its own private key; the new ciphertext produced by re-encryption can be decrypted only by the data consumer using its own private key.
Compared with traditional methods, the beneficial effect of the invention is that it solves the key exposure problem in secure cloud data sharing and reduces the harm to the system caused by leakage of user keys.
Brief description of the drawings
Fig. 1 is the system model diagram of the anti-key-exposure secure cloud data sharing method of the invention.
Detailed description
Referring to Fig. 1, the entities involved in the method of the invention are: the cloud server, data owner A, data consumer B, helper A and helper B.
The method of the invention consists of seven specific algorithms, implemented as follows:
KeyGen: On input the security parameter $1^k$, randomly select $q$ such that $|q| = k$, and output two groups of order $q$, and , and a bilinear map , where the generator of is $g$; the system public parameters are $g$, $e$. Then generate the public key and the corresponding private keys for each user: for data owner A, the public key is , the master private key of its helper is , and its initial private key is ; for data consumer B, the public key is , the master private key of its helper is , and its initial private key is .
Update*: At the end of time slice $i-1 \in \{0, 1, \ldots, t-1\}$, the user's helper runs Update* and generates, for the next time slice $i \in \{1, 2, \ldots, t\}$, the helper update key $SK'_{A,i} = x'_i$, where
Update: On input the helper update key $x'_i$ and the user's temporary private key $SK_{A,i-1}$ for the previous time slice $i-1 \in \{0, 1, \ldots, t-1\}$, this algorithm computes
and outputs $x_i$ as the user's private key $SK_{A,i}$ for time slice $i \in \{1, 2, \ldots, t\}$.
ReKeyGen: This algorithm first takes the data consumer's public key and the time slice $i \in \{1, 2, \ldots, t\}$ as input and computes ; it then uses the data owner's private key $SK_{A,i}$ to compute . Finally, the data owner sends to the cloud server as the re-encryption key.
Enc: Taking the data owner's public key $PK_{A,i}$ as input, this algorithm randomly selects and computes the original ciphertext $C = (C_1, C_2)$, where , $C_2 = e(g, g)^r M$, and sends $C$ to the cloud server.
ReEnc: Using the re-encryption key , this algorithm re-encrypts the ciphertext $C$, computing , to obtain $C' = (C'_1, C_2)$. The re-encrypted ciphertext is then sent to data consumer B.
Dec: For the original ciphertext $C$, data owner A uses $x_i$ to compute and obtain the corresponding plaintext $M$. For the re-encrypted ciphertext $C'$, data consumer B runs Dec and uses $y_i$ to compute and obtain the plaintext.
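The seven-algorithm flow described above, as an added example that is not the patent's own construction: the patent's formulas did not survive on this page, so this sketch swaps in a pairing-free ElGamal-style group and a degree-t polynomial helper update. Assumptions: all function names and parameters are hypothetical, the group is a toy size, and the re-encryption key is computed from both parties' slice private keys (BBS-style), whereas the patent's ReKeyGen takes the consumer's public key.

```python
import secrets
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these 12 bases give a deterministic answer for n < 2**81."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(q=2**61 + 1):
    """Find a safe prime p = 2q + 1; g = 4 is a square, so it has order q."""
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()  # constructed demo parameters, far too small for real use

def keygen(t=2):
    """Fixed public key, slice-0 user key, helper master key (tolerates t exposed slices)."""
    coeffs = [secrets.randbelow(Q - 1) + 1 for _ in range(t + 1)]
    return [pow(G, c, P) for c in coeffs], coeffs[0], coeffs[1:]

def helper_update(master, i):
    """Update*: run on the helper when slice i-1 ends; returns x'_i."""
    return sum(c * (i**j - (i - 1)**j) for j, c in enumerate(master, 1)) % Q

def user_update(sk_prev, x_upd):
    """Update: x_i = x_{i-1} + x'_i; the caller erases sk_prev and x_upd afterwards."""
    return (sk_prev + x_upd) % Q

def slice_pk(pk, i):
    """Anyone can derive g^{x_i} for slice i from the fixed public key."""
    out = 1
    for j, z in enumerate(pk):
        out = out * pow(z, i**j, P) % P
    return out

def enc(pk, i, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(slice_pk(pk, i), r, P), pow(G, r, P) * m % P   # (C1, C2)

def rekey(sk_owner_i, sk_consumer_i):
    # Toy shortcut: both slice keys meet in one place (bidirectional key).
    return sk_consumer_i * pow(sk_owner_i, -1, Q) % Q

def reenc(rk, c):
    return pow(c[0], rk, P), c[1]            # the cloud server never sees m

def dec(sk_i, c):
    mask = pow(c[0], pow(sk_i, -1, Q), P)    # recovers g^r
    return c[1] * pow(mask, -1, P) % P

def demo():
    (pk_a, a, helper_a), (pk_b, b, helper_b) = keygen(), keygen()
    ka, kb = {0: a}, {0: b}
    for i in (1, 2):                         # two slice changes
        ka[i] = user_update(ka[i - 1], helper_update(helper_a, i))
        kb[i] = user_update(kb[i - 1], helper_update(helper_b, i))
    m = int.from_bytes(b"report", "big")     # constructed sample message
    c = enc(pk_a, 2, m)                      # owner A encrypts for slice 2
    c_b = reenc(rekey(ka[2], kb[2]), c)
    return {
        "owner_reads": dec(ka[2], c) == m,
        "consumer_reads": dec(kb[2], c_b) == m,
        "slice1_key_reads_slice2": dec(ka[1], c) == m or dec(kb[1], c_b) == m,
        "pk_matches_sk": pow(G, ka[2], P) == slice_pk(pk_a, 2),
    }

if __name__ == "__main__":
    print(demo())
```

The slice-1 keys failing on slice-2 ciphertext is the key-insulation property; with a degree-t polynomial it holds only while no more than t slice keys are exposed and update keys are erased after use.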
Claims (3)
1. An anti-key-exposure secure cloud data sharing method, characterized in that:
(1) using public-key encryption, the data owner encrypts the shared data with its own public key and uploads it to the cloud server; without knowing the data owner's private key, other users (including the cloud server) cannot decrypt the data to obtain the corresponding plaintext information;
(2) using proxy re-encryption, the cloud server re-encrypts the data with the re-encryption key sent by the data owner, and the converted data can be decrypted by the corresponding data consumer;
(3) using key insulation, the whole system lifetime is divided into n time slices; in each time slice the data owner and the data consumer can update their own private keys with the help of their helpers and use different private keys in different time slices, thereby reducing the loss caused by private key leakage;
(4) by combining the public-key encryption scheme, the proxy re-encryption mechanism and the key-insulation mechanism, the method can resist the key exposure problem in secure cloud data sharing.
2. The anti-key-exposure secure cloud data sharing method according to claim 1, characterized in that the method comprises the following algorithms:
(1) Key generation (KeyGen): this algorithm selects a security parameter $1^k$ and generates, for the data owner and for the data consumer respectively, a public key, the corresponding initial user private key, and the helper's master private key;
(2) Helper key update (Update*): the helper is a device that is physically secure but has limited computing capability; when two adjacent time slices change over, the helper runs this algorithm and uses the helper's master private key to generate a helper update key, which is used to update the user's private key;
(3) User key update (Update): when two adjacent time slices change over, the user runs this algorithm; using the helper update key generated by the previous algorithm, the user generates the user private key for the new time slice;
(4) Re-encryption key generation (ReKeyGen): this algorithm is run by the data owner; the data owner uses the data consumer's public key, its own private key and the selected time slice to generate the corresponding re-encryption key, which is used to re-encrypt the encrypted data to be shared;
(5) Data encryption (Enc): this algorithm is run by the data owner; the data owner uses its own public key and the corresponding time slice to encrypt the data to be shared and uploads it to the cloud server;
(6) Data re-encryption (ReEnc): this algorithm is run by the cloud server; the cloud server uses the generated re-encryption key to re-encrypt the encrypted data uploaded by the user, converting the original ciphertext into a new ciphertext that the data consumer can decrypt;
(7) Data decryption (Dec): original encrypted data can be decrypted only by the data owner using its own private key; the new ciphertext produced by re-encryption can be decrypted only by the data consumer using its own private key.
3. The anti-key-exposure secure cloud data sharing method according to claims 1 and 2, characterized in that the algorithms are implemented as follows:
KeyGen: On input the security parameter $1^k$, randomly select $q$ such that $|q| = k$, and output two groups of order $q$, and a bilinear map , where the generator of is $g$; the system public parameters are $g$, $e$. Then generate the public key and the corresponding private keys for each user: for data owner A, the public key is , the master private key of its helper is , and its initial private key is ; for data consumer B, the public key is , the master private key of its helper is , and its initial private key is .
Update*: At the end of time slice $i-1 \in \{0, 1, \ldots, t-1\}$, the user's helper runs Update* and generates, for the next time slice $i \in \{1, 2, \ldots, t\}$, the helper update key $SK'_{A,i} = x'_i$, where
Update: On input the helper update key $x'_i$ and the user's temporary private key $SK_{A,i-1}$ for the previous time slice $i-1 \in \{0, 1, \ldots, t-1\}$, this algorithm computes
and outputs $x_i$ as the user's private key $SK_{A,i}$ for time slice $i \in \{1, 2, \ldots, t\}$;
ReKeyGen: This algorithm first takes the data consumer's public key and the time slice $i \in \{1, 2, \ldots, t\}$ as input and computes ; it then uses the data owner's private key $SK_{A,i}$ to compute . Finally, the data owner sends to the cloud server as the re-encryption key;
Enc: Taking the data owner's public key $PK_{A,i}$ as input, this algorithm randomly selects and computes the original ciphertext $C = (C_1, C_2)$, where , $C_2 = e(g, g)^r M$, and sends $C$ to the cloud server;
ReEnc: Using the re-encryption key , this algorithm re-encrypts the ciphertext $C$, computing , to obtain $C' = (C'_1, C_2)$. The re-encrypted ciphertext is then sent to data consumer B;
Dec: For the original ciphertext $C$, data owner A uses $x_i$ to compute and obtain the corresponding plaintext $M$. For the re-encrypted ciphertext $C'$, data consumer B runs Dec and uses $y_i$ to compute and obtain the plaintext.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610497226.6A CN105978689B (en) | 2016-06-28 | 2016-06-28 | Secret key leakage resistant cloud data secure sharing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105978689A (en) | 2016-09-28 |
CN105978689B (en) | 2019-12-24 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20191224; Termination date: 20200628 |