CN105978689B - Secret key leakage resistant cloud data secure sharing method - Google Patents

Secret key leakage resistant cloud data secure sharing method Download PDF

Info

Publication number
CN105978689B
CN105978689B CN201610497226.6A CN201610497226A CN105978689B CN 105978689 B CN105978689 B CN 105978689B CN 201610497226 A CN201610497226 A CN 201610497226A CN 105978689 B CN105978689 B CN 105978689B
Authority
CN
China
Prior art keywords
key
data
user
private key
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201610497226.6A
Other languages
Chinese (zh)
Other versions
CN105978689A (en
Inventor
熊虎
闫东杰
秦臻
苑晨
蔡浩庭
卢震宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN201610497226.6A priority Critical patent/CN105978689B/en
Publication of CN105978689A publication Critical patent/CN105978689A/en
Application granted granted Critical
Publication of CN105978689B publication Critical patent/CN105978689B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a secret key leakage resistant cloud data secure sharing method, which realizes secure sharing of cloud data and can resist the secret key leakage problem in data sharing. The method realizes the safe sharing of cloud data by using an agent re-encryption technology on the basis of public key encryption, and simultaneously combines a key isolation technology with parallelism to respectively provide two independent physical safe helpers for each user in the system. By dividing the life cycle of the system into different time slices, when two adjacent time slices are replaced, the two helpers help the appointed user to update the private key of the user, and the user has different private keys in different time slices. Therefore, when the private key of the user of a single or partial time slice is leaked, the security of the system in other time slices is not influenced. The method can resist the problem of key leakage in the secure sharing of cloud data.

Description

Secret key leakage resistant cloud data secure sharing method
Technical Field
The invention relates to the field of cloud computing and information security, in particular to a secret key leakage resistant cloud data security sharing method in a cloud environment.
Background
Cloud computing is characterized by its powerful storage and computing capabilities. All users can share software and hardware resources and information of the cloud server, and the cloud server provides services for the users according to needs.
The cloud computing comprises three service modes of software as a service, platform as a service and infrastructure as a service. In a cloud computing environment, users can store their data from a remote outsource, and high quality applications and services can be obtained on demand. Meanwhile, the user can get rid of the burden of local data storage and maintenance.
The characteristics and advantages of cloud computing provide convenience for data sharing among users, however, data to be uploaded by users may be sensitive data with personal privacy, and the data can only be shared by specific other users and cannot be published by malicious users or users (including cloud servers) which the data owners do not wish to disclose. The user needs to perform an encryption operation on the data before uploading the data.
The existing secure sharing method for cloud data mainly adopts an agent re-encryption technology, a cloud server performs re-encryption operation on an original ciphertext by using a re-encryption key to convert the original ciphertext into a new ciphertext which can be decrypted by a data user, and when the new ciphertext is decrypted, the data user only needs a private key of the data user. The cloud server can only obtain the original ciphertext and the re-encryption key in the whole process, but cannot obtain any plaintext information.
However, the existing cloud data security sharing methods have a defect that the problem of user key leakage cannot be resisted, and if the private key of the user is leaked, an adversary can decrypt any encrypted data related to the user. This is intolerable for data security.
Disclosure of Invention
In order to overcome the defects of the existing cloud data security sharing method, the invention provides a secret key leakage resistant cloud data security sharing method.
The technical scheme adopted by the invention is as follows: the data owner encrypts the shared data and uploads the shared data to the cloud server, the cloud server plays a role of an agent, and the re-encryption key is used for carrying out re-encryption operation on the original ciphertext to convert the original ciphertext into a new ciphertext which can be decrypted by a data user by using the private key of the data user. In order to achieve the characteristic of resisting secret key leakage, the method divides the life cycle of the whole system into n different time slices, in the life cycle of the whole system, the public key of the user is kept unchanged, but in the different time slices, the user adopts different private keys to carry out decryption operation, specifically, each user has a unique assistant with physical absolute safety, and the assistant is used for assisting the user to update the private key of the user when the time slices are alternated. Thus, the disclosure of the private key of a single or partial time slice does not affect the security of other time slice data.
The cloud data security sharing system in the invention relates to four entities: cloud server, data owner a, data user B, physical security facilitator (different facilitators for different users).
Cloud server: cloud servers maintain some cloud infrastructure, including bandwidth, storage, and servers with high computing power. In this system, the cloud server mainly provides two services, namely data storage and re-encryption. In addition, the system assumes that the cloud server is a semi-trusted server, that is, the relevant algorithms can be executed correctly, but the system keeps curious about relevant plaintext information.
Data owner a: the entity is the owner of the data to be shared and is responsible for encrypting and uploading the data. In addition, before the re-encryption operation, the entity is responsible for computing and generating the re-encryption key and sending the re-encryption key to the cloud server.
The data user B: the entity is the user of the shared data, i.e., the data requestor. The entity sends a data request to the cloud server, obtains a new encrypted ciphertext returned by the cloud server, and then decrypts the ciphertext by using a private key of the entity.
Physical security facilitator: each user has a unique physically secure helper, the helper has its own master private key, and the entity uses its own master private key to assist the user in updating the user private key at the time of time slice replacement.
The invention consists of seven algorithms in total.
(1) Key generation (KeyGen): the algorithm selects security parameters and generates public keys and corresponding user initial private keys and helper master private keys for a data owner and a data user respectively.
(2) Helper key Update (Update): the helper is a physically absolutely secure but computationally limited device that runs the algorithm at the time of two adjacent time slice changes, using the helper master private key to generate a helper update key for updating the user private key.
(3) User key Update (Update): when two adjacent time slices are replaced, the algorithm is run by the user, the helper update key generated by the last algorithm is utilized, and the user generates a user private key corresponding to the new time slice through the algorithm.
(4) Re-encryption key generation (ReKeyGen): the algorithm is run by a data owner who generates a corresponding re-encryption key by using a public key of a data user, a private key of the data owner and the selected time slice, and the key is used for re-encrypting the encrypted data to be shared.
(5) Data encryption (Enc): the algorithm is operated by a data owner, and the data owner encrypts data to be shared by using a public key of the data owner and a corresponding time slice and uploads the data to the cloud server.
(6) Data re-encryption (ReEnc): the algorithm is operated by a cloud server, the cloud server uses the generated re-encryption key to re-encrypt the encrypted data uploaded by the user, and the original ciphertext is converted into a new ciphertext which can be decrypted by the data user.
(7) Data decryption (Dec): for the original encrypted data, the data owner can only decrypt the original encrypted data by using the private key of the data owner, and for the new encrypted data after the re-encryption, the data user can only decrypt the new encrypted data by using the private key of the data user.
Compared with the traditional method, the invention has the beneficial effects that: the method solves the problem of secret key leakage in cloud data security sharing, and reduces the harm to the system caused by the secret key leakage of the user.
Drawings
Fig. 1 is a system model diagram of a secure sharing method of cloud data resistant to key leakage according to the present invention.
Detailed Description
Referring to fig. 1, the entities involved in the method of the present invention include: the system comprises a cloud server, a data owner A, a data user B, a helper A and a helper B.
The method consists of seven specific algorithms, and the specific implementation process is as follows:
KeyGen: input of a safety parameter lkRandomly selecting q to make | q | ═ k, and outputting two groups with order of qAnd a bilinear map operationWhereinThe generator of (a) is g, the system common parameter is g,e; then generating corresponding public keys and private keys for related users: for data owner A, its public key isThe helper master private key isIts initial private key isFor data user B, the public key isThe helper master private key isIts initial private key is
Update: at the end of time slice i-1 e {0, 1.,. t-1}, the user's facilitator runs the algorithm Update to generate the facilitator Update key SK ' for the next time slice i e {1, 2.,. t) 'A,i=x′iWherein
Update: inputting facilitator update Key x'iAnd a temporary private key SK of a last time slice i-1 of the user, which belongs to {0, 1A,i-1The algorithm is calculated byOutput xiAs the private key SK of the user at time slice i ∈ {1, 2A,i
ReKeyGen: the algorithm first uses the public key of the data userAnd time slice i ∈ {1, 2.,. t } as input, calculatingAnd then utilizes the data owner's private key SKA,iComputingFinally, the data owner willAnd sending the encrypted data to the cloud server as the re-encryption key.
Enc: the algorithm uses the public key PK of the data ownerA,iAs input, randomly selectCalculating to obtain original cipher text C ═ C1,C2) WhereinC2=e(g,g)rM, and sending C to the cloud server.
ReEnc: the algorithm utilizes a re-encryption keyRe-encrypting the ciphertext C, and calculatingTo obtain C ═ C'1,C2). And sends the re-encrypted ciphertext to data user B.
And Dec: for the original ciphertext C, the data owner A may utilize xiBy calculation ofObtaining a corresponding plaintext M; for the re-encrypted ciphertext C', data consumer B performs the algorithm Dec, using yiComputingA plaintext is obtained.

Claims (1)

1. A secure cloud data sharing method for resisting key leakage is characterized by comprising the following steps:
step 1, initializing a cloud data sharing system for resisting key leakage and generating a key Gen by a key: setting security parameters of the system and generating a public key PK for a data owner A and a data user BA,PKBAnd an initial private key SKA,SKBAnd corresponding helper master private keyThe method specifically comprises the following steps:
input of safety parameters 1kRandomly selecting q to make | q | ═ k, and outputting two groups whose order is prime number qAnd a bilinear mapping operation e:whereinThe generator of (a) is g, the system common parameter is g,e; then generating corresponding public keys and private keys for related users: for data owner A, its public key isThe main private keys of the helpers are respectivelyIts initial private key isFor data user B, the public key isThe main private keys of the helpers are respectivelyIts initial private key is
Step 2, updating Update of helper key*: as an assistor of the cloud data sharing system resisting key leakage, by utilizing a device with physical absolute safety but limited computing capacity, the whole system time is divided into t time slices, and when two adjacent time slices are replaced, the assistor generates an assistor updating key SK 'for updating a user private key by utilizing a master private key of the assistor'A,i(ii) a The method specifically comprises the following steps:
in time slice i-1 ∈At the end of {0, 1., t-1}, an assistor update key SK' is generated for the next time slice i ∈ {1, 2., t }.A,i=x′iWherein
Step 3, updating Update by the user key: at the time of replacement of two adjacent time slices, the key SK 'is updated by the helper generated at the previous stage'A,iThe user can generate a user private key SK corresponding to a new time sliceA,i(ii) a The method specifically comprises the following steps:
inputting facilitator update Key x'iAnd a temporary private key SK of a last time slice i-1 of the user, which belongs to {0, 1A,i-1CalculatingAnd outputs xiSK, a private key of a data owner at time slice i ∈ {1, 2., t }A,i
Step 4, re-encrypting the key to generate ReKeyGen: data owner A utilizes its own private key SKA,iAnd public key PK of data user BBGenerating a corresponding re-encryption key within time slice iFor re-encrypting the encrypted data to be shared; the method specifically comprises the following steps: inputting public key of data user BData user A computes within a time slice i ∈ {1, 2.., t }And then uses the private key SK of the data owner AA,iComputingFinally, the data owner willSending the encrypted key to the cloud server as a re-encryption key;
step 5, data encryption Enc: data owner A utilizes its public key PK in time slice iAEncrypting data to be shared and uploading the data to a cloud server; the method specifically comprises the following steps:
public key PK of input data owner AARandom selection ofCalculating to obtain original cipher text C ═ C1,C2) WhereinC2=e(g,g)rM, and sending C to the cloud server;
step 6, data re-encryption ReEnc: cloud server utilizes generated re-encryption keyRe-encrypting the encrypted data uploaded by the user, and converting the original ciphertext C into a new ciphertext C' which can be decrypted by the data user B; the method specifically comprises the following steps:
using re-encryption keysRe-encrypting the ciphertext C, and calculatingObtaining a re-encrypted ciphertext C ═ C'1,C2) And sending the re-encrypted ciphertext to a data user B;
step 7, data decryption Dec: data owner A utilizes its own private key SKA,iThe original ciphertext C is decrypted to obtain the plaintext M, and the data user B decrypts the re-encrypted new ciphertext C' by using the private key thereof to obtain the ciphertext MObtaining a plaintext M; the method specifically comprises the following steps:
for the original ciphertext C, the data owner A may utilize xiBy calculation ofObtaining a corresponding plaintext M; for the re-encrypted ciphertext C', data consumer B performs Dec using yiComputingA plaintext is obtained.
CN201610497226.6A 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method Expired - Fee Related CN105978689B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610497226.6A CN105978689B (en) 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610497226.6A CN105978689B (en) 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method

Publications (2)

Publication Number Publication Date
CN105978689A CN105978689A (en) 2016-09-28
CN105978689B true CN105978689B (en) 2019-12-24

Family

ID=57020492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610497226.6A Expired - Fee Related CN105978689B (en) 2016-06-28 2016-06-28 Secret key leakage resistant cloud data secure sharing method

Country Status (1)

Country Link
CN (1) CN105978689B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483883B (en) * 2017-07-19 2019-12-20 中标慧安信息技术股份有限公司 Intelligent data interaction method and device
CN108847928B (en) * 2018-04-26 2021-04-06 如般量子科技有限公司 Communication system and communication method for realizing information encryption and decryption transmission based on group type quantum key card
CN109660332A (en) * 2019-01-21 2019-04-19 电子科技大学 A kind of parallel Key-insulated label decryption method based on no certificate
CN112152779B (en) * 2020-09-29 2022-05-06 黑龙江大学 Lattice-based homomorphic proxy re-encryption method for resisting strong collusion attack
CN113360886B (en) * 2021-04-23 2023-02-28 山东英信计算机技术有限公司 Method, device and equipment for sharing encrypted data and readable medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414557A (en) * 2013-08-29 2013-11-27 青岛大学 Novel secret key separated signing method and system
CN103647642A (en) * 2013-11-15 2014-03-19 河海大学 Certificate-based agent heavy encryption method and system
CN104980477A (en) * 2014-04-14 2015-10-14 航天信息股份有限公司 Data access control method and system in cloud storage environment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414557A (en) * 2013-08-29 2013-11-27 青岛大学 Novel secret key separated signing method and system
CN103647642A (en) * 2013-11-15 2014-03-19 河海大学 Certificate-based agent heavy encryption method and system
CN104980477A (en) * 2014-04-14 2015-10-14 航天信息股份有限公司 Data access control method and system in cloud storage environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
可代理的基于身份的密钥隔离技术研究;吴韬;《中国优秀硕士学位论文全文数据库 信息科技辑》;20101115;第I136-154页 *
密钥隔离密码系统研究现状;秦志光 等;《计算机学报》;20150430;第759-774页 *

Also Published As

Publication number Publication date
CN105978689A (en) 2016-09-28

Similar Documents

Publication Publication Date Title
US9426131B2 (en) Server apparatus and program to re-encrypt ciphertext data
CN105978689B (en) Secret key leakage resistant cloud data secure sharing method
CN106533650B (en) Interactive method for secret protection and system towards cloud
JP5851558B2 (en) RE-ENCRYPTION KEY GENERATION DEVICE, RE-ENCRYPTION DEVICE, AND PROGRAM
CN106375346B (en) Data guard method based on condition broadcast agent re-encryption under a kind of cloud environment
CN108632030B (en) CP-ABE-based fine-grained access control method
JP5361920B2 (en) File server system
WO2014007310A1 (en) Secret sharing system, data distribution device, distributed data conversion device, secret sharing method, and program
JP6313074B2 (en) Data management device, system, data sharing device, and program
JP6194886B2 (en) Encryption statistical processing system, decryption system, key generation device, proxy device, encrypted statistical data generation device, encryption statistical processing method, and encryption statistical processing program
CN104158880B (en) User-end cloud data sharing solution
CN105933345B (en) It is a kind of that outsourcing attribute base encryption method can verify that based on linear privacy sharing
JPWO2019130528A1 (en) Conversion key generation device, ciphertext conversion device, secret information processing system, conversion key generation method, conversion key generation program, ciphertext conversion method, and ciphertext conversion program
WO2020143131A1 (en) Revocable cloud data security sharing method
JP2016158189A (en) Change direction with key control system and change direction with key control method
CN103607278A (en) Safe data cloud storage method
CN113411323B (en) Medical record data access control system and method based on attribute encryption
CN113132345B (en) Agent privacy set intersection method with searchable function
JP6266130B2 (en) Cryptographic system, master key update device, and master key update program
JP5469618B2 (en) Encryption system, decryption method, key update method, key generation device, reception device, proxy calculation device, program
CN114531293B (en) Cross-trust-domain based identity agent re-encryption method
CN111431711B (en) Lightweight CPABE method for fixing key length
CN113792315A (en) Cloud data access control method and system supporting block-level encryption and de-duplication
CN113609502A (en) Space crowdsourcing system and method based on block chain
KR20110118273A (en) Method for encrypting and decrypting stream and cryptographic file systems thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20191224

Termination date: 20200628

CF01 Termination of patent right due to non-payment of annual fee