CN106131224A - A kind of data transmission system - Google Patents


Info

Publication number
CN106131224A
Authority
CN
China
Prior art keywords
data
key
module
attribute
cloud storage
Prior art date
Legal status
Pending
Application number
CN201610772039.4A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN201610772039.4A
Publication of CN106131224A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G PHYSICS
    • G08 SIGNALLING
    • G08C TRANSMISSION SYSTEMS FOR MEASURED VALUES, CONTROL OR SIMILAR SIGNALS
    • G08C17/00 Arrangements for transmitting signals characterised by the use of a wireless electrical link
    • G08C17/02 Arrangements for transmitting signals characterised by the use of a wireless electrical link using a radio link
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02 Services making use of location information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data transmission system comprising field detection equipment, a cloud storage system and a field detection mobile terminal. The cloud storage system is connected to the Internet and stores the detection data and the geographical location information of the field detection mobile terminal. The field detection mobile terminal comprises a data acquisition module, a GPS positioning module and a wireless communication module. The data acquisition module collects the detection data of the field detection equipment and is connected to the GPS positioning module and the wireless communication module; the wireless communication module connects to the Internet through the mobile cellular network. The invention helps field workers collect sufficient data in a single trip without travelling back and forth to the work site, which facilitates the smooth progress of field work, shortens the field work cycle, reduces field work costs and reduces the labour intensity of the workers.

Description

A kind of data transmission system
Technical field
The present invention relates to the technical field of data transmission, and in particular to a data transmission system.
Background art
When conducting field operations such as geological surveys and inspections, workers often need to use various field detection equipment to collect data or to take large numbers of photographs, so field workers generally have to carry a large-capacity mobile storage device to store the collected data and photographs. Because the capacity of a mobile storage device is limited, when the volume of data is large and the work site is far away, the device often cannot hold all of the data to be collected. Field workers then cannot gather enough data in one trip and must travel back and forth to the work site, which disrupts the field work, extends the work cycle, increases operating costs and increases the workers' labour intensity. In addition, large-capacity mobile storage devices are expensive.
Summary of the invention
To solve the above problems, the present invention aims to provide a data transmission system.
The purpose of the present invention is achieved by the following technical solution:
A data transmission system is provided, comprising field detection equipment, a cloud storage system and a field detection mobile terminal. The cloud storage system is connected to the Internet and stores the detection data and the geographical location information of the field detection mobile terminal. The field detection mobile terminal comprises a data acquisition module, a GPS positioning module and a wireless communication module. The data acquisition module collects the detection data of the field detection equipment and is connected to the GPS positioning module and the wireless communication module; the wireless communication module connects to the Internet through the mobile cellular network.
The beneficial effects of the invention are as follows: the field detection mobile terminal can connect to the cloud storage system through the mobile cellular network and the Internet, so the detection data of the field detection equipment and the geographical position of the work site can be uploaded to the cloud storage system in real time. This helps field workers collect sufficient data in a single trip without travelling back and forth to the work site, facilitates the smooth progress of field work, shortens the field work cycle, reduces field work costs and the labour intensity of the workers, and the cloud storage system can store a large amount of detection data, thereby solving the technical problem described above.
Description of the drawings
The invention is further described with reference to the accompanying drawings, but the embodiments in the drawings do not limit the invention in any way; a person of ordinary skill in the art can derive other drawings from those below without creative effort.
Fig. 1 is a schematic diagram of the structural connections of the present invention.
Fig. 2 is a schematic diagram of the structure of the data security management system of the present invention.
Reference numerals:
cloud storage system 1, field detection mobile terminal 2, field detection equipment 3, data security management system 4, data acquisition module 21, GPS positioning module 22, wireless communication module 23, USB connector 24, serial communication connector 25, expansion connector 26, data service system 40, data preprocessing system 41, cloud storage encryption and decryption system 42, control system 43, security management center 44.
Detailed description of the embodiments
The invention is further described with the following examples.
Application scenario 1
Referring to Fig. 1 and Fig. 2, the data transmission system of one embodiment of this application scenario comprises field detection equipment 3, a cloud storage system 1 and a field detection mobile terminal 2. The cloud storage system 1 is connected to the Internet and stores the detection data and the geographical location information of the field detection mobile terminal. The field detection mobile terminal 2 comprises a data acquisition module 21, a GPS positioning module 22 and a wireless communication module 23. The data acquisition module 21 collects the detection data of the field detection equipment 3 and is connected to the GPS positioning module 22 and the wireless communication module 23; the wireless communication module 23 connects to the Internet through the mobile cellular network.
Preferably, the wireless communication module 23 is a GPRS module.
The field detection mobile terminal 2 provided in the above embodiment can connect to the cloud storage system 1 through the mobile cellular network and the Internet, so the detection data of the field detection equipment 3 and the geographical position of the work site can be uploaded to the cloud storage system 1 in real time. This helps field workers collect sufficient data in a single trip without travelling back and forth to the work site, facilitates the smooth progress of field work, shortens the field work cycle, reduces field work costs and the labour intensity of the workers, and the cloud storage system 1 can store a large amount of detection data, thereby solving the technical problem described above.
Preferably, the field detection mobile terminal 2 also comprises a USB connector 24, a serial communication connector 25 and an expansion connector 26, and the data acquisition module 21 is provided with a USB communication unit connected to the USB connector 24, a serial communication unit connected to the serial communication connector 25, and an FPGA module connected to the expansion connector 26.
This preferred embodiment provides the USB connector 24, the serial communication connector 25 and the expansion connector 26 so that the terminal can match the interfaces of the field detection equipment 3.
Preferably, the data transmission system also comprises a data security management system 4 for managing the detection data in the cloud storage system 1. The data security management system 4 comprises a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for the storage, backup and querying of data; the data preprocessing system 41 preprocesses the data that must be kept confidential; the cloud storage encryption and decryption system 42 encrypts or decrypts the confidential data according to the optimized access control security policy; the control system 43 stores the data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each subsystem.
This preferred embodiment constructs the system structure of the data security management system 4.
Preferably, the storage, backup and querying of data comprises:
(1) converting the data format and establishing a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and expert data and storing it with a strategy that combines centralized and distributed storage, all data being backed up during storage; the combined strategy comprises: basic data accessed more often than a preset frequency is stored centrally and maintained uniformly by the data control center, while expert data accessed less often than the preset frequency is stored in a distributed manner and maintained separately at each expert data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data; the retrieval algorithm combines directory retrieval with a search engine and specifically comprises: establishing a data directory and performing a preliminary retrieval of the data according to the directory; entering keywords in the search engine for precise retrieval; the search engine finds the matching data in a certain manner and ranks it by the degree of match between the data and the keywords before returning it to the user.
This preferred embodiment uses a retrieval algorithm that combines directory retrieval with a search engine, so that data can be obtained quickly and accurately.
Preferably, the unified monitoring and management of the security of each subsystem comprises:
(1) adopting the corresponding security protection technology for the different security protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and equipping the relevant security protection devices to form a complete security protection system;
(2) establishing an effective data security mechanism that comprehensively considers security during data storage, transmission and access, encrypting not only the data but also the data transmission protocol;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6 to 10 days, and analysing any detected abnormal data and issuing an early warning.
This preferred embodiment achieves unified monitoring and management of the security of each subsystem.
Preferably, the data preprocessing system 41 comprises a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the confidential data into multiple mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a user-defined ordering rule, extracts the first data unit of each data set in turn, and saves the extracted units together with the ordering rule as a small data block; mutual exclusion here means that no two data units in a data set have any association with each other. The access control security policy optimization unit generates the access control security policy of the system using a policy optimization method based on fine-grained resource division, comprising:
(1) building a hierarchical data tree structure based on the mutually exclusive data sets produced by the data extraction unit; the hierarchical data tree has three layers, a service layer, a logical layer and a physical layer, where the service layer is the root node associated with the data scheduling service, the logical layer is the data associated in the access control security policy, and the physical layer contains the data units of all the mutually exclusive data sets;
(2) formulating an access control security policy for data of different security levels based on the eXtensible Access Control Markup Language (XACML), and projecting the rules in the policy that are associated with data onto the data units of the mutually exclusive data sets, thereby refining the rules of the access control security policy to the data dimension;
(3) optimizing the rules on each data unit of each mutually exclusive data set, deleting conflicts and redundancy among the rules assigned to each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
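As an added illustration (not code from the patent), the following Python models steps (2) to (4) on constructed data: rules stated per security level are projected onto the data units of the mutually exclusive sets, redundant and conflicting rules on each unit are removed, and the per-unit rule sets are merged back into a compact policy. The XACML policy is modelled as plain dictionaries rather than parsed from XML, and the deny-overrides conflict resolution, the subject roles and the sample data units are assumptions.

```python
from collections import defaultdict

# Constructed sample: data units of the mutually exclusive sets (the physical
# layer of the tree), each tagged with the security level it belongs to.
DATA_UNITS = {
    "set0": [("u00", "public"), ("u01", "secret")],
    "set1": [("u10", "secret"), ("u11", "public")],
}

# Constructed sample policy: each entry stands in for one XACML rule and targets
# a security level. The second rule duplicates the first (redundancy) and the
# third and fourth disagree on the same subject/action (conflict).
POLICY_RULES = [
    {"target_level": "public", "subject": "surveyor", "action": "read", "effect": "Permit"},
    {"target_level": "public", "subject": "surveyor", "action": "read", "effect": "Permit"},
    {"target_level": "secret", "subject": "surveyor", "action": "read", "effect": "Permit"},
    {"target_level": "secret", "subject": "surveyor", "action": "read", "effect": "Deny"},
    {"target_level": "secret", "subject": "admin", "action": "write", "effect": "Permit"},
]


def project_rules(data_units, policy_rules):
    """Step (2): attach to every data unit the rules whose target matches its level."""
    per_unit = {}
    for units in data_units.values():
        for unit_id, level in units:
            per_unit[unit_id] = [r for r in policy_rules if r["target_level"] == level]
    return per_unit


def optimize_unit_rules(rules):
    """Step (3): collapse duplicate rules and resolve conflicts on one data unit.
    Conflict resolution is deny-overrides (an assumption, not stated in the patent)."""
    decisions = {}
    for r in rules:
        key = (r["subject"], r["action"])
        if key not in decisions or r["effect"] == "Deny":
            decisions[key] = r["effect"]
    return {k: decisions[k] for k in sorted(decisions)}


def merge_rules(per_unit_rules):
    """Step (4): units that ended up with identical rule sets share one policy entry."""
    merged = defaultdict(list)
    for unit_id, rules in per_unit_rules.items():
        signature = tuple(sorted(rules.items()))
        merged[signature].append(unit_id)
    return [{"units": sorted(units), "rules": dict(sig)} for sig, units in merged.items()]


def build_optimized_policy(data_units=DATA_UNITS, policy_rules=POLICY_RULES):
    projected = project_rules(data_units, policy_rules)
    optimized = {u: optimize_unit_rules(rs) for u, rs in projected.items()}
    return merge_rules(optimized)


def decide(policy, unit_id, subject, action):
    """Evaluate the optimized policy for one request; no matching rule means Deny."""
    for entry in policy:
        if unit_id in entry["units"]:
            return entry["rules"].get((subject, action), "Deny")
    return "Deny"
```

With the sample above the five input rules collapse to three rules shared by two groups of units, and the surveyor's read on the secret units resolves to Deny.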
Preferably, storing the data to the corresponding storage device comprises:
(1) storing the small data block in local storage, encrypted with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage module; after the cloud storage module receives the data, it performs an integrity check on the data before saving it to a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41, which first performs data partitioning and data extraction on the confidential data and then refines the rules of the access control security policy. This reduces the physical storage space and the storage cost, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data removed by the extraction step is stored locally, and the remaining data is stored in the cloud storage module after the corresponding access control security policy is set. This addresses the large overhead and cumbersome handling of operational data in traditional cloud storage privacy mechanisms based on simple encryption, can effectively prevent malicious users or cloud storage administrators from illegally stealing or tampering with the user's private data, and improves the security of the confidential data storage.
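The partition, extraction and split-storage procedure described above, as an added Python example that is not part of the patent: the confidential records are split into mutually exclusive sets, the first unit of each sorted set goes into the small data block kept locally with the ordering rule, the remainder is sent to a simulated cloud module that checks a SHA-256 digest before storing, and a reader holding both parts rebuilds the sets. The round-robin partitioning, the JSON representation, the digest transport and the sample records are assumptions; the encryption of the two parts is left out here.

```python
import hashlib
import json

# Constructed sample: detection records standing in for the confidential data.
RECORDS = [
    {"id": 7, "lat": 30.11, "lon": 120.21, "value": 0.84},
    {"id": 3, "lat": 30.12, "lon": 120.22, "value": 0.91},
    {"id": 9, "lat": 30.13, "lon": 120.23, "value": 0.77},
    {"id": 1, "lat": 30.14, "lon": 120.24, "value": 0.69},
    {"id": 5, "lat": 30.15, "lon": 120.25, "value": 0.73},
]

# User-defined ordering rule (assumed form): sort each set by "id", descending.
ORDERING_RULE = {"key": "id", "descending": True}


def partition(records, n_sets):
    """Data partitioning unit: deal records round-robin into n mutually exclusive sets."""
    sets = [[] for _ in range(n_sets)]
    for i, rec in enumerate(records):
        sets[i % n_sets].append(rec)
    return sets


def extract(sets, rule):
    """Data extraction unit: sort each set by the rule, pull out its first unit, and keep
    the extracted units together with the rule as the small data block."""
    small_block = {"rule": rule, "units": []}
    remaining = []
    for s in sets:
        ordered = sorted(s, key=lambda r: r[rule["key"]], reverse=rule["descending"])
        small_block["units"].append(ordered[0])
        remaining.append(ordered[1:])
    return small_block, remaining


def serialize(obj):
    return json.dumps(obj, sort_keys=True).encode()


def cloud_receive(payload, digest, store):
    """Cloud storage module: verify the integrity digest before saving to a storage node."""
    if hashlib.sha256(payload).hexdigest() != digest:
        return False
    store.append(payload)
    return True


def reassemble(small_block, remaining):
    """A reader holding the local small block and the cloud data rebuilds the full sets;
    without the small block, each set's first unit and the ordering are missing."""
    return [[head] + tail for head, tail in zip(small_block["units"], remaining)]


def run_pipeline(records=RECORDS, n_sets=2):
    sets = partition(records, n_sets)
    small_block, remaining = extract(sets, ORDERING_RULE)
    payload = serialize(remaining)
    digest = hashlib.sha256(payload).hexdigest()
    store = []
    accepted = cloud_receive(payload, digest, store)
    # A payload altered in transit no longer matches the digest and is not stored.
    tampered = cloud_receive(payload + b" ", digest, store)
    rebuilt = reassemble(small_block, json.loads(store[0]))
    return {
        "accepted": accepted,
        "tampered_rejected": not tampered,
        "small_block": small_block,
        "rebuilt": rebuilt,
        "stored_count": len(store),
    }
```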
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential data comprises:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, comprising:
A. initialization: the trusted third party initializes the system parameter, where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$$
At the same time, the authentication parameter of the legitimate user is published, where $C_{UAID} \in Z_p$;
C. generating an identity key pair for the data owner and each legitimate user;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$$GK_{UAID} = \hat{e}(g, g)^{\alpha_{AID}}$$
$$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$$
$$CK_{UAID} = (\alpha_{AID}, \beta_{AID})$$
$$CK_{AID} = \left(K_0 = g^{\alpha_{AID}} g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute $x$, $B_x$ is the version number of attribute $x$, $\alpha_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes assigned by the attribute authority according to the user's identity, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \alpha_{AID}, \beta_{AID} \in Z_p$.
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage module with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively to generate the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, comprising:
A. randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
$$DK = IK \,\|\, AK$$
B. encrypting the data to be stored in the cloud storage module with the data key DK to obtain the ciphertext CT; then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of data while resisting collusion between users and attribute authorities. For the confidential data it constructs an identity-based encryption and decryption key and an attribute encryption and decryption key separately and combines them into the data encryption key, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
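The split data key of steps (3) and (5), as an added Python example that is not the patent's code: DK = IK || AK encrypts the record, IK is wrapped under the identity key and AK under the attribute key, and decryption succeeds only when both halves are recovered. Because the standard library has no AES or pairing primitives, a hash-based counter keystream with an HMAC tag stands in for the data cipher, and symmetric wrapping keys stand in for the pairing-based identity and attribute keys; those substitutions and the sample record are assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 16     # length of IK and AK; DK = IK || AK is 32 bytes
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key, nonce, length):
    """SHA-256 counter keystream: a stand-in for a real cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag over nonce, aad, ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag before decrypting; a wrong key or altered ciphertext raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def generate_data_key():
    """Step (3)A: two random fixed-length strings IK and AK, concatenated into DK."""
    ik, ak = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    return ik, ak, ik + ak


def encrypt_for_cloud(data, identity_key, attribute_key):
    """Step (3)B: CT = Enc_DK(data); CT_U wraps IK under the identity key and
    CT_A wraps AK under the attribute key (symmetric stand-ins for the pairing keys)."""
    ik, ak, dk = generate_data_key()
    return {
        "CT": seal(dk, data),
        "CT_U": seal(identity_key, ik, aad=b"IK"),
        "CT_A": seal(attribute_key, ak, aad=b"AK"),
    }


def decrypt_from_cloud(bundle, identity_key, attribute_key):
    """Step (5): recover IK and AK separately, rebuild DK = IK || AK, then open CT."""
    ik = unseal(identity_key, bundle["CT_U"], aad=b"IK")
    ak = unseal(attribute_key, bundle["CT_A"], aad=b"AK")
    return unseal(ik + ak, bundle["CT"])


def can_decrypt(bundle, identity_key, attribute_key):
    """True only when both halves of the data key can be recovered."""
    try:
        decrypt_from_cloud(bundle, identity_key, attribute_key)
        return True
    except ValueError:
        return False


def half_key_attempt(bundle, identity_key):
    """An identity-key holder recovers IK but has no AK; DK guessed as IK || zeros fails."""
    ik = unseal(identity_key, bundle["CT_U"], aad=b"IK")
    try:
        unseal(ik + b"\x00" * KEY_LEN, bundle["CT"])
        return True
    except ValueError:
        return False


def demo():
    """Constructed keys: both keys decrypt; a wrong attribute key or only IK does not."""
    identity_key, attribute_key, other_attribute_key = (os.urandom(32) for _ in range(3))
    bundle = encrypt_for_cloud(b"site 17: soil moisture 0.84", identity_key, attribute_key)
    return {
        "both": can_decrypt(bundle, identity_key, attribute_key),
        "wrong_attribute": can_decrypt(bundle, identity_key, other_attribute_key),
        "half_key": half_key_attempt(bundle, identity_key),
        "plaintext": decrypt_from_cloud(bundle, identity_key, attribute_key),
    }
```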
In this application scenario, the update cycle T is 6 days and the security of the system is relatively improved by 12%.
Application scenarios 2
See Fig. 1, Fig. 2, the data transmission system of an embodiment of this application scene, detects equipment 3, cloud including field Storage system 1 and field detection mobile terminal 2;Described cloud storage system 1 accesses the Internet, is used for storing field detection mobile eventually The detection data of end and geographical location information;Described field detection mobile terminal 2 includes that data acquisition module 21, GPS position mould Block 22, wireless communication module 23;Described data acquisition module 21 is for gathering the detection data of field detection equipment 3, data acquisition Collection module 21 connects GPS locating module and wireless communication module 23, and described wireless communication module 23 connects mutually through mobile phone Cellular Networks Networking.
Preferably, described wireless communication module 23 is GPRS module.
The field detection mobile terminal 2 that the above embodiment of the present invention is arranged can be connected to by mobile phone Cellular Networks, the Internet Cloud storage system 1, utilizes field detection mobile terminal 2 that field can be detected detection data and the setting geographical position of equipment 3 It is uploaded to cloud storage system 1 in real time, contributes to field work personnel and disposably gather enough data, it is not necessary to repeatedly come and go operation Being smoothed out of point, beneficially field work, can shorten the duty cycle of field work, reduces field work cost, reduces and makees The labor intensity of industry personnel, and cloud storage system 1 can store substantial amounts of detection data, thus solve above-mentioned technology and ask Topic.
Preferably, detection mobile terminal 2 in described field also includes USB connector 24, serial communication connector 25, extension even Fitting 26, described data acquisition module 21 be provided with the usb communication unit for connecting USB connector 24, for serial communication Serial communication unit that connector 25 connects, for and the extension FPGA module that is connected of connector 26.
This preferred embodiment arranges USB connector 24, serial communication connector 25, extension connector 26, it is simple to field The interface of detection equipment 3 matches.
Preferably, described data transmission system also includes the data peace for managing the detection data in cloud storage system 1 Full management system 4;Described data safety management system 4 includes that data service system 40, data pretreatment 41, cloud storage add Decryption system 42, control system 43 and security management center 44;Described data service system 40 is for being responsible for the storage of data, standby Part and inquiry;Described data pretreatment 41 is for carrying out pretreatment by the data that need to maintain secrecy;Described cloud storage encryption and decryption system System 42 is for being encrypted according to the access control safety strategy optimized the data that need to maintain secrecy or decipher;Described control system 43 For data are stored to corresponding storage device;Described security management center 44 is for carrying out unified monitoring to each security of system Management.
This preferred embodiment constructs the system structure of data safety management system 4.
Preferably, the storage of described responsible data, back up and inquire about, including:
(1) data form is changed, set up and be applicable to the form that non-relational database carries out storing;
(2) split data into basic data and expert data, use the strategy of centralized and distributed combination that data are entered Row storage, during storage, all data all back up;The strategy of described centralized and distributed combination includes: for higher than presetting The basic data of frequency uses centralised storage, is safeguarded, for the professional number less than predeterminated frequency by control data corporation is unified According to using distributed storage, safeguard respectively at each expert data center;
(3) setting up corresponding data retrievad algorithm, data carry out quick-searching, described data retrievad algorithm uses catalogue The mode that retrieval and search engine combine is carried out, and specifically includes: set up data directory, tentatively examines data according to catalogue Rope;Input key word at search engine, data are carried out precise search;Search engine finds the number of coupling according to certain mode According to, and be ranked up feeding back to user according to the matching degree of data Yu key word.
This preferred embodiment uses the searching algorithm that catalogue retrieval and search engine combine, it is possible to obtain fast and accurately Data.
Preferably, described each security of system is carried out unified monitoring management, including:
(1) for data service system 40, data pretreatment 41, cloud storage encrypting and deciphering system 42, control system 43 Different security protections requires to take the safety protection technique of correspondence, is equipped with relevant safety protection equipment, forms complete peace Full protection system;
(2) set up effective Data Security, the safety in data storage, transmission, access process is comprehensively examined Consider, not only data are encrypted, the host-host protocol of data are encrypted simultaneously;
(3) setting up virus and wooden horse defense mechanism, regular update virus base and upgrading fire wall, the update cycle is that T, T take The abnormal data detected, for 6-10 days, will be analyzed, and send early warning by value.
This preferred embodiment implements unified monitoring and management of every security aspect of the system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the data to be kept secret into multiple mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a user-defined ordering rule, extracts the first data cell of each data set in turn, and saves the extracted cells, together with the ordering rule, as small block data; "mutually exclusive" means that no two data cells in the data sets are associated with each other. The access control security policy optimization unit generates the system's access control security policy by an access control security policy optimization method based on fine-grained resource division, which includes:
(1) building a hierarchical data tree from the mutually exclusive data sets processed by the data extraction unit. The hierarchical data tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node associated with the data dispatch service; the logical layer holds the data referenced in the access control security policy; the physical layer contains the data cells of all the mutually exclusive data sets;
(2) formulating an access control security policy for data of different security levels in the eXtensible Access Control Markup Language (XACML), and projecting each rule of the policy onto the data cells of the mutually exclusive data sets with which it is associated, so that the rules of the policy are refined down to the data dimension;
(3) optimizing the rules on the data cells of each mutually exclusive data set, deleting conflicts and redundancy among the rules assigned to each data cell;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small block data in local storage, encrypted with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage module; after the cloud storage module receives the data, it runs an integrity check on the data before saving it to a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41: the data to be kept secret first undergoes data partitioning and data extraction, and then the rules in the access control security policy are refined. This reduces the physical storage space and the storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by data extraction is stored locally, while the remaining data is stored in the cloud storage module after the corresponding access control security policy has been set up. This avoids the large overhead and complexity that traditional cloud storage data privacy mechanisms based on simple encryption incur when actually processing and operating on data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of the storage of data that must be kept secret.
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data to be kept secret includes:
(1) the trusted third party assigning a user identity UAID to each user and an attribute authority identity AID to each attribute authority, which includes:
A. initialization: the trusted third party initializes the system parameters, where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time, the authentication parameter of the legitimate user is published, where $C_{UAID} \in \mathbb{Z}_p$;
C. generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key. The identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set assigned according to the identity of the attribute authority, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage module with a data key, obtaining the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, which includes:
A. randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
$DK = IK \,\|\, AK$
B. encrypting the data to be stored in the cloud storage module with the data key DK to obtain the ciphertext CT; then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the data key, and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and attribute authorities. For the data to be kept secret, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt it, which greatly improves the security of the data security management system 4.
In this application scenario, the update period T is taken as 7, and the security of the system improves by 11% relatively.
Application scenario 3
Referring to Fig. 1 and Fig. 2, the data transmission system of an embodiment of this application scenario includes field detection equipment 3, a cloud storage system 1 and a field detection mobile terminal 2. The cloud storage system 1 is connected to the Internet and stores the detection data and geographical location information of the field detection mobile terminal. The field detection mobile terminal 2 includes a data acquisition module 21, a GPS positioning module 22 and a wireless communication module 23. The data acquisition module 21 collects the detection data of the field detection equipment 3 and is connected to the GPS positioning module 22 and the wireless communication module 23; the wireless communication module 23 connects to the Internet over the mobile phone cellular network.
Preferably, the wireless communication module 23 is a GPRS module.
The field detection mobile terminal 2 provided by the above embodiment of the invention can connect to the cloud storage system 1 over the mobile phone cellular network and the Internet, so that the detection data of the field detection equipment 3 and its geographical position can be uploaded to the cloud storage system 1 in real time. This helps field personnel collect enough data in a single visit without repeatedly travelling to the work site, facilitates the smooth progress of field work, shortens the field work cycle, reduces field work costs and the labour intensity of the personnel, and the cloud storage system 1 can store a large amount of detection data, thereby solving the technical problem stated above.
Preferably, the field detection mobile terminal 2 further includes a USB connector 24, a serial communication connector 25 and an extension connector 26, and the data acquisition module 21 is provided with a USB communication unit connected to the USB connector 24, a serial communication unit connected to the serial communication connector 25, and an FPGA module connected to the extension connector 26.
This preferred embodiment provides the USB connector 24, the serial communication connector 25 and the extension connector 26 so that the terminal can match the interface of the field detection equipment 3.
Preferably, the data transmission system further includes a data security management system 4 for managing the detection data in the cloud storage system 1. The data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for the storage, backup and query of data; the data preprocessing system 41 preprocesses the data to be kept secret; the cloud storage encryption and decryption system 42 encrypts or decrypts the data to be kept secret according to the optimized access control security policy; the control system 43 stores data to the corresponding storage device; the security management center 44 carries out unified monitoring and management of every security aspect of the system.
This preferred embodiment constructs the system structure of the data security management system 4.
Preferably, the storage, backup and query of data include:
(1) converting the data format to one suitable for storage in a non-relational database;
(2) dividing the data into basic data and expert data and storing it with a strategy that combines centralized and distributed storage, backing up all data during storage. The combined strategy is: basic data accessed more often than a preset frequency is stored centrally and maintained by a unified data control center, while expert data accessed less often than the preset frequency is stored in a distributed manner and maintained separately at each expert data center;
(3) establishing a data retrieval algorithm for fast retrieval of the data. The retrieval algorithm combines directory retrieval with a search engine: a data directory is established and the data is first searched by directory; keywords are then entered into the search engine for a precise search; the search engine finds matching data in a fixed manner, ranks it by the degree of match between the data and the keywords, and returns it to the user.
This preferred embodiment uses a search algorithm combining directory retrieval and a search engine, so that data can be obtained quickly and accurately.
Preferably, the unified monitoring and management of every security aspect of the system includes:
(1) adopting the corresponding security protection techniques and the relevant security protection equipment for the different security protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, forming a complete security protection system;
(2) establishing an effective data security mechanism that considers security comprehensively during data storage, transmission and access: not only is the data encrypted, but the data transfer protocol is also encrypted;
(3) establishing a virus and trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update period T, where T is 6 to 10 days; abnormal data that is detected is analysed and an early warning is issued.
This preferred embodiment implements unified monitoring and management of every security aspect of the system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the data to be kept secret into multiple mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a user-defined ordering rule, extracts the first data cell of each data set in turn, and saves the extracted cells, together with the ordering rule, as small block data; "mutually exclusive" means that no two data cells in the data sets are associated with each other. The access control security policy optimization unit generates the system's access control security policy by an access control security policy optimization method based on fine-grained resource division, which includes:
(1) building a hierarchical data tree from the mutually exclusive data sets processed by the data extraction unit. The hierarchical data tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node associated with the data dispatch service; the logical layer holds the data referenced in the access control security policy; the physical layer contains the data cells of all the mutually exclusive data sets;
(2) formulating an access control security policy for data of different security levels in the eXtensible Access Control Markup Language (XACML), and projecting each rule of the policy onto the data cells of the mutually exclusive data sets with which it is associated, so that the rules of the policy are refined down to the data dimension;
(3) optimizing the rules on the data cells of each mutually exclusive data set, deleting conflicts and redundancy among the rules assigned to each data cell;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small block data in local storage, encrypted with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage module; after the cloud storage module receives the data, it runs an integrity check on the data before saving it to a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41: the data to be kept secret first undergoes data partitioning and data extraction, and then the rules in the access control security policy are refined. This reduces the physical storage space and the storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by data extraction is stored locally, while the remaining data is stored in the cloud storage module after the corresponding access control security policy has been set up. This avoids the large overhead and complexity that traditional cloud storage data privacy mechanisms based on simple encryption incur when actually processing and operating on data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of the storage of data that must be kept secret.
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data to be kept secret includes:
(1) the trusted third party assigning a user identity UAID to each user and an attribute authority identity AID to each attribute authority, which includes:
A. initialization: the trusted third party initializes the system parameters, where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time, the authentication parameter of the legitimate user is published, where $C_{UAID} \in \mathbb{Z}_p$;
C. generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key. The identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set assigned according to the identity of the attribute authority, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage module with a data key, obtaining the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, which includes:
A. randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
$DK = IK \,\|\, AK$
B. encrypting the data to be stored in the cloud storage module with the data key DK to obtain the ciphertext CT; then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the data key, and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and attribute authorities. For the data to be kept secret, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt it, which greatly improves the security of the data security management system 4.
In this application scenario, the update period T is taken as 8, and the security of the system improves by 10% relatively.
Application scenario 4
Referring to Fig. 1 and Fig. 2, the data transmission system of an embodiment of this application scenario includes field detection equipment 3, a cloud storage system 1 and a field detection mobile terminal 2. The cloud storage system 1 is connected to the Internet and stores the detection data and geographical location information of the field detection mobile terminal. The field detection mobile terminal 2 includes a data acquisition module 21, a GPS positioning module 22 and a wireless communication module 23. The data acquisition module 21 collects the detection data of the field detection equipment 3 and is connected to the GPS positioning module 22 and the wireless communication module 23; the wireless communication module 23 connects to the Internet over the mobile phone cellular network.
Preferably, the wireless communication module 23 is a GPRS module.
The field detection mobile terminal 2 provided by the above embodiment of the invention can connect to the cloud storage system 1 over the mobile phone cellular network and the Internet, so that the detection data of the field detection equipment 3 and its geographical position can be uploaded to the cloud storage system 1 in real time. This helps field personnel collect enough data in a single visit without repeatedly travelling to the work site, facilitates the smooth progress of field work, shortens the field work cycle, reduces field work costs and the labour intensity of the personnel, and the cloud storage system 1 can store a large amount of detection data, thereby solving the technical problem stated above.
Preferably, the field detection mobile terminal 2 further includes a USB connector 24, a serial communication connector 25 and an extension connector 26, and the data acquisition module 21 is provided with a USB communication unit connected to the USB connector 24, a serial communication unit connected to the serial communication connector 25, and an FPGA module connected to the extension connector 26.
This preferred embodiment provides the USB connector 24, the serial communication connector 25 and the extension connector 26 so that the terminal can match the interface of the field detection equipment 3.
Preferably, the data transmission system further includes a data security management system 4 for managing the detection data in the cloud storage system 1. The data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for the storage, backup and query of data; the data preprocessing system 41 preprocesses the data to be kept secret; the cloud storage encryption and decryption system 42 encrypts or decrypts the data to be kept secret according to the optimized access control security policy; the control system 43 stores data to the corresponding storage device; the security management center 44 carries out unified monitoring and management of every security aspect of the system.
This preferred embodiment constructs the system structure of the data security management system 4.
Preferably, the storage, backup and query of data include:
(1) converting the data format to one suitable for storage in a non-relational database;
(2) dividing the data into basic data and expert data and storing it with a strategy that combines centralized and distributed storage, backing up all data during storage. The combined strategy is: basic data accessed more often than a preset frequency is stored centrally and maintained by a unified data control center, while expert data accessed less often than the preset frequency is stored in a distributed manner and maintained separately at each expert data center;
(3) establishing a data retrieval algorithm for fast retrieval of the data. The retrieval algorithm combines directory retrieval with a search engine: a data directory is established and the data is first searched by directory; keywords are then entered into the search engine for a precise search; the search engine finds matching data in a fixed manner, ranks it by the degree of match between the data and the keywords, and returns it to the user.
This preferred embodiment uses a search algorithm combining directory retrieval and a search engine, so that data can be obtained quickly and accurately.
Preferably, the unified monitoring and management of every security aspect of the system includes:
(1) adopting the corresponding security protection techniques and the relevant security protection equipment for the different security protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, forming a complete security protection system;
(2) establishing an effective data security mechanism that considers security comprehensively during data storage, transmission and access: not only is the data encrypted, but the data transfer protocol is also encrypted;
(3) establishing a virus and trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update period T, where T is 6 to 10 days; abnormal data that is detected is analysed and an early warning is issued.
This preferred embodiment implements unified monitoring and management of every security aspect of the system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the data to be kept secret into multiple mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a user-defined ordering rule, extracts the first data cell of each data set in turn, and saves the extracted cells, together with the ordering rule, as small block data; "mutually exclusive" means that no two data cells in the data sets are associated with each other. The access control security policy optimization unit generates the system's access control security policy by an access control security policy optimization method based on fine-grained resource division, which includes:
(1) building a hierarchical data tree from the mutually exclusive data sets processed by the data extraction unit. The hierarchical data tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node associated with the data dispatch service; the logical layer holds the data referenced in the access control security policy; the physical layer contains the data cells of all the mutually exclusive data sets;
(2) formulating an access control security policy for data of different security levels in the eXtensible Access Control Markup Language (XACML), and projecting each rule of the policy onto the data cells of the mutually exclusive data sets with which it is associated, so that the rules of the policy are refined down to the data dimension;
(3) optimizing the rules on the data cells of each mutually exclusive data set, deleting conflicts and redundancy among the rules assigned to each data cell;
(4) merging the optimized rules to generate the optimized access control security policy.
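The rule projection and optimization steps (2) to (4) above, as an added example that is not part of the patent: a small rule model (an assumption; real XACML policies are XML and far richer) is projected from data-set level onto the data cells of the physical layer, duplicates are dropped, conflicting Permit/Deny pairs on the same cell are resolved with an assumed deny-overrides combining rule, and the survivors are merged back into one policy.

```python
"""Added example (not from the patent): project access control rules onto the
data cells of mutually exclusive data sets, delete redundant and conflicting
rules per cell, and merge the result back into one policy.
The Rule record and the deny-overrides choice are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    subject: str   # role or user the rule applies to
    action: str    # e.g. "read" or "write"
    effect: str    # "Permit" or "Deny"
    target: str    # data set the rule was written against (logical layer)


# Physical layer: mutually exclusive data sets -> data cells (constructed sample)
DATA_SETS: Dict[str, List[str]] = {
    "survey": ["cell_s1", "cell_s2", "cell_s3"],
    "geo": ["cell_g1", "cell_g2"],
}

# Constructed sample policy written at data-set level
POLICY: List[Rule] = [
    Rule("r1", "analyst", "read", "Permit", "survey"),
    Rule("r2", "analyst", "read", "Permit", "survey"),   # redundant copy of r1
    Rule("r3", "analyst", "write", "Deny", "survey"),
    Rule("r4", "analyst", "write", "Permit", "survey"),  # conflicts with r3
    Rule("r5", "admin", "read", "Permit", "geo"),
]


def project_rules(policy: List[Rule], data_sets) -> Dict[str, List[Rule]]:
    """Step (2): refine each data-set-level rule down to the data cells."""
    per_cell: Dict[str, List[Rule]] = {
        cell: [] for cells in data_sets.values() for cell in cells
    }
    for rule in policy:
        for cell in data_sets.get(rule.target, []):
            per_cell[cell].append(rule)
    return per_cell


def optimize_cell(rules: List[Rule]) -> List[Rule]:
    """Step (3): drop redundancy (same subject/action/effect) and resolve
    conflicts (same subject/action, opposite effects). Deny-overrides is the
    assumed combining algorithm because it fails closed."""
    by_key: Dict[Tuple[str, str], Dict[str, Rule]] = {}
    for r in rules:
        effects = by_key.setdefault((r.subject, r.action), {})
        effects.setdefault(r.effect, r)   # first rule per effect wins; copies dropped
    kept: List[Rule] = []
    for effects in by_key.values():
        if len(effects) == 1:
            kept.append(next(iter(effects.values())))
        else:
            kept.append(effects["Deny"])  # Permit and Deny both present: conflict
    return kept


def merge_policy(per_cell: Dict[str, List[Rule]]) -> Dict[str, List[str]]:
    """Step (4): merge per-cell rule sets into one policy keyed by rule id,
    recording which cells each surviving rule now governs."""
    merged: Dict[str, List[str]] = {}
    for cell, rules in per_cell.items():
        for r in rules:
            merged.setdefault(r.rule_id, []).append(cell)
    return merged


def optimize_policy(policy=POLICY, data_sets=DATA_SETS) -> Dict[str, List[str]]:
    per_cell = project_rules(policy, data_sets)
    optimized = {cell: optimize_cell(rules) for cell, rules in per_cell.items()}
    return merge_policy(optimized)


def decide(policy_map, rule_index, subject, action, cell) -> str:
    """Evaluate the optimized policy for one request; no matching rule means Deny."""
    for rule_id, cells in policy_map.items():
        r = rule_index[rule_id]
        if cell in cells and r.subject == subject and r.action == action:
            return r.effect
    return "Deny"


if __name__ == "__main__":
    index = {r.rule_id: r for r in POLICY}
    merged = optimize_policy()
    print(merged)
    print(decide(merged, index, "analyst", "write", "cell_s1"))
```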
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small block data in local storage, encrypted with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage module; after the cloud storage module receives the data, it runs an integrity check on the data before saving it to a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41: the data to be kept secret first undergoes data partitioning and data extraction, and then the rules in the access control security policy are refined. This reduces the physical storage space and the storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by data extraction is stored locally, while the remaining data is stored in the cloud storage module after the corresponding access control security policy has been set up. This avoids the large overhead and complexity that traditional cloud storage data privacy mechanisms based on simple encryption incur when actually processing and operating on data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of the storage of data that must be kept secret.
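The partitioning, extraction and split storage described in the two embodiments above, as an added example that is not part of the patent: each mutually exclusive set is sorted by an assumed user-defined ordering rule, the head cell of each set plus the rule stays local as the small block, the remainder goes to the cloud with a SHA-256 integrity check before it is accepted, and the two halves are reassembled. The record layout and ordering rule are constructed; the encryption of both halves is left out so the placement logic stays visible.

```python
"""Added example (not from the patent): data partitioning unit + data extraction
unit + cloud completeness check + reassembly. Sample records and the ordering
rule are constructed for this example."""
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample: three mutually exclusive data sets of field readings
SECRET_DATA: Dict[str, List[dict]] = {
    "site_a": [{"ts": 3, "val": 1.5}, {"ts": 1, "val": 0.9}, {"ts": 2, "val": 1.2}],
    "site_b": [{"ts": 9, "val": 7.1}, {"ts": 8, "val": 6.8}],
    "site_c": [{"ts": 5, "val": 3.3}],
}

# Assumed self-defined ordering rule: ascending by timestamp
ORDERING_RULE = {"key": "ts", "descending": False}


def sort_set(cells: List[dict], rule: dict) -> List[dict]:
    return sorted(cells, key=lambda c: c[rule["key"]], reverse=rule["descending"])


def extract(data_sets: Dict[str, List[dict]], rule: dict) -> Tuple[dict, dict]:
    """Returns (small_block, remainder). The small block carries the first cell
    of every sorted set together with the ordering rule, so the cloud copy on
    its own is incomplete and cannot be put back in order."""
    small_block = {"rule": rule, "heads": {}}
    remainder: Dict[str, List[dict]] = {}
    for name, cells in data_sets.items():
        ordered = sort_set(cells, rule)
        small_block["heads"][name] = ordered[0]
        remainder[name] = ordered[1:]
    return small_block, remainder


def canonical(obj) -> bytes:
    """Deterministic serialisation so the digest is stable across encoders."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def cloud_receive(payload: bytes, expected_digest: str) -> Tuple[bool, dict]:
    """Cloud side: completeness check before saving to a storage node.
    Anything whose digest does not match is rejected, not stored."""
    if hashlib.sha256(payload).hexdigest() != expected_digest:
        return False, {}
    return True, json.loads(payload)


def reassemble(small_block: dict, remainder: dict) -> Dict[str, List[dict]]:
    """Local side: put each head back in front of the cloud remainder."""
    return {name: [small_block["heads"][name]] + rest for name, rest in remainder.items()}


def round_trip(data_sets=SECRET_DATA, rule=ORDERING_RULE, tamper: bool = False):
    """Full flow; returns the reassembled data, or None if the cloud rejected
    the upload. tamper=True simulates a modification in transit."""
    small_block, remainder = extract(data_sets, rule)
    payload = canonical(remainder)
    expected = digest(remainder)
    if tamper:
        payload = payload.replace(b"7.1", b"0.0", 1)  # same length, different content
    ok, stored = cloud_receive(payload, expected)
    if not ok:
        return None
    return reassemble(small_block, stored)


if __name__ == "__main__":
    print(round_trip())
    print(round_trip(tamper=True))
```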
Preferably, described cloud storage encrypting and deciphering system 42 is main by data owner, attribute mechanism, cloud, credible tripartite, use Five, family entity is constituted, and the described data to maintaining secrecy are encrypted or decipher, including:
(1) credible tripartite is respectively allocated User Identity UAID and attribute authority identity mark for user and attribute mechanism AID, including:
A, initializing, credible tripartite's initialization system parameter isWherein α is random integers;
B, for each validated user, credible tripartite distributes UAID and Generates Certificate for it:
C e r t i f i c a t e ( U A I D ) = E ^ ( H ( U A I D ) , g ) C U A I D
Meanwhile, the authentication parameter of validated user is announcedWherein, CUAID∈ZP
C, generate identity key pair for data owner and validated user;
(2) generate the encryption and decryption key of identity-based, attribute encryption and decryption key and act on behalf of re-encrypted private key, wherein said The encryption and decryption key of identity-based includes identity public key GKUAIDWith identity private key CKUAID, described attribute encryption and decryption key includes belonging to Property PKI GKAIDWith attribute private key CKAID:
GK U A I D = E ^ ( g , g ) ∝ A I D
GK A I D = { ∀ x ∈ AS A I D : GK x = H ( x ) B x β A I D }
CKUAID=(∝AIDAID)
CK A I D = ( K 0 = g ∝ A I D g α γ , K 1 = g α γ , ∀ x ∈ AS U A I D , A I D : K x = H ( x ) B x β A I D γ )
Wherein, ASAIDThe community set that can distribute for single attribute mechanism, GKxFor the PKI of attribute x, BxFor attribute x's Version number, ∝AIDFor the private key parameter of attribute mechanism, βAIDFor attribute undated parameter, ASUAID,AIDFor the identity according to attribute mechanism The community set of distribution, γ is the parameter that attribute mechanism randomly chooses, γ, ∝AIDAID∈ZP
(3) The cloud storage encryption/decryption system 42 encrypts the data to be stored in the cloud storage module with a data key, giving the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively, giving the identity-key ciphertext $CT_U$ and the attribute-key ciphertext $CT_A$:
A. Two fixed-length random strings IK and AK are generated and concatenated into the data key DK:
$$DK = IK \,\|\, AK$$
B. The data to be stored in the cloud storage module is encrypted with DK to obtain CT; AK is then encrypted with the attribute public key to obtain the attribute-key ciphertext $CT_A$, and IK is encrypted with the identity public key to obtain the identity-key ciphertext $CT_U$.
(4) Proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity-key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) Data decryption: after receiving the data, the user decrypts $CT_U$ with the identity private key $CK_{UAID}$ and $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the data key DK from IK and AK, and decrypts the ciphertext CT;
(6) The attribute keys and identity keys are updated.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and attribute authorities. For the data to be kept secret, an identity-based encryption/decryption key and an attribute-based encryption/decryption key are constructed separately and combined into the data encryption key, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario the update period T is taken as 9 days, and the security of the system is improved by a relative 9%.
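The split-key envelope of steps (3) and (5), as an added Go example that is not part of the patent's own text. The pairing-based identity and attribute keys of step (2) are not available in a standard library, so the example stands in for them with two 32-byte symmetric keys, idKey and attrKey (assumptions), and uses AES-256-GCM both for the data under DK = IK || AK and for wrapping IK under the identity key and AK under the attribute key; the proxy re-encryption of step (4) is not modelled. What the example shows beyond the text: a holder of only one of the two keys fails authentication at the unwrap of the missing half and never obtains a usable DK, and because the data encryption is authenticated, a modified CT is rejected instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is what the cloud storage module holds for one object: the data
// ciphertext CT and the two wrapped halves of the data key, CTU (IK under the
// identity key) and CTA (AK under the attribute key).
type Package struct {
	CT, CTU, CTA []byte
}

// halfLen is the length of IK and AK; DK = IK || AK is then a 32-byte AES-256 key.
const halfLen = 16

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-GCM with a fresh random nonce prepended to the output; label is
// bound as associated data so a wrapped IK cannot be passed off as a wrapped AK.
func seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// open reverses seal; a wrong key, wrong label or modified input fails the tag check.
func open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], label)
}

// Encrypt is step (3): random IK and AK, DK = IK || AK, data under DK, then IK
// wrapped under the identity key and AK under the attribute key. idKey and
// attrKey are 32-byte symmetric stand-ins (assumption) for the page's
// pairing-based identity public key and attribute public key.
func Encrypt(data, idKey, attrKey []byte) (*Package, error) {
	ik, ak := make([]byte, halfLen), make([]byte, halfLen)
	if _, err := rand.Read(ik); err != nil {
		return nil, err
	}
	if _, err := rand.Read(ak); err != nil {
		return nil, err
	}
	dk := append(append([]byte{}, ik...), ak...) // DK = IK || AK
	ct, err := seal(dk, data, []byte("CT"))
	if err != nil {
		return nil, err
	}
	ctu, err := seal(idKey, ik, []byte("CTU"))
	if err != nil {
		return nil, err
	}
	cta, err := seal(attrKey, ak, []byte("CTA"))
	if err != nil {
		return nil, err
	}
	return &Package{CT: ct, CTU: ctu, CTA: cta}, nil
}

// Decrypt is step (5): recover IK with the identity private key and AK with the
// attribute private key, rebuild DK, then open CT. A user holding only one of
// the two keys fails at the corresponding unwrap and never reaches CT.
func Decrypt(p *Package, idKey, attrKey []byte) ([]byte, error) {
	ik, err := open(idKey, p.CTU, []byte("CTU"))
	if err != nil {
		return nil, fmt.Errorf("identity key cannot open CTU: %w", err)
	}
	ak, err := open(attrKey, p.CTA, []byte("CTA"))
	if err != nil {
		return nil, fmt.Errorf("attribute key cannot open CTA: %w", err)
	}
	dk := append(append([]byte{}, ik...), ak...)
	return open(dk, p.CT, []byte("CT"))
}

// RandomKey returns a fresh 32-byte key for the stand-in identity and attribute keys.
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	idKey, attrKey := RandomKey(), RandomKey()
	pkg, err := Encrypt([]byte("field record 17: 23.5 C, 41% RH (constructed)"), idKey, attrKey)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(pkg, idKey, attrKey)
	fmt.Println(string(pt), err)
	_, err = Decrypt(pkg, idKey, RandomKey()) // right identity key, wrong attribute key
	fmt.Println(err)
}
```

The distinct labels on the three seals matter: without them, a user who holds the identity key could feed CTU to the attribute unwrap slot (or the reverse) and at least probe the construction; binding the role of each ciphertext as associated data closes that. In the real scheme the two unwraps are the identity-based and attribute-based decryptions, and the same "both halves or nothing" property is what the patent relies on.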
Application scenario 5
Referring to Fig. 1 and Fig. 2, the data transmission system of an embodiment of this application scenario includes field detection equipment 3, a cloud storage system 1 and a field detection mobile terminal 2. The cloud storage system 1 is connected to the Internet and stores the detection data and geographical location information of the field detection mobile terminal. The field detection mobile terminal 2 includes a data acquisition module 21, a GPS positioning module 22 and a wireless communication module 23. The data acquisition module 21 collects the detection data of the field detection equipment 3 and is connected to the GPS positioning module 22 and the wireless communication module 23; the wireless communication module 23 connects to the Internet through the mobile cellular network.
Preferably, the wireless communication module 23 is a GPRS module.
The field detection mobile terminal 2 of the above embodiment can connect to the cloud storage system 1 through the mobile cellular network and the Internet, so that the detection data of the field detection equipment 3 and its geographical position are uploaded to the cloud storage system 1 in real time. This helps field staff collect enough data in a single visit without travelling repeatedly to the work site, shortens the field work cycle, reduces field work cost and the labour intensity of the staff, and the cloud storage system 1 can hold a large amount of detection data, thereby solving the technical problem described above.
Preferably, the field detection mobile terminal 2 further includes a USB connector 24, a serial communication connector 25 and an extension connector 26; the data acquisition module 21 is provided with a USB communication unit connected to the USB connector 24, a serial communication unit connected to the serial communication connector 25, and an FPGA module connected to the extension connector 26.
By providing the USB connector 24, the serial communication connector 25 and the extension connector 26, this preferred embodiment makes it easy to match the interfaces of the field detection equipment 3.
Preferably, the data transmission system further includes a data security management system 4 for managing the detection data in the cloud storage system 1. The data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management centre 44. The data service system 40 is responsible for storing, backing up and querying data; the data preprocessing system 41 preprocesses the data that must be kept secret; the cloud storage encryption/decryption system 42 encrypts or decrypts that data according to the optimized access control security policy; the control system 43 stores data to the corresponding storage device; and the security management centre 44 performs unified security monitoring and management of each system.
This preferred embodiment constructs the system structure of the data security management system 4.
Preferably, the storing, backing up and querying of data includes:
(1) converting the data format into one suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data and storing them with a combined centralized and distributed strategy, all data being backed up when stored. In this strategy, basic data accessed more often than a preset frequency is stored centrally and maintained by a unified data control centre, while professional data accessed less often than the preset frequency is stored in a distributed manner and maintained separately by each professional data centre;
(3) establishing a data retrieval algorithm for fast retrieval that combines directory retrieval with a search engine: a data directory is built and the data are first retrieved by directory; key words are then entered into the search engine for precise retrieval; the search engine finds the matching data according to a defined matching method and returns them to the user ranked by the degree of match between the data and the key words.
By combining directory retrieval with a search engine, this preferred embodiment retrieves data quickly and accurately.
Preferably, the unified security monitoring and management of each system includes:
(1) adopting the corresponding protection technology for the different security protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, and equipping each with the relevant protection devices, so as to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during data storage, transmission and access as a whole: not only are the data themselves encrypted, but the transport protocol carrying the data is encrypted as well;
(3) establishing a virus and Trojan defence mechanism, with regular updates of the virus database and upgrades of the firewall; the update period T is 6-10 days, and any abnormal data detected are analysed and an early warning is issued.
This preferred embodiment achieves unified security monitoring and management of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the data that must be kept secret into several mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a self-defined ordering rule, extracts the first data unit of every set in turn, and saves the extracted units together with the ordering rule as the small-block data; mutual exclusion here means that no two data units within a set are associated with each other. The access control security policy optimization unit generates the access control security policy of the system by an optimization method based on fine-grained resource partitioning, which includes:
(1) building a hierarchical data tree structure on the mutually exclusive data sets produced by the data extraction unit; the tree has three layers, a service layer, a logical layer and a physical layer, where the service layer is the root node associated with the data scheduling service, the logical layer holds the data associated in the access control security policy, and the physical layer holds the data units of all the mutually exclusive data sets;
(2) formulating the access control security policy for data of different security levels in the eXtensible Access Control Markup Language (XACML) and projecting the rules of the policy that are associated with data onto the data units of the mutually exclusive data sets, thereby refining the rules of the policy down to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set, so as to delete conflicts and redundancy among the rules assigned to each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
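The projection, conflict and redundancy removal, and merging of steps (2) to (4), as an added Go example that is not part of the patent. The rules, the hierarchy (which logical-layer object maps to which physical-layer data units), the sample subjects and the deny-overrides conflict resolution are all constructed assumptions, since the page specifies none of them; the XACML policy is represented as plain rule structs rather than XML.

```go
package main

import (
	"fmt"
	"sort"
)

// Effect is the outcome of an XACML rule.
type Effect string

const (
	Permit        Effect = "Permit"
	Deny          Effect = "Deny"
	NotApplicable Effect = "NotApplicable"
)

// Rule is a policy rule at the logical layer: subject, action, the
// logical-layer data object it names, and effect.
type Rule struct {
	Subject, Action, Object string
	Effect                  Effect
}

// UnitRule is a rule after projection onto one physical-layer data unit.
type UnitRule struct {
	Subject, Action, Unit string
	Effect                Effect
}

// MergedRule is the compact form of step (4): one subject, action and effect
// over a list of data units.
type MergedRule struct {
	Subject, Action string
	Effect          Effect
	Units           []string
}

// Project refines each rule to the data units beneath its object (step (2));
// hierarchy maps a logical-layer object to its physical-layer data units.
func Project(rules []Rule, hierarchy map[string][]string) []UnitRule {
	var out []UnitRule
	for _, r := range rules {
		for _, u := range hierarchy[r.Object] {
			out = append(out, UnitRule{r.Subject, r.Action, u, r.Effect})
		}
	}
	return out
}

// Optimize drops redundant rules (same subject, action, unit and effect) and
// resolves conflicts (same subject, action and unit, opposite effects) on each
// data unit (step (3)). Conflicts resolve deny-overrides; that is an
// assumption, the page names no combining algorithm.
func Optimize(ur []UnitRule) []UnitRule {
	type key struct{ Subject, Action, Unit string }
	effect := map[key]Effect{}
	for _, r := range ur {
		k := key{r.Subject, r.Action, r.Unit}
		switch prev, seen := effect[k]; {
		case !seen:
			effect[k] = r.Effect
		case prev != r.Effect:
			effect[k] = Deny // conflict on this unit: deny overrides
		default:
			// identical rule already present: redundant, dropped
		}
	}
	out := make([]UnitRule, 0, len(effect))
	for k, e := range effect {
		out = append(out, UnitRule{k.Subject, k.Action, k.Unit, e})
	}
	sort.Slice(out, func(i, j int) bool { // deterministic order for merging
		a, b := out[i], out[j]
		return a.Subject+"|"+a.Action+"|"+a.Unit < b.Subject+"|"+b.Action+"|"+b.Unit
	})
	return out
}

// Merge folds unit rules that share subject, action and effect into one rule
// over a unit list (step (4)); the result is the optimized policy.
func Merge(ur []UnitRule) []MergedRule {
	idx := map[string]int{}
	var out []MergedRule
	for _, r := range ur {
		k := r.Subject + "|" + r.Action + "|" + string(r.Effect)
		i, ok := idx[k]
		if !ok {
			i = len(out)
			idx[k] = i
			out = append(out, MergedRule{Subject: r.Subject, Action: r.Action, Effect: r.Effect})
		}
		out[i].Units = append(out[i].Units, r.Unit)
	}
	return out
}

// Decide evaluates the optimized policy for one request against one data unit.
func Decide(policy []MergedRule, subject, action, unit string) Effect {
	for _, m := range policy {
		if m.Subject != subject || m.Action != action {
			continue
		}
		for _, u := range m.Units {
			if u == unit {
				return m.Effect
			}
		}
	}
	return NotApplicable
}

// Constructed sample: "survey" contains units u1..u3; u2 is also reachable
// through the higher-security object "sensitive".
var hierarchy = map[string][]string{
	"survey":    {"u1", "u2", "u3"},
	"sensitive": {"u2"},
}

var rules = []Rule{
	{"analyst", "read", "survey", Permit},
	{"analyst", "read", "sensitive", Deny}, // conflicts with the rule above on u2
	{"analyst", "read", "survey", Permit},  // redundant duplicate
	{"operator", "write", "survey", Permit},
}

// OptimizedPolicy runs steps (2) to (4) over the sample.
func OptimizedPolicy() []MergedRule {
	return Merge(Optimize(Project(rules, hierarchy)))
}

func main() {
	policy := OptimizedPolicy()
	for _, m := range policy {
		fmt.Println(m.Subject, m.Action, m.Effect, m.Units)
	}
	fmt.Println("analyst read u2:", Decide(policy, "analyst", "read", "u2"))
}
```

On the sample, the ten projected unit rules collapse to six, the Permit on u2 inherited from "survey" loses to the Deny inherited from "sensitive", and the policy handed to the decision point is three merged rules. The combining choice is the security-relevant knob: a permit-overrides resolution would silently widen access to the higher-security unit, so whichever algorithm the deployment uses should be stated in the policy rather than left to the optimizer.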
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small-block data in local storage, encrypted with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption/decryption system 42 and storing them in the cloud storage module; after the cloud storage module receives the data, the cloud verifies their integrity before saving them to a storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data partitioning and data extraction on the data to be kept secret and then refines the rules of the access control security policy. This reduces the physical storage space and the overhead of storage, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by the data extraction unit is stored locally, and the remaining data is stored in the cloud storage module after the corresponding access control security policy has been set. This overcomes the large overhead and inconvenience that conventional cloud storage data privacy mechanisms based on simple encryption bring to actual data operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with private user data, and improves the security of storing the data that must be kept secret.
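The data partitioning, extraction and small-block/cloud split of the data preprocessing system 41, together with the cloud-side integrity check of step (2) above, as an added Go example that is not part of the patent. The round-robin partition, the "id-desc" ordering rule, SHA-256 as the integrity value and the sample records are all assumptions; the page fixes only that the sets are mutually exclusive, that the first unit of each sorted set goes to local storage together with the ordering rule, and that the cloud checks integrity before saving.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Record is one data unit of the data to be kept secret.
type Record struct {
	ID    int
	Value string
}

// SmallBlock is what stays in local storage: the first unit of every sorted
// mutually exclusive set, together with the ordering rule needed to put the
// units back.
type SmallBlock struct {
	Rule  string
	Heads []Record
}

// Partition divides records into k mutually exclusive sets. Round-robin on ID
// is an assumption; the page fixes only that the sets must be disjoint.
func Partition(recs []Record, k int) [][]Record {
	sets := make([][]Record, k)
	for _, r := range recs {
		sets[r.ID%k] = append(sets[r.ID%k], r)
	}
	return sets
}

// byRule sorts a set under the self-defined ordering rule. Only "id-desc" is
// implemented, as a stand-in for the page's unspecified rule.
func byRule(rule string, s []Record) ([]Record, error) {
	if rule != "id-desc" {
		return nil, fmt.Errorf("unknown ordering rule %q", rule)
	}
	sorted := append([]Record{}, s...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].ID > sorted[j].ID })
	return sorted, nil
}

// Extract sorts each set, moves its first unit into the small block and
// returns the remainder, which is what goes to the cloud storage module.
func Extract(sets [][]Record, rule string) (SmallBlock, [][]Record, error) {
	sb := SmallBlock{Rule: rule}
	rest := make([][]Record, len(sets))
	for i, s := range sets {
		sorted, err := byRule(rule, s)
		if err != nil {
			return SmallBlock{}, nil, err
		}
		if len(sorted) == 0 {
			return SmallBlock{}, nil, errors.New("empty set: nothing to extract")
		}
		sb.Heads = append(sb.Heads, sorted[0])
		rest[i] = sorted[1:]
	}
	return sb, rest, nil
}

// Reassemble puts the heads back in front of the cloud remainder; without the
// local small block the cloud copy is missing one unit per set and the rule.
func Reassemble(sb SmallBlock, rest [][]Record) ([]Record, error) {
	if len(sb.Heads) != len(rest) {
		return nil, errors.New("small block does not match cloud data")
	}
	var all []Record
	for i := range rest {
		all = append(all, sb.Heads[i])
		all = append(all, rest[i]...)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].ID < all[j].ID })
	return all, nil
}

// Digest is the integrity value computed over a canonical encoding of the
// cloud-bound data by the uploader, and recomputed by the cloud on receipt.
func Digest(rest [][]Record) string {
	h := sha256.New()
	for i, s := range rest {
		fmt.Fprintf(h, "set %d\n", i)
		for _, r := range s {
			fmt.Fprintf(h, "%d:%q\n", r.ID, r.Value)
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

// VerifyOnReceipt is the cloud-side check before the data reach a storage node.
func VerifyOnReceipt(rest [][]Record, expected string) error {
	if Digest(rest) != expected {
		return errors.New("integrity check failed: data not saved")
	}
	return nil
}

func main() {
	recs := []Record{{1, "a"}, {2, "b"}, {3, "c"}, {4, "d"}, {5, "e"}, {6, "f"}, {7, "g"}} // constructed
	sb, rest, err := Extract(Partition(recs, 3), "id-desc")
	if err != nil {
		panic(err)
	}
	d := Digest(rest)
	fmt.Println("local heads:", sb.Heads, "cloud digest:", d)
	rest[0][0].Value = "tampered"
	fmt.Println(VerifyOnReceipt(rest, d))
}
```

A plain digest only detects accidental corruption in transit; an attacker who can alter the data can recompute it. If the cloud is to detect deliberate tampering by a third party, the uploader should send a MAC or signature over the same canonical encoding instead, which the page leaves open under "integrity check".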
Preferably, the cloud storage encryption/decryption system 42 of this application scenario consists of the same five entities (data owner, attribute authority, cloud, trusted third party and user) and encrypts or decrypts the data to be kept secret by the same steps (1) to (6) as the cloud storage encryption/decryption system 42 of the preceding application scenario: the trusted third party assigns the user identity UAID and the attribute authority identity AID and issues certificates; the identity-based key, the attribute-based key and the proxy re-encryption key are generated; the data are encrypted under the data key $DK = IK \,\|\, AK$, with IK encrypted under the identity public key into $CT_U$ and AK under the attribute public key into $CT_A$; the cloud proxy re-encrypts $CT_U$ for the requesting user; the user decrypts $CT_U$ and $CT_A$ with the identity private key and the attribute private key, reconstructs DK and decrypts CT; and the attribute and identity keys are updated. As before, only a user who satisfies both the identity condition and the attribute condition can decrypt, and collusion between users and attribute authorities is resisted.
In this application scenario the update period T is taken as 10 days, and the security of the system is improved by a relative 8%.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit its scope of protection. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the essence and scope of the technical solution of the present invention.

Claims (3)

1. A data transmission system, characterized in that it includes field detection equipment, a cloud storage system and a field detection mobile terminal; the cloud storage system is connected to the Internet and stores the detection data and geographical location information of the field detection mobile terminal; the field detection mobile terminal includes a data acquisition module, a GPS positioning module and a wireless communication module; the data acquisition module collects the detection data of the field detection equipment and is connected to the GPS positioning module and the wireless communication module, and the wireless communication module connects to the Internet through the mobile cellular network.
2. The data transmission system according to claim 1, characterized in that the wireless communication module is a GPRS module.
3. The data transmission system according to claim 2, characterized in that the field detection mobile terminal further includes a USB connector, a serial communication connector and an extension connector, and the data acquisition module is provided with a USB communication unit for connecting the USB connector, a serial communication unit for connecting the serial communication connector, and an FPGA module for connecting the extension connector.
Application CN201610772039.4A, "A kind of data transmission system", filed 2016-08-30 (priority date 2016-08-30), published as CN106131224A on 2016-11-16; family ID 57273042; country CN; legal status listed at publication: Pending.

Legal Events

Code Title
C06 / PB01 Publication (application publication date: 2016-11-16)
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
RJ01 Rejection of invention patent application after publication