CN106161654A - A kind of cloud educational system - Google Patents

A kind of cloud educational system

Info

Publication number
CN106161654A
Authority
CN
China
Prior art keywords
data
education
cloud
terminal
services center
Prior art date
Legal status
Pending
Application number
CN201610782493.8A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN201610782493.8A
Publication of CN106161654A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols, with the following leaf classes:
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention provides a cloud education system comprising a cloud education service center, a user mobile terminal and an education terminal. The cloud education service center stores education resource data, issues education resource data to an education terminal that initiates a data update request according to that request, provides storage space to a user mobile terminal that initiates a data upload request according to that request, and manages the education terminals connected to it. The user mobile terminal provides an interface service through which the user uploads education resource data to the cloud education service center. The education terminal initiates data update requests to the cloud education service center and receives the education resource data that the cloud education service center issues. By storing education resource data in the cloud education service center and updating education terminals by on-demand requests, the invention saves manpower and allows the storage capacity for education resource data to be expanded without limit.

Description

A kind of cloud educational system
Technical field
The present invention relates to the field of communication and Internet technology, and in particular to a cloud education system.
Background technology
In the related art, educational resources are mostly delivered through traditional paper, multimedia CDs or stand-alone multimedia terminals. Although these are numerous and varied, paper and disc media can only be updated periodically by manual delivery of new content, and stand-alone multimedia terminals cannot be upgraded at all. Teaching resources are therefore updated late, and providing a rich set of resources costs a great deal.
Summary of the invention
To solve the above problems, the present invention aims to provide a cloud education system.
The purpose of the invention is achieved by the following technical solution:
A cloud education system is provided, comprising a cloud education service center, a user mobile terminal and an education terminal, where the user mobile terminal and the education terminal are each communicatively connected to the cloud education service center. The cloud education service center stores education resource data, issues education resource data to an education terminal that initiates a data update request according to that request, provides storage space to a user mobile terminal that initiates a data upload request according to that request, and manages the education terminals connected to it. The user mobile terminal provides an interface service through which the user uploads education resource data to the cloud education service center. The education terminal initiates data update requests to the cloud education service center and receives the education resource data that the cloud education service center issues.
Benefits of the invention: users can upload education resource data to the cloud education service center at any time from a mobile terminal, enriching the data held in the cloud education service center. For the education sector this is an innovative content update mode: education resource data is stored in the cloud education service center and education terminals are updated by on-demand requests, which saves manpower and allows the storage capacity for education resource data to be expanded without limit, thus solving the technical problem described above.
Description of the drawings
The invention is further described with reference to the accompanying drawings, but the embodiments in the drawings do not limit the invention in any way; a person of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is a schematic diagram of the structural connections of the invention.
Fig. 2 is a schematic diagram of the structure of the data security management system of the invention.
Reference numerals:
Cloud education service center 1, user mobile terminal 2, education terminal 3, data security management system 4, data service system 40, data pretreatment system 41, cloud storage encryption/decryption system 42, control system 43, security management center 44.
Detailed description of the invention
The invention is further described with the following examples.
Application scenario 1
Referring to Fig. 1 and Fig. 2, the cloud education system of one embodiment of this application scenario comprises a cloud education service center 1, a user mobile terminal 2 and an education terminal 3; the user mobile terminal 2 and the education terminal 3 are each communicatively connected to the cloud education service center 1. The cloud education service center 1 stores education resource data, issues education resource data to an education terminal 3 that initiates a data update request according to that request, provides storage space to a user mobile terminal 2 that initiates a data upload request according to that request, and manages the education terminals 3 connected to it. The user mobile terminal 2 provides an interface service through which the user uploads education resource data to the cloud education service center 1. The education terminal 3 initiates data update requests to the cloud education service center 1 and receives the education resource data that the cloud education service center 1 issues.
With the user mobile terminal 2 of the above embodiment, education resource data can be uploaded to the cloud education service center 1 at any time, enriching the data held in the cloud education service center 1. For the education sector this is an innovative content update mode: education resource data is stored in the cloud education service center 1 and education terminals 3 are updated by on-demand requests, which saves manpower and allows the storage capacity for education resource data to be expanded without limit, thus solving the technical problem described above.
Preferably, the cloud education service center 1 comprises:
an update request receiving module, for receiving the data update request that an education terminal 3 initiates to the cloud education service center 1;
a parsing module, for parsing the data update request and determining the education resource data the education terminal 3 needs;
a storage module, for storing education resource data and cloud terminal management data;
a sending module, for issuing the needed education resource data to the education terminal 3.
This preferred embodiment implements the function by which the cloud education service center 1 updates the education resource data of education terminals 3.
Preferably, the cloud education service center 1 further comprises a management module, for managing the education terminals 3 connected to it by means of control commands; the sending module is also used to send the management control commands.
This preferred embodiment implements the function by which the cloud education service center 1 manages education terminals 3.
Preferably, the cloud education system further comprises a data security management system 4 for managing the data in the cloud education service center 1. The data security management system 4 comprises a data service system 40, a data pretreatment system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for the storage, backup and querying of education resource data and cloud terminal management data; the data pretreatment system 41 pre-processes the data that must be kept confidential; the cloud storage encryption/decryption system 42 encrypts or decrypts the confidential data according to the optimized access control security policy; the control system 43 stores the uploaded education resource data to the corresponding storage device; and the security management center 44 carries out unified monitoring and management of the security of each system.
This preferred embodiment sets out the system structure of the data security management system 4.
Preferably, the storage, backup and querying of education resource data and cloud terminal management data comprises:
(1) converting the data format to one suitable for storage in a non-relational database;
(2) dividing the data into basic data and expert data and storing it with a strategy combining centralized and distributed storage, with all data backed up during storage; the combined strategy is: basic data with a frequency above the preset frequency uses centralized storage and is maintained uniformly by the data control center, while expert data with a frequency below the preset frequency uses distributed storage and is maintained separately at each expert data center;
(3) establishing a corresponding data retrieval algorithm for rapid retrieval of the data; the retrieval algorithm combines directory retrieval with a search engine: a data directory is built and the data is first retrieved by directory; keywords are then entered in the search engine for precise retrieval; the search engine finds matching data according to a certain method and returns it to the user ranked by the degree of match between the data and the keywords.
This preferred embodiment uses a retrieval algorithm combining directory retrieval and a search engine, so that data can be obtained quickly and accurately.
Preferably, the unified monitoring and management of the security of each system comprises:
(1) adopting the corresponding security protection techniques for the different security protection requirements of the data service system 40, data pretreatment system 41, cloud storage encryption/decryption system 42 and control system 43, and equipping the relevant security protection devices, to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security comprehensively across data storage, transmission and access, encrypting not only the data itself but also the transmission protocol carrying the data;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6-10 days; any abnormal data that is detected is analyzed and an early warning is issued.
This preferred embodiment implements unified monitoring and management of the security of each system.
Preferably, the data pretreatment system 41 comprises a data division unit, a data extraction unit and an access control security policy optimization unit. The data division unit divides the confidential data into a plurality of mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a self-defined ordering rule, extracts the first data cell of each data set in turn, and saves the extracted cells together with the ordering rule as small-block data; "mutually exclusive" means that no association exists between any two data cells in the data sets. The access control security policy optimization unit generates the system's access control security policy by an access control security policy optimization method based on fine-grained resource division, comprising:
(1) building a hierarchical data tree from the mutually exclusive data sets processed by the data extraction unit; the hierarchical data tree is a three-layer data tree comprising a service layer, a logical layer and a physical layer, where the service layer is the root node associated with the data scheduling service, the logical layer holds the data associated in the access control security policy, and the physical layer contains the data cells of all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels in the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with the data in the access control security policy onto the data cells of the mutually exclusive data sets, thereby refining the rules of the access control security policy to the data dimension;
(3) performing rule optimization on the data cells of each mutually exclusive data set to remove conflicts and redundancy among the rules assigned to each data cell;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the uploaded education resource data to the corresponding storage device comprises:
(1) storing the small-block data in local storage, encrypted with a user-defined encryption technique;
(2) encrypting the remaining information data with the cloud storage encryption/decryption system 42 and storing it in the cloud storage module of the cloud service center; after the cloud storage module receives the data it performs an integrity check on it and then saves it to a cloud storage node.
The above two preferred embodiments provide the data pretreatment system 41, which first performs data division and data extraction on the confidential data and then refines the rules in the access control security policy. This reduces the physical storage space and the storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves access control decision efficiency. The part of the data extracted by the data extraction process is stored in local storage, and the remaining data is stored in the cloud storage module after the corresponding access control security policy is set. This avoids the large overhead and cumbersome handling that traditional cloud storage data-privacy mechanisms based on simple encryption incur when operating on data in practice, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing confidential information data.
Preferably, the cloud storage encryption/decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, a trusted third party and the user. Encrypting or decrypting the confidential data comprises:
(1) the trusted third party allocates a user identity UAID and an attribute authority identity AID to users and attribute authorities respectively, comprising:
A. initialization: the trusted third party initializes the system parameters, where α is a random integer;
B. for each legitimate user, the trusted third party allocates a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time the authentication parameter of the legitimate user is published, where $C_{UAID} \in Z_p$;
C. identity key pairs are generated for the data owner and the legitimate users;
(2) the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key are generated, where the identity-based encryption/decryption key comprises the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption/decryption key comprises the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes a single attribute authority can distribute, $GK_x$ is the public key of attribute $x$, $B_x$ is the version number of attribute $x$, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes distributed by the attribute authority according to the identity, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_p$.
(3) the cloud storage encryption/decryption system 42 encrypts the data to be stored in the cloud storage module with a data key, obtaining the ciphertext CT, and then encrypts the data key with the identity public key and with the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, comprising:
A. randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
DK = IK || AK
B. encrypting the data to be stored in the cloud storage module with the data key DK to obtain the ciphertext CT; then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the data key, and decrypts the ciphertext CT;
(6) the attributes and identity keys are updated.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage module, an identity-based encryption/decryption key and an attribute encryption/decryption key are constructed separately and merged into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt; this greatly improves the security of the data security management system 4.
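As an added worked example (not code from the patent), the following Python models the storage path of the data pretreatment system 41 and the cloud storage encryption/decryption system 42 described above: the confidential data is divided into mutually exclusive cell sets, the first cell of each set is extracted as small-block data kept locally with the ordering rule, and the remainder is encrypted under DK = IK || AK with IK and AK wrapped separately, so that both key halves and an intact ciphertext are needed to recover the data. The cell size, the rotation-based ordering rule, the HMAC-based stand-in cipher used in place of the identity- and attribute-based schemes, and all key and sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

CELL = 4       # bytes per data cell (assumption)
TAG_LEN = 32   # HMAC-SHA256 tag appended to every sealed blob
SAMPLE = b"CLASS-3 LESSON-07 ANSWER KEY Q1B Q2D Q3A"   # constructed 40-byte record = 10 cells
# Symmetric stand-ins (assumption) for the identity key, the attribute key and the user-defined local key.
IDENTITY_KEY = hashlib.sha256(b"stand-in for GK_UAID/CK_UAID").digest()
ATTRIBUTE_KEY = hashlib.sha256(b"stand-in for GK_AID/CK_AID").digest()
LOCAL_KEY = hashlib.sha256(b"user-defined local encryption key").digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode used as a stand-in stream cipher (assumption)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. The tag is what the integrity check verifies."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Integrity check first (as the cloud storage module does on receipt), then decrypt."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, body[:16], body[16:])


def pretreat(data: bytes, n_sets: int) -> Tuple[List[bytes], List[int], List[List[bytes]]]:
    """Data division and data extraction (the patent's data pretreatment 41).

    Round-robin division yields n_sets mutually exclusive cell sets. Each set is rotated by a
    secret offset (the self-defined ordering rule, an assumption) and the first cell of each
    rotated set is extracted. Returns (small_block, ordering_rule, remainder_sets)."""
    if len(data) % CELL:
        raise ValueError("data length must be a whole number of cells")
    cells = [data[i:i + CELL] for i in range(0, len(data), CELL)]
    sets = [cells[i::n_sets] for i in range(n_sets)]
    if any(len(s) < 2 for s in sets):
        raise ValueError("every set needs at least two cells")
    offsets = [secrets.randbelow(len(s)) for s in sets]
    rotated = [s[k:] + s[:k] for s, k in zip(sets, offsets)]
    return [s[0] for s in rotated], offsets, [s[1:] for s in rotated]


def store(data: bytes, n_sets: int) -> Tuple[Dict, Dict]:
    """Local record: sealed small block + ordering rule. Cloud record: CT, CT_U and CT_A."""
    small_block, rule, remainder = pretreat(data, n_sets)
    local = {"small_block": seal(LOCAL_KEY, b"".join(small_block)),
             "ordering_rule": rule, "set_sizes": [len(r) + 1 for r in remainder]}
    ik, ak = secrets.token_bytes(16), secrets.token_bytes(16)  # two fixed-length random strings
    cloud = {"CT": seal(ik + ak, b"".join(b"".join(r) for r in remainder)),  # DK = IK || AK
             "CT_U": seal(IDENTITY_KEY, ik),     # IK wrapped under the identity key
             "CT_A": seal(ATTRIBUTE_KEY, ak)}    # AK wrapped under the attribute key
    return local, cloud


def retrieve(local: Dict, cloud: Dict, identity_key: bytes, attribute_key: bytes) -> bytes:
    """Both halves of DK are needed; a wrong half fails its integrity check before CT is touched."""
    dk = unseal(identity_key, cloud["CT_U"]) + unseal(attribute_key, cloud["CT_A"])
    rest = unseal(dk, cloud["CT"])
    small = unseal(LOCAL_KEY, local["small_block"])
    first = [small[i:i + CELL] for i in range(0, len(small), CELL)]
    rest_cells = [rest[i:i + CELL] for i in range(0, len(rest), CELL)]
    sets, pos = [], 0
    for cell, size, k in zip(first, local["set_sizes"], local["ordering_rule"]):
        rotated = [cell] + rest_cells[pos:pos + size - 1]
        pos += size - 1
        sets.append(rotated[-k:] + rotated[:-k] if k else rotated)  # undo the rotation
    n = sum(local["set_sizes"])
    return b"".join(sets[i % len(sets)][i // len(sets)] for i in range(n))  # undo the division


def demo() -> Dict[str, bool]:
    """Round trip, then two failure modes: identity condition only, and a tampered CT."""
    local, cloud = store(SAMPLE, 3)
    out = {"roundtrip": retrieve(local, cloud, IDENTITY_KEY, ATTRIBUTE_KEY) == SAMPLE}
    try:
        retrieve(local, cloud, IDENTITY_KEY, b"\x00" * 32)  # wrong attribute key: CT_A stays closed
        out["identity_only_rejected"] = False
    except ValueError:
        out["identity_only_rejected"] = True
    tampered = bytearray(cloud["CT"])
    tampered[20] ^= 1                                        # flip one ciphertext bit
    try:
        retrieve(local, dict(cloud, CT=bytes(tampered)), IDENTITY_KEY, ATTRIBUTE_KEY)
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out
```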
In this application scenario the update cycle T is taken as 6, and the security of the data security management system 4 is relatively improved by 12%.
Application scenario 2
See Fig. 1, Fig. 2, the cloud educational system of an embodiment of this application scene, including cloud education services center 1, use Family mobile terminal 2 and education terminal 3, described customer mobile terminal 2, education terminal 3 are led to described cloud education services center 1 respectively Letter connects;Described cloud education services center 1 is used for storing education resource data, and the data according to education terminal 3 are more newly requested Issuing education resource data to the education terminal 3 initiating data more newly requested, the data of uploading according to customer mobile terminal 2 please Ask and upload the customer mobile terminal 2 of request of data to initiation memory space is provided, and manage the education terminal 3 being attached thereto;Institute State customer mobile terminal 2 and provide interface service for uploading education resource data for user's Xiang Yun education services center 1;Described Education terminal 3 is more newly requested for initiating data to cloud education services center 1, and receives the religion that cloud education services center 1 issues Educate and use resource data.
Education resource data can be uploaded to cloud education services by the customer mobile terminal 2 of the above embodiment of the present invention at any time Center 1, the data in abundant cloud education services center 1;In education sector, in the content update mode of innovation, will education By resource data store in cloud education services center 1, more new education terminal 3 by the way of instant request, to reach to save people Power, and infinitely expand the memory capacity of education resource data, thus solve above-mentioned technical problem.
Preferably, described cloud education services center 1 includes:
More newly requested receiver module, the data initiated to cloud education services center 1 for receiving education terminal 3 update please Ask;
Parsing module, is used for resolving described data more newly requested, obtains the education resource data that education terminal 3 needs;
Memory module, is used for storing education resource data and cloud terminal management data;
Sending module, for issuing the education resource data of needs to education terminal 3.
This preferred embodiment achieves cloud education services center 1 and is updated the education resource data of education terminal 3 Function.
Preferably, described cloud education services center 1 also includes managing module, is used for being attached thereto by control command management Education terminal 3;Described sending module is also used for sending management control command.
This preferred embodiment achieves the function of cloud education services center 1 management education terminal 3.
Preferably, described cloud educational system also includes the data safety for managing the data in cloud education services center 1 Management system 4;Described data safety management system 4 includes that data service system 40, data pretreatment 41, cloud storage add solution Close system 42, control system 43 and security management center 44;Described data service system 40 is used for being responsible for education resource data Storage with cloud terminal management data, back up and inquire about;Described data pretreatment 41 is for carrying out the data that need to maintain secrecy Pretreatment;Described cloud storage encrypting and deciphering system 42 is used for the data to maintaining secrecy of the access control safety strategy according to optimization and carries out Encryption or deciphering;The education resource data store that described control system 43 is used for uploading is to corresponding storage device;Described Security management center 44 is for carrying out unified monitoring management to each security of system.
This preferred embodiment constructs the system structure of data safety management system 4.
Preferably, described responsible education resource data and the storage of cloud terminal management data, back up and inquire about, including:
(1) data form is changed, set up and be applicable to the form that non-relational database carries out storing;
(2) split data into basic data and expert data, use the strategy of centralized and distributed combination that data are entered Row storage, during storage, all data all back up;The strategy of described centralized and distributed combination includes: for higher than presetting The basic data of frequency uses centralised storage, is safeguarded, for the professional number less than predeterminated frequency by control data corporation is unified According to using distributed storage, safeguard respectively at each expert data center;
(3) setting up corresponding data retrievad algorithm, data carry out quick-searching, described data retrievad algorithm uses catalogue The mode that retrieval and search engine combine is carried out, and specifically includes: set up data directory, tentatively examines data according to catalogue Rope;Input key word at search engine, data are carried out precise search;Search engine finds the number of coupling according to certain mode According to, and be ranked up feeding back to user according to the matching degree of data Yu key word.
This preferred embodiment uses the searching algorithm that catalogue retrieval and search engine combine, it is possible to obtain fast and accurately Data.
Preferably, described each security of system is carried out unified monitoring management, including:
(1) for data service system 40, data pretreatment 41, cloud storage encrypting and deciphering system 42, control system 43 Different security protections requires to take the safety protection technique of correspondence, is equipped with relevant safety protection equipment, forms complete peace Full protection system;
(2) set up effective Data Security, the safety in data storage, transmission, access process is comprehensively examined Consider, not only data are encrypted, the host-host protocol of data are encrypted simultaneously;
(3) setting up virus and wooden horse defense mechanism, regular update virus base and upgrading fire wall, the update cycle is that T, T take The abnormal data detected, for 6-10 days, will be analyzed, and send early warning by value.
This preferred embodiment achieves the management of the unified monitoring to each security of system.
Preferably, described data pretreatment 41 includes data partitioning unit, data pick-up unit and accesses control peace Full policy optimization unit, described data partitioning unit for being divided into the data acquisition system of multiple mutual exclusion to the data that need to maintain secrecy;Institute State data pick-up unit for the data acquisition system of described mutual exclusion is ranked up according to self-defining ordering rule, by each data First data cell in set sequentially extracts, and preserves as small block data, Qi Zhongsuo together with described ordering rule State and there is not any association between the data cell two-by-two that mutual exclusion represents in data acquisition system;Described access control safety policy optimization Unit generates the access control safety plan of system for access control safety policy optimization method based on fine granularity division of resources Omit, including:
(1) based on the data acquisition system by the mutual exclusion after data pick-up cell processing, hierarchical data table structure is built, described Hierarchical data tree construction is three layer data tree constructions, and it includes that service layer, logical layer and physical layer, described service layer are and number According to the root vertex that dispatch service is relevant, described logical layer is the data of association, described physical layer in access control safety strategy Comprise the data cell in the data acquisition system of all mutual exclusions;
(2) based on accessing the access control safety controlling markup language XACML formulation for the data of different safety class Strategy, projects to the data cell in the data acquisition system of described mutual exclusion by rule with data association in access control safety strategy On, thus the rule in access control safety strategy is refine to data dimension;
(3) the data cell enterprising line discipline optimization in the data acquisition system of each described mutual exclusion, to delete distribution often The conflict of the rule in individual data cell and redundancy;
(4) merge the rule after optimizing, generate the access control safety strategy optimized.
Preferably, storing the uploaded education resource data to the corresponding storage device includes:
(1) storing the small-block data in local storage, encrypted with a user-defined encryption technique;
(2) having the cloud storage encryption/decryption system 42 encrypt the remaining information data and store them in the cloud storage module of the cloud service center; after receiving the data, the cloud storage module performs an integrity check on them before saving them to the cloud storage nodes.
The two preferred embodiments above provide the data preprocessing system 41, which first partitions and extracts the confidential data and then refines the rules of the access control security policy. This reduces the physical storage space and the cost of storage, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by the data extraction process is stored locally, and the remaining data are stored in the cloud storage module after the corresponding access control security policy has been set. This avoids the considerable overhead and complexity that traditional cloud storage privacy mechanisms based on simple encryption incur when operating on the data in practice, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing information that must be kept confidential.
Preferably, the cloud storage encryption/decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential data includes:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, as follows:
A. initialization: the trusted third party initializes the system parameters [expression missing from the page], where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time the authentication parameter of the legitimate user is published [expression missing from the page], where $C_{UAID} \in \mathbb{Z}_p$;
C. identity key pairs are generated for the data owner and the legitimate users;
(2) the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key are generated. The identity-based key comprises the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute key comprises the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes assigned to the identity by the attribute authority, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) the cloud storage encryption/decryption system 42 encrypts the data to be stored in the cloud storage module with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and with the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, as follows:
A. two fixed-length random strings IK and AK are generated and concatenated to form the data key DK:
$DK = IK \,\|\, AK$
B. the data to be stored in the cloud storage module are encrypted with the data key DK to obtain the ciphertext CT; AK is then encrypted with the attribute public key to generate the attribute key ciphertext $CT_A$, and IK is encrypted with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the data key, and decrypts the ciphertext CT;
(6) the attribute keys and identity keys are updated.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and the attribute authority. For the data to be stored in the cloud storage module, an identity-based encryption/decryption key and an attribute encryption/decryption key are constructed separately and combined to form the data encryption key with which the data are encrypted, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario, the update cycle T is taken as 7 days, and the security of the data security management system 4 is relatively improved by 11%.
Application scenario 3
Referring to Fig. 1 and Fig. 2, the cloud educational system of one embodiment of this application scenario includes a cloud education services center 1, a user mobile terminal 2 and an education terminal 3. The user mobile terminal 2 and the education terminal 3 are each communicatively connected to the cloud education services center 1. The cloud education services center 1 stores education resource data, issues education resource data to an education terminal 3 that has initiated a data update request, provides storage space to a user mobile terminal 2 that has initiated a data upload request, and manages the education terminals 3 connected to it. The user mobile terminal 2 provides the user with an interface service for uploading education resource data to the cloud education services center 1. The education terminal 3 initiates data update requests to the cloud education services center 1 and receives the education resource data that the center issues.
With the above embodiment of the present invention, the user mobile terminal 2 can upload education resource data to the cloud education services center 1 at any time, enriching the data held in the center. This is an innovative content update mode for the education sector: education resource data are stored in the cloud education services center 1 and the education terminals 3 are updated by on-demand requests, which saves manpower and lets the storage capacity for education resource data expand without limit, thus solving the technical problem described above.
Preferably, the cloud education services center 1 includes:
an update request receiving module, for receiving the data update requests that the education terminals 3 initiate to the cloud education services center 1;
a parsing module, for parsing the data update request and obtaining the education resource data that the education terminal 3 needs;
a storage module, for storing education resource data and cloud terminal management data;
a sending module, for issuing the required education resource data to the education terminal 3.
This preferred embodiment implements the function whereby the cloud education services center 1 updates the education resource data of the education terminal 3.
Preferably, the cloud education services center 1 further includes a management module, for managing the education terminals 3 connected to it by means of control commands; the sending module is also used to send the management control commands.
This preferred embodiment implements the function whereby the cloud education services center 1 manages the education terminals 3.
Preferably, the cloud educational system further includes a data security management system 4 for managing the data in the cloud education services center 1. The data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storing, backing up and querying the education resource data and the cloud terminal management data; the data preprocessing system 41 preprocesses the data that must be kept confidential; the cloud storage encryption/decryption system 42 encrypts or decrypts the confidential data according to the optimized access control security policy; the control system 43 stores the uploaded education resource data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each subsystem.
This preferred embodiment constructs the system structure of the data security management system 4.
Preferably, being responsible for storing, backing up and querying the education resource data and the cloud terminal management data includes:
(1) converting the data format and establishing a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and expert data and storing them with a strategy that combines centralized and distributed storage, with all data backed up at storage time; the combined strategy is as follows: basic data accessed more often than a preset frequency are stored centrally and maintained uniformly by the data control center, while expert data accessed less often than the preset frequency are stored in a distributed manner and maintained separately at each expert data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data; the retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is established and a preliminary retrieval is made through the catalogue; keywords are then entered in the search engine for precise retrieval; the search engine finds the matching data in a certain manner and returns them to the user sorted by the degree of match between the data and the keywords.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so that data can be obtained quickly and accurately.
Preferably, performing unified monitoring and management of the security of each subsystem includes:
(1) adopting the corresponding protection techniques for the different security protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, fitting the relevant protection equipment, and forming a complete security protection system;
(2) establishing an effective data security mechanism that comprehensively considers security during data storage, transmission and access, encrypting not only the data but also the data transport protocol;
(3) establishing a virus and trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6 to 10 days, and analysing any anomalous data detected and issuing an early warning.
This preferred embodiment implements unified monitoring and management of the security of each subsystem.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the data that must be kept confidential into a plurality of mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a self-defined ordering rule, extracts the first data unit of each set in turn, and saves the extracted units together with the ordering rule as small-block data; "mutually exclusive" here means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the access control security policy of the system by an access control security policy optimization method based on fine-grained resource division, which includes:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit; the tree has three layers, a service layer, a logical layer and a physical layer, where the service layer is the root node associated with the data scheduling service, the logical layer holds the data associated in the access control security policy, and the physical layer contains the data units of all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security classes in the eXtensible Access Control Markup Language (XACML), and projecting the rules of the access control security policy onto the data units of the mutually exclusive data sets according to their data associations, so that the rules of the policy are refined to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set, so as to remove conflicts and redundancy among the rules assigned to each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the uploaded education resource data to the corresponding storage device includes:
(1) storing the small-block data in local storage, encrypted with a user-defined encryption technique;
(2) having the cloud storage encryption/decryption system 42 encrypt the remaining information data and store them in the cloud storage module of the cloud service center; after receiving the data, the cloud storage module performs an integrity check on them before saving them to the cloud storage nodes.
The two preferred embodiments above provide the data preprocessing system 41, which first partitions and extracts the confidential data and then refines the rules of the access control security policy. This reduces the physical storage space and the cost of storage, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by the data extraction process is stored locally, and the remaining data are stored in the cloud storage module after the corresponding access control security policy has been set. This avoids the considerable overhead and complexity that traditional cloud storage privacy mechanisms based on simple encryption incur when operating on the data in practice, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing information that must be kept confidential.
Preferably, the cloud storage encryption/decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential data includes:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, as follows:
A. initialization: the trusted third party initializes the system parameters [expression missing from the page], where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time the authentication parameter of the legitimate user is published [expression missing from the page], where $C_{UAID} \in \mathbb{Z}_p$;
C. identity key pairs are generated for the data owner and the legitimate users;
(2) the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key are generated. The identity-based key comprises the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute key comprises the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes assigned to the identity by the attribute authority, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) the cloud storage encryption/decryption system 42 encrypts the data to be stored in the cloud storage module with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and with the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, as follows:
A. two fixed-length random strings IK and AK are generated and concatenated to form the data key DK:
$DK = IK \,\|\, AK$
B. the data to be stored in the cloud storage module are encrypted with the data key DK to obtain the ciphertext CT; AK is then encrypted with the attribute public key to generate the attribute key ciphertext $CT_A$, and IK is encrypted with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, reconstructs the data key, and decrypts the ciphertext CT;
(6) the attribute keys and identity keys are updated.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and the attribute authority. For the data to be stored in the cloud storage module, an identity-based encryption/decryption key and an attribute encryption/decryption key are constructed separately and combined to form the data encryption key with which the data are encrypted, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario, the update cycle T is taken as 8 days, and the security of the data security management system 4 is relatively improved by 10%.
Application scenario 4
Referring to Fig. 1 and Fig. 2, the cloud educational system of one embodiment of this application scenario includes a cloud education services center 1, a user mobile terminal 2 and an education terminal 3. The user mobile terminal 2 and the education terminal 3 are each communicatively connected to the cloud education services center 1. The cloud education services center 1 stores education resource data, issues education resource data to an education terminal 3 that has initiated a data update request, provides storage space to a user mobile terminal 2 that has initiated a data upload request, and manages the education terminals 3 connected to it. The user mobile terminal 2 provides the user with an interface service for uploading education resource data to the cloud education services center 1. The education terminal 3 initiates data update requests to the cloud education services center 1 and receives the education resource data that the center issues.
With the above embodiment of the present invention, the user mobile terminal 2 can upload education resource data to the cloud education services center 1 at any time, enriching the data held in the center. This is an innovative content update mode for the education sector: education resource data are stored in the cloud education services center 1 and the education terminals 3 are updated by on-demand requests, which saves manpower and lets the storage capacity for education resource data expand without limit, thus solving the technical problem described above.
Preferably, the cloud education services center 1 includes:
an update request receiving module, for receiving the data update requests that the education terminals 3 initiate to the cloud education services center 1;
a parsing module, for parsing the data update request and obtaining the education resource data that the education terminal 3 needs;
a storage module, for storing education resource data and cloud terminal management data;
a sending module, for issuing the required education resource data to the education terminal 3.
This preferred embodiment implements the function whereby the cloud education services center 1 updates the education resource data of the education terminal 3.
Preferably, the cloud education services center 1 further includes a management module, for managing the education terminals 3 connected to it by means of control commands; the sending module is also used to send the management control commands.
This preferred embodiment implements the function whereby the cloud education services center 1 manages the education terminals 3.
Preferably, the cloud educational system further includes a data security management system 4 for managing the data in the cloud education services center 1. The data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storing, backing up and querying the education resource data and the cloud terminal management data; the data preprocessing system 41 preprocesses the data that must be kept confidential; the cloud storage encryption/decryption system 42 encrypts or decrypts the confidential data according to the optimized access control security policy; the control system 43 stores the uploaded education resource data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each subsystem.
This preferred embodiment constructs the system structure of the data security management system 4.
Preferably, being responsible for storing, backing up and querying the education resource data and the cloud terminal management data includes:
(1) converting the data format and establishing a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and expert data and storing them with a strategy that combines centralized and distributed storage, with all data backed up at storage time; the combined strategy is as follows: basic data accessed more often than a preset frequency are stored centrally and maintained uniformly by the data control center, while expert data accessed less often than the preset frequency are stored in a distributed manner and maintained separately at each expert data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data; the retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is established and a preliminary retrieval is made through the catalogue; keywords are then entered in the search engine for precise retrieval; the search engine finds the matching data in a certain manner and returns them to the user sorted by the degree of match between the data and the keywords.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so that data can be obtained quickly and accurately.
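The frequency-based tiering of step (2) and the catalogue-then-keyword retrieval of step (3), as an added Python example that is not part of the patent. The sample records, their access frequencies, the preset frequency threshold and the match-degree formula (fraction of query terms found in a record's text) are all constructed assumptions; the patent only says the engine finds matches "in a certain manner" and sorts by match degree.

```python
"""Added example (not from the patent): storage tiering by access frequency and
two-stage retrieval (catalogue prefix, then keyword ranking by match degree)."""
from typing import Dict, List, Tuple

# Constructed sample data: (record id, catalogue path, text, accesses per day).
RECORDS = [
    ("r1", "math/algebra", "linear equations worksheet", 120.0),
    ("r2", "math/algebra", "quadratic equations practice", 80.0),
    ("r3", "math/geometry", "triangle congruence proofs", 5.0),
    ("r4", "physics/mechanics", "newton laws of motion worksheet", 2.0),
]
PRESET_FREQUENCY = 10.0  # accesses per day; the threshold value is an assumption


def tier_by_frequency(records, threshold=PRESET_FREQUENCY) -> Dict[str, List[str]]:
    """Basic (hot) data go to centralised storage, expert (cold) data to distributed storage."""
    tiers: Dict[str, List[str]] = {"centralized": [], "distributed": []}
    for rid, _path, _text, freq in records:
        tiers["centralized" if freq > threshold else "distributed"].append(rid)
    return tiers


def build_catalogue(records) -> Dict[str, List[tuple]]:
    """Data catalogue: catalogue path -> records filed under it."""
    catalogue: Dict[str, List[tuple]] = {}
    for rec in records:
        catalogue.setdefault(rec[1], []).append(rec)
    return catalogue


def catalogue_lookup(catalogue, prefix: str) -> List[tuple]:
    """Preliminary retrieval: every record whose catalogue path starts with the prefix."""
    return [rec for path, recs in catalogue.items() if path.startswith(prefix) for rec in recs]


def keyword_search(candidates, query: str) -> List[Tuple[str, float]]:
    """Precise retrieval: rank candidates by match degree, highest first (ties by id)."""
    terms = set(query.lower().split())
    scored = []
    for rid, _path, text, _freq in candidates:
        words = set(text.lower().split())
        degree = len(terms & words) / len(terms) if terms else 0.0
        if degree > 0:
            scored.append((rid, degree))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def retrieve(records, prefix: str, query: str) -> List[Tuple[str, float]]:
    """Catalogue narrows the candidate set; the keyword stage ranks what is left."""
    return keyword_search(catalogue_lookup(build_catalogue(records), prefix), query)
```

Running `retrieve(RECORDS, "math", "equations worksheet")` returns r1 with degree 1.0 ahead of r2 with 0.5; r4 also contains "worksheet" but never reaches the keyword stage because the catalogue step excludes it, which is what keeps the precise search cheap.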
Preferably, performing unified monitoring and management of the security of each subsystem includes:
(1) adopting the corresponding protection techniques for the different security protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, fitting the relevant protection equipment, and forming a complete security protection system;
(2) establishing an effective data security mechanism that comprehensively considers security during data storage, transmission and access, encrypting not only the data but also the data transport protocol;
(3) establishing a virus and trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6 to 10 days, and analysing any anomalous data detected and issuing an early warning.
This preferred embodiment implements unified monitoring and management of the security of each subsystem.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the data that must be kept confidential into a plurality of mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a self-defined ordering rule, extracts the first data unit of each set in turn, and saves the extracted units together with the ordering rule as small-block data; "mutually exclusive" here means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the access control security policy of the system by an access control security policy optimization method based on fine-grained resource division, which includes:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit; the tree has three layers, a service layer, a logical layer and a physical layer, where the service layer is the root node associated with the data scheduling service, the logical layer holds the data associated in the access control security policy, and the physical layer contains the data units of all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security classes in the eXtensible Access Control Markup Language (XACML), and projecting the rules of the access control security policy onto the data units of the mutually exclusive data sets according to their data associations, so that the rules of the policy are refined to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set, so as to remove conflicts and redundancy among the rules assigned to each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
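Steps (1) to (4) of the policy optimization carried through on a small constructed policy, as an added Python example that is not the patent's own code. The patent does not fix a rule format, so a rule is modelled here as a (subject, target, effect) triple in the spirit of an XACML rule, a target is a data-set name or "*", a Permit/Deny conflict on the same unit is resolved deny-overrides, and redundancy means a second rule with the same subject and effect on the same unit; all of that is assumption.

```python
"""Added example (not from the patent): refining access rules from data sets down to
data units, removing conflicts and redundancy per unit, then merging the result."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    subject: str   # who the rule applies to (assumed: a role name)
    target: str    # a data-set name, or "*" for every set
    effect: str    # "Permit" or "Deny"


def build_tree(data_sets: Dict[str, List[str]]) -> dict:
    """Step (1): service root -> logical layer (data sets) -> physical layer (units)."""
    return {"service": "data-scheduling",
            "logical": {name: list(units) for name, units in data_sets.items()}}


def project_rules(tree: dict, rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Step (2): push every rule down onto the physical data units its target covers."""
    per_unit: Dict[str, List[Rule]] = {}
    for name, units in tree["logical"].items():
        for unit in units:
            per_unit[unit] = [Rule(r.subject, unit, r.effect)
                              for r in rules if r.target in (name, "*")]
    return per_unit


def optimize_unit_rules(unit_rules: List[Rule]) -> List[Rule]:
    """Step (3): drop duplicates and resolve Permit/Deny conflicts (deny-overrides)."""
    chosen: Dict[str, Rule] = {}
    for r in unit_rules:
        current = chosen.get(r.subject)
        if current is None or (current.effect == "Permit" and r.effect == "Deny"):
            chosen[r.subject] = r
    return sorted(chosen.values(), key=lambda r: r.subject)


def optimize_policy(data_sets, rules) -> Dict[str, List[Rule]]:
    """Steps (1)-(3) end to end: one conflict-free, duplicate-free rule list per unit."""
    return {unit: optimize_unit_rules(rs)
            for unit, rs in project_rules(build_tree(data_sets), rules).items()}


def merge_policy(policy: Dict[str, List[Rule]]) -> Dict[tuple, List[str]]:
    """Step (4): merge identical (subject, effect) decisions across units into one rule each."""
    merged: Dict[tuple, List[str]] = {}
    for unit, rs in policy.items():
        for r in rs:
            merged.setdefault((r.subject, r.effect), []).append(unit)
    return {key: sorted(units) for key, units in merged.items()}


def decide(policy: Dict[str, List[Rule]], subject: str, unit: str) -> str:
    """Evaluate a request against the refined policy; anything unmatched is denied."""
    for r in policy.get(unit, []):
        if r.subject == subject:
            return r.effect
    return "Deny"


# Constructed sample data: two mutually exclusive data sets and a policy with one
# conflict (student on grades) and one redundancy (teacher on grades).
SAMPLE_SETS = {"grades": ["g1", "g2"], "lessons": ["l1"]}
SAMPLE_RULES = [
    Rule("teacher", "*", "Permit"),
    Rule("student", "lessons", "Permit"),
    Rule("student", "grades", "Deny"),
    Rule("student", "grades", "Permit"),   # conflicts with the Deny above
    Rule("teacher", "grades", "Permit"),   # redundant with the wildcard rule
]
```

After `optimize_policy(SAMPLE_SETS, SAMPLE_RULES)` each grade unit carries exactly two rules (student: Deny, teacher: Permit) and a request is answered by a single lookup on the unit, which is the decision-efficiency gain the passage claims; the default-deny in `decide` is the part worth keeping whatever rule model is chosen.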
Preferably, storing the uploaded education resource data to the corresponding storage device includes:
(1) storing the small-block data in local storage, encrypted with a user-defined encryption technique;
(2) having the cloud storage encryption/decryption system 42 encrypt the remaining information data and store them in the cloud storage module of the cloud service center; after receiving the data, the cloud storage module performs an integrity check on them before saving them to the cloud storage nodes.
The two preferred embodiments above provide the data preprocessing system 41, which first partitions and extracts the confidential data and then refines the rules of the access control security policy. This reduces the physical storage space and the cost of storage, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. The part of the data extracted by the data extraction process is stored locally, and the remaining data are stored in the cloud storage module after the corresponding access control security policy has been set. This avoids the considerable overhead and complexity that traditional cloud storage privacy mechanisms based on simple encryption incur when operating on the data in practice, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing information that must be kept confidential.
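The partition, extraction and split-storage flow of the data preprocessing system 41 together with the integrity check the cloud storage module performs on receipt, as an added Python example that is not the patent's own code. Round-robin partitioning, sorting by length and then text as the self-defined ordering rule, JSON serialisation and a SHA-256 digest as the integrity check are all assumptions; the encryption of the local small block and of the cloud-bound remainder is left out so that the example concentrates on what is held where and on the receive-side check.

```python
"""Added example (not from the patent): mutually exclusive partitioning, extraction of
one unit per set into locally held small-block data, integrity-checked cloud storage
of the remainder, and reconstruction by the owner who holds both parts."""
import hashlib
import json
from typing import Dict, List, Tuple

ORDERING_RULE = "length-then-text"   # the self-defined ordering rule, kept with the small block


def partition(records: List[str], n_sets: int) -> List[List[str]]:
    """Data partitioning unit: n mutually exclusive sets (round-robin; assumed rule)."""
    sets: List[List[str]] = [[] for _ in range(n_sets)]
    for i, rec in enumerate(records):
        sets[i % n_sets].append(rec)
    return sets


def order(units: List[str]) -> List[str]:
    """Apply ORDERING_RULE: shorter units first, ties broken by text."""
    return sorted(units, key=lambda u: (len(u), u))


def extract_small_block(sets: List[List[str]]) -> Tuple[dict, List[List[str]]]:
    """Data extraction unit: first unit of every ordered set goes to the small block."""
    small = {"ordering_rule": ORDERING_RULE, "units": []}
    remainder: List[List[str]] = []
    for s in sets:
        ordered = order(s)
        small["units"].append(ordered[0])
        remainder.append(ordered[1:])
    return small, remainder


def package_for_cloud(remainder: List[List[str]]) -> Tuple[bytes, str]:
    """Sender side: serialise the remainder and compute the digest the cloud will verify."""
    blob = json.dumps(remainder).encode()
    return blob, hashlib.sha256(blob).hexdigest()


def cloud_store_receive(blob: bytes, digest: str, nodes: Dict[str, bytes]) -> bool:
    """Cloud storage module: save to a storage node only if the integrity check passes."""
    if not hashlib.sha256(blob).hexdigest() == digest:
        return False
    nodes[digest] = blob
    return True


def reconstruct(small: dict, blob: bytes) -> List[List[str]]:
    """Owner side: small block plus ordering rule restores every set; the cloud copy alone cannot."""
    remainder = json.loads(blob.decode())
    return [[unit] + rest for unit, rest in zip(small["units"], remainder)]


# Constructed sample input: six confidential records.
SAMPLE_RECORDS = ["alpha", "b", "charlie", "dd", "eee", "f"]
```

With `SAMPLE_RECORDS` split into two sets, the small block keeps `["eee", "b"]` and the cloud receives only `[["alpha", "charlie"], ["f", "dd"]]`; a blob altered in transit fails `cloud_store_receive` and is never written to a node, which is the check the passage asks for before data reach the storage nodes.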
Preferably, the cloud storage encryption/decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential data includes:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, as follows:
A. initialization: the trusted third party initializes the system parameters [expression missing from the page], where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate:
$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$
At the same time the authentication parameter of the legitimate user is published [expression missing from the page], where $C_{UAID} \in \mathbb{Z}_p$;
C. identity key pairs are generated for the data owner and the legitimate users;
(2) the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key are generated. The identity-based key comprises the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute key comprises the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes assigned to the identity by the attribute authority, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) The cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage module with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and with the attribute public key respectively, producing the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A. Two fixed-length strings IK and AK are generated at random and concatenated to form the data key DK:
$$DK = IK \,\|\, AK$$
B. The data to be stored in the cloud storage module is encrypted with the data key DK to obtain the ciphertext CT; AK is then encrypted with the attribute public key to produce the attribute key ciphertext $CT_A$, and IK is encrypted with the identity public key to produce the identity key ciphertext $CT_U$;
(4) Proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) Data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, then reconstructs the data key and decrypts the ciphertext CT;
(6) The attribute keys and identity keys are updated.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and the attribute authority. For the data to be stored in the cloud storage module, the identity-based encryption and decryption keys and the attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario, the update cycle T is set to 9, and the security of the data security management system 4 is improved by 9% relatively.
Application scenario 5
Referring to Fig. 1 and Fig. 2, the cloud educational system of one embodiment of this application scenario includes a cloud education services center 1, a user mobile terminal 2 and an education terminal 3; the user mobile terminal 2 and the education terminal 3 are each communicatively connected to the cloud education services center 1. The cloud education services center 1 stores education resource data, issues education resource data to the education terminal 3 that initiated a data update request according to that request, provides storage space to the user mobile terminal 2 that initiated a data upload request according to that request, and manages the education terminals 3 connected to it. The user mobile terminal 2 provides the interface service through which the user uploads education resource data to the cloud education services center 1. The education terminal 3 initiates data update requests to the cloud education services center 1 and receives the education resource data it issues.
With the above embodiment of the present invention, the user mobile terminal 2 can upload education resource data to the cloud education services center 1 at any time, enriching the data held there. In the education sector this is an innovative content update mode: education resource data is stored in the cloud education services center 1 and the education terminals 3 are updated by means of instant requests, which saves manpower and expands the storage capacity for education resource data without limit, thereby solving the technical problem described above.
Preferably, the cloud education services center 1 includes:
an update request receiving module, for receiving the data update requests that the education terminal 3 initiates to the cloud education services center 1;
a parsing module, for parsing the data update request and obtaining the education resource data that the education terminal 3 needs;
a storage module, for storing education resource data and cloud terminal management data;
a sending module, for issuing the needed education resource data to the education terminal 3.
This preferred embodiment implements the function by which the cloud education services center 1 updates the education resource data of the education terminal 3.
Preferably, the cloud education services center 1 also includes a management module, for managing the education terminals 3 connected to it by means of control commands; the sending module is also used for sending the management control commands.
This preferred embodiment implements the function by which the cloud education services center 1 manages the education terminals 3.
Preferably, the cloud educational system also includes a data security management system 4 for managing the data in the cloud education services center 1. The data security management system 4 includes a data service system 40, a data pretreatment unit 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for the storage, backup and querying of education resource data and cloud terminal management data; the data pretreatment unit 41 pretreats the data to be kept confidential; the cloud storage encryption and decryption system 42 encrypts or decrypts the data to be kept confidential according to the optimised access control security policy; the control system 43 stores the uploaded education resource data to the corresponding storage device; and the security management center 44 carries out unified security monitoring and management of each system.
This preferred embodiment sets out the structure of the data security management system 4.
Preferably, the storage, backup and querying of education resource data and cloud terminal management data includes:
(1) converting the data format and establishing a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data and storing it with a strategy that combines centralised and distributed storage, all data being backed up when stored; the combined strategy is: basic data accessed more often than a preset frequency is stored centrally and maintained uniformly by the control data center, while professional data accessed less often than the preset frequency is stored in a distributed manner and maintained separately at each professional data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data; the retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is established and the data is first retrieved coarsely by catalogue; a keyword is entered in the search engine for precise retrieval; the search engine finds the matching data in a given way and returns it to the user ranked by the degree to which the data matches the keyword.
This preferred embodiment uses a retrieval algorithm combining catalogue retrieval with a search engine, and can obtain data quickly and accurately.
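The storage placement rule and the two-stage retrieval described above, as an added example that is not part of the patent and not code from any implementation of it. The records, their access counts, the catalogue paths and the preset frequency threshold are constructed sample values, and the "match degree" used for ranking is assumed to be the share of query terms found in a record's keywords or title.

```python
"""Added example (not from the patent): placement of records by access frequency
and the two-stage catalogue + keyword retrieval described above, with results
ranked by how well they match the query.  The records, their access counts and
the preset frequency threshold are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRESET_FREQUENCY = 100   # assumed preset frequency (accesses per day); constructed


@dataclass
class Record:
    rid: str
    catalogue: str       # catalogue path used for the coarse first stage
    title: str
    keywords: List[str]
    accesses_per_day: int


# Constructed sample records standing in for education resource data.
SAMPLE = [
    Record("r1", "math/algebra", "Linear equations", ["linear", "equation", "algebra"], 450),
    Record("r2", "math/algebra", "Quadratic equations", ["quadratic", "equation"], 120),
    Record("r3", "math/geometry", "Triangles", ["triangle", "angle"], 30),
    Record("r4", "physics/mechanics", "Newton's laws", ["force", "motion", "newton"], 15),
    Record("r5", "physics/optics", "Refraction", ["light", "lens", "equation"], 8),
]


def place(records, preset: int = PRESET_FREQUENCY) -> Dict[str, str]:
    """Basic data accessed above the preset frequency goes to the central store,
    professional data below it to a distributed professional data centre.
    Every record is backed up regardless of tier."""
    tiers = {}
    for r in records:
        tiers[r.rid] = "central" if r.accesses_per_day > preset else "distributed"
    return tiers


def catalogue_retrieve(records, prefix: str) -> List[Record]:
    """Stage 1: coarse retrieval by catalogue path (exact node or any child)."""
    return [r for r in records if r.catalogue == prefix or r.catalogue.startswith(prefix + "/")]


def keyword_retrieve(records, query: str) -> List[Tuple[str, float]]:
    """Stage 2: precise retrieval; match degree = share of query terms found in
    the record's keywords or title; sorted by match degree, ties broken by id."""
    terms = {t.lower() for t in query.split()}
    if not terms:
        return []
    scored = []
    for r in records:
        haystack = {k.lower() for k in r.keywords} | set(r.title.lower().split())
        hits = len(terms & haystack)
        if hits:
            scored.append((r.rid, hits / len(terms)))
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def retrieve(records, prefix: str, query: str) -> List[Tuple[str, float]]:
    """Catalogue narrowing first, then keyword ranking within that subset."""
    return keyword_retrieve(catalogue_retrieve(records, prefix), query)
```

Narrowing by catalogue before scoring keeps the ranking stage cheap, which is the point of combining the two methods; the placement function is kept separate from retrieval because the tier only affects where a record is maintained, not how it is found.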
Preferably, the unified security monitoring and management of each system includes:
(1) adopting the corresponding protection techniques for the different security protection requirements of the data service system 40, the data pretreatment unit 41, the cloud storage encryption and decryption system 42 and the control system 43, and fitting the relevant protection equipment, so as to form a complete security protection system;
(2) establishing an effective data security mechanism that considers the security of data in storage, in transmission and during access as a whole: not only is the data encrypted, the data transmission protocol is encrypted as well;
(3) establishing a virus and trojan defence mechanism with regular virus database updates and firewall upgrades at an update cycle T, where T is 6 to 10 days; any abnormal data detected is analysed and an early warning is issued.
This preferred embodiment implements unified security monitoring and management of each system.
Preferably, the data pretreatment unit 41 includes a data splitting unit, a data extraction unit and an access control security policy optimisation unit. The data splitting unit divides the data to be kept confidential into a number of mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a self-defined ordering rule, extracts the first data unit of each data set in turn and saves these first units together with the ordering rule as a small data block; "mutually exclusive" means that no two data units in the data set are associated with each other. The access control security policy optimisation unit generates the system's access control security policy with a policy optimisation method based on fine-grained division of resources, including:
(1) building a hierarchical data tree from the mutually exclusive data sets output by the data extraction unit; the hierarchical data tree is a three-layer tree comprising a service layer, a logical layer and a physical layer, where the service layer is the root node related to the data scheduling service, the logical layer holds the data associated in the access control security policy, and the physical layer contains the data units of all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels in the eXtensible Access Control Markup Language (XACML), and projecting the rules in the access control security policy that are associated with data onto the data units of the mutually exclusive data sets, so that the rules in the policy are refined to the level of individual data units;
(3) optimising the rules on the data units of each mutually exclusive data set, to remove conflicts and redundancy among the rules allocated to each data unit;
(4) merging the optimised rules to generate the optimised access control security policy.
Preferably, storing the uploaded education resource data to the corresponding storage device includes:
(1) storing the small data block in local storage and encrypting it with a user-defined encryption technique;
(2) encrypting the remaining information data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage module of the cloud service center; after the cloud storage module receives the data, the cloud performs an integrity check on it and then saves it in a storage node.
The two preferred embodiments above provide the data pretreatment unit 41: the data to be kept confidential is first split and then passed through data extraction, after which the rules in the access control security policy are refined. This reduces the physical storage space and the storage cost of the data, eliminates conflicts and redundancy in the access control security policy, and improves access control decision efficiency. The part of the data taken out by the extraction process is stored in local storage, while the remaining data is stored in the cloud storage module after the corresponding access control security policy has been set. This avoids the large overhead and cumbersome handling that a traditional cloud storage data privacy mechanism based on simple encryption alone incurs when actually processing and operating on data; it effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing the data that must be kept confidential.
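The data pretreatment unit 41 and the storage steps described above, as an added example that is not part of the patent and not code from any implementation of it. The confidential data units, the ordering rule "by level, then id", the round-robin splitting and the XACML-style rules are all constructed sample values; the policy is modelled as Python tuples rather than XML, a rule's target is taken to be a minimum security level, and conflicts between Permit and Deny on the same data unit are resolved with deny-overrides, which is an assumed choice the text does not specify.

```python
"""Added example (not from the patent): data pretreatment as described above,
with splitting of confidential records into mutually exclusive sets, extraction of
the first unit of each sorted set into a locally kept small block, upload of the
remainder to a cloud store that checks integrity on receipt, and refinement of
coarse access-control rules down to individual data units with redundant and
conflicting rules removed.  Records, rules and the ordering rule are constructed
sample values; the XACML policy is modelled as Python tuples rather than XML."""
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed confidential data units: (unit id, security level, description)
UNITS = [
    ("u1", 1, "lecture notes"),
    ("u2", 2, "exam paper draft"),
    ("u3", 3, "staff payroll"),
    ("u4", 2, "course syllabus"),
    ("u5", 3, "teacher ID numbers"),
    ("u6", 1, "student grade list"),
]

ORDERING_RULE = "by_level_then_id"   # self-defined ordering rule, kept with the small block


def split_mutually_exclusive(units, n: int) -> List[List[tuple]]:
    """Round-robin partition into n disjoint sets; no unit appears in two sets."""
    sets: List[List[tuple]] = [[] for _ in range(n)]
    for i, u in enumerate(units):
        sets[i % n].append(u)
    return sets


def extract_small_block(sets) -> Tuple[dict, List[List[tuple]]]:
    """Sort each set by the ordering rule and pull out its first unit.
    The small block (first units plus the rule) stays in local storage."""
    small, remainder = [], []
    for s in sets:
        ordered = sorted(s, key=lambda u: (u[1], u[0]))   # by_level_then_id
        small.append(ordered[0])
        remainder.append(ordered[1:])
    return {"rule": ORDERING_RULE, "units": small}, remainder


def reassemble(small_block: dict, remainder) -> List[tuple]:
    """Reverse the extraction: each first unit goes back to the head of its set."""
    out: List[tuple] = []
    for first, rest in zip(small_block["units"], remainder):
        out.append(first)
        out.extend(rest)
    return out


def cloud_upload(remainder) -> Tuple[bytes, str]:
    """Serialise the remainder for the cloud storage module and attach a digest."""
    payload = json.dumps(remainder).encode()
    return payload, hashlib.sha256(payload).hexdigest()


def cloud_receive(payload: bytes, digest: str) -> bool:
    """Cloud side: integrity check before the data is saved to a storage node."""
    return hashlib.sha256(payload).hexdigest() == digest


# Constructed coarse rules in XACML style: (rule id, role, action, target, effect).
# A target selects every unit whose security level is at least min_level.
RULES = [
    ("R1", "teacher", "read", {"min_level": 1}, "Permit"),
    ("R2", "teacher", "read", {"min_level": 2}, "Permit"),   # redundant with R1 on level >= 2 units
    ("R3", "teacher", "read", {"min_level": 3}, "Deny"),     # conflicts with R1/R2 on level 3 units
    ("R4", "student", "read", {"min_level": 1}, "Permit"),
    ("R5", "student", "read", {"min_level": 2}, "Deny"),
]


def refine_policy(units, rules) -> Dict[str, Dict[Tuple[str, str], str]]:
    """Project each rule onto the units it targets, then per unit collapse
    duplicate (role, action, effect) entries and resolve Permit/Deny
    conflicts with deny-overrides, leaving one effect per (role, action)."""
    per_unit: Dict[str, Dict[Tuple[str, str], str]] = {}
    for uid, level, _ in units:
        effects: Dict[Tuple[str, str], set] = {}
        for _, role, action, target, effect in rules:
            if level >= target["min_level"]:
                effects.setdefault((role, action), set()).add(effect)
        per_unit[uid] = {k: ("Deny" if "Deny" in v else "Permit") for k, v in effects.items()}
    return per_unit


def merge_rules(per_unit) -> Dict[Tuple[str, str, str], List[str]]:
    """Step (4): merge the refined per-unit rules back into one optimised policy,
    one rule per (role, action, effect) listing the units it covers."""
    merged: Dict[Tuple[str, str, str], List[str]] = {}
    for uid, entries in per_unit.items():
        for (role, action), effect in entries.items():
            merged.setdefault((role, action, effect), []).append(uid)
    return {k: sorted(v) for k, v in merged.items()}


def decide(per_unit, uid: str, role: str, action: str) -> str:
    """A request is decided by one lookup: the refined policy is conflict-free."""
    return per_unit.get(uid, {}).get((role, action), "NotApplicable")
```

The small block is what makes the cloud copy incomplete on its own: without the locally held first units and the ordering rule, the remainder cannot be reassembled in order, which is the privacy argument of the text. The refinement step turns five overlapping rules into a single effect per unit and (role, action), so the decision function needs no combining logic at request time.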
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, a trusted third party and the user. It encrypts or decrypts the data to be kept confidential as follows:
(1) The trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, including:
A. Initialisation: the trusted third party initialises the system parameter, in which α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$$\mathrm{Certificate}(UAID) = \hat{e}(H(UAID), g)^{C_{UAID}}$$
At the same time, the authentication parameter of the legitimate user is published, where $C_{UAID} \in \mathbb{Z}_p$;
C. An identity key pair is generated for the data owner and for each legitimate user;
(2) The identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key are generated, where the identity-based keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$$GK_{UAID} = \hat{e}(g, g)^{\propto_{AID}}$$
$$GK_{AID} = \left\{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\right\}$$
$$CK_{UAID} = (\propto_{AID}, \beta_{AID})$$
$$CK_{AID} = \left(K_0 = g^{\propto_{AID}}\, g^{\alpha\gamma},\; K_1 = g^{\alpha\gamma},\; \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$$
where $AS_{AID}$ is the attribute set that a single attribute authority can distribute, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private-key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set distributed by the attribute authority according to the identity, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in \mathbb{Z}_p$;
(3) The cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage module with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and with the attribute public key respectively, producing the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A. Two fixed-length strings IK and AK are generated at random and concatenated to form the data key DK:
$$DK = IK \,\|\, AK$$
B. The data to be stored in the cloud storage module is encrypted with the data key DK to obtain the ciphertext CT; AK is then encrypted with the attribute public key to produce the attribute key ciphertext $CT_A$, and IK is encrypted with the identity public key to produce the identity key ciphertext $CT_U$;
(4) Proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the designated user can decrypt; the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) Data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ with the identity private key $CK_{UAID}$ and the attribute key ciphertext $CT_A$ with the attribute private key $CK_{AID}$, then reconstructs the data key and decrypts the ciphertext CT;
(6) The attribute keys and identity keys are updated.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of data while resisting collusion between users and the attribute authority. For the data to be stored in the cloud storage module, the identity-based encryption and decryption keys and the attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario, the update cycle T is set to 10, and the security of the data security management system 4 is improved by 8% relatively.
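The split data key DK = IK || AK and the "identity and attribute" double condition of steps (3) to (6) of the cloud storage encryption and decryption system 42, which the description gives for application scenario 4 and again above for application scenario 5, as an added example that is not part of the patent and not code from any implementation of it. The pairing-based identity and attribute keys of the text are replaced by a symmetric stand-in: the trusted third party's registry holds one random identity key per UAID, and the attribute authority derives one key per attribute from a master secret and the attribute's version number, so an attribute update (step (6)) invalidates previously issued attribute keys. The cipher is a constructed HMAC-SHA256 counter mode with an encrypt-then-MAC tag so that the block runs on the standard library alone. Collusion resistance and proxy re-encryption (step (4)) are not modelled; all names, messages and attribute labels are constructed.

```python
"""Added example (not from the patent): the split data key DK = IK || AK of the
scheme above, IK wrapped for the recipient's identity and AK for the required
attribute set, so decryption needs the identity key and every required attribute.
Identity and attribute keys are modelled as secrets issued by a trusted third
party and an attribute authority (a symmetric stand-in for the pairing-based keys
in the text; collusion resistance and proxy re-encryption are not modelled), and
the cipher is a constructed HMAC-SHA256 counter mode with an encrypt-then-MAC tag."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Iterable

def derive(key: bytes, info: bytes) -> bytes:
    """One-step HMAC key derivation (stand-in for a full KDF)."""
    return hmac.new(key, info, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class AttributeAuthority:
    """Issues one key per attribute; the version number B_x changes on update."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.version: Dict[str, int] = {}

    def attribute_key(self, x: str) -> bytes:
        return derive(self._master, f"{x}:{self.version.get(x, 0)}".encode())

    def update_attribute(self, x: str) -> None:
        self.version[x] = self.version.get(x, 0) + 1   # keys issued earlier for x no longer match

def policy_key(attribute_keys: Dict[str, bytes], attrs: Iterable[str]) -> bytes:
    """AND over the required attributes: every attribute key is folded in, in a fixed order."""
    k = b"policy"
    for x in sorted(attrs):
        if x not in attribute_keys:
            raise PermissionError(f"missing attribute {x}")
        k = derive(attribute_keys[x], k)
    return k

def encrypt_for(data: bytes, identity_key: bytes, attrs: Iterable[str], aa: AttributeAuthority) -> dict:
    """Data owner: DK = IK || AK; CT under DK, CT_U wraps IK, CT_A wraps AK."""
    ik, ak = secrets.token_bytes(16), secrets.token_bytes(16)
    required = sorted(attrs)
    owner_view = {x: aa.attribute_key(x) for x in required}   # attribute keys as currently issued
    return {"CT": aead_encrypt(ik + ak, data), "CT_U": aead_encrypt(identity_key, ik),
            "CT_A": aead_encrypt(policy_key(owner_view, required), ak), "attrs": required}

def decrypt_as(identity_key: bytes, attribute_keys: Dict[str, bytes], bundle: dict) -> bytes:
    """User: recover IK and AK separately, rebuild DK, then decrypt CT."""
    ik = aead_decrypt(identity_key, bundle["CT_U"])
    ak = aead_decrypt(policy_key(attribute_keys, bundle["attrs"]), bundle["CT_A"])
    return aead_decrypt(ik + ak, bundle["CT"])

def demo() -> Dict[str, bool]:
    """Constructed scenario: only the right identity holding all required attributes succeeds."""
    ttp_registry = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}  # UAID -> identity key
    aa = AttributeAuthority()
    full = {x: aa.attribute_key(x) for x in ("teacher", "math-dept")}
    msg = b"exam answer key"
    bundle = encrypt_for(msg, ttp_registry["alice"], ["teacher", "math-dept"], aa)

    def attempt(identity_key, attribute_keys, b=bundle) -> bool:
        try:
            return decrypt_as(identity_key, attribute_keys, b) == msg
        except (ValueError, PermissionError):
            return False

    results = {"alice": attempt(ttp_registry["alice"], full),
               "bob_same_attributes": attempt(ttp_registry["bob"], full),
               "alice_missing_attribute": attempt(ttp_registry["alice"], {"teacher": full["teacher"]})}
    aa.update_attribute("math-dept")                                   # step (6): attribute key update
    fresh = encrypt_for(msg, ttp_registry["alice"], ["teacher", "math-dept"], aa)
    results["alice_stale_attribute_key"] = attempt(ttp_registry["alice"], full, fresh)
    full["math-dept"] = aa.attribute_key("math-dept")                  # user fetches the updated key
    results["alice_refreshed"] = attempt(ttp_registry["alice"], full, fresh)
    return results
```

The useful property to observe is that the two halves of DK fail independently: a holder of the right attributes but the wrong identity cannot open $CT_U$, and the right identity without a required attribute cannot even form the key for $CT_A$, so neither party alone reaches CT. The version-keyed attribute derivation shows why step (6) matters operationally: after an attribute update, every user must obtain the refreshed attribute key before new ciphertexts open for them.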
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit its scope of protection. Although the present invention has been explained in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the substance and scope of the technical solution of the present invention.

Claims (3)

1. A cloud educational system, characterised in that it includes a cloud education services center, a user mobile terminal and an education terminal, the user mobile terminal and the education terminal each being communicatively connected to the cloud education services center; the cloud education services center is used to store education resource data, to issue education resource data to the education terminal that initiated a data update request according to that request, to provide storage space to the user mobile terminal that initiated a data upload request according to that request, and to manage the education terminals connected to it; the user mobile terminal provides the interface service through which the user uploads education resource data to the cloud education services center; the education terminal initiates data update requests to the cloud education services center and receives the education resource data issued by the cloud education services center.
2. The cloud educational system according to claim 1, characterised in that the cloud education services center includes:
an update request receiving module, for receiving the data update requests that the education terminal initiates to the cloud education services center;
a parsing module, for parsing the data update request and obtaining the education resource data that the education terminal needs;
a storage module, for storing education resource data and cloud terminal management data;
a sending module, for issuing the needed education resource data to the education terminal.
3. The cloud educational system according to claim 2, characterised in that the cloud education services center also includes a management module for managing the education terminals connected to it by means of control commands; the sending module is also used to send the management control commands.
CN201610782493.8A 2016-08-30 2016-08-30 A kind of cloud educational system Pending CN106161654A (en)
Publications (1)

Publication Number Publication Date
CN106161654A true CN106161654A (en) 2016-11-23

Family

ID=57345295
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161123