CN106326666A - Health record information management service system - Google Patents
- Publication number: CN106326666A
- Application number: CN201610789121.8A
- Authority: CN (China)
- Legal status: Pending
- Landscapes: Storage Device Security
Abstract
The invention provides a health record information management service system comprising a cloud service center, a user mobile terminal, a service providing terminal and a data security management system. The cloud service center comprises an information file storage module, a health analysis module and a health service application module. The information file storage module stores health record information and generates or updates the health record under a user account according to the stored information. The health analysis module analyzes the health record information to obtain a health analysis result and, according to that result, determines a matching service item from the service items offered by the service providing terminal. The health service application module pushes the matching service item to the corresponding user mobile terminal in response to a service request sent by that terminal. The data security management system ensures the security of health record information in storage and in transmission. The system is practical, fast, convenient and highly secure.
Description
Technical field
The present invention relates to the field of information management, and in particular to a health record information management service system.
Background
In the related art, the rapid development of wearable health-monitoring devices and home care equipment has provided new ways of collecting personal health record information, but there is no unified information management service platform to support them, so these information files remain fragmented.
Another difficulty is the information security and privacy protection of stored electronic medical records and health records, which hinders the development of the health record information service industry; individuals cannot enjoy the health management convenience and better service experience that a cloud service architecture and the Internet bring to users.
Summary of the invention
To solve the above problems, the present invention aims to provide a health record information management service system.
The object of the present invention is achieved by the following technical solution:
A health record information management service system is provided, comprising a cloud service center, a user mobile terminal, a service providing terminal and a data security management system. The cloud service center comprises an information file storage module, a health analysis module and a health service application module. The information file storage module stores health record information and generates or updates the health record under a user account according to the stored health record information. The health analysis module performs data analysis on the health record information to obtain a health analysis result and, according to that result, determines a matching service item from the service items offered by the service providing terminal. The health service application module, in response to a service request sent by the user mobile terminal, pushes the matching service item to the corresponding user mobile terminal and implements the functional service corresponding to the service item selected on the user mobile terminal. The data security management system ensures the security of health record information in storage and in transmission.
The beneficial effects of the invention are as follows: in addition to providing users with health record information storage, the health analysis module feeds back the user's personal health status, gives reminders and matches services to the user's health needs, while the data security management system ensures the security of health record information in storage and in transmission. Security is high, and the above technical problem is thereby solved.
Brief description of the drawings
The invention is further described with reference to the accompanying drawings, but the embodiments in the drawings do not limit the invention in any way; a person of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is a schematic diagram of the structural connections of the present invention.
Fig. 2 is a schematic structural diagram of the data security management system of the present invention.
Reference numerals:
Cloud service center 1, user mobile terminal 2, service providing terminal 3, data security management system 4, information file storage module 10, health analysis module 11, health service application module 12, data service system 40, data preprocessing system 41, cloud storage encryption and decryption system 42, control system 43, security management center 44.
Detailed description
The invention is further described with reference to the following embodiments.
Application scenario 1
Referring to Fig. 1 and Fig. 2, an embodiment of this application scenario provides a health record information management service system comprising a cloud service center 1, a user mobile terminal 2, a service providing terminal 3 and a data security management system 4. The cloud service center 1 comprises an information file storage module 10, a health analysis module 11 and a health service application module 12. The information file storage module 10 stores health record information and generates or updates the health record under a user account according to the stored health record information. The health analysis module 11 performs data analysis on the health record information to obtain a health analysis result and, according to that result, determines a matching service item from the service items offered by the service providing terminal 3. The health service application module 12, in response to a service request sent by the user mobile terminal 2, pushes the matching service item to the corresponding user mobile terminal 2 and implements the functional service corresponding to the service item selected on the user mobile terminal 2. The data security management system 4 ensures the security of health record information in storage and in transmission.
Preferably, the health service application module 12 is also used to query the health record and health analysis result under a user account in response to an operation of the user mobile terminal 2 or the service providing terminal 3.
In addition to providing users with health record information storage, the above embodiment of the invention uses the health analysis module 11 to feed back the user's personal health status, give reminders and match services to the user's health needs, while the data security management system 4 ensures the security of health record information in storage and in transmission. Security is high, and the above technical problem is thereby solved.
Preferably, the user mobile terminal 2 includes a user relationship authorization module, and the cloud service center 1 includes a user authorization verification system, which in turn includes an authorization permission verification module. The user relationship authorization module sends an authorization request to the cloud service center 1; the authorization request includes the user account or service account to be authorized. On receiving an authorization request, the authorization permission verification module grants the authorized user account or service account permission to operate on the health record and health analysis result under the user account that sent the authorization request.
This preferred embodiment further improves the security of access to health record information.
Preferably, the data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storage management, backup and querying of health record information data. The data preprocessing system 41 preprocesses the health record information data that must be kept confidential. The cloud storage encryption and decryption system 42 encrypts or decrypts the confidential health record information data according to the optimized access control security policy. The control system 43 stores the health record information data to the corresponding storage device. The security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the system structure of the data security management system 4.
Preferably, being responsible for storage management, backup and querying of health record information includes:
(1) converting the data format of the health record information into a format suitable for storage in a non-relational database;
(2) dividing the health record information data into basic data and specialized data, and storing the data with a strategy that combines centralized and distributed storage, with all data backed up at storage time. Under this combined strategy, centralized storage is used for basic data above a preset frequency, and distributed storage is used for specialized data below the preset frequency;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The data retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and the data is first retrieved coarsely by catalogue; a keyword is then entered into the search engine for a precise search; the search engine finds the matching data in a certain manner, ranks it by how well the data matches the keyword, and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, performing unified monitoring and management of the security of each system includes:
(1) adopting the protection techniques that correspond to the different security requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant protection equipment, so as to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during data storage, transmission and access together: not only is the health record information data encrypted, but the transport protocol carrying the health record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update cycle T of 6-10 days; detected abnormal data is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the health record information data that must be kept confidential into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as small-block data; here "mutually exclusive" means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource partitioning, including:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data dispatch service; the logical layer is the data associated in the access control security policy; the physical layer comprises the data units in all of the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to delete conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small-block data in local storage, and encrypting the small-block data with a user-defined encryption technique;
(2) after the remaining data is encrypted by the cloud storage encryption and decryption system 42, storing it in the cloud storage of the cloud service center 1; after the cloud storage receives the data, the cloud performs an integrity check on the data and then saves it in a storage node.
The two preferred embodiments above provide the data preprocessing system 41: the data that must be kept confidential first undergoes data partitioning and data extraction, and the rules in the access control security policy are then refined. This reduces the physical storage space needed for data storage and the cost of storage, and eliminates conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored locally, while the remaining data is stored in the cloud after the corresponding access control security policy is set. This addresses the large system overhead and cumbersome operation that traditional cloud storage data-privacy mechanisms based on simple encryption bring when actually processing data, can effectively prevent malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing confidential data.
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential health record information data includes:
(1) The trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
a. Initialization: the trusted third party initializes the system parameters as [formula omitted in source], where $\alpha$ is a random integer;
b. For each legitimate user, the trusted third party assigns a UAID and generates a certificate for it: [formula omitted in source]. At the same time, the authentication parameter of the legitimate user is published [formula omitted in source], where $C_{UAID} \in Z_P$;
c. An identity key pair is generated for the data owner and for each legitimate user;
(2) Generate the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key. The identity-based keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$; the attribute keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$CK_{UAID} = (\alpha_{AID}, \beta_{AID})$
where $AS_{AID}$ is the set of attributes that a single attribute authority can distribute, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\alpha_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set that the attribute authority assigns according to identity, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \alpha_{AID}, \beta_{AID} \in Z_P$;
(3) The cloud storage encryption and decryption system 42 uses a data key to encrypt the data to be stored in cloud storage, obtaining ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
a. Randomly generate two fixed-length strings IK and AK, and concatenate them to form the data key DK:
$DK = IK \,\|\, AK$
b. Encrypt the data to be stored in cloud storage with the data key DK to obtain ciphertext CT; then encrypt AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypt IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) Perform proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt. The proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) For data decryption, after receiving the data the user decrypts the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ with the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) Update the attributes and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of data while resisting collusion between users and attribute authorities. For data that must be kept confidential, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and merged to form the data encryption key that encrypts the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt it, greatly improving the security of the data security management system 4.
In this application scenario, the update cycle T is set to 6, and the security of the system is relatively improved by 12%.
Application scenario 2
Referring to Fig. 1 and Fig. 2, an embodiment of this application scenario provides a health record information management service system comprising a cloud service center 1, a user mobile terminal 2, a service providing terminal 3 and a data security management system 4. The cloud service center 1 comprises an information file storage module 10, a health analysis module 11 and a health service application module 12. The information file storage module 10 stores health record information and generates or updates the health record under a user account according to the stored health record information. The health analysis module 11 performs data analysis on the health record information to obtain a health analysis result and, according to that result, determines a matching service item from the service items offered by the service providing terminal 3. The health service application module 12, in response to a service request sent by the user mobile terminal 2, pushes the matching service item to the corresponding user mobile terminal 2 and implements the functional service corresponding to the service item selected on the user mobile terminal 2. The data security management system 4 ensures the security of health record information in storage and in transmission.
Preferably, the health service application module 12 is also used to query the health record and health analysis result under a user account in response to an operation of the user mobile terminal 2 or the service providing terminal 3.
In addition to providing users with health record information storage, the above embodiment of the invention uses the health analysis module 11 to feed back the user's personal health status, give reminders and match services to the user's health needs, while the data security management system 4 ensures the security of health record information in storage and in transmission. Security is high, and the above technical problem is thereby solved.
Preferably, the user mobile terminal 2 includes a user relationship authorization module, and the cloud service center 1 includes a user authorization verification system, which in turn includes an authorization permission verification module. The user relationship authorization module sends an authorization request to the cloud service center 1; the authorization request includes the user account or service account to be authorized. On receiving an authorization request, the authorization permission verification module grants the authorized user account or service account permission to operate on the health record and health analysis result under the user account that sent the authorization request.
This preferred embodiment further improves the security of access to health record information.
Preferably, the data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storage management, backup and querying of health record information data. The data preprocessing system 41 preprocesses the health record information data that must be kept confidential. The cloud storage encryption and decryption system 42 encrypts or decrypts the confidential health record information data according to the optimized access control security policy. The control system 43 stores the health record information data to the corresponding storage device. The security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the system structure of the data security management system 4.
Preferably, being responsible for storage management, backup and querying of health record information includes:
(1) converting the data format of the health record information into a format suitable for storage in a non-relational database;
(2) dividing the health record information data into basic data and specialized data, and storing the data with a strategy that combines centralized and distributed storage, with all data backed up at storage time. Under this combined strategy, centralized storage is used for basic data above a preset frequency, and distributed storage is used for specialized data below the preset frequency;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The data retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and the data is first retrieved coarsely by catalogue; a keyword is then entered into the search engine for a precise search; the search engine finds the matching data in a certain manner, ranks it by how well the data matches the keyword, and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, performing unified monitoring and management of the security of each system includes:
(1) adopting the protection techniques that correspond to the different security requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant protection equipment, so as to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during data storage, transmission and access together: not only is the health record information data encrypted, but the transport protocol carrying the health record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update cycle T of 6-10 days; detected abnormal data is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the health record information data that must be kept confidential into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as small-block data; here "mutually exclusive" means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource partitioning, including:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data dispatch service; the logical layer is the data associated in the access control security policy; the physical layer comprises the data units in all of the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to delete conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small-block data in local storage, and encrypting the small-block data with a user-defined encryption technique;
(2) after the remaining data is encrypted by the cloud storage encryption and decryption system 42, storing it in the cloud storage of the cloud service center 1; after the cloud storage receives the data, the cloud performs an integrity check on the data and then saves it in a storage node.
The two preferred embodiments above provide the data preprocessing system 41: the data that must be kept confidential first undergoes data partitioning and data extraction, and the rules in the access control security policy are then refined. This reduces the physical storage space needed for data storage and the cost of storage, and eliminates conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored locally, while the remaining data is stored in the cloud after the corresponding access control security policy is set. This addresses the large system overhead and cumbersome operation that traditional cloud storage data-privacy mechanisms based on simple encryption bring when actually processing data, can effectively prevent malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing confidential data.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential health record information data includes:
(1) The trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. Initialization: the trusted third party initializes the system parameters as , where α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
At the same time, the authentication parameter of the legitimate user is published , where C_UAID ∈ Z_P;
C. An identity key pair is generated for the data owner and for each legitimate user;
(2) Generate the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise the identity public key GK_UAID and the identity private key CK_UAID, and the attribute encryption and decryption keys comprise the attribute public key GK_AID and the attribute private key CK_AID:
CK_UAID = (∝_AID, β_AID)
where AS_AID is the set of attributes that a single attribute authority can assign, GK_x is the public key of attribute x, B_x is the version number of attribute x, ∝_AID is the private key parameter of the attribute authority, β_AID is the attribute update parameter, AS_UAID,AID is the attribute set assigned according to the identity of the attribute authority, γ is a parameter randomly chosen by the attribute authority, and γ, ∝_AID, β_AID ∈ Z_P;
(3) The cloud storage encryption and decryption system 42 encrypts the data to be stored in cloud storage with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext CT_U and the attribute key ciphertext CT_A, including:
A. Randomly generate two fixed-length strings IK and AK and concatenate them to form the data key DK:
DK = IK || AK
B. Encrypt the data to be stored in cloud storage with the data key DK to obtain the ciphertext CT; then encrypt AK with the attribute public key to generate the attribute key ciphertext CT_A, and encrypt IK with the identity public key to generate the identity key ciphertext CT_U;
(4) Perform proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext CT_U into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) For data decryption, after receiving the data the user decrypts the identity key ciphertext CT_U and the attribute key ciphertext CT_A with the identity private key CK_UAID and the attribute private key CK_AID respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) Update the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of data while resisting collusion between users and attribute authorities. For confidential data, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined to form the data encryption key that encrypts the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario, the update cycle T is set to 7, and the security of the system is relatively improved by 11%.
Application scenario 3
Referring to Fig. 1 and Fig. 2, an embodiment of this application scenario provides a health record information management service system comprising a cloud service center 1, a user mobile terminal 2, a service providing terminal 3 and a data security management system 4. The cloud service center 1 includes an information file storage module 10, a health analysis module 11 and a health service application module 12. The information file storage module 10 stores health record information and generates or updates the health record under a user account according to the stored health record information. The health analysis module 11 performs data analysis on the health record information to obtain a health analysis result and, according to that result, determines matching service items from the service items provided by the service providing terminal 3. The health service application module 12 pushes the matching service items to the corresponding user mobile terminal 2 according to the service request sent by the user mobile terminal 2, and implements the function service corresponding to the service item selected by the user mobile terminal 2. The data security management system 4 ensures the storage and transmission security of the health record information.
Preferably, the health service application module 12 is also used to query the health record and the health analysis result under a user account according to an operation of the user mobile terminal 2 or the service providing terminal 3.
In addition to providing users with a health record information storage service, the above embodiment of the present invention uses the health analysis module 11 to feed back the user's personal health status, issue reminders and match services to the user's health needs, and provides the data security management system 4 to ensure the storage and transmission security of the health record information. Security is high, which solves the above technical problem.
Preferably, the user mobile terminal 2 includes a user relationship authorization module, and the cloud service center 1 includes a user authorization verification system, which includes an authorization permission verification module. The user relationship authorization module sends an authorization request to the cloud service center 1; the authorization request includes the user account or service account to be authorized. On receiving an authorization request, the authorization permission verification module grants the authorized user account or service account operation permissions on the health record and the health analysis result under the user account that sent the authorization request.
This preferred embodiment further improves the security of access to health record information.
Preferably, the data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storage management, backup and query of the health record information data; the data preprocessing system 41 preprocesses the health record information data that must be kept confidential; the cloud storage encryption and decryption system 42 encrypts or decrypts the confidential health record information data according to the optimized access control security policy; the control system 43 stores the health record information data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the architecture of the data security management system 4.
Preferably, being responsible for storage management, backup and query of the health record information includes:
(1) converting the data format of the health record information into a format suitable for storage in a non-relational database;
(2) dividing the health record information data into basic data and professional data and storing the data with a combined centralized and distributed strategy, with all data backed up during storage; under this strategy, basic data above a preset frequency is stored centrally, and professional data below the preset frequency is stored in a distributed manner;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and the data is first retrieved by catalogue; keywords are entered into the search engine for a precise search; the search engine finds matching data in a certain manner, ranks it by the degree of match between the data and the keywords, and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, performing unified monitoring and management of the security of each system includes:
(1) adopting security protection techniques that match the different protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security in data storage, transmission and access as a whole, encrypting not only the health record information data but also the transmission protocol that carries it;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6-10 days; abnormal data that is detected is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the health record information data that must be kept confidential into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves these units together with the ordering rule as small-block data; here, mutually exclusive means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy with an optimization method based on fine-grained resource division, including:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data scheduling service, the logical layer is the data associated in the access control security policy, and the physical layer contains the data units in all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels in the access control markup language XACML, and projecting the rules associated with data in the policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the policy to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small-block data in local storage and encrypting it with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage of the cloud service center 1; after the cloud storage receives the data, the cloud performs an integrity check on it and then saves it to a storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data partitioning and data extraction on the confidential data and then refines the rules in the access control security policy. This reduces the physical storage space the data occupies, lowers storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in local storage, while the remaining data has the corresponding access control security policy set and is then stored in cloud storage. This overcomes the large system overhead and cumbersome handling that traditional cloud-storage privacy mechanisms based on simple encryption incur when actually operating on data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing confidential data.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential health record information data includes:
(1) The trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. Initialization: the trusted third party initializes the system parameters as , where α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
At the same time, the authentication parameter of the legitimate user is published , where C_UAID ∈ Z_P;
C. An identity key pair is generated for the data owner and for each legitimate user;
(2) Generate the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise the identity public key GK_UAID and the identity private key CK_UAID, and the attribute encryption and decryption keys comprise the attribute public key GK_AID and the attribute private key CK_AID:
CK_UAID = (∝_AID, β_AID)
where AS_AID is the set of attributes that a single attribute authority can assign, GK_x is the public key of attribute x, B_x is the version number of attribute x, ∝_AID is the private key parameter of the attribute authority, β_AID is the attribute update parameter, AS_UAID,AID is the attribute set assigned according to the identity of the attribute authority, γ is a parameter randomly chosen by the attribute authority, and γ, ∝_AID, β_AID ∈ Z_P;
(3) The cloud storage encryption and decryption system 42 encrypts the data to be stored in cloud storage with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext CT_U and the attribute key ciphertext CT_A, including:
A. Randomly generate two fixed-length strings IK and AK and concatenate them to form the data key DK:
DK = IK || AK
B. Encrypt the data to be stored in cloud storage with the data key DK to obtain the ciphertext CT; then encrypt AK with the attribute public key to generate the attribute key ciphertext CT_A, and encrypt IK with the identity public key to generate the identity key ciphertext CT_U;
(4) Perform proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext CT_U into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) For data decryption, after receiving the data the user decrypts the identity key ciphertext CT_U and the attribute key ciphertext CT_A with the identity private key CK_UAID and the attribute private key CK_AID respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) Update the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of data while resisting collusion between users and attribute authorities. For confidential data, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined to form the data encryption key that encrypts the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
In this application scenario, the update cycle T is set to 8, and the security of the system is relatively improved by 10%.
Application scenario 4
Referring to Fig. 1 and Fig. 2, an embodiment of this application scenario provides a health record information management service system comprising a cloud service center 1, a user mobile terminal 2, a service providing terminal 3 and a data security management system 4. The cloud service center 1 includes an information file storage module 10, a health analysis module 11 and a health service application module 12. The information file storage module 10 stores health record information and generates or updates the health record under a user account according to the stored health record information. The health analysis module 11 performs data analysis on the health record information to obtain a health analysis result and, according to that result, determines matching service items from the service items provided by the service providing terminal 3. The health service application module 12 pushes the matching service items to the corresponding user mobile terminal 2 according to the service request sent by the user mobile terminal 2, and implements the function service corresponding to the service item selected by the user mobile terminal 2. The data security management system 4 ensures the storage and transmission security of the health record information.
Preferably, the health service application module 12 is also used to query the health record and the health analysis result under a user account according to an operation of the user mobile terminal 2 or the service providing terminal 3.
In addition to providing users with a health record information storage service, the above embodiment of the present invention uses the health analysis module 11 to feed back the user's personal health status, issue reminders and match services to the user's health needs, and provides the data security management system 4 to ensure the storage and transmission security of the health record information. Security is high, which solves the above technical problem.
Preferably, the user mobile terminal 2 includes a user relationship authorization module, and the cloud service center 1 includes a user authorization verification system, which includes an authorization permission verification module. The user relationship authorization module sends an authorization request to the cloud service center 1; the authorization request includes the user account or service account to be authorized. On receiving an authorization request, the authorization permission verification module grants the authorized user account or service account operation permissions on the health record and the health analysis result under the user account that sent the authorization request.
This preferred embodiment further improves the security of access to health record information.
Preferably, the data security management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storage management, backup and query of the health record information data; the data preprocessing system 41 preprocesses the health record information data that must be kept confidential; the cloud storage encryption and decryption system 42 encrypts or decrypts the confidential health record information data according to the optimized access control security policy; the control system 43 stores the health record information data to the corresponding storage device; and the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the architecture of the data security management system 4.
Preferably, being responsible for storage management, backup and query of the health record information includes:
(1) converting the data format of the health record information into a format suitable for storage in a non-relational database;
(2) dividing the health record information data into basic data and professional data and storing the data with a combined centralized and distributed strategy, with all data backed up during storage; under this strategy, basic data above a preset frequency is stored centrally, and professional data below the preset frequency is stored in a distributed manner;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and the data is first retrieved by catalogue; keywords are entered into the search engine for a precise search; the search engine finds matching data in a certain manner, ranks it by the degree of match between the data and the keywords, and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, performing unified monitoring and management of the security of each system includes:
(1) adopting security protection techniques that match the different protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security in data storage, transmission and access as a whole, encrypting not only the health record information data but also the transmission protocol that carries it;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6-10 days; abnormal data that is detected is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the health record information data that must be kept confidential into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves these units together with the ordering rule as small-block data; here, mutually exclusive means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy with an optimization method based on fine-grained resource division, including:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data scheduling service, the logical layer is the data associated in the access control security policy, and the physical layer contains the data units in all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels in the access control markup language XACML, and projecting the rules associated with data in the policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the policy to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
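Policy optimization steps (1) to (4), which this description repeats in each application scenario, worked through as an added example that is not part of the patent text. Assumptions: rules are reduced to tuples instead of XACML XML, conflicts are resolved deny-overrides, a request with no matching rule is denied, and all data set, role and rule names are constructed.

```python
from collections import defaultdict

# Constructed sample. Logical layer: mutually exclusive data sets; physical layer:
# their data units. The dictionary itself plays the role of the service-layer root.
DATA_SETS = {
    "identity": ["name", "id_number"],
    "clinical": ["diagnosis", "prescription"],
    "lifestyle": ["exercise_log"],
}

# Constructed rules: (rule id, subject role, action, resource, effect).
# A resource names either a whole data set or a single data unit.
RULES = [
    ("r1", "doctor", "read", "clinical", "Permit"),
    ("r2", "doctor", "read", "diagnosis", "Permit"),   # redundant: r1 covers diagnosis
    ("r3", "insurer", "read", "clinical", "Permit"),
    ("r4", "insurer", "read", "diagnosis", "Deny"),    # conflicts with r3 on diagnosis
    ("r5", "doctor", "read", "identity", "Permit"),
    ("r6", "coach", "read", "exercise_log", "Permit"),
]


def project(rules, data_sets):
    """Step (2): project every rule onto the data units it covers."""
    owner = {unit: name for name, units in data_sets.items() for unit in units}
    per_unit = defaultdict(list)
    for rule_id, role, action, resource, effect in rules:
        if resource in data_sets:
            units = data_sets[resource]
        elif resource in owner:
            units = [resource]
        else:
            raise ValueError(f"rule {rule_id} targets unknown resource {resource!r}")
        for unit in units:
            per_unit[unit].append((rule_id, role, action, effect))
    return per_unit


def optimize_unit(unit_rules):
    """Step (3): on one data unit, drop redundant rules and resolve conflicts.

    Assumption: deny-overrides; the description does not name a resolution rule.
    """
    decided, redundant, conflicts = {}, [], []
    for rule_id, role, action, effect in unit_rules:
        key = (role, action)
        if key not in decided:
            decided[key] = (effect, rule_id)
        elif decided[key][0] == effect:
            redundant.append(rule_id)
        else:
            conflicts.append((decided[key][1], rule_id))
            if effect == "Deny":
                decided[key] = (effect, rule_id)
    return {key: value[0] for key, value in decided.items()}, redundant, conflicts


def merge(per_unit_effects, data_sets):
    """Step (4): merge unit rules; lift a rule to the data set when all its units agree."""
    policy = []
    for name, units in data_sets.items():
        keys = {key for unit in units for key in per_unit_effects.get(unit, {})}
        for role, action in sorted(keys):
            effects = [per_unit_effects.get(unit, {}).get((role, action)) for unit in units]
            if len(set(effects)) == 1:
                policy.append((role, action, name, effects[0]))
            else:
                policy.extend((role, action, unit, effect)
                              for unit, effect in zip(units, effects) if effect is not None)
    return policy


def optimize_policy(rules, data_sets):
    """Run projection, per-unit optimization and merging; also report what was removed."""
    effects, report = {}, {"redundant": [], "conflicts": []}
    for unit, unit_rules in project(rules, data_sets).items():
        effects[unit], redundant, conflicts = optimize_unit(unit_rules)
        report["redundant"] += redundant
        report["conflicts"] += conflicts
    return merge(effects, data_sets), report


def decide(policy, data_sets, role, action, unit):
    """Evaluate the optimized policy for one data unit; no match means Deny (assumption)."""
    for p_role, p_action, resource, effect in policy:
        covers = unit == resource or unit in data_sets.get(resource, [])
        if (p_role, p_action) == (role, action) and covers:
            return effect
    return "Deny"
```

The report returned by `optimize_policy` is worth logging: a conflict pair such as r3 against r4 is a policy authoring error that the optimizer silently settles, and a reviewer should confirm the surviving effect is the intended one.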
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small-block data in local storage and encrypting it with a user-defined encryption technique;
(2) encrypting the remaining data with the cloud storage encryption and decryption system 42 and storing it in the cloud storage of the cloud service center 1; after the cloud storage receives the data, the cloud performs an integrity check on it and then saves it to a storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data partitioning and data extraction on the confidential data and then refines the rules in the access control security policy. This reduces the physical storage space the data occupies, lowers storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in local storage, while the remaining data has the corresponding access control security policy set and is then stored in cloud storage. This overcomes the large system overhead and cumbersome handling that traditional cloud-storage privacy mechanisms based on simple encryption incur when actually operating on data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing confidential data.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential health record information data includes:
(1) The trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. Initialization: the trusted third party initializes the system parameters as , where α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
At the same time, the authentication parameter of the legitimate user is published , where C_UAID ∈ Z_P;
C. An identity key pair is generated for the data owner and for each legitimate user;
(2) Generate the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise the identity public key GK_UAID and the identity private key CK_UAID, and the attribute encryption and decryption keys comprise the attribute public key GK_AID and the attribute private key CK_AID:
CK_UAID = (∝_AID, β_AID)
where AS_AID is the set of attributes that a single attribute authority can assign, GK_x is the public key of attribute x, B_x is the version number of attribute x, ∝_AID is the private key parameter of the attribute authority, β_AID is the attribute update parameter, AS_UAID,AID is the attribute set assigned according to the identity of the attribute authority, γ is a parameter randomly chosen by the attribute authority, and γ, ∝_AID, β_AID ∈ Z_P;
(3) The cloud storage encryption and decryption system 42 encrypts the data to be stored in cloud storage with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext CT_U and the attribute key ciphertext CT_A, including:
A. Randomly generate two fixed-length strings IK and AK and concatenate them to form the data key DK:
DK = IK || AK
B. Encrypt the data to be stored in cloud storage with the data key DK to obtain the ciphertext CT; then encrypt AK with the attribute public key to generate the attribute key ciphertext CT_A, and encrypt IK with the identity public key to generate the identity key ciphertext CT_U;
(4) Perform proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext CT_U into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) For data decryption, after receiving the data the user decrypts the identity key ciphertext CT_U and the attribute key ciphertext CT_A with the identity private key CK_UAID and the attribute private key CK_AID respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) Update the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of data while resisting collusion between users and attribute authorities. For confidential data, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined to form the data encryption key that encrypts the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of the data security management system 4.
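The split data key of steps (3) and (5), DK = IK || AK with IK and AK wrapped separately, as an added example that is not part of the patent text. Assumptions: the identity-based and attribute-based public-key wraps are replaced by two symmetric wrapping keys, the cipher is an HMAC-SHA256 encrypt-then-MAC construction standing in for an authenticated cipher such as AES-GCM so that the block runs on the standard library alone, and proxy re-encryption (step 4) is not modelled.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes for each of IK and AK, so that either half alone is a full-strength secret


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a stream cipher (stand-in for AES)."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def _subkeys(key):
    """Derive separate encryption and MAC keys from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Check the tag before decrypting; ValueError on a wrong key or modified ciphertext."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def encrypt_record(record, identity_key, attribute_key):
    """Step (3): DK = IK || AK encrypts the record; IK and AK are wrapped separately."""
    ik, ak = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    return {
        "CT": seal(ik + ak, record),          # data under DK
        "CT_U": seal(identity_key, ik),       # identity key ciphertext
        "CT_A": seal(attribute_key, ak),      # attribute key ciphertext
    }


def decrypt_record(stored, identity_key, attribute_key):
    """Step (5): unwrap IK and AK, rebuild DK, decrypt CT."""
    ik = unseal(identity_key, stored["CT_U"])
    ak = unseal(attribute_key, stored["CT_A"])
    return unseal(ik + ak, stored["CT"])


def try_decrypt(stored, identity_key, attribute_key):
    """Return the plaintext, or None when either condition fails or the data was altered."""
    try:
        return decrypt_record(stored, identity_key, attribute_key)
    except ValueError:
        return None
```

Because DK is a plain concatenation, a party that learns one half reduces the search to the other half only, which is why each half is generated at full key length here.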
In this application scenario, the update cycle T is set to 9, and the security of the system is relatively improved by 9%.
Application scenario 5
See Fig. 1, Fig. 2, an embodiment of this application scene provide a kind of health account information management service system
System, including cloud service center 1, customer mobile terminal 2, service providing terminal 3 and data safety management system 4, described cloud service
Center 1 includes news file memory module 10, health analysis module 11, health service application module 12, and described news file is deposited
Storage module 10 is used for storing health account information, generates according to the health account information of storage or updates the health under user account
Archives, described health analysis module 11 obtains health analysis result for health account information is carried out Data Analysis Services, with
And from the service item that service providing terminal 3 provides, the service item of coupling is determined according to health analysis result;Described health
It is served by module 12 to ask for the service sent according to customer mobile terminal 2, pushes the service item of described coupling to phase
The customer mobile terminal 2 answered, and realize the function services that service item selected by customer mobile terminal 2 is corresponding;Described data
Safety management system 4 is for ensureing storage and the transmission safety of health account information.
Preferably, described health service application module 12 is additionally operable to according to customer mobile terminal 2 or service providing terminal 3
Operation, the health account under inquiry user account and health analysis result.
The above embodiment of the present invention provides the user in addition to health account information storage services, simultaneously by health analysis mould
Block 11 feedback user personal health state, remind and match this user health demand and service accordingly, data peace is set simultaneously
Full management system 4, ensures storage and the transmission safety of health account information, and safety is high, thus solves above-mentioned technology and ask
Topic.
Preferably, the user mobile terminal 2 includes a user relationship authorization module, and the cloud service center 1 includes a user authorization verification system, which includes an authorization permission verification module. The user relationship authorization module sends an authorization request to the cloud service center 1; the authorization request includes the user account or service account to be authorized. On receiving an authorization request, the authorization permission verification module grants the authorized user account or service account permission to operate on the health record and health analysis result under the user account that sent the authorization request.
This preferred embodiment further improves the security of access to health record information.
Preferably, the data safety management system 4 includes a data service system 40, a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data service system 40 is responsible for storage management, backup and querying of health record information data; the data preprocessing system 41 preprocesses the health record information data that must be kept confidential; the cloud storage encryption and decryption system 42 encrypts or decrypts the confidential health record information data according to the optimized access control security policy; the control system 43 stores health record information data to the corresponding storage device; the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the system structure of the data safety management system 4.
Preferably, being responsible for storage management, backup and querying of health record information includes:
(1) converting the data format of the health record information into a format suitable for storage in a non-relational database;
(2) dividing the health record information data into basic data and specialized data, and storing the data using a combined centralized and distributed strategy, with all data backed up at storage time; the combined centralized and distributed strategy includes: centralized storage for basic data above a preset frequency, and distributed storage for specialized data below the preset frequency;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of data, the data retrieval algorithm combining directory retrieval with a search engine, specifically: building a data directory and performing a preliminary retrieval of the data according to the directory; entering keywords in the search engine to perform a precise search of the data; the search engine finds matching data in a certain manner, sorts it by the degree of match between the data and the keywords, and returns it to the user.
This preferred embodiment uses a retrieval algorithm that combines directory retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, performing unified monitoring and management of the security of each system includes:
(1) adopting the security protection technology that corresponds to the different protection requirements of the data service system 40, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment, to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security across data storage, transmission and access as a whole, encrypting not only the health record information data but also the transport protocol for the health record information data;
(3) establishing a virus and trojan defense mechanism, regularly updating the virus database and upgrading the firewall, where the update cycle is T and T takes a value of 6-10 days; detected abnormal data is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the health record information data that must be kept confidential into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts in order the first data unit of each data set, and saves these units together with the ordering rule as a small data block, where mutually exclusive means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource partitioning, including:
(1) building a hierarchical data tree structure based on the mutually exclusive data sets produced by the data extraction unit; the hierarchical data tree structure is a three-layer data tree structure comprising a service layer, a logical layer and a physical layer, where the service layer is the root node related to the data scheduling service, the logical layer is the data associated in the access control security policy, and the physical layer comprises the data units in all the mutually exclusive data sets;
(2) formulating, based on the eXtensible Access Control Markup Language XACML, access control security policies for data of different security levels, and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the access control security policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
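Steps (2) to (4) above, as an added Python example that is not part of the patent: rules are projected onto data units, redundancy and conflicts are removed per unit, and the result is merged back into a compact policy. The rule fields, the sample data sets and the use of deny-overrides to settle conflicts are assumptions; the patent does not state how a conflict is resolved.

```python
from collections import defaultdict

# Constructed sample: mutually exclusive data sets (the physical layer).
DATA_SETS = {
    "vitals": ["bp", "heart_rate"],
    "labs": ["glucose", "lipids"],
    "identity": ["name", "national_id"],
}

# Constructed policy; a target may name a whole data set or a single unit.
# Field names are illustrative and are not XACML syntax.
RULES = [
    {"id": "r1", "subject": "physician", "action": "read",
     "target": ["vitals", "labs"], "effect": "Permit"},
    {"id": "r2", "subject": "physician", "action": "read",
     "target": ["labs"], "effect": "Permit"},            # redundant with r1
    {"id": "r3", "subject": "insurer", "action": "read",
     "target": ["labs", "identity"], "effect": "Permit"},
    {"id": "r4", "subject": "insurer", "action": "read",
     "target": ["national_id", "lipids"], "effect": "Deny"},  # conflicts with r3
]


def expand(target, data_sets):
    """Resolve a rule target (set names and/or unit names) to data units."""
    units = set()
    for name in target:
        units.update(data_sets.get(name, [name]))
    return units


def project(rules, data_sets):
    """Step (2): attach every rule to each data unit it covers."""
    per_unit = defaultdict(list)
    for rule in rules:
        for unit in expand(rule["target"], data_sets):
            per_unit[unit].append(
                (rule["subject"], rule["action"], rule["effect"], rule["id"]))
    return per_unit


def optimize_unit(entries):
    """Step (3): on one unit, drop duplicate rules and settle Permit/Deny
    conflicts. Deny-overrides is an assumption made for this example."""
    decided, report = {}, []
    for subject, action, effect, rid in entries:
        key = (subject, action)
        if key not in decided:
            decided[key] = (effect, rid)
        elif decided[key][0] == effect:
            report.append(("redundant", rid, decided[key][1]))
        else:
            report.append(("conflict", rid, decided[key][1]))
            if effect == "Deny":
                decided[key] = (effect, rid)
    return decided, report


def optimize_policy(rules, data_sets):
    """Steps (2)-(4): returns (merged policy, per-unit findings)."""
    decisions, findings = {}, []
    for unit, entries in sorted(project(rules, data_sets).items()):
        decisions[unit], report = optimize_unit(entries)
        findings += [(unit, *item) for item in report]
    # Step (4): regroup identical (subject, action, effect) decisions.
    grouped = defaultdict(set)
    for unit, decided in decisions.items():
        for (subject, action), (effect, _) in decided.items():
            grouped[(subject, action, effect)].add(unit)
    policy = [{"subject": s, "action": a, "effect": e, "units": sorted(u)}
              for (s, a, e), u in sorted(grouped.items())]
    return policy, findings


def decide(policy, subject, action, unit):
    """Evaluate the merged policy; a request no rule matches is denied."""
    for rule in policy:
        if (rule["subject"], rule["action"]) == (subject, action) \
                and unit in rule["units"]:
            return rule["effect"]
    return "Deny"


if __name__ == "__main__":
    merged, found = optimize_policy(RULES, DATA_SETS)
    for line in merged + found:
        print(line)
```

The findings list doubles as an audit trail: each entry names the data unit, the rule that was dropped or overridden, and the rule it collided with.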
Preferably, storing the data to the corresponding storage device includes:
(1) storing the small data block in local storage, and encrypting the small data block using a user-defined encryption technique;
(2) storing the remaining data, after encryption by the cloud storage encryption and decryption system 42, in the cloud storage of the cloud service center 1; after the cloud storage receives the data, the cloud performs an integrity check on the data and then saves it to a storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first applies data partitioning and data extraction to the data that must be kept confidential and then refines the rules in the access control security policy. This reduces the physical storage space required for the data, lowers storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in local storage, and the remaining data is stored to cloud storage after the corresponding access control security policy has been set. This addresses the large overhead and cumbersome processing that traditional cloud storage data privacy mechanisms based on simple encryption incur when actually operating on data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of storing confidential data.
Preferably, the cloud storage encryption and decryption system 42 is mainly composed of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the confidential health record information data includes:
(1) the trusted third party assigns a user identity identifier UAID to the user and an attribute authority identity identifier AID to the attribute authority, including:
A. initialization: the trusted third party initializes the system parameters as , where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
At the same time, the authentication parameter of the legitimate user is published, where CUAID∈ZP;
C. generating identity key pairs for the data owner and legitimate users;
(2) generating the identity-based encryption/decryption key, the attribute encryption/decryption key and the proxy re-encryption key, where the identity-based encryption/decryption key comprises the identity public key GKUAID and the identity private key CKUAID, and the attribute encryption/decryption key comprises the attribute public key GKAID and the attribute private key CKAID:
CKUAID=(∝AID,βAID)
where ASAID is the set of attributes that a single attribute authority can assign, GKx is the public key of attribute x, Bx is the version number of attribute x, ∝AID is the private key parameter of the attribute authority, βAID is the attribute update parameter, ASUAID,AID is the set of attributes assigned by the attribute authority according to the identity, γ is a parameter chosen at random by the attribute authority, and γ, ∝AID, βAID ∈ ZP;
(3) the cloud storage encryption and decryption system 42 uses the data key to encrypt the data to be stored in cloud storage, obtaining the ciphertext CT, then encrypts the data key using the identity public key and the attribute public key respectively, generating the identity key ciphertext CTU and the attribute key ciphertext CTA, including:
A. randomly generating two fixed-length strings IK and AK, and merging them to generate the data key DK:
DK=IK || AK
B. encrypting the data to be stored in cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext CTA, and encrypting IK with the identity public key to generate the identity key ciphertext CTU;
(4) performing proxy re-encryption: on receiving a data request from a user, the cloud uses the proxy re-encryption key to convert the identity key ciphertext CTU into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed and generated by the data owner from its own private key and the identity public key;
(5) for data decryption, after receiving the data, the user uses the identity private key CKUAID and the attribute private key CKAID to decrypt the identity key ciphertext CTU and the attribute key ciphertext CTA respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute keys and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of data while resisting collusion between users and attribute authorities. For data that must be kept confidential, an identity-based encryption/decryption key and an attribute encryption/decryption key are constructed separately and merged to form the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt. This greatly improves the security of the data safety management system 4.
In this application scenario, the update cycle T is set to 10, and the security of the system is improved by 8% in relative terms.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit its scope of protection. Although the present invention has been explained in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently replaced without departing from the essence and scope of the technical solution of the present invention.
Claims (3)
1. A health record information management service system, characterized in that it comprises a cloud service center, a user mobile terminal, a service providing terminal and a data safety management system; the cloud service center includes an information file storage module, a health analysis module and a health service application module; the information file storage module is used to store health record information and to generate or update the health record under a user account according to the stored health record information; the health analysis module is used to perform data analysis on the health record information to obtain a health analysis result and, according to the health analysis result, to determine a matched service item from the service items provided by the service providing terminal; the health service application module is used, in response to a service request sent by the user mobile terminal, to push the matched service item to the corresponding user mobile terminal and to implement the functional service corresponding to the service item selected on the user mobile terminal; the data safety management system is used to ensure the storage and transmission security of the health record information.
2. The health record information management service system according to claim 1, characterized in that the health service application module is further used to query the health record and the health analysis result under a user account in response to an operation of the user mobile terminal or the service providing terminal.
3. The health record information management service system according to claim 2, characterized in that the user mobile terminal includes a user relationship authorization module, the cloud service center includes a user authorization verification system, and the user authorization verification system includes an authorization permission verification module; the user relationship authorization module is used to send an authorization request to the cloud service center, the authorization request including the user account or service account to be authorized; the authorization permission verification module is used, on receiving an authorization request, to grant the authorized user account or service account permission to operate on the health record and health analysis result under the user account that sent the authorization request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610789121.8A CN106326666A (en) | 2016-08-30 | 2016-08-30 | Health record information management service system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106326666A true CN106326666A (en) | 2017-01-11 |
Family
ID=57789195
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610789121.8A Pending CN106326666A (en) | 2016-08-30 | 2016-08-30 | Health record information management service system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106326666A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170111 |