CN107769915B - Data encryption and decryption system and method with fine-grained user control - Google Patents


Info

Publication number
CN107769915B
Authority
CN
China
Prior art keywords
key
user
private
decryption
computer server
Prior art date
Legal status
Expired - Fee Related
Application number
CN201610682250.7A
Other languages
Chinese (zh)
Other versions
CN107769915A (en
Inventor
邓慧杰
李迎九
王展
王绍斌
Current Assignee
Shichuang Shixin Beijing Technology Co ltd
Original Assignee
Shichuang Shixin Beijing Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Confidential data exchange wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/08 Network security for authentication of entities
    • H04L 63/0884 Authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/10 Network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data encryption and decryption system and method with fine-grained user control, in which encrypted data is outsourced to a public computer server, such as a public cloud server, so that authorized users can access the outsourced data. The system and method have the following advantages. First, they support fine-grained access control and expressive access policies. Second, they support efficient and immediate revocation of a "revoked user's" ability to decrypt past, present and future ciphertexts. Third, they support immediate updating of a user's attributes and hence of the user's decryption capability. Fourth, they prevent a "revoked user" from decrypting the encrypted data held on the public computer server, even if the "revoked user" already knows the symmetric key used to encrypt the data.

Description

Data encryption and decryption system and method with fine-grained user control
Technical Field
The invention relates to data encryption and decryption, in particular to data encryption and decryption by combining symmetric encryption, public key encryption and attribute-based encryption.
Background
In cloud computing environments, more and more data is stored on cloud platforms whose software and hardware are often provided by third parties rather than by the data owner. To protect the privacy of the data, the data owner should encrypt it before uploading it to a public cloud or any other server. Many existing encryption techniques can be used to protect data privacy. Among them, attribute-based encryption, and in particular ciphertext-policy attribute-based encryption (CP-ABE), is a scalable scheme suitable for cloud encryption and decryption (B. Waters, "Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization", Public Key Cryptography (PKC) 2011, pp. 53-70). In a conventional public key encryption system, a ciphertext can be decrypted by only a single private key; in a CP-ABE system, a ciphertext can be decrypted by multiple private keys.
Specifically, in CP-ABE each user possesses a private key corresponding to the user's set of attributes, and each ciphertext is bound to an attribute-based access policy. A user's private key can decrypt a ciphertext only if the user's attributes satisfy the ciphertext's access policy. Suppose that the private key of user Alice corresponds to the attribute set S_A = {ABC Institute, Research Manager}, that the private key of user Bob corresponds to the attribute set S_B = {DEF Institute, Research Scientist}, and that the access policy of a ciphertext is (Research Manager) AND ((ABC Institute) OR (DEF Institute)). Alice can decrypt the ciphertext with her private key; Bob cannot.
Since an attribute-based encryption system may have many users, user revocation and user attribute updates are unavoidable, for example because a user's private key is disclosed, a user leaves, or a user's position changes. Managing user revocation and attribute updates efficiently is therefore an important issue. One simple solution is to require every user to update their private key periodically (D. Boneh and M. Franklin, "Identity-Based Encryption from the Weil Pairing", Advances in Cryptology - CRYPTO 2001, pp. 213-229). Its drawback is that all users must periodically obtain new private keys from the Key Generation Center (KGC), whether or not their own key is affected, and the KGC must stay online and deliver each private key over a secure channel. If n is the total number of users and r the number of revoked users, the total key update information has size O(n - r). The key update operation of this scheme is thus a security and performance bottleneck.
To reduce the size of key updates from linear to logarithmic, Boldyreva et al. (A. Boldyreva, V. Goyal and V. Kumar, "Identity-based encryption with efficient revocation", Proceedings of the 2008 ACM Conference on Computer and Communications Security, pp. 417-426) proposed a binary-tree-based approach to managing user revocation. In this scheme the KGC distributes a long-term private key to each user and, at the beginning of each time period, publicly broadcasts key update information. Only users who have not been revoked can combine their long-term private key with the broadcast key update information to derive a new decryption key for the ciphertexts generated in the current time period. A disadvantage common to this scheme and the previous one is that a revoked user can still decrypt ciphertexts generated in past time periods. These schemes are therefore not suitable for cloud data encryption and decryption.
Disclosure of Invention
To address these problems, the invention provides a novel data encryption and decryption system and method supporting efficient user revocation and user attribute updates.
The data encryption and decryption system provided by the invention comprises the following parts:
a public computer server for storing data ciphertexts, which may be a public cloud server, a publicly accessible computer, or a publicly accessible mobile device;
a first private computer server;
a first private database within the first private computer server for storing:
1) the system public parameters;
2) the master key of the first private computer server (used to generate the users' decryption keys and control keys);
3) the user attribute sets, which describe the users' access rights;
4) the user IDs.
A second private computer server;
a second private database within the second private computer server for storing:
1) the user IDs;
2) the user attribute sets;
3) the user control keys;
4) the public-private key pair of the second private computer server (used for incomplete decryption, i.e. for producing an intermediate ciphertext).
A first key generation program for generating the system public parameters, the master key of the first private computer server, and, from a set of user attributes, a decryption key and a control key.
A second key generation program for generating the public-private key pair of the second private computer server. This key generation program may also modify the control key, the user ID and the set of user attributes in the second private database together, and may delete the control key, the user ID and the set of user attributes from the second private database together.
In the above system, the first private computer server generates a user's decryption key and control key only if the user's rights have not been revoked, and the second private computer server performs incomplete decryption only if the user ID exists in the second database.
The method for operating the data encryption and decryption system provided by the invention comprises the following steps:
1) providing the public parameters of the first private computer server to encrypt a first symmetric key, producing the ciphertext C_ABE; encrypting the data with the first symmetric key, producing the ciphertext C_1; providing the public key of the second private computer server to encrypt a second symmetric key, producing the ciphertext C_PKE; encrypting C_1 with the second symmetric key, producing the ciphertext C_2;
2) providing the user control key to the second private computer server for incomplete decryption of the ciphertext C_ABE, producing the ciphertext C'_ABE; the generation and use of the user control key are determined by the set of user attributes;
3) providing the private key to the second private computer server to decrypt C_PKE, obtaining the second symmetric key, and decrypting C_2 with the second symmetric key to obtain C_1;
4) transmitting the ciphertexts C'_ABE and C_1 to the user computer, which decrypts C'_ABE with its decryption key to obtain the first symmetric key and decrypts C_1 with the first symmetric key to obtain the data plaintext.
Further, the decryption key and the control key correspond to a user ID and a set of user attributes.
Further, the steps of incompletely decrypting C_ABE and decrypting C_PKE are performed only if the second private database contains the user ID. Optionally, the steps of encrypting the second symmetric key with the public key of the second private computer server to produce C_PKE and of encrypting C_1 with the second symmetric key to produce C_2 may be omitted.
Further, the method includes the step of modifying, in the second private computer server, the control key, the user ID, and the set of user attributes in the second private database.
Further, the method also includes the step of deleting, in the second private computer server, the control key, the user ID, and the set of user attributes in the second private database.
The invention has the following innovation points and advantages:
First, the invention supports fine-grained access control and expressive access policies. Second, it supports efficient and immediate revocation of a "revoked user's" ability to decrypt ciphertexts generated in the past, present and future. Third, it supports immediate updating of user attributes. Fourth, it supports hybrid encryption, in which the symmetric key used to encrypt the data is protected jointly by CP-ABE and by a public key encryption system (PKE), so that even if a "revoked user" knows the symmetric key used to encrypt the data, the data encrypted in the cloud cannot be decrypted.
Drawings
Fig. 1 is a diagram of a data encryption and decryption system.
Fig. 2 is a diagrammatic representation of the steps of encrypting data.
Fig. 3 is a diagrammatic representation of the steps for decrypting ciphertext stored at the public cloud.
Detailed Description
The invention is further illustrated by the following specific examples and the accompanying drawings.
Referring to Fig. 1, individual and enterprise users may encrypt data with the data encryption and decryption system 10 and store the ciphertext on an untrusted server, such as a public cloud; they may also retrieve and decrypt the ciphertext from that server. The data encryption and decryption system 10 is composed of a data owner 15, a data user 20, a key generation center 25, a control server 30, a private cloud 40 and a public cloud 50. The relationships between these parts are as follows:
Without loss of generality, we assume that the key generation center 25 and the control server 30 are located in a private cloud operated by the data owner 15; other deployment assumptions for the key generation center and the control server are discussed below. Each data user 20 has a set of attributes, e.g. S = {ABC Institute, Research Manager}. In one application scenario, the data owner 15 is an enterprise and the data user 20 is an employee of that enterprise. The enterprise outsources encrypted data to the public cloud 50 for storage, while the attributes of data users are assigned by the enterprise's human resources department. To control data access and user revocation, the enterprise operates the key generation center 25 and the control server 30 in its private cloud (i.e. its internal information system).
The key generation center maintains a database DB_KGC = {(u, S_u) : u ∈ all valid data users}; for each data user 20 it holds the user ID u and the attribute set S_u. The center is responsible for generating, for each user, a private key for decrypting data obtained from the public cloud. The control server 30 maintains a list of data users, used to handle user revocation when a user leaves the enterprise, a user's private key is compromised, and so on.
During the initialization phase of the data encryption/decryption system 10, the key generation center 25 runs a setup algorithm. Its inputs are a security parameter λ and a description of the attribute universe U; its outputs are the system public parameters PK and a master key MSK. The security parameter is a positive integer; the larger its value, the more secure the cryptosystem. The attribute universe is the set of all attributes in the encryption/decryption system 10. The public parameters PK are given to every entity in the system, including the data owner 15, the data users 20 and the control server 30. The master key is kept securely by the key generation center.
Whenever a new data user joins the system or the attribute set of an existing user changes, the key generation center 25 generates new keys for that user. To register, a data user 20 authenticates its user ID u to the key generation center 25. After successful authentication, the center looks up its database DB_KGC to obtain the user's attribute set S_u. With the public parameters PK, the master key MSK, the user ID u and the attribute set S_u as input, the key generation algorithm produces a decryption key dk_u and a control key ck_u for user u. Over a secure channel, the center transmits the decryption key dk_u and the attribute set S_u to the data user 20, and transmits the tuple (u, ck_u, S_u) to the control server 30.
In the initial phase, the control server generates a public key pk_CS and a private key sk_CS for a public key cryptosystem (e.g. RSA); the public key is distributed to every entity in the data encryption and decryption system 10 and the private key is kept securely by the control server 30. The control server 30 stores a private database DB_CS = {sk_CS, (u, ck_u, S_u) : u ∈ all valid data users}. Whenever a new user joins the system or an existing user's attribute set is modified, the control server receives (u, ck_u, S_u) from the key generation center 25. If user 20 is a new user, a record (u, ck_u, S_u) is added to the database DB_CS. If user 20 is an existing user whose attribute set has been modified, the new (u, ck_u, S_u) replaces the existing record for that user in DB_CS. When a user 20 is revoked from the system, the user's decryption capability must also be revoked as soon as possible: the key generation center 25 informs the control server to revoke user u, and the control server then deletes the record (u, ck_u, S_u) from its database DB_CS.
When the data owner 15 wishes to publish data M to the public cloud 50, the data owner constructs an access policy A for M that specifies which attributes a user must hold in order to decrypt M, and encrypts M with the encryption algorithm. The inputs to the encryption algorithm are the system public parameters PK of the key generation center 25, the public key pk_CS of the control server 30, the data M and the access policy A.
Fig. 2 illustrates the steps of the encryption algorithm. The algorithm generates a symmetric key k_1 and encrypts k_1 under the public parameters PK of the key generation center 25 for the access policy A, producing the ciphertext C_ABE = ABE(PK, k_1). It then encrypts M with a symmetric encryption algorithm SE_1 under k_1 and produces the ciphertext
Figure BDA0001081535700000051
Next it generates another symmetric key k_2 and encrypts k_2 under the public key pk_CS of the control server 30, producing the ciphertext C_PKE = PKE(pk_CS, k_2). Then, with another symmetric encryption algorithm SE_2 under k_2, it encrypts
Figure BDA0001081535700000052
and produces the ciphertext
Figure BDA0001081535700000053
Finally, the encryption algorithm outputs the ciphertext
Figure BDA0001081535700000054
which the data owner 15 uploads to the public cloud.
Fig. 3 illustrates the decryption steps performed by the control server 30 and the data user 20. Whenever a user 20 with user ID u requests the ciphertext CT from the public cloud 50, the ciphertext
Figure BDA0001081535700000055
is first sent to the control server 30 for incomplete decryption. When the control server 30 receives CT, either from data user u 20 or directly from the public cloud 50, it runs the first decryption algorithm, whose inputs are u,
Figure BDA0001081535700000056
DB_CS, ck_u and sk_CS. The algorithm first checks whether the database DB_CS contains data user u; if not, the request for incomplete decryption is denied. Otherwise it further checks whether the attribute set S_u of user 20 satisfies the access policy A; if not, the request for incomplete decryption is denied. Otherwise the first decryption algorithm incompletely decrypts C_ABE with the control key ck_u of user u, obtaining C'_ABE, then decrypts C_PKE with the private key sk_CS to obtain k_2, and with k_2 decrypts
Figure BDA0001081535700000061
to obtain
Figure BDA0001081535700000062
Finally, the first decryption algorithm outputs
Figure BDA0001081535700000063
which the control server 30 transmits to user u 20.
On receiving
Figure BDA0001081535700000064
the user 20 with user ID u runs the second decryption algorithm, whose inputs are
Figure BDA0001081535700000065
and dk_u. The algorithm first decrypts C'_ABE with the user's decryption key dk_u to recover k_1, then with k_1 decrypts
Figure BDA0001081535700000066
to obtain M. Finally, the second decryption algorithm outputs M.
In the proposed data encryption and decryption system, whenever a user with user ID u is revoked, the control server's record for that user is deleted from the database DB_CS. From then on the control server rejects every decryption request from user u, which achieves user revocation.
Furthermore, whenever the attribute set of user u changes, a new decryption key dk_u and a new control key ck_u replace the old ones, and the new record (u, ck_u, S_u) replaces the old record in the database DB_CS. Thereafter the incomplete decryption performed by the control server is based on the new control key ck_u, which achieves the update of user attributes.
Note that the data M is encrypted twice during encryption: first with the symmetric key k_1, yielding
Figure BDA0001081535700000067
and second with another symmetric key k_2, yielding
Figure BDA0001081535700000068
During decryption, the control server 30 first decrypts
Figure BDA0001081535700000069
to obtain
Figure BDA00010815357000000610
and the user 20 then decrypts
Figure BDA00010815357000000611
to obtain M. Suppose instead that M were encrypted only once, as
Figure BDA00010815357000000612
without the second encryption. A legitimate user could then decrypt many ciphertexts and retain all the associated symmetric keys (which are small compared with the data ciphertexts) for later use; after being revoked one day, that user could still decrypt the ciphertexts encrypted under those keys. The double encryption proposed by the invention prevents exactly this.
There are various schemes as to how to arrange two symmetric key encryptions. For example, a first symmetric key encryption may be used to encrypt all the bits of data M, while a second symmetric key may selectively encrypt some of the bits of the first encrypted ciphertext.
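The following Go program is an added worked example, not part of the patent text, illustrating the argument above: the Alice/Bob attribute example, the control server's gating on DB_CS membership and on S_u satisfying A, revocation by deleting the user's record, and the difference between encrypting M once and encrypting it twice. AES-256-GCM stands in for SE_1 and SE_2 and RSA-OAEP for the control server's PKE, both from the Go standard library. The CP-ABE layer is not implemented (it needs a pairing library); in its place C_ABE is k_1 sealed under a KGC-issued key dkABE shared by the authorised users, so in this example the access policy is enforced only by the control server's check, whereas the real scheme also binds the policy to C_ABE cryptographically. The names Policy, ControlServer, Encrypt, PartialDecrypt and Scenario, the user records and the sample plaintext are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy is the access structure A evaluated over a user's attribute set S_u. The page
// carries A as an LSSS matrix (M, rho); this stand-in uses a predicate for brevity.
type Policy func(attrs map[string]bool) bool

// seal/open: AES-256-GCM with the random nonce prepended (SE1 and SE2 of the page).
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	n := make([]byte, g.NonceSize())
	rand.Read(n)
	return g.Seal(n, n, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("short ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

func randKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// CT = (C_ABE, A, C_PKE, C_SE2). Stand-in: C_ABE is k1 sealed under dkABE, a KGC-issued key
// that every authorised user holds (real CP-ABE also enforces A cryptographically). In the
// single-encryption variant the page argues against, CPKE is nil and CSE2 = seal(k1, M).
type CT struct {
	CABE, CPKE, CSE2 []byte
	Policy           Policy
}
type ControlServer struct {
	sk *rsa.PrivateKey            // sk_CS; pk_CS is sk.PublicKey
	db map[string]map[string]bool // DB_CS rows (u, S_u); ck_u is not used by this stand-in
}

func Encrypt(dkABE []byte, pkCS *rsa.PublicKey, msg []byte, pol Policy, double bool) CT {
	k1, k2 := randKey(), randKey()
	cse1 := seal(k1, msg)
	if !double {
		return CT{seal(dkABE, k1), nil, cse1, pol}
	}
	cpke, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pkCS, k2, nil)
	return CT{seal(dkABE, k1), cpke, seal(k2, cse1), pol}
}

// PartialDecrypt is the control server's incomplete decryption (Fig. 3): gate on DB_CS
// membership and on S_u satisfying A, then strip the SE2 layer with k2 = PKE^-1(C_PKE).
func (cs *ControlServer) PartialDecrypt(u string, ct CT) (cabe, cse1 []byte, err error) {
	if attrs, ok := cs.db[u]; !ok || !ct.Policy(attrs) {
		return nil, nil, errors.New("denied: user not in DB_CS or S_u does not satisfy A")
	}
	if ct.CPKE == nil {
		return ct.CABE, ct.CSE2, nil
	}
	k2, err := rsa.DecryptOAEP(sha256.New(), nil, cs.sk, ct.CPKE, nil)
	if err != nil {
		return nil, nil, err
	}
	cse1, err = open(k2, ct.CSE2)
	return ct.CABE, cse1, err
}

// Scenario runs the page's Alice/Bob example: the plaintext Alice recovers, whether Bob and
// revoked Alice are rejected, and whether revoked Alice can still read the cloud copy of CT
// with the k1 she cached while authorised.
func Scenario(double bool) (plain string, bobRejected, revokedRejected, cachedK1Reads bool) {
	sk, _ := rsa.GenerateKey(rand.Reader, 2048)
	cs := &ControlServer{sk, map[string]map[string]bool{
		"alice": {"ABC Institute": true, "Research Manager": true},
		"bob":   {"DEF Institute": true, "Research Scientist": true},
	}}
	dkABE := randKey()
	pol := func(s map[string]bool) bool { // (Research Manager) AND ((ABC Institute) OR (DEF Institute))
		return s["Research Manager"] && (s["ABC Institute"] || s["DEF Institute"])
	}
	ct := Encrypt(dkABE, &sk.PublicKey, []byte("constructed sample: Q3 report"), pol, double)
	cabe, cse1, _ := cs.PartialDecrypt("alice", ct)
	k1, _ := open(dkABE, cabe) // user side: decrypt C'_ABE to get k1, then C_SE1 to get M
	m, _ := open(k1, cse1)
	_, _, err := cs.PartialDecrypt("bob", ct)
	bobRejected = err != nil
	delete(cs.db, "alice") // revocation: the record is deleted from DB_CS
	_, _, err = cs.PartialDecrypt("alice", ct)
	revokedRejected = err != nil
	_, err = open(k1, ct.CSE2) // revoked Alice fetches CT from the cloud and tries her cached k1
	return string(m), bobRejected, revokedRejected, err == nil
}

func main() { fmt.Println(Scenario(false)); fmt.Println(Scenario(true)) }
```

Running it prints one result tuple per variant. With double encryption, a revoked Alice who retained k_1 gets an authentication failure from the SE_2 layer on the cloud copy of CT (cachedK1Reads is false); with single encryption the same cached k_1 opens it (cachedK1Reads is true), which is the leakage the passage describes. In both variants Bob is refused because S_B does not satisfy A, and Alice is refused once her record is gone from DB_CS.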
We have the following assumptions about the public cloud 50, the private cloud 40, the key generation center 25, and the control server 30:
a) The public cloud is assumed to be honest but curious: it faithfully provides the storage service but is curious about the data owners' data, so it must not be entrusted with plaintext.
b) The private cloud 40, the key generation center 25 and the control server 30 are trusted. They may be operated by the data owner's organization or by a trusted third party. The key generation center and the control server may be deployed in a private cloud (see Fig. 1), but other deployments are possible: for example, the key generation center may be deployed in a private cloud and managed by a system administrator of the data-owning organization, while the control server is deployed in a public cloud protected by trusted computing technology and managed by a trusted third party; or both may be managed by the same or by different trusted third parties. Note that when the key generation center 25 and the control server 30 are managed by different entities, the double encryption scheme also mitigates the key escrow problem of standard ABE systems: in a standard ABE system the key generation center knows the private keys of all users and can therefore decrypt every ciphertext in the system, whereas here the data is additionally encrypted under a second symmetric key that the key generation center does not control.
The data encryption and decryption system and method of the invention can be realized by adding these improvements to any standard CP-ABE or KP-ABE system. Without loss of generality, the following describes an implementation based on the CP-ABE scheme of B. Waters (B. Waters, "Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization", Public Key Cryptography (PKC) 2011, pp. 53-70).
1) System setup of key generation center and control server
The key generation center 25 runs the system setup algorithm. Its inputs are a security parameter λ and the attribute universe U. The algorithm selects a bilinear group G of prime order p with generator g, and a hash function H mapping input strings to elements of G. It further selects random exponents α and β from Z_p (the integers from 0 to p-1) and outputs the system public parameters PK = (g, e(g,g)^α, g^β, H) and the system master key MSK = (g^α, PK). The public parameters are published to every entity in the system 10.
During system setup, the control server 30 generates a public key pk_CS and a private key sk_CS according to a public key encryption scheme (e.g. RSA).
2) User key generation by the key generation center
When a new user 20 first joins the system or an existing user's attribute set is updated, the key generation center 25 runs the key generation algorithm. Its inputs are MSK, the user ID u and the user attribute set S_u. It picks a random t' from Z_p^* (the integers from 1 to p-1 that are coprime to p) and computes
Figure BDA0001081535700000071
It then picks a random γ from Z_p^*, sets t = t'/γ, and outputs the decryption key of user u
Figure BDA0001081535700000074
Figure BDA0001081535700000073
and the control key of user u, ck_u = γ.
3) Encryption by the data owner
To encrypt data M, the data owner 15 runs the encryption algorithm. Its inputs are the public parameters PK of the key generation center 25, the public key pk_CS of the control server 30, the data M to be encrypted, and an access policy A. Without loss of generality and following customary ABE usage, A is expressed as a linear secret sharing scheme, A = (M, ρ), where M is an ℓ × n matrix (the access matrix, not to be confused with the data M) and the function ρ maps each row of M to an attribute. The algorithm generates symmetric keys k_1 and k_2 and selects a random vector v = (s, y_2, ..., y_n) from Z_p^n. For i = 1, ..., ℓ it computes λ_i = v · M_i, where M_i is the i-th row of M. Selecting random r_1, ..., r_ℓ from Z_p, it computes the CP-ABE ciphertext of k_1:
Figure BDA0001081535700000081
Next, the encryption algorithm uses a symmetric encryption scheme SE_1 to encrypt M and obtains
Figure BDA0001081535700000082
then uses a symmetric encryption scheme SE_2 to encrypt
Figure BDA0001081535700000083
and obtains
Figure BDA0001081535700000084
It encrypts k_2 with the public key encryption scheme PKE of the control server 30 and obtains C_PKE = PKE(pk_CS, k_2). Finally, the algorithm outputs the ciphertext CT = (C_ABE, A, C_PKE, C_SE2).
4) Incomplete decryption by the control server
When the control server receives a request from user u for incomplete decryption of the ciphertext CT, it runs the first decryption algorithm on
Figure BDA00010815357000000821
where
Figure BDA0001081535700000085
Figure BDA0001081535700000086
A = (M, ρ), C_PKE = PKE(pk_CS, k_2),
Figure BDA0001081535700000087
The inputs of the decryption algorithm are the user ID u, CT, DB_CS, ck_u = γ and sk_CS. The algorithm first checks whether the database contains a record for user u; if not, the request for incomplete decryption is denied. Otherwise it checks whether the attribute set S_u of user u satisfies the access policy A; if not, the request for incomplete decryption is denied. Otherwise the decryption algorithm computes
Figure BDA0001081535700000088
Figure BDA0001081535700000089
The algorithm then decrypts C_PKE = PKE(pk_CS, k_2) with its private key sk_CS to obtain k_2, and with k_2 decrypts
Figure BDA00010815357000000810
to obtain
Figure BDA00010815357000000811
The algorithm outputs
Figure BDA00010815357000000812
and transmits it to user u.
5) Decryption by the user
After receiving from the control server 30
Figure BDA00010815357000000813
data user u runs the second decryption algorithm. The inputs of the algorithm are
Figure BDA00010815357000000814
S_u and dk_u, where
Figure BDA00010815357000000815
Figure BDA00010815357000000816
A = (M, ρ),
Figure BDA00010815357000000817
Figure BDA00010815357000000818
Figure BDA00010815357000000819
The algorithm may check whether S_u satisfies policy A, and if not, it stops decrypting. In what follows S_u is assumed to satisfy A = (M, ρ), where M is an ℓ × n matrix
Figure BDA00010815357000000820
Define {ω_i ∈ Z_p}_{i∈I} as a set of constants with the following property: if {λ_i} are valid shares of any secret s according to M, then Σ_{i∈I} ω_i λ_i = s. The decryption algorithm performs the following computations:
Figure BDA0001081535700000091
Figure BDA0001081535700000092
and k_1 = C/e(g,g). The algorithm then uses k_1 to decrypt
Figure BDA0001081535700000093
and outputs the data M.
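The share-reconstruction step of the second decryption algorithm (checking that S_u satisfies A = (M, ρ) and finding the constants {ω_i} with Σ_{i∈I} ω_i λ_i = s), as an added Python example that is not part of the patent. The prime p, the matrix M, the map ρ and the attribute sets are constructed here, and plain Z_p arithmetic stands in for the exponent arithmetic of the pairing group.

```python
# Added example (not from the patent): LSSS sharing and reconstruction over Z_p,
# i.e. checking that S_u satisfies A = (M, rho) and finding {omega_i} with
# sum_i omega_i * lambda_i = s.  The prime p, M and rho are constructed values.
import secrets

p = 1_000_003  # small constructed prime; a real scheme uses the pairing group order

def share(M, s):
    """lambda_i = M_i . v with v = (s, r_2, ..., r_n), r_j random in Z_p."""
    v = [s % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def solve_mod_p(A, b):
    """Solve A x = b over Z_p by Gauss-Jordan; None if the system is inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[x % p for x in r] + [bi % p] for r, bi in zip(A, b)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((r for r in range(row, m) if aug[r][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, p)
        aug[row] = [x * inv % p for x in aug[row]]
        for r in range(m):
            if r != row and (f := aug[r][col]):
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
    if any(r[n] for r in aug[row:]):  # leftover rows are all-zero on the left
        return None
    x = [0] * n
    for r, col in enumerate(pivots):
        x[col] = aug[r][n]
    return x

def reconstruction_coefficients(M, rho, S_u):
    """Rows I = {i : rho(i) in S_u} and {omega_i}; None if S_u does not satisfy A."""
    I = [i for i in range(len(M)) if rho[i] in S_u]
    if not I:
        return None
    # Unknowns omega_i, constraint sum_i omega_i * M_i = (1, 0, ..., 0).
    A = [[M[i][c] for i in I] for c in range(len(M[0]))]
    sol = solve_mod_p(A, [1] + [0] * (len(A) - 1))
    return None if sol is None else (I, dict(zip(I, sol)))

def recover_secret(M, rho, S_u, shares):
    """User-side step: None (stop decrypting) if A is unsatisfied, else sum omega_i * lambda_i."""
    res = reconstruction_coefficients(M, rho, S_u)
    return None if res is None else sum(res[1][i] * shares[i] for i in res[0]) % p
```

With M = [[1, 1], [0, -1], [1, 0]] and ρ = (A, B, C), the matrix encodes the policy (A AND B) OR C against the target vector (1, 0); an attribute set holding only A or only B yields no coefficients and decryption stops.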
In the preceding "user key generation by the key generation center" step, another possibility is to interchange the decryption key and the control key of user u. That is, the key generation center 25 sets the decryption key of user u to dk_u = γ and sets the control key of user u to
Figure BDA0001081535700000094
where t = t'/γ.
Accordingly, in the preceding "incomplete decryption by the control server" step, the first decryption algorithm run by the control server 30 is modified as follows. The algorithm uses ck_u to perform incomplete decryption on
Figure BDA0001081535700000095
and obtains
Figure BDA0001081535700000096
Figure BDA0001081535700000097
while the other operations of the first decryption algorithm remain unchanged.
Likewise, in the preceding "decryption by the user" step, the second decryption algorithm run by user u is modified as follows. The algorithm uses dk_u to decrypt C'_ABE and obtains
Figure BDA0001081535700000098
while the other operations of the algorithm remain unchanged.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (10)

1. A data encryption and decryption system with fine-grained user control, comprising:
a public computer server for storing the encrypted data cipher text;
a first private computer server having a first private database for storing system public parameters, a master key, a set of user attributes, and a user ID; the master key is used for generating a user decryption key and a control key;
a second private computer server having a second private database for storing the user ID, the set of user attributes, the user control key, and a public-private key pair of the second private computer server; a public-private key pair of said second private computer server is used for incomplete decryption;
wherein the first private computer server generates the user decryption key and the control key only if the user is not revoked; the second private computer server performing an incomplete decryption operation only if the second private database contains the user ID;
the data encryption and decryption system adopts the following steps to encrypt and decrypt data:
1) providing the public parameters of the first private computer server for encrypting a first symmetric key and generating a ciphertext C_ABE, then encrypting the data with the first symmetric key and generating a ciphertext C_1; providing the public key of the second private computer server for encrypting a second symmetric key and generating a ciphertext C_PKE, then encrypting C_1 with the second symmetric key and generating a ciphertext C_2;
2) providing the user control key to the second private computer server for incomplete decryption of the ciphertext C_ABE, generating a ciphertext C'_ABE, wherein the generation and use of the user control key are determined by the set of user attributes;
3) providing the private key of the second private computer server for decrypting C_PKE to obtain the second symmetric key, and decrypting C_2 with the second symmetric key to obtain C_1;
4) transmitting the ciphertexts C'_ABE and C_1 to the user computer, which decrypts C'_ABE with the decryption key to obtain the first symmetric key and decrypts C_1 with the first symmetric key to obtain the plaintext of the data.
2. The system of claim 1, further comprising a first key generation program for generating a system public parameter, a first private computer server master key, and a user's decryption key and control key.
3. The system of claim 2, further comprising a second key generation program for generating a public-private key pair for a second private computer server.
4. The system of claim 3, wherein said second key generation program is capable of modifying the control key, the user ID, and the set of user attributes in the second private database.
5. The system of claim 3, wherein the second key generation program is capable of deleting the control key, the user ID, and the set of user attributes in the second private database.
6. The system of claim 1, wherein the public computer server is a public cloud server, a public computer, or a public mobile device.
7. A data encryption and decryption method with fine-grained user control, characterized in that it comprises the following steps:
1) providing the public parameters of a first private computer server for encrypting a first symmetric key and generating a ciphertext C_ABE, then encrypting the data with the first symmetric key and generating a ciphertext C_1; providing the public key of a second private computer server for encrypting a second symmetric key and generating a ciphertext C_PKE, then encrypting C_1 with the second symmetric key and generating a ciphertext C_2;
2) providing a user control key to the second private computer server for incomplete decryption of the ciphertext C_ABE, generating a ciphertext C'_ABE, wherein the generation and use of the user control key are determined by a set of user attributes;
3) providing the private key of the second private computer server for decrypting C_PKE to obtain the second symmetric key, and decrypting C_2 with the second symmetric key to obtain C_1;
4) transmitting the ciphertexts C'_ABE and C_1 to the user computer, which decrypts C'_ABE with a decryption key to obtain the first symmetric key and decrypts C_1 with the first symmetric key to obtain the plaintext of the data.
8. The method of claim 7, wherein the decryption key and the control key correspond to a user ID and a set of user attributes; the step of decrypting C'_ABE and C_PKE (step 2) is executed only when the second private database contains the user ID; and the steps of encrypting the second symmetric key with the public key of the second private computer server to produce C_PKE and encrypting C_1 with the second symmetric key to produce C_2 may optionally be omitted.
9. The method of claim 7 or 8, further comprising the step of modifying, in the second private computer server, the control key, the user ID, and the set of user attributes in the second private database.
10. The method of claim 9, further comprising the step of deleting the control key, the user ID, and the set of user attributes in the second private database in the second private computer server.
CN201610682250.7A 2016-08-17 2016-08-17 Data encryption and decryption system and method with fine-grained user control Expired - Fee Related CN107769915B (en)


Publications (2)

Publication Number Publication Date
CN107769915A CN107769915A (en) 2018-03-06
CN107769915B true CN107769915B (en) 2020-09-22


Country Status (1)

Country Link
CN (1) CN107769915B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200922