CN108418784A - A distributed cross-domain authorization and access control method based on attribute-based cryptography
- Publication number: CN108418784A (application CN201711260376.6A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
Abstract
The present invention proposes a distributed cross-domain authorization and access control method based on attribute-based cryptography, mainly intended to solve the problems of cross-domain authorization and access control in large-scale distributed environments. The invention designs a multi-authority (Attribute Authorities, AAs) hierarchical attribute-based encryption mechanism with controlled key delegation (Hierarchical Attribute-Based Encryption with controlled key delegation, MA-HABE-CKD). It supports decentralized and controlled security authorization for users in multiple domains, prevents abuse of key delegation, and realizes non-interactive access control on this basis. The method also supports outsourced decryption, so that lightweight users can obtain authorization to access the system.
Description
Technical field
The invention belongs to the field of secure data storage and access within computer information security, and in particular relates to a distributed cross-domain authorization and access control method for distributed environments.
Background technology
With the rapid development of computer technology and the Internet, the massive amount of data generated every day is stored on computers in digital form. Cloud computing is an emerging technology in which users can rent the storage and computing resources of servers provided by a company (referred to as the cloud). Users only need a terminal, smartphone or tablet connected to the Internet. Applications run in the cloud rather than on the user's machine. The cloud can store large amounts of data, so mobile users do not need to carry their data with them. Some cloud providers offer application services (for example, Google Apps and Microsoft Online), and some offer infrastructure support (for example, Amazon's EC2, Eucalyptus and Nimbus). This kind of distributed data access is increasingly becoming a trend; cloud computing provides an effective solution for storing and processing massive data and offers a large number of services of different categories. Among these, fog computing is currently a widely discussed topic, owing to its low latency, location awareness and widely distributed node locations. In practice, fog computing devices can not only improve the efficiency of data computation but also return data to users in a timely manner. Because fog devices are widely distributed geographically, users can access data effectively and quickly. Relying on technologies such as distributed processing, storage and virtualization, fog computing has become an effective way to handle the management, analysis and mining of data. In a fog computing environment, users can store data on fog devices, but storing data this way causes users to lose security management control over their data, which brings great security risks to the data on fog devices. Examples are the various sensitive data stored in smart bracelets, smart homes and smart office systems; once this private information is leaked, it can have a large negative effect on people's daily life and work.
However, data encryption and access control methods can meet users' need to protect the privacy of their data. Traditional access control methods require a fully trusted server and a trusted administrator to enforce them; the number of users in the system and the size of the stored data become a bottleneck for system efficiency, and if the server is compromised by an attacker, the private user data stored on it is leaked. Such methods are therefore not applicable to existing fog computing environments. Data encryption provides stronger protection for users' data, but with traditional public-key (asymmetric) encryption the system must generate different keys for different users, so the encryptor has to encrypt the same file under different keys and store the results on the server. In a system with a massive number of users and a huge amount of data, key management incurs a large overhead, which is also a problem when conventional encryption is applied in practice. Moreover, in a fog computing environment the data owner does not need to know in advance which users need to access the data; the owner only needs to encrypt the data to be shared according to an encryption policy. In this setting, encryption schemes built on traditional access control mechanisms cannot provide fine-grained access, so traditional encryption and access control methods cannot be applied efficiently in fog computing environments.
In view of the above problems, attribute-based encryption (Attribute-Based Encryption, ABE) is considered one of the most suitable technologies at present for protecting private data in fog computing environments and realizing fine-grained data access. It provides a one-to-many encrypted access control mechanism and is scalable and distributed. ABE has two extended constructions: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, each user's key is associated with a set of attributes and the ciphertext is associated with an access structure; KP-ABE is exactly the opposite: the ciphertext is associated with a set of attributes and the user's key is associated with an access structure. When ABE is applied in a fog computing environment so that data owners can effectively manage and control the private data stored on fog devices, CP-ABE is better suited to data access control, because the data owner can freely define which attributes a user must hold in order to access the private data stored on the fog devices.
However, a fog environment has the following requirement: in certain circumstances a user needs to delegate his or her key to other users. This not only lets users make full use of the keys they own, but also reduces, to some extent, the computational overhead and inefficiency of every user having to submit a registration request to the system. In existing research on attribute-based encryption, Wang G. et al., in "Hierarchical attribute-based encryption for fine-grained access control in cloud storage services", propose an effective key delegation mechanism within a hierarchical attribute-based encryption scheme, so that keys can be delegated between users. CN105915333A proposes an efficient key distribution method, but it has only a single attribute authority, which greatly increases the authority's burden when distributing keys in practice. The Chinese patent document CN2015101068880.5, entitled "A distributed access control method based on attribute encryption", proposes an encryption method that protects the privacy and security of data and realizes efficient, distributed and scalable fine-grained access control; it shares the workload of a single authority among multiple authorities and supports efficient outsourced decryption and user revocation, but it does not manage attributes hierarchically and its efficiency is not high. CN106059763A proposes a hierarchical ciphertext-policy encryption scheme based on multiple authorities, but does not support key delegation. In addition, Luan I. et al., in "Mediated Ciphertext-Policy Attribute-Based Encryption and Its Application", propose an attribute-based encryption mechanism with mediation and use key separation to realize immediate user revocation.
Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide a distributed cross-domain authorization and access control method based on attribute-based cryptography. The invention designs a multi-authority (Attribute Authorities, AAs) hierarchical attribute-based encryption mechanism with controlled key delegation (Hierarchical Attribute-Based Encryption with controlled key delegation, MA-HABE-CKD), which supports decentralized and controlled security authorization for users in multiple domains, prevents abuse of key delegation, and realizes non-interactive access control on this basis. The method also supports outsourced decryption, so that lightweight users can obtain authorization to access the system. That is, the invention provides an access control mechanism that meets the need for efficient multi-authority attribute-based encryption in a distributed environment and supports key delegation.
To achieve the above object, the present invention provides the following technical solution:
The system model of the present invention is shown in Fig. 1. The model consists of five entities: a trusted federated identity provider (FIP), service providers (SPs), data owners, service nodes (SN) and users. The FIP is responsible for authenticating and registering users, and issues a global identifier (GID), a certificate and a user global private key to each legitimate user. Each SP operates independently and is responsible for the attributes in its own domain; the SPs are also responsible for issuing attribute keys to registered legitimate users, sending the user's attribute keys UASK_{GID,1} and UASK_{GID,2} to the service node and to the user respectively. The data owner encrypts data under an access structure that he or she defines and stores the encrypted data on the service node, which provides storage and access services. When a legitimate user accesses authorized data, the service node first retrieves the user's attribute key, uses it to decrypt the ciphertext and generate a decryption token (DT), and sends the DT and the ciphertext to the user; the user then decrypts the ciphertext with the global private key and the DT and finally obtains the requested data.
The hierarchical attribute-based encryption method provided by the invention for a distributed environment comprises the following steps:
S1: System initialization: generate the system public parameters, the public/private key pairs of the service providers (Service Providers, SPs) and of the attributes, and the public/private key pair of the federated identity provider (Federated Identity Provider, FIP);
S2: Data encryption: the data owner encrypts the data and stores the encrypted data on a service node (Service Node, SN);
S3: User registration and key generation: the user requests registration; the FIP assigns a global identifier (Global Identifier, GID) and issues a signed attribute certificate and a global private key to the user; the SPs then issue the corresponding attribute private key to the user based on the user's attribute certificate. The attribute private key is divided into two parts, one sent to the user and the other sent to the service node;
S4: Data access: the user submits a data access request to the service node SN. If and only if the user's attribute set satisfies the access structure in the ciphertext, the user and the service node jointly decrypt the ciphertext; the service node undertakes part of the decryption computation, reducing the burden on the end user;
S5: User attribute key delegation: only when the user and the service node SN cooperate, that is, under the control of the service node, can a higher-level user generate an attribute key for a lower-level user, realizing secure key delegation.
Further, step S1 comprises the following steps:
S11: Federated identity provider FIP initialization: input the security parameter, and generate the system public parameters and the FIP's public/private key pair;
S12: Service provider SP initialization, including:
S121: Each service provider SP receives the system public parameters and the FIP's public key from the FIP;
S122: Each service provider SP defines its attributes, builds an attribute tree and generates public/private key pairs for the attributes it manages.
Further, step S2 comprises the following steps:
S21: The data owner receives the system public parameters and the attribute public keys from the federated identity provider FIP and the service providers respectively;
S22: For the data m to be encrypted, the data owner defines an access structure A over the global attribute set S, expressed as (M, ρ, τ), where M is an access matrix with l rows and n columns, the function ρ(i) maps the i-th row of M to an attribute vector in S, and a function gives the mapping from an attribute vector to the attribute tree τ;
S23: The data owner selects a random number s and a random array from the integers Z_p, and lets s be the first element of the vector;
S24: Calculate, where M_i is the i-th row of matrix M and i ∈ {1, 2, ..., l};
S25: Choose random numbers r_i ∈ Z_p, i ∈ {1, 2, ..., l};
S26: Encrypt the message m and output the ciphertext CT;
S27: The data owner uploads the ciphertext CT to the service node.
Further, step S3 comprises the following steps:
S31: The user requests to join the system and submits identity information to the federated identity provider FIP for registration;
S32: The FIP first authenticates the user;
S33: If the user is legitimate, the FIP assigns the user a global identifier GID and issues a certificate and a global private key to the user. The certificate contains the user's GID, the user's attribute list and the user's global public key; the FIP signs the certificate with its private key and sends the certificate and the private key to the user in a secure manner. If the user is not legitimate, the FIP refuses to admit the user to the system;
S34: After receiving the certificate and the global private key sent by the FIP, the user sends the certificate to the relevant service providers SPs;
S35: After receiving the user's certificate, the SPs verify it with the FIP's public key;
S36: The SPs check whether the user's global identifier GID belongs to the user revocation list (URL). If it does not, the SPs generate two shares of the attribute private key, UASK_{GID,1} and UASK_{GID,2}, for the user based on the user's attribute list; if GID ∈ URL, the SPs terminate the operation;
S37: The SPs send the user's attribute private keys UASK_{GID,1} and UASK_{GID,2} to the service node SN and to the user respectively.
Further, step S4 comprises the following steps:
S41: The user holding global identifier GID sends a data access request to the SN and sends his or her certificate to the SN;
S42: The service node SN verifies the certificate with the FIP's public key and checks whether the user's global identifier GID belongs to the user revocation list (URL);
S43: If it does not, the following operations continue; if GID ∈ URL, the SN terminates the operation;
S44: The SN retrieves the user's attribute private key UASK_{GID,1};
S45: The SN pre-decrypts the ciphertext with the user's attribute private key and generates a decryption token DT;
S45 comprises the following steps:
S451: Let and I = {i : ρ(i) ∈ R_A}, where R_A denotes the set of attribute vectors corresponding to the access matrix A. If, according to the access matrix M, {λ_i}_{i∈I} are valid shares of the encryption exponent s, then there exist recovery coefficients {w_i ∈ Z_p}_{i∈I} that can reconstruct the encryption exponent. The SN first obtains the recovery coefficients {w_i ∈ Z_p}_{i∈I};
S452: The SN then calculates the decryption token DT;
S46: The SN sends the decryption token DT to the user;
S47: Finally, the user decrypts the ciphertext with the attribute private key UASK_{GID,2} and the decryption token DT. If the user's attributes satisfy the access structure in the ciphertext, decryption succeeds; otherwise decryption fails.
Further, step S5 comprises the following steps:
S51: A lower-level user holding global identifier GID' asks an upper-level user holding global identifier GID to delegate a key;
S52: The upper-level user holding GID first computes UASK_{GID',2};
S53: The upper-level user computes a key token KT;
S54: The upper-level user delegates the attribute key UASK_{GID',2} to the lower-level user;
S55: The upper-level user sends a key delegation request to the service node SN and sends the key token KT to the SN;
S56: The SN first checks, based on the key token KT sent by the user, whether the user is legitimate;
S57: If the user is legitimate, the key delegation request is executed; if not, the key delegation request is refused;
S58: The SN generates the corresponding attribute key UASK_{GID',2} and stores it on the SN.
The advantages of the invention are as follows. The invention proposes a multi-authority hierarchical attribute-based encryption mechanism in which each SP operates independently and the SPs do not affect one another. By using multiple SPs, the invention shares the workload that previously fell on a single SP and effectively prevents the SP from becoming the bottleneck and security weakness of the system. In addition, the FIP assigns each user in the system a global identifier GID in order to prevent user collusion. Because the FIP is unique and holds the GIDs of all users in the system, the FIP must be fully trusted in this system.
In addition, the invention uses key separation: the user's private key is divided into a user global private key and a user attribute private key. The global private key is held only by the user, while the attribute private key is split into two parts, one kept by the user and the other stored by the SN. Consequently none of the three entities (user, SP and SN) is able to decrypt a ciphertext entirely on its own. When a user needs to decrypt a ciphertext, the user can decrypt it correctly only with the assistance of the SN, and the SN helps the user decrypt only if the user's attributes satisfy the access structure in the ciphertext. This mode of data access strengthens the security of the system to a certain extent. Furthermore, the invention not only protects the security and privacy of data in a distributed environment but also makes data access fast and effective: part of the decryption process is delegated to the SN, and since the SN holds only part of the user's attribute private key, it can only partially decrypt the ciphertext. This improves decryption efficiency while preserving the security of the system.
The invention also designs a novel method of delegating user attribute keys. In this system, users' attributes are arranged hierarchically, and the SPs and the FIP only need to issue keys to upper-level users. When a lower-level user wants to access data on the SN, the lower-level user requests a key from an upper-level user, who in turn requests the help of the SN. With the assistance of both, the lower-level user obtains a new attribute private key, and the SN also generates and stores a new attribute private key for the lower-level user. The key delegation method of the invention is therefore controlled. The advantage is that it not only prevents abuse of user key delegation but, because the SN is not fully trusted, the cooperation of the user and the SN also makes key delegation safer and more reliable.
Description of the drawings
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings, in which:
Fig. 1 is the system model, where: (1) user registration; (2) issue global private key and certificate to the user; (3) send attribute key request; (4) issue attribute key; (5) upload ciphertext; (6) send access request; (7) provide decryption token; (8) request key delegation; (9) key delegation; (10) send key token;
Fig. 2 is the flow diagram of the present invention;
Fig. 3 is the system initialization flow diagram;
Fig. 4 is the data encryption flow diagram;
Fig. 5 is the user key generation flow diagram;
Fig. 6 is the data access flow diagram;
Fig. 7 is the key delegation flow diagram.
Detailed description of the embodiments
Preferred embodiments of the present invention are described in detail below with reference to the drawings.
The distributed cross-domain authorization and access control method based on attribute-based cryptography provided by the invention, see Fig. 2, comprises the following steps:
S1: System initialization: generate the system public parameters, the public/private key pairs of the service providers (Service Providers, SPs) and of the attributes, and the public/private key pair of the federated identity provider (Federated Identity Provider, FIP);
Further, referring to Fig. 3, step S1 comprises the following steps:
S11: Federated identity provider FIP initialization: input the security parameter, and generate the system public parameters and the FIP's public/private key pair, including:
S111: Input the security parameter λ;
S112: Generate the system public parameters PP, which include two bilinear groups G_1 and G_2 of order p, where g is a generator of G_1, and a bilinear map e: G_1 × G_1 → G_2;
S113: Generate the FIP's public/private key pair (sk_FIP, pk_FIP);
S12: Service provider SP initialization, including:
S121: Each service provider SP receives the system public parameters {g, G_1, G_2, e(g, g)} and the FIP's public key pk_FIP from the FIP;
S122: Each service provider SP chooses three random numbers α_k, β_k, γ_k ∈ Z_p as the private key of its attribute tree, namely {α_k, β_k, γ_k}, and then generates the public key for the attribute tree. In addition, for the attribute tree it manages, the SP selects an additional random number v_k ∈ Z_p and defines h_{k,1}, h_{k,2}, …, h_{k,L} ∈ G, where L is the height of the attribute tree; v_k, h_{k,1}, h_{k,2}, …, h_{k,L} are all public.
S2: Data encryption: the data owner encrypts the data and stores the encrypted data on the service node;
Further, referring to Fig. 4, step S2 comprises the following steps:
S21: The data owner receives the system public parameters {g, G_1, G_2, e(g, g)} and the attribute public keys from the FIP and the SPs respectively;
S22: For the message m to be encrypted, the data owner defines an access structure A over the global attribute set S, expressed as (M, ρ, τ), where M is an access matrix with l rows and n columns, the function ρ(i) maps the i-th row of M to an attribute vector in S, and a function gives the mapping from an attribute vector to the attribute tree τ;
S23: The data owner selects a random number s and a random array from the integers Z_p, and lets s be the first element of the vector;
S24: Calculate, where M_i is the i-th row of matrix M and i ∈ {1, 2, ..., l};
S25: Choose random numbers r_i ∈ Z_p, i ∈ {1, 2, ..., l};
S26: Encrypt the message m and output the ciphertext CT, where R_A denotes the attribute set in the access structure A;
S27: The data owner stores the ciphertext CT on the SN.
S3: User registration and key generation: the user requests registration; the federated identity provider FIP assigns a global identifier (Global Identifier, GID) and issues a signed attribute certificate and a global private key to the user; the SPs then issue the corresponding attribute private key to the user based on the user's attribute certificate. The attribute private key is divided into two parts, one sent to the user and the other sent to the service node;
Further, referring to Fig. 5, step S3 comprises the following steps:
S31: The user requests to join the system and submits identity information to the federated identity provider FIP for registration;
S32: The FIP first authenticates the user;
S33: If the user is legitimate, the FIP assigns the user a GID and selects a random number u_GID ∈ Z_p as the user global private key UGSK_GID, then generates the user global public key. The FIP then uses its private key sk_FIP to generate the certificate, where AL_GID denotes the user's attribute list. The FIP sends UGSK_GID and the certificate ACert_GID to the user together. If the user is not legitimate, the FIP refuses to admit the user to the system;
S34: After receiving the certificate and the global private key sent by the FIP, the user sends the certificate to the relevant service providers SPs;
S35: After receiving the certificate ACert_GID, the SPs verify it with the FIP's public key pk_FIP;
S36: The SPs check whether the user's global identifier GID belongs to the user revocation list (URL). If it does not, the SPs generate two shares of the attribute private key, UASK_{GID,1} and UASK_{GID,2}, for the user based on the user's attribute list; if GID ∈ URL, the SPs terminate the operation;
S37: The SPs then generate the corresponding attribute private key for the user according to the user's attribute list AL_GID, as follows:
S37 comprises the following steps:
S371: The SP sends the user's attribute private key to the SN;
S372: The SP sends the user's attribute private key to the user.
S4: Data access: The user submits a data access request to the service node SN. If and only if the user's attribute set satisfies the access structure in the ciphertext, the user and the service node jointly decrypt the ciphertext; the service node undertakes part of the decryption computation, reducing the burden on the end user;
Further, referring to Fig. 6, step S4 includes the following steps:
S41: The user holding global identity GID sends a data access request to the service node SN, and sends its own certificate to the service node SN;
S42: The service node SN verifies the certificate using the public key of the identity federation provider FIP, and checks whether the user's global identity GID belongs to the user revocation list (URL);
S43: If it does not, the following operations continue; if $GID \in URL$, the service node SN terminates the operation;
S44: The service node SN retrieves the user's attribute private key $UASK_{GID}$;
S45: The service node SN decrypts the ciphertext using the user's attribute private key $UASK_{(GID,1)}$ and generates a decryption token DT;
Wherein S45 includes the following steps:
S451: Let and $I = \{i : \rho(i) \in R_A\}$, where $R_A$ denotes the set of attribute vectors corresponding to access matrix A. If, according to access matrix M, $\{\lambda_i\}_{i \in I}$ are valid shares of the encryption exponent s, then there exist recovery coefficients $\{w_i \in Z_p\}_{i \in I}$ that can reconstruct the encryption exponent as
The service node SN first obtains the recovery coefficients $\{w_i \in Z_p\}_{i \in I}$;
S452: The SN then computes the decryption token DT:
S46: The service node SN sends the decryption token DT and the ciphertext to the user;
S47: The end user decrypts the ciphertext using the attribute private key $UGSK_{(GID,2)}$ and the decryption token DT. If the user's attributes satisfy the access structure in the ciphertext, the user decrypts successfully,
and the end user obtains the data $m = C_0/M'$; if not, decryption fails.
S5: User attribute key delegation: Only when the user and the service node SN cooperate, i.e., under the control of the service node, can a higher-level user generate attribute keys for a lower-level user, achieving secure key delegation.
Further, referring to Fig. 7, step S5 includes the following steps:
S51: The lower-level user holding global identity GID' requests key delegation from the upper-level user holding global identity GID;
S52: The upper-level user holding global identity GID first selects two random numbers $u, t \in Z_p$; user GID then calculates $UGSK_{(GID',2)} = \{K'_{(x,2,)}, K'_{(x,d+2)}, \dots, K'_{(x,L)}\}$, where
S53: The upper-level user computes the key token
S54: The upper-level user delegates the attribute key $UASK_{(GID',2)}$ to user GID';
S55: The upper-level user issues a key delegation request to the service node SN and sends the key token KT to the service node SN;
S56: The service node SN first checks whether the user is legitimate according to the key token KT sent by the user;
S57: If legitimate, the key delegation request is executed; if not, the key delegation request is refused;
S58: The service node SN generates the corresponding attribute key and stores it on the service node SN.
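The split of decryption work in S41 to S47, shown as an added example that is not the patent's own construction: it swaps the pairing-based attribute key for a plain ElGamal key split into two additive shares, so the toy group parameters, the `ServiceNode` class and all function names are assumptions. It shows that the service node's token DT is required for decryption and that adding a GID to the URL cuts off access at once.

```python
import secrets

# Constructed toy group (far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4


def keygen_split():
    """Return (public key h, share x1 for the SN, share x2 for the user)."""
    while True:
        x1 = secrets.randbelow(Q - 1) + 1
        x2 = secrets.randbelow(Q - 1) + 1
        if (x1 + x2) % Q:  # avoid the degenerate key h = 1
            return pow(G, (x1 + x2) % Q, P), x1, x2


def encrypt(h, m):
    """ElGamal-style encryption of m in [1, P-1]; returns (C0, C1)."""
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(h, r, P)) % P, pow(G, r, P)


class ServiceNode:
    """Holds share 1 of every user's key and the user revocation list (URL)."""

    def __init__(self):
        self.key_shares = {}  # GID -> SN-side key share
        self.url = set()      # revoked GIDs

    def decryption_token(self, gid, c1):
        # S42-S43: a revoked or unknown GID gets no token
        # (certificate verification is omitted in this sketch).
        if gid in self.url or gid not in self.key_shares:
            return None
        # S45: partial decryption with the SN-side share yields the token DT.
        return pow(c1, self.key_shares[gid], P)


def user_decrypt(x2, c0, c1, dt):
    """S47: combine DT with the user-side share to get M', then m = C0 / M'."""
    m_prime = (dt * pow(c1, x2, P)) % P
    return (c0 * pow(m_prime, -1, P)) % P


def demo():
    sn = ServiceNode()
    h, x1, x2 = keygen_split()
    sn.key_shares["gid-alice"] = x1        # constructed GID
    c0, c1 = encrypt(h, 1234)              # constructed message
    dt = sn.decryption_token("gid-alice", c1)
    joint = user_decrypt(x2, c0, c1, dt)   # user and SN cooperate
    alone = user_decrypt(x2, c0, c1, 1)    # user tries without the SN's token
    sn.url.add("gid-alice")                # revocation at the SN
    after_revocation = sn.decryption_token("gid-alice", c1)
    return joint, alone, after_revocation


if __name__ == "__main__":
    print(demo())
```

Because the user-side share alone never yields M', revocation does not require re-encrypting stored ciphertexts or re-keying other users in this model.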
Finally, it should be noted that the above preferred embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Those skilled in the art can make various corresponding changes in form and detail based on the above technical solution, but all such changes shall be construed as falling within the scope of protection of the claims of the present invention.
Claims (6)
1. A distributed cross-domain authorization and access control method based on attribute-based cryptography, characterized in that it includes the following steps:
S1: System initialization: generate the system public parameters, the public/private key pairs of the service providers SPs, the public/private key pairs of the attributes, and the public/private key pair of the identity federation provider FIP;
S2: Data encryption: the data owner encrypts the data and stores the encrypted data on the service node SN;
S3: User registration and key generation: the user requests registration; the identity federation provider FIP assigns a global identity GID and distributes the signed attribute certificate and the global private key to the user; the service providers SPs then issue the corresponding attribute private keys to the user based on the user's attribute certificate; the attribute private key is split into two parts, one part sent to the user and the other part sent to the service node;
S4: Data access: the user submits a data access request to the service node SN; if and only if the user's attribute set satisfies the access structure in the ciphertext, the user and the service node jointly decrypt the ciphertext; the service node undertakes part of the decryption computation, reducing the burden on the end user;
S5: User attribute key delegation: only when the user and the service node SN cooperate, i.e., under the control of the service node, can a higher-level user generate attribute keys for a lower-level user, achieving secure key delegation.
2. The distributed cross-domain authorization and access control method based on attribute-based cryptography according to claim 1, characterized in that step S1 includes the following steps:
S11: Identity federation provider FIP initialization: a security parameter is input, and the system public parameters and the public/private key pair of the identity federation provider are generated;
S12: Service provider SPs initialization, including:
S121: Each service provider SP receives the system public parameters and the FIP's public key from the identity federation provider FIP;
S122: Each service provider SP defines attributes, builds an attribute tree, and generates public/private key pairs for the attributes it manages.
3. The distributed cross-domain authorization and access control method based on attribute-based cryptography according to claim 1, characterized in that step S2 includes the following steps:
S21: The data owner receives the system public parameters and the attribute public keys from the identity federation provider FIP and the service providers, respectively;
S22: For a message m to be encrypted, the data owner defines an access structure A for the data based on the global attribute set S, represented by (M, ρ, τ), where M is an access matrix with l rows and n columns, the function ρ(i) maps the i-th row of matrix M to an attribute vector in S, and the function denotes the mapping from the attribute vector to the attribute tree τ;
S23: The data owner selects a random number s and a random array from the integers $Z_p$, and lets s be the first element of the vector;
S24: Calculate, where $M_i$ is the i-th row of matrix M, $i \in \{1, 2, \dots, l\}$;
S25: Choose random numbers $r_i \in Z_p$, $i \in \{1, 2, \dots, l\}$;
S26: Encrypt the message m and output the ciphertext CT;
S27: The data owner uploads the ciphertext CT to the service node.
4. The distributed cross-domain authorization and access control method based on attribute-based cryptography according to claim 1, characterized in that step S3 includes the following steps:
S31: The user requests to join the system and submits identity information to the identity federation provider FIP to register;
S32: The identity federation provider FIP first authenticates the user;
S33: If the user is legitimate, the FIP assigns a global identity GID to the user and issues a certificate and a global private key to the user, where the certificate contains the user's global identity GID, the user's attribute list and the user's global public key; the identity federation provider FIP signs the certificate with its private key, and the certificate and the private key are sent to the user in a secure manner; if the user is not legitimate, the FIP refuses to let the user join the system;
S34: After receiving the certificate and the global private key sent by the identity federation provider FIP, the user sends the certificate to the relevant service providers SPs;
S35: After the service providers SPs receive the user's certificate, the SPs verify the certificate using the public key of the identity federation provider FIP;
S36: The service providers SPs check whether the user's global identity GID belongs to the user revocation list (URL); if it does not, the SPs generate two shares of the attribute private key, $UASK_{GID,1}$ and $UASK_{GID,2}$, for the user based on the user's attribute list; if $GID \in URL$, the SPs terminate the operation;
S37: The service providers SPs send the user's attribute private keys $UASK_{GID,1}$ and $UASK_{GID,2}$ to the service node SN and the user, respectively.
5. The distributed cross-domain authorization and access control method based on attribute-based cryptography according to claim 1, characterized in that step S4 includes the following steps:
S41: The user holding global identity GID sends a data access request to the service node SN, and sends its own certificate to the service node SN;
S42: The service node SN verifies the certificate using the public key of the identity federation provider FIP, and checks whether the user's global identity GID belongs to the user revocation list (URL);
S43: If it does not, the following operations continue; if $GID \in URL$, the service node SN terminates the operation;
S44: The service node SN retrieves the user's attribute private key $UASK_{GID,1}$;
S45: The service node SN pre-decrypts the ciphertext using the user's attribute private key and generates a decryption token DT;
Wherein S45 includes the following steps:
S451: Let and $I = \{i : \rho(i) \in R_A\}$, where $R_A$ denotes the set of attribute vectors corresponding to access matrix A. If, according to access matrix M, $\{\lambda_i\}_{i \in I}$ are valid shares of the encryption exponent s, then there exist recovery coefficients $\{w_i \in Z_p\}_{i \in I}$ that can reconstruct the encryption exponent as
The service node SN first obtains the recovery coefficients $\{w_i \in Z_p\}_{i \in I}$;
S452: The service node SN then computes the decryption token DT;
S46: The service node SN sends the decryption token DT to the user;
S47: The end user decrypts the ciphertext using the attribute private key $UASK_{(GID,2)}$ and the decryption token DT; if the user's attributes satisfy the access structure in the ciphertext, the user decrypts successfully; if not, decryption fails.
6. The distributed cross-domain authorization and access control method based on attribute-based cryptography according to claim 1, characterized in that step S5 includes the following steps:
S51: The lower-level user holding global identity GID' requests key delegation from the upper-level user holding global identity GID;
S52: The upper-level user holding global identity GID first calculates $UASK_{(GID',2)}$;
S53: The upper-level user computes the key token KT;
S54: The upper-level user delegates the attribute key $UASK_{(GID',2)}$ to the lower-level user;
S55: The upper-level user issues a key delegation request to the service node SN and sends the key token KT to the service node SN;
S56: The service node SN first checks whether the user is legitimate according to the key token KT sent by the user;
S57: If legitimate, the key delegation request is executed; if not, the key delegation request is refused;
S58: The service node SN generates the corresponding attribute key $UASK_{(GID',2)}$ and stores it on the service node SN.
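Claims 3 and 5 rely on linear secret sharing: S23 to S24 produce the shares λ_i, and S451 needs recovery coefficients w_i. The following added example (not code from the patent) implements the standard LSSS construction, in which the coefficients satisfy Σ w_i·M_i = (1, 0, …, 0) and therefore Σ w_i·λ_i = s; the policy matrix, the flat attribute names A, B, C (the patent maps rows to attribute vectors in a tree) and the modulus are constructed assumptions.

```python
import secrets

P = 2**127 - 1  # constructed prime standing in for the group order p

# Constructed policy (A AND B) OR C as an LSSS matrix; RHO[i] labels row i.
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]


def make_shares(matrix, s, p=P):
    """S23-S24: v = (s, random, ...), lambda_i = M_i . v mod p."""
    v = [s % p] + [secrets.randbelow(p) for _ in range(len(matrix[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def recovery_coefficients(matrix, rows, p=P):
    """S451: solve sum_i w_i * M_i = (1, 0, ..., 0) mod p over the given rows.
    Returns {row index: w_i}, or None when the rows do not satisfy the policy."""
    n, k = len(matrix[0]), len(rows)
    # One equation per matrix column; unknowns are the w_i of the selected rows.
    aug = [[matrix[r][c] % p for r in rows] + [int(c == 0)] for c in range(n)]
    pivots, top = [], 0
    for col in range(k):
        if top == n:
            break
        hit = next((i for i in range(top, n) if aug[i][col]), None)
        if hit is None:
            continue  # free variable, left at 0
        aug[top], aug[hit] = aug[hit], aug[top]
        inv = pow(aug[top][col], -1, p)
        aug[top] = [x * inv % p for x in aug[top]]
        for i in range(n):
            if i != top and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[top])]
        pivots.append(col)
        top += 1
    # A zero row with a non-zero right-hand side means the system is unsolvable.
    if any(aug[i][k] for i in range(top, n)):
        return None
    w = [0] * k
    for i, col in enumerate(pivots):
        w[col] = aug[i][k]
    return dict(zip(rows, w))


def reconstruct(shares, coeffs, p=P):
    """Compute sum_i w_i * lambda_i mod p."""
    return sum(w * shares[i] for i, w in coeffs.items()) % p


def recover_for(attrs, shares):
    """I = {i : rho(i) in attrs}; returns s, or None if attrs fail the policy.
    In LSSS-based encryption schemes this sum is normally taken in the exponent,
    so the decrypting party never sees s itself."""
    rows = [i for i, a in enumerate(RHO) if a in attrs]
    coeffs = recovery_coefficients(M, rows)
    return None if coeffs is None else reconstruct(shares, coeffs)


if __name__ == "__main__":
    lam = make_shares(M, 123456789)
    print(recover_for({"A", "B"}, lam), recover_for({"A"}, lam))
```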
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711260376.6A CN108418784B (en) | 2017-12-04 | 2017-12-04 | Distributed cross-domain authorization and access control method based on attribute password |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108418784A true CN108418784A (en) | 2018-08-17 |
CN108418784B CN108418784B (en) | 2020-09-25 |
Family
ID=63125384
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711260376.6A Active CN108418784B (en) | 2017-12-04 | 2017-12-04 | Distributed cross-domain authorization and access control method based on attribute password |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108418784B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN108418784B (en) | 2020-09-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20240326. Address after: Room 801, 85 Kefeng Road, Huangpu District, Guangzhou City, Guangdong Province. Patentee after: Guangzhou Dayu Chuangfu Technology Co.,Ltd. Country or region after: China. Address before: 400065 Chongqing Nan'an District huangjuezhen pass Chongwen Road No. 2. Patentee before: CHONGQING University OF POSTS AND TELECOMMUNICATIONS. Country or region before: China |