CN108768951B - Data encryption and retrieval method for protecting file privacy in cloud environment - Google Patents


Publication number
CN108768951B
Authority
CN
China
Prior art keywords
file
cloud
data
storage server
key
Legal status
Active
Application number
CN201810412324.4A
Other languages
Chinese (zh)
Other versions
CN108768951A (en)
Inventor
路雪
韩德志
毕坤
王军
俞云萍
Current Assignee
Shanghai High Flying Electronics Technology Co ltd
Original Assignee
Shanghai Maritime University
Application filed by Shanghai Maritime University
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords

Abstract

The invention discloses a data encryption and retrieval method for protecting file privacy in a cloud environment. In the method, a data owner submits an application to upload a local file to a cloud trusted center; after verifying that the data owner's identity information is legitimate, the cloud trusted center distributes a key and an authorization certificate to the data owner through a key derivation algorithm, and the legitimate data owner encrypts the file and uploads it to a cloud storage server. A data access user sends an access request to the cloud trusted center, which sends an authorization certificate to the user after confirming that the user's identity information is legitimate. The legitimate data access user submits the authorization certificate and a query request to the cloud storage server; after authentication passes, the cloud storage server searches the encrypted files by keyword and transmits the encrypted file to the user, who decrypts it. The method ensures the privacy of the data access user and the security of the data, and saves storage space overhead.

Description

Data encryption and retrieval method for protecting file privacy in cloud environment
Technical Field
The invention relates to the technical field of information security, in particular to a data encryption and retrieval method for protecting file privacy in a cloud environment.
Background
Cloud storage can provide scalable storage resources that meet QoS requirements on demand, and data access users can operate on their data at any time. Despite these powerful and attractive advantages, many individuals and enterprises are reluctant to migrate their data to cloud storage. The main reason is the fear of losing control over the data, and some of these worries have been borne out by data leakage and loss in cloud storage. Security has therefore become the first consideration of data owners when applying cloud computing. In a cloud storage system, the access structure established by a data owner may be stolen by an untrusted cloud storage server, so that identity and sensitive information are leaked, and data may also be disclosed to a third party for profit. Cloud storage therefore needs to address data storage and ciphertext retrieval with support for privacy protection.
Several solutions have been proposed. One designs a distributed encryption scheme for the cloud computing environment using a key sharing strategy, which can effectively reduce the threat of data leakage from an untrusted cloud computing service provider. Another provides a scheme for secure access to outsourced data that builds an index structure with a binary tree, manages keys with a key derivation technique, and handles access right changes and dynamic data changes by combining re-encryption with lazy revocation. However, the binary tree storage structure cannot sufficiently reflect the logical relationships of the data, changes in user access rights add communication overhead, data updates occupy extra storage resources, and a revoked data access user may collude with the service provider to leak information. A third constructs a cloud storage scheme supporting privacy protection that distinguishes data owners from data users and ensures the security of data on the cloud storage server, but the data owner can easily obtain the identity information of a data access user, so that identity information is leaked. A fourth designs a key derivation strategy based on symmetric and asymmetric keys and develops an electronic health record system supporting privacy protection, but does not consider the influence of user access right changes and dynamic data operations on key derivation.
Therefore, in order to overcome the shortcomings of the above solutions, a data encryption and retrieval method for protecting file privacy in a cloud environment needs to be provided, which needs to consider key derivation and management, dynamic change of user access rights, data sharing and file retrieval problems as a whole, and also needs to protect privacy of data access user identity information, in addition to ensuring security of data in a cloud storage server.
Disclosure of Invention
The purpose of the invention is as follows: the invention provides a data encryption and retrieval method for protecting file privacy in a cloud environment, which adopts a multi-way tree to construct a file retrieval index, distributes and manages keys through a key derivation algorithm, constructs the file retrieval index based on key words by using Bloom filters to realize ciphertext retrieval, reduces storage overhead and communication overhead and can realize high-efficiency retrieval of files.
The technical scheme is as follows: the invention provides a data encryption and retrieval method for protecting file privacy in a cloud environment, which comprises the following steps:
(1) The data owner submits an access application to the cloud trusted center. After verifying that the data owner's identity information is legitimate, the cloud trusted center issues an authorization certificate to the legitimate data owner and, through the key derivation algorithm KGABOD, generates a key $k_i$ for the data owner's file $f_i$ with file name $f_n$;
(2) The legitimate data owner submits a file upload application to the cloud storage server. After the cloud storage server verifies that the authorization certificate is valid, the legitimate data owner encrypts the file $f_i$ to be uploaded with its key $k_i$ and then uploads the encrypted file $f_i$ to the cloud storage server;
(3) After receiving the file $f_i$ uploaded by the legitimate data owner, the cloud storage server uses a multi-way tree index structure to create a keyword-based file retrieval index for the legitimate data owner;
(4) The cloud storage server encrypts the file number $f_{ni}$ of file $f_i$ and uses a Bloom Filter to encrypt the keyword-based file retrieval index that the cloud storage server created for the legitimate data owner;
(5) The data access user submits an access application to the cloud trusted center. After verifying that the data access user's identity information is legitimate, the cloud trusted center issues an authorization certificate to the data access user and derives, within the legitimate data access user's access rights, the key for accessing the file;
(6) The data access user submits an access application to the cloud storage server together with the authorization certificate issued by the cloud trusted center. After the cloud storage server verifies the validity of the authorization certificate, the legitimate data access user submits a retrieval request for file $f_i$; the cloud storage server retrieves file $f_i$ through the keyword-based file retrieval index and returns the ciphertext to the legitimate data access user, who decrypts the ciphertext of file $f_i$ to obtain the plaintext;
Further, the specific process of step (1) is as follows:
(11) the cloud trusted center generates a 128-bit root key $K_r$ for each legitimate data owner, as shown in equation (2):
$K_r = \mathrm{hash}(ID \parallel f_n(16) \parallel TS)$ (2)
(12) the cloud trusted center then generates, from the root key $K_r$ of the legitimate data owner, the encryption key $k_i$ of file $f_i$, as shown in formula (3):
$k_i = r \cdot \mathrm{hash}(K_r)$ (3)
where $r$ is a random number generated by the cloud trusted center for producing the encryption key $k_i$;
Further, the specific process of step (2) is as follows:
(21) the cloud trusted center calls the random key generation function keygen() to generate a large prime key $CK_{dc}$, which is used as the symmetric key for communication between the data owner and the cloud trusted center;
(22) the legitimate data owner uses the encryption key $k_i$ of file $f_i$, according to equation (4), to encrypt the file $f_i$ to be uploaded and obtain the ciphertext of file $f_i$
Figure BDA0001648340210000034
which is uploaded to and stored on the cloud storage server;
Figure BDA0001648340210000031
Further, the specific process of step (3) is as follows:
(31) first, the cloud storage server creates a keyword set $W$ for each node of the keyword-based file retrieval index tree. The keyword set of a leaf node consists of the $j$ keywords that the cloud storage server creates for the file $f_i$ uploaded by the legitimate data owner. The keywords in $W$ are not repeated, the set length length($W$) is the number of keywords, and the keyword set can be extended continuously;
(32) a file number $f_{ni}$ is created for file $f_i$, as shown in formula (5):
$f_{ni} = (f_n \parallel f_{ln} \parallel TS \parallel f_p)$ (5)
In the file number $f_{ni}$, $f_{ln}$ is the $n$-th node of layer $l$ of the keyword-based file retrieval index tree, $TS$ is the timestamp of the data update of file $f_i$, $f_p$ is the storage path of file $f_i$ on the cloud storage server, and $f_n$ is the name of file $f_i$;
(33) the hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$ is calculated as $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$, where $s = \{s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}\}$ is the set of hexadecimal ASCII code values of the keywords;
Further, the specific process of step (4) is as follows:
(41) the cloud storage server encrypts the file number $f_{ni}$ of file $f_i$ according to formula (6) to obtain
Figure BDA0001648340210000032
Figure BDA0001648340210000033
(42) the cloud storage server establishes a Bloom Filter for each node of the keyword-based file retrieval index and maps the hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$ into the Bloom Filter;
Each node is represented as an $m$-bit array, that is, a Bloom Filter is established for each node, and $r$ independent hash functions $h_1$ to $h_r$ are used to process the hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$ contained in the node; a leaf node holds the keywords unique to file $f_i$;
When retrieving file $f_i$, only $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ need to be hashed; if the positions of the computed values in the $m$-bit array are all 1, the searched keyword is in the index. A position in the array that no hash value maps to is 0, and a position that several hash values map to is still 1;
(43) when retrieving file $f_i$, only $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ need to be hashed; if the positions of the computed values in the $m$-bit array are all 1, the searched keyword is in the index.
Further, the specific process of step (5) is as follows:
(51) the data access user submits an access application to the cloud trusted center, and the cloud trusted center issues an authorization certificate to the data access user after verifying that the user's identity information is legitimate;
(52) the cloud trusted center derives, within the legitimate data access user's access rights, the key with which the user can access the file. If the access rights of a data access user change, the cloud trusted center re-encrypts with a new key the files that were originally authorized to that user, to prevent the data access user from accessing them;
Further, the specific process of step (6) is as follows:
(61) the cloud storage server verifies whether the authorization certificate of the data access user is valid;
(62) when a data access user submits a file retrieval request with multiple keywords $(w_{i1} \parallel w_{i2} \parallel w_{i3} \parallel \ldots \parallel w_{in})$ to the cloud storage server, the cloud storage server uses the formula $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$ to find the hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$;
(63) the cloud storage server applies the formula $h_{ij} = \mathrm{Hash}(s_{ij})$, processing $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ one by one with the hash functions $h_1$ to $h_r$, to obtain the hash vector of the multiple keywords $(h_{i1} \parallel h_{i2} \parallel h_{i3} \parallel \ldots \parallel h_{in})$;
where $h_{ij}$ is a hash vector recording the hash function values of $s_{ij}$ at the corresponding positions in the $m$-bit array;
(64) the cloud storage server searches the keyword-based file retrieval index $I$ for an item matching the multi-keyword hash vector. If a matching item exists, i.e. formula (8) is satisfied, the ciphertext $C_{f_{ni}}$ of the file number $f_{ni}$ is returned to the legitimate data access user, who locally decrypts the file number $f_{ni}$ of file $f_i$ through formula (9) to obtain the file number $f_{ni}$, and then obtains the file storage path and file name from $f_{ni}$ through equation (10); otherwise, the cloud storage server does not hold the content to be retrieved, and the retrieval ends;
Figure BDA0001648340210000041
Figure BDA0001648340210000042
$f_i, f_p = D_{kd}(f_{ni})$ (9)
(65) using the file storage path and file name in the plaintext of the obtained file number $f_{ni}$, the data access user retrieves the ciphertext of the queried file from the cloud storage server and decrypts it with the key obtained through the key derivation algorithm, obtaining the plaintext of the file corresponding to file number $f_{ni}$.
Beneficial effects: compared with the prior art, the invention has the following advantages:
1. The privacy of the data access user's identity is ensured, and the security of the data is also protected. The cloud trusted center is only responsible for distributing keys, verifying the identity of data access users and issuing the authorization code; the cloud storage server holds the data but cannot directly verify the identity of a data access user. Communication between the data access user and the cloud storage server is reduced, and keys are kept separate from files.
2. Keys are managed and distributed effectively; only the root key needs to be saved, which saves storage space.
3. Constructing the keyword-based file retrieval index improves retrieval efficiency and reduces the storage cost of the index on the server.
In summary, the data encryption and retrieval method for protecting file privacy in a cloud environment provided by the invention achieves efficient file retrieval while reducing storage overhead and communication overhead.
Drawings
FIG. 1 is a diagram of a cloud storage framework supporting privacy protection.
FIG. 2 is a flow chart of the cloud file data encryption and retrieval method, which is also the drawing accompanying the abstract of the present invention.
FIG. 3 is the keyword-based file retrieval multi-way tree structure.
FIG. 4 is a schematic diagram of keyword mapping to a Bloom filter.
Detailed Description
The following further describes specific embodiments of the present invention with reference to the drawings.
As shown in FIG. 1, the method involves four entities: the data owner, the cloud trusted center, the cloud storage server, and the data access user.
The data owner: after passing authentication by the cloud trusted center, the data owner uses the key generated by the cloud trusted center to encrypt the local file to be uploaded and then uploads it to the cloud storage server. The data owner can also act as a data access user to access other files stored on the cloud storage server;
The cloud trusted center: the cloud trusted center is trusted by the other entities. It verifies the identity information of data owners and data access users, issues authorization certificates to legitimate data access users and legitimate data owners, generates through the key derivation algorithm an encryption key $k_i$ for the file $f_i$ that a legitimate data owner wants to upload, and sends the key $k_i$ to the data owner;
The cloud storage server: after verifying the validity of a data owner's authorization certificate, the cloud storage server receives and stores the encrypted file uploaded by the legitimate data owner; after verifying the validity of a data access user's authorization certificate, the cloud storage server retrieves the corresponding ciphertext according to the search keywords provided by the legitimate data access user and sends the ciphertext to the data access user;
The data access user: the data access user sends a key request to the cloud trusted center and a ciphertext acquisition request to the cloud storage server. After obtaining the ciphertext from the cloud storage server, the data access user derives the key through the key derivation algorithm and decrypts the encrypted file to obtain the file plaintext. The data access user can also act as a data owner and upload files to the cloud storage server.
As shown in fig. 2, the present invention provides a data encryption and retrieval method for protecting file privacy in a cloud environment, which specifically includes the following processes:
The specific implementation process of step (1) is as follows:
1. The cloud trusted center receives the access request of the data access user and judges from the identity information ID whether the data access user is a legitimate data owner.
2. After being judged legitimate, the data owner submits an application to the cloud trusted center and uploads the file name $f_n$ and the file keywords $w_{ij}$. The cloud trusted center uses the key derivation algorithm to generate a key $k_i$ for the file $f_i$ with file name $f_n$.
When the cloud trusted center generates the encryption key through the KGABOD algorithm, it generates a 128-bit root key $K_r$ for each legitimate data owner, where $K_r = \mathrm{hash}(ID \parallel f_n(16) \parallel TS)$. The key of file $f_i$ is $k_i$, as in formula (3), where $r$ is a random number.
The specific implementation process of step (2) is as follows:
1. The cloud trusted center calls the random key generation function keygen() to generate a large prime key $CK_{dc}$, which is used as the symmetric key for communication between the data owner and the cloud trusted center;
2. The legitimate data owner uses the encryption key $k_i$ of file $f_i$ to encrypt the file $f_i$ to be uploaded and obtain the ciphertext of file $f_i$
Figure BDA0001648340210000061
Figure BDA0001648340210000062
which is uploaded to and stored on the cloud storage server;
The specific implementation process of step (3) is as follows:
1. As shown in FIG. 3, the cloud storage server uses a multi-way tree index structure to establish the keyword-based file retrieval index. The root node $f_{11}$ includes all keywords in the file system; the second-level nodes $f_{21}, f_{22}$ include all keywords in the third-level nodes $f_{31}, f_{32}, f_{33}, f_{34}, f_{35}$; finally, the leaf node $f_{35}$ holds the keywords $w_{i1}, w_{i2}$ specific to file $f_i$.
2. The cloud storage server creates a keyword set $W$ for each node of the keyword-based file retrieval index tree;
3. The cloud storage server creates a file number for every stored file, and likewise creates a file number $f_{ni}$ for file $f_i$, as shown in formula (5):
$f_{ni} = (f_n \parallel f_{ln} \parallel TS \parallel f_p)$
$f_{ni} = (\text{cloud computing} \parallel f_{35} \parallel \text{2018-1-1} \parallel \text{c:/file})$ (5)
4. The hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$ is calculated as $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$, where $s = \{s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}\}$ is the set of hexadecimal ASCII code values of the keywords;
The specific implementation process of step (4) is as follows:
1. The cloud storage server encrypts the file number $f_{ni}$ of file $f_i$ according to formula (6) to obtain
Figure BDA0001648340210000063
Figure BDA0001648340210000071
2. The cloud storage server establishes a Bloom Filter for each node of the keyword-based file retrieval index and maps the hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$ into the Bloom Filter;
3. When retrieving file $f_i$, only $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ need to be hashed; if the positions of the computed values in the $m$-bit array are all 1, the searched keyword is in the index.
The specific implementation process of step (5) is as follows:
1. The data access user submits an access application to the cloud trusted center, and the cloud trusted center issues an authorization certificate to the data access user after verifying that the user's identity information is legitimate;
2. The cloud trusted center derives, within the legitimate data access user's access rights, the key with which the user can access the file. If the access rights of a data access user change, the cloud trusted center re-encrypts with a new key the files that were originally authorized to that user, to prevent the data access user from accessing them;
The specific implementation process of step (6) is as follows:
1. The cloud storage server verifies whether the authorization certificate of the data access user is valid;
2. When a legitimate data access user submits a file retrieval request with keywords $w_{i1}$ and $w_{i2}$ to the cloud storage server, the cloud storage server computes the hexadecimal ASCII code values $s_{i1}, s_{i2}$ of the two keywords in $f_i$ by the formulas $s_{i1} = \mathrm{ASCII}(w_{i1})_{16}$ and $s_{i2} = \mathrm{ASCII}(w_{i2})_{16}$. If the two keywords are $w_{i1}$ = "privacy" and $w_{i2}$ = "cloud storage", then
$s_{i1} = \mathrm{ASCII}(w_{i1})_{16}$
$= \mathrm{ASCII}(\text{privacy})_{16}$
$= \mathrm{0x9690} + \mathrm{0x79c1}$
$= \mathrm{0x11051}$
Similarly, $s_{i2} = \mathrm{0xFA91}$, and $s = \{s_{i1}, s_{i2}\}$ is the set of hexadecimal ASCII code values of the keywords.
3. The cloud storage server uses $r$ independent hash functions $h_1$ to $h_r$ to process the hexadecimal ASCII code values $s_{i1}, s_{i2}$ of the two keywords, i.e. $h_1(s_{i1}), h_2(s_{i1}), \ldots, h_r(s_{i1}), h_1(s_{i2}), h_2(s_{i2}), \ldots, h_r(s_{i2})$, to obtain the hash vectors $(h_{i1} \parallel h_{i2})$ of the two keywords, as follows:
$h_{i1} = \mathrm{Hash}(s_{i1}), \quad h_{i2} = \mathrm{Hash}(s_{i2})$
4. As shown in FIG. 4, after receiving $h_{i1}, h_{i2}$, the cloud storage server searches the keyword-based file retrieval index $I$ for an item matching the multi-keyword hash vector. If one exists, i.e. formula (7) holds, the ciphertext corresponding to the file number $f_{ni}$ is returned to the legitimate data access user, who locally decrypts the ciphertext of the file number $f_{ni}$ of file $f_i$ through formula (8) to obtain the plaintext of $f_{ni}$, and then obtains the file storage path and file name from $f_{ni}$ through formula (9); otherwise, the cloud storage server does not hold the content to be retrieved, and the retrieval ends;
Figure BDA0001648340210000081
Figure BDA0001648340210000082
$f_i, f_p = D_{kd}(f_{ni})$ (9)
After obtaining the plaintext of the file number, the legitimate data access user retrieves the ciphertext of the queried file from the cloud storage server according to the file storage path and file name, obtains the key using the key derivation algorithm, and decrypts the ciphertext to obtain the plaintext of the file corresponding to the file number.
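The per-node Bloom Filter index of steps (3), (4) and (6), as an added Python sketch that is not part of the patent text. It assumes the translated keywords "privacy" and "cloud storage" stand for 隐私 and 云存储, whose character codes sum to the page's 0x11051 and 0xFA91; the values of m and r, the SHA-256-based hash functions, the other keywords, the tree layout below f21/f22 and the file-number placeholders are all constructed for the example.

```python
import hashlib

M_BITS = 1024   # m: bits in each node's array (value assumed for the example)
R_HASHES = 3    # r: number of hash functions h_1..h_r (value assumed)


def keyword_value(word):
    """s_ij as in the page's worked values: sum of the keyword's character codes."""
    return sum(ord(ch) for ch in word)


def bit_positions(s):
    """h_1(s)..h_r(s): SHA-256 salted with the function index (assumed construction)."""
    return [
        int.from_bytes(hashlib.sha256(f"{k}:{s:x}".encode()).digest()[:8], "big") % M_BITS
        for k in range(1, R_HASHES + 1)
    ]


class Node:
    """One node of the multi-way tree; its Bloom filter is an m-bit integer."""

    def __init__(self, name, parent=None, file_number=None):
        self.name, self.parent, self.file_number = name, parent, file_number
        self.bits, self.children = 0, []
        if parent is not None:
            parent.children.append(self)

    def add_keyword(self, word):
        # A parent covers every keyword of its children, so the same bits are
        # set on this node and on each ancestor up to the root.
        mask = 0
        for p in bit_positions(keyword_value(word)):
            mask |= 1 << p
        node = self
        while node is not None:
            node.bits |= mask
            node = node.parent

    def may_contain(self, word):
        return all((self.bits >> p) & 1 for p in bit_positions(keyword_value(word)))


def search(root, words):
    """Return file numbers of leaves whose filters match every query keyword."""
    hits, stack = [], [root]
    while stack:
        node = stack.pop()
        if not all(node.may_contain(w) for w in words):
            continue  # prune: this subtree cannot hold all query keywords
        if node.file_number is not None:
            hits.append(node.file_number)
        stack.extend(node.children)
    return sorted(hits)


def build_sample_index():
    """Constructed tree shaped like the page's f11 / f21, f22 / f31..f35 example."""
    f11 = Node("f11")
    f21, f22 = Node("f21", f11), Node("f22", f11)
    leaves = {
        "f31": (f21, ["backup", "invoice"]),
        "f32": (f21, ["contract"]),
        "f33": (f22, ["roster", "payroll"]),
        "f34": (f22, ["audit"]),
        "f35": (f22, ["隐私", "云存储"]),
    }
    for name, (parent, words) in leaves.items():
        # Placeholder for the encrypted file number; the page stores a ciphertext here.
        leaf = Node(name, parent, file_number=f"C_fn[{name}]")
        for w in words:
            leaf.add_keyword(w)
    return f11


if __name__ == "__main__":
    index = build_sample_index()
    print(hex(keyword_value("隐私")), hex(keyword_value("云存储")))
    print(search(index, ["隐私", "云存储"]))
    print(search(index, ["私隐"]))   # same characters reordered: same s, same bits
    print(search(index, ["ledger"]))
```

Because $s_{ij}$ is a sum of character codes, a reordering of the same characters maps to the same bits, and a Bloom Filter can also report a keyword that was never inserted. A match therefore means "possibly present", and the returned file number still has to decrypt correctly.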
While the present invention has been described in detail with reference to the preferred embodiments, it should be understood that the above description should not be taken as limiting the invention. Various modifications and alterations to this invention will become apparent to those skilled in the art upon reading the foregoing description. Accordingly, the scope of the invention should be determined from the following claims.

Claims (5)

1. A data encryption and retrieval method for protecting file privacy in a cloud environment is characterized by comprising the following steps:
(1) the data owner provides an access application to the cloud trusted center, and the cloud trusted center verifies that the identity information of the data owner is legal and then provides the legal data owner with the data ownerIssuing an authorization certificate and obtaining the file name f of the authorization certificate through a key derivation algorithm KGABODnFile f ofiGenerating a secret key ki(ii) a The key generation process specifically comprises the following steps:
(11) the cloud trusted center can be a file f of a legal data owneriA 128-bit root key Kr is generated, as shown in equation (2):
Kr=hash(ID||fn(16)||TS) (2)
wherein f isn(16) File f being the owner of the dataiIs a file fiAn updated timestamp;
(12) the cloud trust center then generates a file f from the root key Kr of the legitimate data owneriIs encrypted by the encryption key ki,kiAs shown in formula (3):
ki=r·hash(Kr) (3)
wherein r belongs to the cloud trusted center and is used for generating an encryption key kiAnd a randomly generated number;
(2) a legal data owner puts forward an uploading file application to the cloud storage server, and the legal data owner uses the file f after the cloud storage server verifies that the authorization certificate is validiKey k ofiEncrypting a File f to be uploadediThen the file fiUploading the encrypted file to a cloud storage server;
(3) after receiving the file $f_i$ uploaded by the legitimate data owner, the cloud storage server uses a multi-branch tree index structure to create a keyword-based file retrieval index for the legitimate data owner; in the keyword-based file retrieval index, the root node contains the keywords of all files of the file owner in the file system, a second-layer node contains all the keywords in the third-layer nodes, and so on, so that layer $n$ contains the keywords in the layer $n+1$ nodes, and the final leaf nodes are the specific keywords in file $f_i$; the cloud storage server builds the multi-branch tree with the data owner as the root, all files of the data owner are stored in the multi-branch tree whose root node is the data owner, and a multi-level index is then established over the keywords in the files; the specific process of establishing the multi-level index comprises the following steps:
(31) first, the cloud storage server creates a keyword set $W$ for each node of the keyword-based file retrieval index tree; the keyword set of a leaf node consists of the $j$ keywords that the cloud storage server creates for the file $f_i$ uploaded by the legitimate data owner; no keyword in the keyword set $W$ is repeated, the set length length($W$) is the number of keywords, and the keyword set can be expanded continuously;
(32) a file number $fn_i$ is created for file $f_i$; the file number $fn_i$ of file $f_i$ is as shown in formula (5):
$$fn_i = (f_n \| f_{ln} \| TS \| f_p) \tag{5}$$
in the file number $fn_i$, $f_{ln}$ is the $n$-th node of layer $l$ of the keyword-based file retrieval index tree, $TS$ is the timestamp of the data update of file $f_i$, $f_p$ denotes the storage path of file $f_i$ in the cloud storage server, and $f_n$ is the name of file $f_i$;
(33) the hexadecimal ASCII code value $s_{ij}$ of each keyword $w_{ij}$ is calculated as follows: $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$, wherein $s = \{s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}\}$ is the set of hexadecimal ASCII values of the keywords;
(4) the cloud storage server encrypts the file number $fn_i$ of file $f_i$, and uses the Bloom Filter encryption algorithm to encrypt the keyword file retrieval index, stored in the cloud storage server, that was created for the legitimate data owner; the specific process is as follows:
(41) the cloud storage server encrypts the file number $fn_i$ of file $f_i$: according to formula (6), the file number $fn_i$ of file $f_i$ is encrypted to obtain $C_{fn_i}$:
$$C_{fn_i} = \mathrm{hash}(f_n \| f_{ln} \| TS \| f_p) \tag{6}$$
(42) the cloud storage server establishes a Bloom Filter for each node of the keyword-based file retrieval index, and maps the hexadecimal ASCII code value $s_{ij}$ corresponding to each obtained keyword $w_{ij}$ into the Bloom Filter;
each node is represented as an $m$-bit array, that is, a Bloom Filter is established for each node, and $r$ independent hash functions $h_1$ to $h_r$ are used to process the hexadecimal ASCII code value $s_{ij}$ corresponding to each keyword $w_{ij}$ contained in the node; a leaf node is a unique keyword of file $f_i$;
(43) when retrieving file $f_i$, it is only necessary to hash $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$; if the positions of the computed values in the $m$-bit array are all 1, the searched keywords are in the index; otherwise they are not in the array; a position that no hash value falls on is 0, and a position on which several hash functions yield the same value is still 1;
(5) the data access user submits an access application to the cloud trusted center; after verifying that the identity information of the data access user is legitimate, the cloud trusted center issues an authorization certificate to the data access user and derives, within the access rights of the legitimate data access user, a key for accessing the file;
(6) the data access user submits an access application to the cloud storage server together with the authorization certificate issued by the cloud trusted center; after the cloud storage server verifies the validity of the authorization certificate, the legitimate data access user uploads a retrieval request for file $f_i$, the cloud storage server retrieves the ciphertext of file $f_i$ through the keyword-based file retrieval index and returns it to the legitimate data user, and the legitimate data user decrypts the ciphertext of file $f_i$ to obtain the plaintext.
2. The data encryption and retrieval method for protecting file privacy in cloud environment according to claim 1, wherein the cloud trusted center in step (1) issues an authorization certificate for a legitimate data owner, the authorization certificate is numbered as code, and the code is represented by formula (1):
$$code = g * \mathrm{hash}(f_{n(16)} \| TS) \tag{1}$$
wherein $f_n$ is the name of file $f_i$, $f_{n(16)}$ is the name $f_n$ of $f_i$, $TS$ is the update timestamp of file $f_i$, and $g$ is a random number generated by the cloud trusted center.
3. The data encryption and retrieval method for protecting file privacy in cloud environment according to claim 1, wherein the specific process of the step (2) is as follows:
(21) the cloud trusted center calls the random key generation algorithm function keygen() to generate a large prime number key $CK_{dc}$, and $CK_{dc}$ is used as the symmetric key for communication between the data owner and the cloud trusted center;
(22) according to formula (4), the legitimate data owner uses the encryption key $k_i$ of file $f_i$ to encrypt the file $f_i$ to be uploaded, obtains the ciphertext $C_{f_i}$ of file $f_i$, and uploads it to the cloud storage server for storage:
$$C_{f_i} = E_{ke}(f_i) \tag{4}$$
4. The data encryption and retrieval method for protecting file privacy in cloud environment according to claim 1, wherein the specific process of step (5) is as follows:
(51) the data access user submits an access application to the cloud trusted center, and the cloud trusted center issues an authorization certificate for the data access user after verifying that the identity information of the data access user is legitimate;
(52) the cloud trusted center derives, within the access rights of the legitimate data access user, a key with which that user can access the file; if the access rights of the data access user change, the cloud trusted center uses a new key to re-encrypt the files that the user was originally authorized to access, thereby preventing access by that data access user.
5. The data encryption and retrieval method for protecting file privacy in cloud environment according to claim 1, wherein the specific process of step (6) is as follows:
(61) the cloud storage server verifies whether the authorization certificate of the data access user is valid;
(62) when a legitimate data access user makes a file retrieval request to the cloud storage server with multiple keywords $(w_{i1} \| w_{i2} \| w_{i3} \| \ldots \| w_{in})$, the cloud storage server uses the formula $s_{ij} = \mathrm{ASCII}(w_{ij})_{16}$ to find the hexadecimal ASCII code value $s_{ij}$ corresponding to each keyword $w_{ij}$;
(63) the cloud storage server performs the hash function operation using the formula $h_{ij} = \mathrm{Hash}(s_{ij})$, processing $s_{i1}, s_{i2}, s_{i3}, \ldots, s_{ij}$ one by one with the hash functions $h_1$ to $h_r$ to obtain the multi-keyword hash vector $(h_{i1} \| h_{i2} \| h_{i3} \| \ldots \| h_{in})$;
said $h_{ij}$ is a hash vector that records the hash function values of $s_{ij}$ at the corresponding positions in the $m$-bit array;
(64) the cloud storage server searches the keyword-based file retrieval index $I$ for an item matching the multi-keyword hash vector; if one exists, that is, formula (7) is satisfied, the ciphertext $C_{fn_i}$ of the file number $fn_i$ is returned to the legitimate data access user, who decrypts it locally through formula (8) to obtain the file number $fn_i$ of file $f_i$, and then obtains the file storage path and file name from the file number $fn_i$ through formula (9); otherwise, the cloud storage server does not hold the content to be retrieved, and the retrieval ends;
Figure FDA0002956172910000041
$$fn_i = \mathrm{Dec}(C_{fn_i}) \tag{8}$$
$$f_i, f_p = D_{kd}(fn_i) \tag{9}$$
(65) after obtaining the plaintext of the file number $fn_i$, the data access user goes to the cloud storage server to fetch the ciphertext of the queried file according to the file storage path and file name, and decrypts the ciphertext with the key obtained through the key derivation algorithm to obtain the plaintext of the file corresponding to the file number $fn_i$.
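The per-node Bloom Filter index of steps (3) and (4) and the multi-keyword lookup of steps (62) to (64), as an added Python example that is not code from the patent. The SHA-256-based hash functions, the values of m and r, the one-leaf-per-file layout and the sample files are assumptions.

```python
import hashlib

M, R = 1024, 4  # assumed: m-bit array size and number of hash functions h_1..h_r

def hex_ascii(word):
    """s_ij = ASCII(w_ij)_16: the keyword as hexadecimal ASCII code values."""
    return word.encode("ascii").hex()

def positions(word):
    """Positions set by h_1..h_r (SHA-256 over 'k:s_ij' is an assumption)."""
    s = hex_ascii(word)
    return [int.from_bytes(hashlib.sha256(f"{k}:{s}".encode()).digest(), "big") % M
            for k in range(1, R + 1)]

def file_number_ct(fn, fln, ts, fp):
    """C_fni = hash(fn || fln || TS || fp), formula (6); SHA-256 assumed."""
    return hashlib.sha256("||".join((fn, fln, ts, fp)).encode()).hexdigest()

class Node:
    """Index-tree node holding one Bloom filter (an int used as a bit array)."""
    def __init__(self, keywords=(), children=(), cfn=None):
        self.children, self.cfn, self.bits = list(children), cfn, 0
        for w in keywords:
            for p in positions(w):
                self.bits |= 1 << p
        for child in self.children:  # layer n covers the keywords of layer n+1
            self.bits |= child.bits

    def may_contain(self, word):
        """True only if every position for the keyword is 1 in this node."""
        return all((self.bits >> p) & 1 for p in positions(word))

def search(node, words):
    """Return C_fni of each leaf whose filter matches all query keywords."""
    if not all(node.may_contain(w) for w in words):
        return []  # a keyword is absent here, so skip the whole subtree
    if not node.children:
        return [node.cfn]
    return [hit for child in node.children for hit in search(child, words)]

# Constructed sample: one data owner (root) with two files as leaves.
LEAF_A = Node(["cloud", "privacy"],
              cfn=file_number_ct("a.txt", "2-1", "20180503", "/owner/a.txt"))
LEAF_B = Node(["cloud", "index"],
              cfn=file_number_ct("b.txt", "2-2", "20180503", "/owner/b.txt"))
ROOT = Node(children=[LEAF_A, LEAF_B])

if __name__ == "__main__":
    print(search(ROOT, ["cloud", "privacy"]))  # one hit: the C_fni of a.txt
```

A match at the root only means every query keyword occurs somewhere under the data owner, so the descent to the leaves is what decides which file is returned. Because the hash functions in this example take no secret input, `may_contain` gives the same answer to anyone who holds a node's bit array, and a Bloom filter can report a keyword as present when it is not.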
CN201810412324.4A 2018-05-03 2018-05-03 Data encryption and retrieval method for protecting file privacy in cloud environment Active CN108768951B (en)

Publications (2)

Publication Number Publication Date
CN108768951A (en) 2018-11-06
CN108768951B (en) 2021-06-08

Family

ID=64009437

Country Status (1)

Country Link
CN (1) CN108768951B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230413

Address after: Building 17, No. 1500, Zuchongzhi Road, Pudong New Area Pilot Free Trade Zone, Shanghai, 201210

Patentee after: SHANGHAI HIGH-FLYING ELECTRONICS TECHNOLOGY Co.,Ltd.

Address before: 201306 1550 Harbour Road, Lingang New Town, Pudong New Area, Shanghai

Patentee before: Shanghai Maritime University