CN109327448A - A kind of cloud file sharing method, device, equipment and storage medium - Google Patents

A kind of cloud file sharing method, device, equipment and storage medium Download PDF

Info

Publication number
CN109327448A
CN109327448A CN201811251351.4A CN201811251351A CN109327448A CN 109327448 A CN109327448 A CN 109327448A CN 201811251351 A CN201811251351 A CN 201811251351A CN 109327448 A CN109327448 A CN 109327448A
Authority
CN
China
Prior art keywords
file
access
key
lsss
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811251351.4A
Other languages
Chinese (zh)
Other versions
CN109327448B (en
Inventor
王树兰
黄美东
王磊
王汇文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Technology University
Original Assignee
Shenzhen Technology University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Technology University filed Critical Shenzhen Technology University
Priority to CN201811251351.4A priority Critical patent/CN109327448B/en
Publication of CN109327448A publication Critical patent/CN109327448A/en
Priority to PCT/CN2019/079646 priority patent/WO2020082688A1/en
Application granted granted Critical
Publication of CN109327448B publication Critical patent/CN109327448B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention is applicable in ciphertext access control technology field, provide a kind of cloud file sharing method, device, equipment and storage medium, this method comprises: when receiving the file application requests of file owner's transmission, according to content key set, shared file set is treated using symmetric encipherment algorithm to be encrypted, obtain file cipher text set, according to common parameter and LSSS access control policy, function is calculated using encryption to encrypt content cipher key sets, obtain key ciphertext set corresponding with content key set, file cipher text set and key ciphertext set are uploaded to Cloud Server, to realize cloud file-sharing, to which LSSS access control policy through the invention meets AND gate, the access tree construction of OR-gate and " thresholding ", realize flexible fine-granularity access control, and reduce ciphertext Storage overhead, communication overhead and the computation complexity of decryption, improve the safe coefficient of encryption efficiency, decryption efficiency and shared data.

Description

A kind of cloud file sharing method, device, equipment and storage medium
Technical field
The invention belongs to ciphertext access control technology field more particularly to a kind of cloud file sharing methods, device, equipment And storage medium.
Background technique
As the development of cloud computing and big data use the increase step by step of scale, data become the information of most worthy, The data of oneself are stored on Cloud Server by people has become a kind of trend, and the use of cloud data and shares to people Offering convenience property of life and work while, also bring unprecedented data safety risk, therefore, how to realize to cloud Controlled share of data becomes urgent problem to be solved.
In order to solve the controlled sharing problem of cloud data, while private data being avoided to be stolen, traditional method is to pass through User encrypts data to be shared, then Cloud Server is transmitted in the form of ciphertext, this to be divided using encipherment scheme The user that these encryption datas are sent out to special group is very inefficient, and cannot ensure that data are overall safeties, if wanting to ensure to count According to safety can realize that wherein access control is that unauthorized user is prevented to access by designing the access control of encryption mechanism First of security perimeter of cloud private data, so access control technology is particularly important.
In order to avoid the sensitive data of superuser unauthorized access user, while can be realized in cloud storage environment again Fine-granularity access control, Sahai et al. proposed in 2005 attribute base encryption (Attribute BasedEncryption, ABE concept), ABE can carry out fine granularity control to shared data and reduce the workload of private key storage and distribution, however Basic ABE can not support flexible access control policy.Therefore, Bethencourt et al. is proposed suitable for access control The ciphertext policy ABE base of class application encrypts (Ciphertext Policy-Attribute Based Encryption, CP- ABE specifically whose decryption to require no knowledge about when the side's of encryption encryption information by flexible access strategy by) mechanism, CP-ABE, And decryption side only needs to meet corresponding conditions and can decrypt.Many scholars at home and abroad study CP-ABE algorithm, although obtaining Obtained many achievements but the specific implementation model that is combined with practical application there are also many problems demands to study, for example, how structure Access control structure easy to maintain is made, the ability to express etc. of access control how is enhanced.
Summary of the invention
The purpose of the present invention is to provide a kind of cloud file sharing method, device, equipment and storage mediums, it is intended to solve Since the prior art can not provide a kind of effective access control method, lead to shared data low problem safely.
On the one hand, the present invention provides a kind of cloud file sharing method, the method includes the following steps:
When receiving the file application requests of file owner's transmission, according to pre-set content key set, make Shared file set is treated with symmetric encipherment algorithm to be encrypted, and file cipher text set is obtained;
The LSSS access control policy constructed according to pre-generated common parameter and in advance, uses preset encryption function The content key set is encrypted, key ciphertext set corresponding with the content key set, the key are obtained Ciphertext set includes the LSSS access control policy;
The file cipher text set and the key ciphertext set are uploaded to Cloud Server, to realize that cloud file is total It enjoys.
On the other hand, the present invention provides a kind of cloud file sharing device, described device includes:
First encryption unit, for when receiving the file application requests of file owner's transmission, according to presetting Content key set, treat shared file set using symmetric encipherment algorithm and encrypted, obtain file cipher text set;
Second encryption unit, the common parameter pre-generated for basis and the LSSS access control policy constructed in advance, The content key set is encrypted using preset encryption function, obtains key corresponding with the content key set Ciphertext set, the key ciphertext set include the LSSS access control policy;And
Ciphertext uploading unit, for the file cipher text set and the key ciphertext set to be uploaded to Cloud Server, To realize cloud file-sharing.
On the other hand, the present invention also provides a kind of calculating equipment, including memory, processor and it is stored in described deposit In reservoir and the computer program that can run on the processor, the processor are realized such as when executing the computer program Step described in above-mentioned cloud file sharing method.
On the other hand, the present invention also provides a kind of computer readable storage medium, the computer readable storage mediums It is stored with computer program, is realized as described in above-mentioned cloud file sharing method when the computer program is executed by processor Step.
The present invention is when receiving the file application requests of file owner's transmission, according to content key set, using pair Claim Encryption Algorithm to treat shared file set to be encrypted, obtain file cipher text set, according to common parameter and LSSS access control System strategy, encrypts content cipher key sets using preset encryption function, obtains key corresponding with content key set File cipher text set and key ciphertext set are uploaded to Cloud Server by ciphertext set, to realize cloud file-sharing, thus logical The access tree construction that LSSS access control policy of the invention meets AND gate, OR-gate and " thresholding " is crossed, is realized flexibly Fine-granularity access control, and reduce the storage overhead, communication overhead and the computation complexity of decryption of ciphertext, improve plus The safe coefficient of close efficiency, decryption efficiency and shared data.
Detailed description of the invention
Fig. 1 is the implementation flow chart for the cloud file sharing method that the embodiment of the present invention one provides;
Fig. 2 is the implementation flow chart of cloud file sharing method provided by Embodiment 2 of the present invention;
Fig. 3 is the file access tree schematic diagram constructed in cloud file sharing method provided by Embodiment 2 of the present invention;
Fig. 4 is the schematic diagram in cloud file sharing method provided by Embodiment 2 of the present invention to file access tree optimization;
Fig. 5 is to be converted into the file access tree of optimization in cloud file sharing method provided by Embodiment 2 of the present invention The schematic diagram of LSSS matrix;
Fig. 6 is the structural schematic diagram for the cloud file sharing device that the embodiment of the present invention three provides;
Fig. 7 is the structural schematic diagram for the cloud file sharing device that the embodiment of the present invention four provides;And
Fig. 8 is the structural schematic diagram for the calculating equipment that the embodiment of the present invention five provides.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and It is not used in the restriction present invention.
Specific implementation of the invention is described in detail below in conjunction with specific embodiment:
Embodiment one:
Fig. 1 shows the implementation process of the cloud file sharing method of the offer of the embodiment of the present invention one, for ease of description, Only parts related to embodiments of the present invention are shown, and details are as follows:
In step s101, when receiving the file application requests of file owner's transmission, according to pre-set interior Hold cipher key sets, treats shared file set using symmetric encipherment algorithm and encrypted, obtain file cipher text set.
The embodiment of the present invention is suitable for data processing platform (DPP), equipment or server, such as personal computing devices, server Deng.The embodiment of the present invention mainly includes four file owner, file access person, attribute authority and Cloud Server realities Body, wherein a large amount of file can be carried out primary encryption by file owner, and encrypted ciphertext is stored to Cloud Server, Realize that multifile is shared;File access person is stored in the file of Cloud Server according to the access of itself access authority;In attribute authority The heart is also responsible for defining system property set, it trusts completely, main function other than being responsible for the management of key It is the registration for receiving user, key distribution, user's checking and management attribute domain etc.;Cloud Server main function is to provide ciphertext Storage and file transfer services.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, possessed according to file The pre-set content key set ck={ ck of person1,......,ckk, using symmetric encipherment algorithm (for example, data encryption is calculated Method (Data Encryption Standard, DES), Advanced Encryption Standard (Advanced Encryption Standard, AES it) etc.) treats shared file set to be encrypted, obtains file cipher text set Wherein, file set to be shared includes one or more files to be shared, content key set ck={ ck1,......,ckkIn K-th of content key ckkKey when symmetric encipherment algorithm is used for k-th of file to be shared in file set to be shared,For the corresponding file cipher text of k-th of file to be shared.
Before treating shared file set using symmetric encipherment algorithm and being encrypted, it is preferable that in controlled attribute authorization The heart generates common parameter (public key) PK and main private key MSK by system initialization function Setup (λ), to improve public ginseng The degree of belief of several and main private key.Wherein, λ is default security parameter.
Common parameter (public key) PK and master are generated by system initialization function Setup (λ) in controlled attribute authorization center When private key MSK, it is preferable that implemented by following step:
1) the Bilinear Groups G that a Prime Orders are p, is chosen0、GT, bilinear map e:G0×G0→GT, and choose bilinearity Group G0A generation member g;
2) a hash function H:{ 0,1, is defined }*→G0, and in Zp: two members are randomly choosed in { 0,1 ..., p-1 } domain Plain α and β;
3), pass through formula PK=(G0,p,g,e(g,g)α, h=gβ) common parameter PK is calculated, pass through formula MSK=(gα, Main private key MSK β) is calculated, PK opens to the outside world as public key, and MSK is taken care of as master key by attribute authority.
Through the above steps 1)~3 to) generation that realizes common parameter PK and main private key MSK, it further improves The degree of belief of common parameter and main private key.
In step s 102, the LSSS access control policy constructed according to pre-generated common parameter and in advance uses Preset encryption function encrypts content cipher key sets, obtains key ciphertext set corresponding with content key set.
In embodiments of the present invention, file owner is by common parameter PK, internal content cipher key sets ck= {ck1,......,ckkAnd LSSS access control policy (M, ρ) be input to encryption function CT=Encrypt (PK, ck, (M, In ρ)), content cipher key sets are encrypted by the encryption function, obtain key ciphertext collection corresponding with content key set CT is closed, and key ciphertext set CT includes LSSS access control policy (M, ρ), wherein LSSS access control policy (M, ρ)= {(M1,ρ),(M2,ρ),...,(Mk, ρ) }, the M in LSSS access control policy (M, ρ) is l × n matrix, and l is ciphertext attribute Number, every sub- access strategy (Mi, ρ) in (i ∈ [1, k]) function ρ function by matrix MiIn every a line reflected one by one with attribute It penetrates.
When being encrypted using encryption function CT=Encrypt (PK, ck, (M, ρ)) to content cipher key sets, preferably Ground the encryption to content cipher key sets is realized by following step:
1) in Zp: k random number s is selected in { 0,1 ..., p-1 } domain1、s2、...、skIt is right as encryption exponent secret value In all i=1,2 ..., k calculates CiAnd Ci':
2) one group of random vector set is selectedWherein, LSSS Every sub- access strategy (M in access control policyj, ρ) and (j ∈ [1, k]) and random vectorIt is corresponding, y2,...,ynBe for Sharing encryption exponent secret value si(i∈[1,k]);
3) it calculatesAnd in Zp: l random number λ is selected in { 0,1 ..., p-1 } domain1,j、λ2,j、...、λl,jAs attribute mask, wherein i ∈ [1, l], j ∈ [1, k], Mi,jFor j-th of matrix MjThe i-th row,For with Machine vector setIn j-th of vector;
4) for i ∈ [1, l], C is calculated1,iAnd C2,i:C2,ii,ji,j
5) according to ciphertext formulaMeter Calculate key ciphertext set CT.
Through the above steps 1)~5 to) encryption to file cipher text set is realized, it obtains and file set to be shared Corresponding key ciphertext set improves efficiency and safe coefficient to shared file encryption.
In step s 103, file cipher text set and key ciphertext set are uploaded to Cloud Server, to realize cloud text Part is shared.
In embodiments of the present invention, file owner is by file cipher text set Eck(M) and it is corresponding with this document ciphertext set Key ciphertext set CT be uploaded to Cloud Server, so that file access person accesses corresponding file in Cloud Server, thus real Existing cloud file-sharing.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, according to content key Set, treats shared file set using symmetric encipherment algorithm and is encrypted, obtain file cipher text set, according to common parameter and LSSS access control policy encrypts content cipher key sets using encryption function, obtains corresponding with content key set File cipher text set and key ciphertext set are uploaded to Cloud Server by key ciphertext set, to realize cloud file-sharing, from And LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes Flexible fine-granularity access control, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves The safe coefficient of encryption efficiency, decryption efficiency and shared data.
Embodiment two:
Fig. 2 shows the implementation processes of cloud file sharing method provided by Embodiment 2 of the present invention, for ease of description, Only parts related to embodiments of the present invention are shown, and details are as follows:
In step s 201, when receiving the file application requests of file owner's transmission, file owner's root is controlled Each file in shared file set, which is treated, according to preset system property set constructs corresponding file access tree one by one.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, file owner's root The system property set defined according to attribute authority treats each file in shared file set and constructs corresponding file one by one Access tree, i.e., different files have different access strategies.
As illustratively, file owner is by file set M={ m1,m2,m3Cloud Server is uploaded to after encryption, it is first First, according to system property set Y={ E, H, I, M, N, O, P, Q, R, S, T } to file m1Construct file access tree T1, to file m2 Construct file access tree T2, to file m3Construct file access tree T3, Fig. 3 shows file access tree T1, file access tree T2With And file access tree T3, T1The attribute set Y of corresponding access strategy1={ E, H, I, M, N, O, P, Q, R, S, T }, T2It is corresponding The attribute set Y of access strategy2={ H, M, N }, T3The attribute set Y of corresponding access strategy3={ M, N }.
In step S202, it is excellent that transmission node is carried out to each file access tree according to the preset transmission node principle of optimality Change.
In embodiments of the present invention, each file access tree is being transmitted according to the preset transmission node principle of optimality When node optimization, it is preferable that according to top-down mode, traversed from the root node of each file access tree, work as traversal Out in file access tree transmission node be not all child nodes under hierarchy node and the transmission node do not include yet hierarchy node, Or transmission node and its child node then delete corresponding transmission node subtree when not carrying any hierarchy node information Remove, to be optimized to file access tree, thus realize child node (attribute) reduce, avoid subsequent non-essential cryptographic calculation and Data storage, improves encryption efficiency, reduces data storage overhead.
As illustratively, Fig. 4 shows the hierarchical access tree T that data owner defines according to system property set, layering It include four hierarchy nodes (i.e. four access levels (x1, y1), (x2, y2), (x3, y3) and (x4, y4)) in access tree T, System property collection is combined into S={ E, H, I, K, N, O, P, Q, R, S, T }, threshold set node be T=r, A, B, C, D, F, G, J, L, M }, wherein transmission node is { r, A, B, C, D, F, G }, however, transmission node B, D, F do not carry class information, it therefore, will The corresponding transmission node subtree of transmission node B, D, F is deleted, hierarchical access tree T' after being optimized, as shown in Figure 4.
In step S203, file access tree after optimization, all is converted to according to preset matrix conversion rule Corresponding sub- LSSS matrix.
In embodiments of the present invention, according to preset matrix conversion rule by file access tree after optimization, all When being converted to corresponding sub- LSSS matrix, it is preferable that firstly, one global counter variable c of initialization is 1, traversed file After access tree, then c, that is, vector extreme length is from top to bottom marked the node of file access tree, is labeled as to working as When the father node of vector v is " OR " door, then its child node is also indicated as v (variable c is constant), when the father labeled as vector v saves It is the vector v distributed by the father node by a sub- vertex ticks when point is " AND " door | 1 (father node | child node connection), mark Another child node for remembering the father node is vector (0 ..., 0) | -1, wherein what (0 ..., 0) indicated is that the length of 0 vector is The leaf node (i.e. attribute) that vector marks is converted into each in LSSS matrix by c finally, once completing the label entirely set Row will fill vector 0 in vector tail portion, to reach identical vector length, to pass through son if these vector lengths are different LSSS matrix, which is realized, stores non-essential child node (attribute) without computations and data, improves and adds to shared file Close efficiency, and reduce the storage overhead of ciphertext.
As illustratively, Fig. 5 is shown the file access tree T after optimization1′、T2' and T3' according to matrix conversion rule It is converted into corresponding sub- LSSS matrix M respectively1、M2And M3
In step S204, file set to be shared is constructed by all corresponding sub- access strategies of sub- LSSS matrix LSSS access control policy.
In embodiments of the present invention, according to file set M={ m to be shared1,......,mkIn quantity of documents generate pair Answer the sub- LSSS matrix M of quantity1、M2、...、Mk, every sub- LSSS matrix Mj(j ∈ [1, k]) corresponds to a sub- access strategy (Mj, ρ), the LSSS access control policy of file set to be shared is then the set of sub- access strategy, i.e. LSSS access control policy is (M, ρ)={ (M1,ρ),(M2,ρ),...,(Mk, ρ) }, and sub- LSSS matrix M1Attribute including all access strategies, i.e., it is sub There are such relationships for attribute in LSSS matrix:
In step S205, according to pre-set content key set, shared file is treated using symmetric encipherment algorithm Set is encrypted, and file cipher text set is obtained.
In step S206, according to common parameter and LSSS access control policy, using preset encryption function to content Cipher key sets are encrypted, and key ciphertext set corresponding with content key part set is obtained.
In step S207, file cipher text set and key ciphertext set are uploaded to Cloud Server, to realize cloud text Part is shared.
In the step of present invention is implemented, and step S205~step S207 specific embodiment can refer to embodiment one The description of S101- step S103, details are not described herein.
In step S208, when receive file access person transmission file access request when, control file access person from Attribute authority obtains the private key for user of file access person, and private key for user includes user property collection corresponding with file access person It closes.
In embodiments of the present invention, when receiving the file access request of file access person's transmission, attribute authority According to this document access request, using main private key MSK and the corresponding user property set of this document visitor as input, by close The private key for user of key generating function KeyGen (MSK, S) generation file access person.
File access person is before sending file access request, it is preferable that file access person carries out in attribute authority Registration, in registration, attribute authority verifies the legitimacy of file access person's identity, is this article after being verified Part visitor's distributing user attribute set, to improve the safety of cloud file access.
When generating the private key for user of file access person by key-function KeyGen (MSK, S), it is preferable that work as text After the legitimate verification of part visitor's identity passes through, pass through formulaCalculation document The private key for user of visitor, wherein K0=gαhr, K1=gr,R is Zp: 0,1 ..., and p-1 } domain In a random element, user property set S={ A1,...,Ax, AxFor x-th of attribute in S, to further increase cloud text The safety of part access.
In step S209, according to common parameter and private key for user, using preset decryption function in Cloud Server Key ciphertext set is decrypted, and obtains access content key set corresponding with user property set.
In embodiments of the present invention, file access person is by common parameter PK, private key for user SK and key ciphertext set CT It is input in decryption function Decrypt (PK, CT, SK), by the decryption function to the key ciphertext set CT in Cloud Server It is decrypted, obtains access content key set corresponding with user property set.
When key ciphertext set is decrypted, it is preferable that realize the solution to key ciphertext set by following step It is close:
1) according to LSSS access control policy, the file access strategy for meeting user property set is obtained.
In embodiments of the present invention, when acquisition meets the file access strategy of user property set, it is preferable that judgement is used Whether family attribute set S meets LSSS access control policy (M, ρ)={ (M1,ρ),(M2,ρ),...,(Mk, ρ) } in any one A sub- access strategy is then, by the sub- access strategy (M of satisfactionj, ρ) and (j ∈ [1, k]) be set as file access strategy, otherwise, This document visitor does not have access shared file permission, i.e. shared file access failure.
Data consumer's dependence authorization center obtains private key SK first, if the attribute set S of user and access strategy (M, ρ)={ (M1,ρ),...,(Mk, ρ) } any one of all mismatch, then the user do not have access authority, i.e., decryption failure; Otherwise, it indicates that the user has access authority, can decrypt and obtain corresponding clear data.If meeting access strategy (M1, ρ), then It can decrypt and obtain all the elements key ck, finally obtain All Files;When due to access strategy design, by access strategy (M1,ρ) Being defined as that access authority is maximum, i.e., it includes all properties of entire access strategy, and so on, user can obtain its visit Ask the clear data in extent of competence.
2) corresponding access content key set is decrypted according to file access strategy.
In embodiments of the present invention, when being designed due to access strategy, by sub- access strategy (M1, ρ) and it is defined as access authority Maximum, i.e., it includes all properties of entire access strategy, therefore, when file access strategy is (M1, ρ) when, then it can decrypt All the elements key ck is obtained, All Files are finally obtained, and so on, file access person can decrypt its access authority model Interior content key is enclosed, to access corresponding clear data.
When decrypting corresponding access content key set according to file access strategy, it is preferable that
Firstly, passing through ∑i∈Sωi·Mi,j=(1,0 ..., 0) calculate ωi, and make ωi∈Zp, wherein Mi,jFor matrix MjThe i-th row, then pass through formulaMeter Calculate i-th of user property Ai, finally, passing through formulaCalculate correspondence Access content key, with by these access content keys is constituted access content key set.
Through the above steps, the adaptability and confidence level of the access content key decrypted can be improved.
In step S210, according to access content key set, using symmetrical decipherment algorithm to the file in Cloud Server Ciphertext set is decrypted, and obtains that content key set is corresponding accesses plaintext document set with access.
In embodiments of the present invention, according to access content key set, using symmetrical decipherment algorithm to the text in Cloud Server Part ciphertext set Eck(M) it is decrypted, obtains that content key set is corresponding accesses plaintext document set with access, for example, if Ck={ ck is combined into according to the access content key collection that user property decrypting set goes outi,cki+1,......,ckk, according to the access Content key set, is decrypted using symmetrical decipherment algorithm, then the access plaintext document collection obtained is combined into M={ mi,mi+1,..., mk}。
In embodiments of the present invention, when file-sharing, attribute unrelated in the file access tree of each file to be shared is moved It removes, while each file access tree is converted into sub- LSSS matrix, using multiple sub- LSSS matrixes as the access structure in ciphertext, When file access, the file access for meeting the self-contained user property of file access person is obtained in LSSS access control policy Strategy decrypts corresponding content key according to this document access strategy, while obtaining corresponding file by symmetrically decryption, thus LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes spirit Fine-granularity access control living, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves The safe coefficient of encryption efficiency, decryption efficiency and shared data.
Embodiment three:
The structure that Fig. 6 shows the cloud file sharing device of the offer of the embodiment of the present invention three is only shown for ease of description Go out part related to the embodiment of the present invention, including:
First encryption unit 61, for when receiving the file application requests of file owner's transmission, according to setting in advance The content key set set is treated shared file set using symmetric encipherment algorithm and is encrypted, obtains file cipher text set;
Second encryption unit 62, for according to the common parameter pre-generated and the LSSS access control plan constructed in advance Slightly, content cipher key sets are encrypted using preset encryption function, obtain key ciphertext corresponding with content key set Set;And
Ciphertext uploading unit 63, for file cipher text set and key ciphertext set to be uploaded to Cloud Server, to realize Cloud file-sharing.
In embodiments of the present invention, each unit of cloud file sharing device can be real by corresponding hardware or software unit Existing, each unit can be independent soft and hardware unit, also can integrate as a soft and hardware unit, herein not to limit this Invention.Specifically, the embodiment of each unit can refer to the description of previous embodiment one, and details are not described herein.
Example IV:
The structure that Fig. 7 shows the cloud file sharing device of the offer of the embodiment of the present invention four is only shown for ease of description Go out part related to the embodiment of the present invention, including:
Access tree structural unit 70, when receiving the file application requests of file owner's transmission, control file possesses Person treats each file in shared file set according to preset system property set and constructs corresponding file access tree one by one;
Node optimization unit 71, for being transmitted according to the preset transmission node principle of optimality to each file access tree Node optimization;
Matrix conversion unit 72, for according to preset matrix conversion rule by file access tree after optimization, all Be converted to corresponding sub- LSSS matrix;
Access strategy construction unit 73, it is to be shared for being constructed by all corresponding sub- access strategies of sub- LSSS matrix The LSSS access control policy of file set;
First encryption unit 74, for being treated altogether using symmetric encipherment algorithm according to pre-set content key set It enjoys file set to be encrypted, obtains file cipher text set;
Second encryption unit 75, for using preset encryption function according to common parameter and LSSS access control policy Content cipher key sets are encrypted, key ciphertext set corresponding with content key set is obtained;
Ciphertext uploading unit 76, for file cipher text set and key ciphertext set to be uploaded to Cloud Server, to realize Cloud file-sharing;
Private key for user acquiring unit 77, for when receiving the file access request of file access person's transmission, control to be literary Part visitor's dependence authorization center obtains the private key for user of file access person, and private key for user includes corresponding with file access person User property set;And
Key ciphertext decryption unit 78 is used for according to common parameter and private key for user, using preset decryption function to cloud Key ciphertext set in server is decrypted, and obtains access content key set corresponding with user property set;And
File cipher text decryption unit 79 is used for according to access content key set, using symmetrical decipherment algorithm to cloud service File cipher text set in device is decrypted, and obtains that content key set is corresponding accesses plaintext document set with access.
Preferably, key ciphertext decryption unit 78 includes:
Access strategy acquiring unit 781, for obtaining the text for meeting user property set according to LSSS access control policy Part access strategy;And
Content key decryption unit 782, for decrypting corresponding access content key set according to file access strategy.
In embodiments of the present invention, each unit of cloud file sharing device can be real by corresponding hardware or software unit Existing, each unit can be independent soft and hardware unit, also can integrate as a soft and hardware unit, herein not to limit this Invention.Specifically, the embodiment of each unit can refer to the description of preceding method embodiment, and details are not described herein.
Embodiment five:
Fig. 8 shows the structure of the calculating equipment of the offer of the embodiment of the present invention five, for ease of description, illustrates only and this The relevant part of inventive embodiments.
The calculating equipment 8 of the embodiment of the present invention includes processor 80, memory 81 and is stored in memory 81 and can The computer program 82 run on processor 80.The processor 80 realizes that above-mentioned cloud file is total when executing computer program 82 Enjoy the step in embodiment of the method, such as step S101 to S103 shown in FIG. 1.Alternatively, processor 80 executes computer program The function of each unit in above-mentioned each Installation practice, such as the function of unit 61 to 63 shown in Fig. 6 are realized when 82.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, according to content key Set, treats shared file set using symmetric encipherment algorithm and is encrypted, obtain file cipher text set, according to common parameter and LSSS access control policy encrypts content cipher key sets using encryption function, obtains corresponding with content key set File cipher text set and key ciphertext set are uploaded to Cloud Server by key ciphertext set, to realize cloud file-sharing, from And LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes Flexible fine-granularity access control, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves The safe coefficient of encryption efficiency, decryption efficiency and shared data.
The calculating equipment of the embodiment of the present invention can be personal computing devices, server.Processor 80 in the calculating equipment 8 Realize that the step of realizing when the file sharing method of cloud can refer to the description of preceding method embodiment when executing computer program 82, Details are not described herein.
Embodiment six:
In embodiments of the present invention, a kind of computer readable storage medium is provided, which deposits Computer program is contained, which realizes the step in above-mentioned cloud file sharing method embodiment when being executed by processor Suddenly, for example, step S101 to S103 shown in FIG. 1.Alternatively, the computer program realizes above-mentioned each device when being executed by processor The function of each unit in embodiment, such as the function of unit 61 to 63 shown in Fig. 6.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, according to content key Set, treats shared file set using symmetric encipherment algorithm and is encrypted, obtain file cipher text set, according to common parameter and LSSS access control policy encrypts content cipher key sets using encryption function, obtains corresponding with content key set File cipher text set and key ciphertext set are uploaded to Cloud Server by key ciphertext set, to realize cloud file-sharing, from And LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes Flexible fine-granularity access control, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves The safe coefficient of encryption efficiency, decryption efficiency and shared data.
The computer readable storage medium of the embodiment of the present invention may include can carry computer program code any Entity or device, recording medium, for example, the memories such as ROM/RAM, disk, CD, flash memory.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all in essence of the invention Made any modifications, equivalent replacements, and improvements etc., should all be included in the protection scope of the present invention within mind and principle.

Claims (10)

1. a kind of cloud file sharing method, which is characterized in that the method includes the following steps:
When receiving the file application requests of file owner's transmission, according to pre-set content key set, using pair Claim Encryption Algorithm to treat shared file set to be encrypted, obtains file cipher text set;
The LSSS access control policy constructed according to pre-generated common parameter and in advance, using preset encryption function to institute It states content key set to be encrypted, obtains key ciphertext set corresponding with the content key set, the key ciphertext Set includes the LSSS access control policy;
The file cipher text set and the key ciphertext set are uploaded to Cloud Server, to realize cloud file-sharing.
2. the method as described in claim 1, which is characterized in that carried out by symmetric encipherment algorithm to file set to be shared Before the step of encryption, the method also includes:
The file owner is controlled according to preset system property set to each file one in the file set to be shared The corresponding file access tree of one construction;
Transmission node optimization is carried out to each file access tree according to the preset transmission node principle of optimality;
After optimization, all file access trees are converted into corresponding sub- LSSS square according to preset matrix conversion rule Battle array;
The LSSS access of the file set to be shared is constructed by the corresponding sub- access strategy of all sub- LSSS matrixes Control strategy.
3. the method as described in claim 1, which is characterized in that close the file cipher text set and the key ciphertext collection After the step of reaching Cloud Server, the method also includes:
When receiving the file access request of file access person's transmission, controls file access person's dependence authorization center and obtain The private key for user of the file access person is obtained, the private key for user includes user property collection corresponding with the file access person It closes;
According to the common parameter and the private key for user, using preset decryption function to described close in the Cloud Server Key ciphertext set is decrypted, and obtains access content key set corresponding with the user property set;
According to the access content key set, using symmetrical decipherment algorithm to the file cipher text collection in the Cloud Server Conjunction is decrypted, and obtains corresponding with the access content key set accessing plaintext document set.
4. method as claimed in claim 3, which is characterized in that using preset decryption function to the institute in the Cloud Server State the step of key ciphertext set is decrypted, comprising:
According to the LSSS access control policy, the file access strategy for meeting the user property set is obtained;
The corresponding access content key set is decrypted according to the file access strategy.
5. a kind of cloud file sharing device, which is characterized in that described device includes:
First encryption unit, for when receive file owner transmission file application requests when, according to pre-set interior Hold cipher key sets, treats shared file set using symmetric encipherment algorithm and encrypted, obtain file cipher text set;
Second encryption unit, for using according to the common parameter pre-generated and the LSSS access control policy constructed in advance Preset encryption function encrypts the content key set, obtains key ciphertext corresponding with the content key set Set, the key ciphertext set include the LSSS access control policy;And
Ciphertext uploading unit, for the file cipher text set and the key ciphertext set to be uploaded to Cloud Server, with reality Existing cloud file-sharing.
6. device as claimed in claim 5, which is characterized in that described device further include:
Access tree structural unit, for controlling the file owner according to preset system property set to the text to be shared Each file constructs corresponding file access tree one by one in part set;
Node optimization unit, for carrying out transmission section to each file access tree according to the preset transmission node principle of optimality Point optimization;
Matrix conversion unit, for being turned after optimization, all file access trees according to preset matrix conversion rule It is changed to corresponding sub- LSSS matrix;And
Access strategy construction unit, for described to altogether by the corresponding sub- access strategy building of all sub- LSSS matrixes Enjoy the LSSS access control policy of file set.
7. device as claimed in claim 5, which is characterized in that described device further include:
Private key for user acquiring unit, for controlling the file when receiving the file access request of file access person's transmission Visitor's dependence authorization center obtains the private key for user of the file access person, and the private key for user includes to visit with the file The corresponding user property set of the person of asking;
Key ciphertext decryption unit, for using preset decryption function pair according to the common parameter and the private key for user The key ciphertext set in the Cloud Server is decrypted, and obtains access content corresponding with the user property set Cipher key sets;And
File cipher text decryption unit, for being taken to the cloud using symmetrical decipherment algorithm according to the access content key set The file cipher text set in business device is decrypted, and obtains corresponding with the access content key set accessing plaintext document Set.
8. device as claimed in claim 7, which is characterized in that the key ciphertext decryption unit includes:
Access strategy acquiring unit, for according to the LSSS access control policy, acquisition to meet the user property set File access strategy;And
Content key decryption unit, for decrypting the corresponding access content key collection according to the file access strategy It closes.
9. a kind of calculating equipment, including memory, processor and storage are in the memory and can be on the processor The computer program of operation, which is characterized in that the processor realizes such as Claims 1-4 when executing the computer program The step of any one the method.
10. a kind of computer readable storage medium, the computer-readable recording medium storage has computer program, and feature exists In when the computer program is executed by processor the step of any one of such as Claims 1-4 of realization the method.
CN201811251351.4A 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium Active CN109327448B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811251351.4A CN109327448B (en) 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium
PCT/CN2019/079646 WO2020082688A1 (en) 2018-10-25 2019-03-26 Cloud-end file sharing method and apparatus, and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811251351.4A CN109327448B (en) 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109327448A true CN109327448A (en) 2019-02-12
CN109327448B CN109327448B (en) 2020-10-09

Family

ID=65261812

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811251351.4A Active CN109327448B (en) 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium

Country Status (2)

Country Link
CN (1) CN109327448B (en)
WO (1) WO2020082688A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110888853A (en) * 2019-11-26 2020-03-17 廊坊新奥燃气有限公司 Data management system and method
WO2020082688A1 (en) * 2018-10-25 2020-04-30 深圳技术大学 Cloud-end file sharing method and apparatus, and device and storage medium
WO2020082687A1 (en) * 2018-10-25 2020-04-30 深圳技术大学 File sharing method and apparatus based on cp-abe layered access control, and device and medium
CN112559468A (en) * 2021-02-26 2021-03-26 中关村科学城城市大脑股份有限公司 Data sharing method and system based on urban brain

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8559631B1 (en) * 2013-02-09 2013-10-15 Zeutro Llc Systems and methods for efficient decryption of attribute-based encryption
CN104022868A (en) * 2014-02-18 2014-09-03 杭州师范大学 Outsourcing decryption method of attribute-based encryption based on ciphertext policy
CN104036050A (en) * 2014-07-04 2014-09-10 福建师范大学 Complex query method for encrypted cloud data
WO2014174045A1 (en) * 2013-04-24 2014-10-30 Nec Europe Ltd. Method and system for enforcing access control policies on data
CN104883254A (en) * 2015-06-12 2015-09-02 深圳大学 Cloud computing platform oriented cryptograph access control system and access control method thereof
CN105406967A (en) * 2015-12-10 2016-03-16 西安电子科技大学 Hierarchical attribute encryption method
CN106411962A (en) * 2016-12-15 2017-02-15 中国科学技术大学 Data storage method combining user side access control and cloud access control

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105897812B (en) * 2015-04-10 2019-04-23 杭州远眺科技有限公司 It is a kind of suitable for mixing the data safety sharing method under cloud environment
CN105991278B (en) * 2016-07-11 2019-06-28 河北省科学院应用数学研究所 A kind of ciphertext access control method based on CP-ABE
CN109327448B (en) * 2018-10-25 2020-10-09 深圳技术大学(筹) Cloud file sharing method, device, equipment and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8559631B1 (en) * 2013-02-09 2013-10-15 Zeutro Llc Systems and methods for efficient decryption of attribute-based encryption
WO2014174045A1 (en) * 2013-04-24 2014-10-30 Nec Europe Ltd. Method and system for enforcing access control policies on data
CN104022868A (en) * 2014-02-18 2014-09-03 杭州师范大学 Outsourcing decryption method of attribute-based encryption based on ciphertext policy
CN104036050A (en) * 2014-07-04 2014-09-10 福建师范大学 Complex query method for encrypted cloud data
CN104883254A (en) * 2015-06-12 2015-09-02 深圳大学 Cloud computing platform oriented cryptograph access control system and access control method thereof
CN105406967A (en) * 2015-12-10 2016-03-16 西安电子科技大学 Hierarchical attribute encryption method
CN106411962A (en) * 2016-12-15 2017-02-15 中国科学技术大学 Data storage method combining user side access control and cloud access control

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KAN YANG等: ""Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud"", 《IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS》 *
吴杰铭: ""基于属性加密算法的云存储研究"", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020082688A1 (en) * 2018-10-25 2020-04-30 深圳技术大学 Cloud-end file sharing method and apparatus, and device and storage medium
WO2020082687A1 (en) * 2018-10-25 2020-04-30 深圳技术大学 File sharing method and apparatus based on cp-abe layered access control, and device and medium
CN110888853A (en) * 2019-11-26 2020-03-17 廊坊新奥燃气有限公司 Data management system and method
CN112559468A (en) * 2021-02-26 2021-03-26 中关村科学城城市大脑股份有限公司 Data sharing method and system based on urban brain

Also Published As

Publication number Publication date
WO2020082688A1 (en) 2020-04-30
CN109327448B (en) 2020-10-09

Similar Documents

Publication Publication Date Title
CN109559124A (en) A kind of cloud data safety sharing method based on block chain
CN104486315B (en) A kind of revocable key outsourcing decryption method based on contents attribute
CN110099043A (en) The hiding more authorization center access control methods of support policy, cloud storage system
CN106059763B (en) The properties base multi-mechanism hierarchical Ciphertext policy weight encryption method of cloud environment
Zaghloul et al. P-MOD: Secure privilege-based multilevel organizational data-sharing in cloud computing
CN107864139A (en) A kind of cryptography attribute base access control method and system based on dynamic rules
CN109327448A (en) A kind of cloud file sharing method, device, equipment and storage medium
CN108390876A (en) Revocation outsourcing is supported to can verify that more authorization center access control methods, Cloud Server
CN108418784A (en) A kind of distributed cross-domain authorization and access control method based on properties secret
CN105100083B (en) A kind of secret protection and support user's revocation based on encryption attribute method and system
CN107359986A (en) The outsourcing encryption and decryption CP ABE methods of user revocation
CN106656997B (en) One kind being based on the cross-domain friend-making method for secret protection of mobile social networking proxy re-encryption
CN108111540A (en) The hierarchical access control system and method for data sharing are supported in a kind of cloud storage
CN109617855A (en) File sharing method, device, equipment and medium based on the control of CP-ABE hierarchical access
CN115296817B (en) Data access control method based on block chain technology and attribute encryption
Jiang et al. Attribute-based encryption with blockchain protection scheme for electronic health records
CN106612169A (en) Safe data sharing method in cloud environment
CN108600174A (en) A kind of access control mechanisms and its implementation of big merger network
Chaudhary et al. RMA-CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT devices
CN106612175A (en) Proxy re-encryption algorithm for multi-element access control in mobile cloud
CN113055164A (en) Cipher text strategy attribute encryption algorithm based on state cipher
CN117097469A (en) Data hierarchical access control method based on attribute encryption
Zhang et al. A traceable and revocable multi-authority attribute-based access control scheme for mineral industry data secure storage in blockchain
CN116319058A (en) Access control method based on attribute and strategy hiding of blockchain
CN114124392B (en) Data controlled circulation method, system, device and medium supporting access control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant