CN109327448A - A kind of cloud file sharing method, device, equipment and storage medium - Google Patents
A kind of cloud file sharing method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN109327448A CN109327448A CN201811251351.4A CN201811251351A CN109327448A CN 109327448 A CN109327448 A CN 109327448A CN 201811251351 A CN201811251351 A CN 201811251351A CN 109327448 A CN109327448 A CN 109327448A
- Authority
- CN
- China
- Prior art keywords
- file
- access
- key
- lsss
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present invention is applicable in ciphertext access control technology field, provide a kind of cloud file sharing method, device, equipment and storage medium, this method comprises: when receiving the file application requests of file owner's transmission, according to content key set, shared file set is treated using symmetric encipherment algorithm to be encrypted, obtain file cipher text set, according to common parameter and LSSS access control policy, function is calculated using encryption to encrypt content cipher key sets, obtain key ciphertext set corresponding with content key set, file cipher text set and key ciphertext set are uploaded to Cloud Server, to realize cloud file-sharing, to which LSSS access control policy through the invention meets AND gate, the access tree construction of OR-gate and " thresholding ", realize flexible fine-granularity access control, and reduce ciphertext Storage overhead, communication overhead and the computation complexity of decryption, improve the safe coefficient of encryption efficiency, decryption efficiency and shared data.
Description
Technical field
The invention belongs to ciphertext access control technology field more particularly to a kind of cloud file sharing methods, device, equipment
And storage medium.
Background technique
As the development of cloud computing and big data use the increase step by step of scale, data become the information of most worthy,
The data of oneself are stored on Cloud Server by people has become a kind of trend, and the use of cloud data and shares to people
Offering convenience property of life and work while, also bring unprecedented data safety risk, therefore, how to realize to cloud
Controlled share of data becomes urgent problem to be solved.
In order to solve the controlled sharing problem of cloud data, while private data being avoided to be stolen, traditional method is to pass through
User encrypts data to be shared, then Cloud Server is transmitted in the form of ciphertext, this to be divided using encipherment scheme
The user that these encryption datas are sent out to special group is very inefficient, and cannot ensure that data are overall safeties, if wanting to ensure to count
According to safety can realize that wherein access control is that unauthorized user is prevented to access by designing the access control of encryption mechanism
First of security perimeter of cloud private data, so access control technology is particularly important.
In order to avoid the sensitive data of superuser unauthorized access user, while can be realized in cloud storage environment again
Fine-granularity access control, Sahai et al. proposed in 2005 attribute base encryption (Attribute BasedEncryption,
ABE concept), ABE can carry out fine granularity control to shared data and reduce the workload of private key storage and distribution, however
Basic ABE can not support flexible access control policy.Therefore, Bethencourt et al. is proposed suitable for access control
The ciphertext policy ABE base of class application encrypts (Ciphertext Policy-Attribute Based Encryption, CP-
ABE specifically whose decryption to require no knowledge about when the side's of encryption encryption information by flexible access strategy by) mechanism, CP-ABE,
And decryption side only needs to meet corresponding conditions and can decrypt.Many scholars at home and abroad study CP-ABE algorithm, although obtaining
Obtained many achievements but the specific implementation model that is combined with practical application there are also many problems demands to study, for example, how structure
Access control structure easy to maintain is made, the ability to express etc. of access control how is enhanced.
Summary of the invention
The purpose of the present invention is to provide a kind of cloud file sharing method, device, equipment and storage mediums, it is intended to solve
Since the prior art can not provide a kind of effective access control method, lead to shared data low problem safely.
On the one hand, the present invention provides a kind of cloud file sharing method, the method includes the following steps:
When receiving the file application requests of file owner's transmission, according to pre-set content key set, make
Shared file set is treated with symmetric encipherment algorithm to be encrypted, and file cipher text set is obtained;
The LSSS access control policy constructed according to pre-generated common parameter and in advance, uses preset encryption function
The content key set is encrypted, key ciphertext set corresponding with the content key set, the key are obtained
Ciphertext set includes the LSSS access control policy;
The file cipher text set and the key ciphertext set are uploaded to Cloud Server, to realize that cloud file is total
It enjoys.
On the other hand, the present invention provides a kind of cloud file sharing device, described device includes:
First encryption unit, for when receiving the file application requests of file owner's transmission, according to presetting
Content key set, treat shared file set using symmetric encipherment algorithm and encrypted, obtain file cipher text set;
Second encryption unit, the common parameter pre-generated for basis and the LSSS access control policy constructed in advance,
The content key set is encrypted using preset encryption function, obtains key corresponding with the content key set
Ciphertext set, the key ciphertext set include the LSSS access control policy;And
Ciphertext uploading unit, for the file cipher text set and the key ciphertext set to be uploaded to Cloud Server,
To realize cloud file-sharing.
On the other hand, the present invention also provides a kind of calculating equipment, including memory, processor and it is stored in described deposit
In reservoir and the computer program that can run on the processor, the processor are realized such as when executing the computer program
Step described in above-mentioned cloud file sharing method.
On the other hand, the present invention also provides a kind of computer readable storage medium, the computer readable storage mediums
It is stored with computer program, is realized as described in above-mentioned cloud file sharing method when the computer program is executed by processor
Step.
The present invention is when receiving the file application requests of file owner's transmission, according to content key set, using pair
Claim Encryption Algorithm to treat shared file set to be encrypted, obtain file cipher text set, according to common parameter and LSSS access control
System strategy, encrypts content cipher key sets using preset encryption function, obtains key corresponding with content key set
File cipher text set and key ciphertext set are uploaded to Cloud Server by ciphertext set, to realize cloud file-sharing, thus logical
The access tree construction that LSSS access control policy of the invention meets AND gate, OR-gate and " thresholding " is crossed, is realized flexibly
Fine-granularity access control, and reduce the storage overhead, communication overhead and the computation complexity of decryption of ciphertext, improve plus
The safe coefficient of close efficiency, decryption efficiency and shared data.
Detailed description of the invention
Fig. 1 is the implementation flow chart for the cloud file sharing method that the embodiment of the present invention one provides;
Fig. 2 is the implementation flow chart of cloud file sharing method provided by Embodiment 2 of the present invention;
Fig. 3 is the file access tree schematic diagram constructed in cloud file sharing method provided by Embodiment 2 of the present invention;
Fig. 4 is the schematic diagram in cloud file sharing method provided by Embodiment 2 of the present invention to file access tree optimization;
Fig. 5 is to be converted into the file access tree of optimization in cloud file sharing method provided by Embodiment 2 of the present invention
The schematic diagram of LSSS matrix;
Fig. 6 is the structural schematic diagram for the cloud file sharing device that the embodiment of the present invention three provides;
Fig. 7 is the structural schematic diagram for the cloud file sharing device that the embodiment of the present invention four provides;And
Fig. 8 is the structural schematic diagram for the calculating equipment that the embodiment of the present invention five provides.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right
The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and
It is not used in the restriction present invention.
Specific implementation of the invention is described in detail below in conjunction with specific embodiment:
Embodiment one:
Fig. 1 shows the implementation process of the cloud file sharing method of the offer of the embodiment of the present invention one, for ease of description,
Only parts related to embodiments of the present invention are shown, and details are as follows:
In step s101, when receiving the file application requests of file owner's transmission, according to pre-set interior
Hold cipher key sets, treats shared file set using symmetric encipherment algorithm and encrypted, obtain file cipher text set.
The embodiment of the present invention is suitable for data processing platform (DPP), equipment or server, such as personal computing devices, server
Deng.The embodiment of the present invention mainly includes four file owner, file access person, attribute authority and Cloud Server realities
Body, wherein a large amount of file can be carried out primary encryption by file owner, and encrypted ciphertext is stored to Cloud Server,
Realize that multifile is shared;File access person is stored in the file of Cloud Server according to the access of itself access authority;In attribute authority
The heart is also responsible for defining system property set, it trusts completely, main function other than being responsible for the management of key
It is the registration for receiving user, key distribution, user's checking and management attribute domain etc.;Cloud Server main function is to provide ciphertext
Storage and file transfer services.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, possessed according to file
The pre-set content key set ck={ ck of person1,......,ckk, using symmetric encipherment algorithm (for example, data encryption is calculated
Method (Data Encryption Standard, DES), Advanced Encryption Standard (Advanced Encryption Standard,
AES it) etc.) treats shared file set to be encrypted, obtains file cipher text set
Wherein, file set to be shared includes one or more files to be shared, content key set ck={ ck1,......,ckkIn
K-th of content key ckkKey when symmetric encipherment algorithm is used for k-th of file to be shared in file set to be shared,For the corresponding file cipher text of k-th of file to be shared.
Before treating shared file set using symmetric encipherment algorithm and being encrypted, it is preferable that in controlled attribute authorization
The heart generates common parameter (public key) PK and main private key MSK by system initialization function Setup (λ), to improve public ginseng
The degree of belief of several and main private key.Wherein, λ is default security parameter.
Common parameter (public key) PK and master are generated by system initialization function Setup (λ) in controlled attribute authorization center
When private key MSK, it is preferable that implemented by following step:
1) the Bilinear Groups G that a Prime Orders are p, is chosen0、GT, bilinear map e:G0×G0→GT, and choose bilinearity
Group G0A generation member g;
2) a hash function H:{ 0,1, is defined }*→G0, and in Zp: two members are randomly choosed in { 0,1 ..., p-1 } domain
Plain α and β;
3), pass through formula PK=(G0,p,g,e(g,g)α, h=gβ) common parameter PK is calculated, pass through formula MSK=(gα,
Main private key MSK β) is calculated, PK opens to the outside world as public key, and MSK is taken care of as master key by attribute authority.
Through the above steps 1)~3 to) generation that realizes common parameter PK and main private key MSK, it further improves
The degree of belief of common parameter and main private key.
In step s 102, the LSSS access control policy constructed according to pre-generated common parameter and in advance uses
Preset encryption function encrypts content cipher key sets, obtains key ciphertext set corresponding with content key set.
In embodiments of the present invention, file owner is by common parameter PK, internal content cipher key sets ck=
{ck1,......,ckkAnd LSSS access control policy (M, ρ) be input to encryption function CT=Encrypt (PK, ck, (M,
In ρ)), content cipher key sets are encrypted by the encryption function, obtain key ciphertext collection corresponding with content key set
CT is closed, and key ciphertext set CT includes LSSS access control policy (M, ρ), wherein LSSS access control policy (M, ρ)=
{(M1,ρ),(M2,ρ),...,(Mk, ρ) }, the M in LSSS access control policy (M, ρ) is l × n matrix, and l is ciphertext attribute
Number, every sub- access strategy (Mi, ρ) in (i ∈ [1, k]) function ρ function by matrix MiIn every a line reflected one by one with attribute
It penetrates.
When being encrypted using encryption function CT=Encrypt (PK, ck, (M, ρ)) to content cipher key sets, preferably
Ground the encryption to content cipher key sets is realized by following step:
1) in Zp: k random number s is selected in { 0,1 ..., p-1 } domain1、s2、...、skIt is right as encryption exponent secret value
In all i=1,2 ..., k calculates CiAnd Ci':
2) one group of random vector set is selectedWherein, LSSS
Every sub- access strategy (M in access control policyj, ρ) and (j ∈ [1, k]) and random vectorIt is corresponding, y2,...,ynBe for
Sharing encryption exponent secret value si(i∈[1,k]);
3) it calculatesAnd in Zp: l random number λ is selected in { 0,1 ..., p-1 } domain1′,j、λ2
′,j、...、λl′,jAs attribute mask, wherein i ∈ [1, l], j ∈ [1, k], Mi,jFor j-th of matrix MjThe i-th row,For with
Machine vector setIn j-th of vector;
4) for i ∈ [1, l], C is calculated1,iAnd C2,i:C2,i=λi,j-λi′,j;
5) according to ciphertext formulaMeter
Calculate key ciphertext set CT.
Through the above steps 1)~5 to) encryption to file cipher text set is realized, it obtains and file set to be shared
Corresponding key ciphertext set improves efficiency and safe coefficient to shared file encryption.
In step s 103, file cipher text set and key ciphertext set are uploaded to Cloud Server, to realize cloud text
Part is shared.
In embodiments of the present invention, file owner is by file cipher text set Eck(M) and it is corresponding with this document ciphertext set
Key ciphertext set CT be uploaded to Cloud Server, so that file access person accesses corresponding file in Cloud Server, thus real
Existing cloud file-sharing.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, according to content key
Set, treats shared file set using symmetric encipherment algorithm and is encrypted, obtain file cipher text set, according to common parameter and
LSSS access control policy encrypts content cipher key sets using encryption function, obtains corresponding with content key set
File cipher text set and key ciphertext set are uploaded to Cloud Server by key ciphertext set, to realize cloud file-sharing, from
And LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes
Flexible fine-granularity access control, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves
The safe coefficient of encryption efficiency, decryption efficiency and shared data.
Embodiment two:
Fig. 2 shows the implementation processes of cloud file sharing method provided by Embodiment 2 of the present invention, for ease of description,
Only parts related to embodiments of the present invention are shown, and details are as follows:
In step s 201, when receiving the file application requests of file owner's transmission, file owner's root is controlled
Each file in shared file set, which is treated, according to preset system property set constructs corresponding file access tree one by one.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, file owner's root
The system property set defined according to attribute authority treats each file in shared file set and constructs corresponding file one by one
Access tree, i.e., different files have different access strategies.
As illustratively, file owner is by file set M={ m1,m2,m3Cloud Server is uploaded to after encryption, it is first
First, according to system property set Y={ E, H, I, M, N, O, P, Q, R, S, T } to file m1Construct file access tree T1, to file m2
Construct file access tree T2, to file m3Construct file access tree T3, Fig. 3 shows file access tree T1, file access tree T2With
And file access tree T3, T1The attribute set Y of corresponding access strategy1={ E, H, I, M, N, O, P, Q, R, S, T }, T2It is corresponding
The attribute set Y of access strategy2={ H, M, N }, T3The attribute set Y of corresponding access strategy3={ M, N }.
In step S202, it is excellent that transmission node is carried out to each file access tree according to the preset transmission node principle of optimality
Change.
In embodiments of the present invention, each file access tree is being transmitted according to the preset transmission node principle of optimality
When node optimization, it is preferable that according to top-down mode, traversed from the root node of each file access tree, work as traversal
Out in file access tree transmission node be not all child nodes under hierarchy node and the transmission node do not include yet hierarchy node,
Or transmission node and its child node then delete corresponding transmission node subtree when not carrying any hierarchy node information
Remove, to be optimized to file access tree, thus realize child node (attribute) reduce, avoid subsequent non-essential cryptographic calculation and
Data storage, improves encryption efficiency, reduces data storage overhead.
As illustratively, Fig. 4 shows the hierarchical access tree T that data owner defines according to system property set, layering
It include four hierarchy nodes (i.e. four access levels (x1, y1), (x2, y2), (x3, y3) and (x4, y4)) in access tree T,
System property collection is combined into S={ E, H, I, K, N, O, P, Q, R, S, T }, threshold set node be T=r, A, B, C, D, F, G, J, L,
M }, wherein transmission node is { r, A, B, C, D, F, G }, however, transmission node B, D, F do not carry class information, it therefore, will
The corresponding transmission node subtree of transmission node B, D, F is deleted, hierarchical access tree T' after being optimized, as shown in Figure 4.
In step S203, file access tree after optimization, all is converted to according to preset matrix conversion rule
Corresponding sub- LSSS matrix.
In embodiments of the present invention, according to preset matrix conversion rule by file access tree after optimization, all
When being converted to corresponding sub- LSSS matrix, it is preferable that firstly, one global counter variable c of initialization is 1, traversed file
After access tree, then c, that is, vector extreme length is from top to bottom marked the node of file access tree, is labeled as to working as
When the father node of vector v is " OR " door, then its child node is also indicated as v (variable c is constant), when the father labeled as vector v saves
It is the vector v distributed by the father node by a sub- vertex ticks when point is " AND " door | 1 (father node | child node connection), mark
Another child node for remembering the father node is vector (0 ..., 0) | -1, wherein what (0 ..., 0) indicated is that the length of 0 vector is
The leaf node (i.e. attribute) that vector marks is converted into each in LSSS matrix by c finally, once completing the label entirely set
Row will fill vector 0 in vector tail portion, to reach identical vector length, to pass through son if these vector lengths are different
LSSS matrix, which is realized, stores non-essential child node (attribute) without computations and data, improves and adds to shared file
Close efficiency, and reduce the storage overhead of ciphertext.
As illustratively, Fig. 5 is shown the file access tree T after optimization1′、T2' and T3' according to matrix conversion rule
It is converted into corresponding sub- LSSS matrix M respectively1、M2And M3。
In step S204, file set to be shared is constructed by all corresponding sub- access strategies of sub- LSSS matrix
LSSS access control policy.
In embodiments of the present invention, according to file set M={ m to be shared1,......,mkIn quantity of documents generate pair
Answer the sub- LSSS matrix M of quantity1、M2、...、Mk, every sub- LSSS matrix Mj(j ∈ [1, k]) corresponds to a sub- access strategy (Mj,
ρ), the LSSS access control policy of file set to be shared is then the set of sub- access strategy, i.e. LSSS access control policy is
(M, ρ)={ (M1,ρ),(M2,ρ),...,(Mk, ρ) }, and sub- LSSS matrix M1Attribute including all access strategies, i.e., it is sub
There are such relationships for attribute in LSSS matrix:
In step S205, according to pre-set content key set, shared file is treated using symmetric encipherment algorithm
Set is encrypted, and file cipher text set is obtained.
In step S206, according to common parameter and LSSS access control policy, using preset encryption function to content
Cipher key sets are encrypted, and key ciphertext set corresponding with content key part set is obtained.
In step S207, file cipher text set and key ciphertext set are uploaded to Cloud Server, to realize cloud text
Part is shared.
In the step of present invention is implemented, and step S205~step S207 specific embodiment can refer to embodiment one
The description of S101- step S103, details are not described herein.
In step S208, when receive file access person transmission file access request when, control file access person from
Attribute authority obtains the private key for user of file access person, and private key for user includes user property collection corresponding with file access person
It closes.
In embodiments of the present invention, when receiving the file access request of file access person's transmission, attribute authority
According to this document access request, using main private key MSK and the corresponding user property set of this document visitor as input, by close
The private key for user of key generating function KeyGen (MSK, S) generation file access person.
File access person is before sending file access request, it is preferable that file access person carries out in attribute authority
Registration, in registration, attribute authority verifies the legitimacy of file access person's identity, is this article after being verified
Part visitor's distributing user attribute set, to improve the safety of cloud file access.
When generating the private key for user of file access person by key-function KeyGen (MSK, S), it is preferable that work as text
After the legitimate verification of part visitor's identity passes through, pass through formulaCalculation document
The private key for user of visitor, wherein K0=gαhr, K1=gr,R is Zp: 0,1 ..., and p-1 } domain
In a random element, user property set S={ A1,...,Ax, AxFor x-th of attribute in S, to further increase cloud text
The safety of part access.
In step S209, according to common parameter and private key for user, using preset decryption function in Cloud Server
Key ciphertext set is decrypted, and obtains access content key set corresponding with user property set.
In embodiments of the present invention, file access person is by common parameter PK, private key for user SK and key ciphertext set CT
It is input in decryption function Decrypt (PK, CT, SK), by the decryption function to the key ciphertext set CT in Cloud Server
It is decrypted, obtains access content key set corresponding with user property set.
When key ciphertext set is decrypted, it is preferable that realize the solution to key ciphertext set by following step
It is close:
1) according to LSSS access control policy, the file access strategy for meeting user property set is obtained.
In embodiments of the present invention, when acquisition meets the file access strategy of user property set, it is preferable that judgement is used
Whether family attribute set S meets LSSS access control policy (M, ρ)={ (M1,ρ),(M2,ρ),...,(Mk, ρ) } in any one
A sub- access strategy is then, by the sub- access strategy (M of satisfactionj, ρ) and (j ∈ [1, k]) be set as file access strategy, otherwise,
This document visitor does not have access shared file permission, i.e. shared file access failure.
Data consumer's dependence authorization center obtains private key SK first, if the attribute set S of user and access strategy (M,
ρ)={ (M1,ρ),...,(Mk, ρ) } any one of all mismatch, then the user do not have access authority, i.e., decryption failure;
Otherwise, it indicates that the user has access authority, can decrypt and obtain corresponding clear data.If meeting access strategy (M1, ρ), then
It can decrypt and obtain all the elements key ck, finally obtain All Files;When due to access strategy design, by access strategy (M1,ρ)
Being defined as that access authority is maximum, i.e., it includes all properties of entire access strategy, and so on, user can obtain its visit
Ask the clear data in extent of competence.
2) corresponding access content key set is decrypted according to file access strategy.
In embodiments of the present invention, when being designed due to access strategy, by sub- access strategy (M1, ρ) and it is defined as access authority
Maximum, i.e., it includes all properties of entire access strategy, therefore, when file access strategy is (M1, ρ) when, then it can decrypt
All the elements key ck is obtained, All Files are finally obtained, and so on, file access person can decrypt its access authority model
Interior content key is enclosed, to access corresponding clear data.
When decrypting corresponding access content key set according to file access strategy, it is preferable that
Firstly, passing through ∑i∈Sωi·Mi,j=(1,0 ..., 0) calculate ωi, and make ωi∈Zp, wherein Mi,jFor matrix
MjThe i-th row, then pass through formulaMeter
Calculate i-th of user property Ai, finally, passing through formulaCalculate correspondence
Access content key, with by these access content keys is constituted access content key set.
Through the above steps, the adaptability and confidence level of the access content key decrypted can be improved.
In step S210, according to access content key set, using symmetrical decipherment algorithm to the file in Cloud Server
Ciphertext set is decrypted, and obtains that content key set is corresponding accesses plaintext document set with access.
In embodiments of the present invention, according to access content key set, using symmetrical decipherment algorithm to the text in Cloud Server
Part ciphertext set Eck(M) it is decrypted, obtains that content key set is corresponding accesses plaintext document set with access, for example, if
Ck={ ck is combined into according to the access content key collection that user property decrypting set goes outi,cki+1,......,ckk, according to the access
Content key set, is decrypted using symmetrical decipherment algorithm, then the access plaintext document collection obtained is combined into M={ mi,mi+1,...,
mk}。
In embodiments of the present invention, when file-sharing, attribute unrelated in the file access tree of each file to be shared is moved
It removes, while each file access tree is converted into sub- LSSS matrix, using multiple sub- LSSS matrixes as the access structure in ciphertext,
When file access, the file access for meeting the self-contained user property of file access person is obtained in LSSS access control policy
Strategy decrypts corresponding content key according to this document access strategy, while obtaining corresponding file by symmetrically decryption, thus
LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes spirit
Fine-granularity access control living, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves
The safe coefficient of encryption efficiency, decryption efficiency and shared data.
Embodiment three:
The structure that Fig. 6 shows the cloud file sharing device of the offer of the embodiment of the present invention three is only shown for ease of description
Go out part related to the embodiment of the present invention, including:
First encryption unit 61, for when receiving the file application requests of file owner's transmission, according to setting in advance
The content key set set is treated shared file set using symmetric encipherment algorithm and is encrypted, obtains file cipher text set;
Second encryption unit 62, for according to the common parameter pre-generated and the LSSS access control plan constructed in advance
Slightly, content cipher key sets are encrypted using preset encryption function, obtain key ciphertext corresponding with content key set
Set;And
Ciphertext uploading unit 63, for file cipher text set and key ciphertext set to be uploaded to Cloud Server, to realize
Cloud file-sharing.
In embodiments of the present invention, each unit of cloud file sharing device can be real by corresponding hardware or software unit
Existing, each unit can be independent soft and hardware unit, also can integrate as a soft and hardware unit, herein not to limit this
Invention.Specifically, the embodiment of each unit can refer to the description of previous embodiment one, and details are not described herein.
Example IV:
The structure that Fig. 7 shows the cloud file sharing device of the offer of the embodiment of the present invention four is only shown for ease of description
Go out part related to the embodiment of the present invention, including:
Access tree structural unit 70, when receiving the file application requests of file owner's transmission, control file possesses
Person treats each file in shared file set according to preset system property set and constructs corresponding file access tree one by one;
Node optimization unit 71, for being transmitted according to the preset transmission node principle of optimality to each file access tree
Node optimization;
Matrix conversion unit 72, for according to preset matrix conversion rule by file access tree after optimization, all
Be converted to corresponding sub- LSSS matrix;
Access strategy construction unit 73, it is to be shared for being constructed by all corresponding sub- access strategies of sub- LSSS matrix
The LSSS access control policy of file set;
First encryption unit 74, for being treated altogether using symmetric encipherment algorithm according to pre-set content key set
It enjoys file set to be encrypted, obtains file cipher text set;
Second encryption unit 75, for using preset encryption function according to common parameter and LSSS access control policy
Content cipher key sets are encrypted, key ciphertext set corresponding with content key set is obtained;
Ciphertext uploading unit 76, for file cipher text set and key ciphertext set to be uploaded to Cloud Server, to realize
Cloud file-sharing;
Private key for user acquiring unit 77, for when receiving the file access request of file access person's transmission, control to be literary
Part visitor's dependence authorization center obtains the private key for user of file access person, and private key for user includes corresponding with file access person
User property set;And
Key ciphertext decryption unit 78 is used for according to common parameter and private key for user, using preset decryption function to cloud
Key ciphertext set in server is decrypted, and obtains access content key set corresponding with user property set;And
File cipher text decryption unit 79 is used for according to access content key set, using symmetrical decipherment algorithm to cloud service
File cipher text set in device is decrypted, and obtains that content key set is corresponding accesses plaintext document set with access.
Preferably, key ciphertext decryption unit 78 includes:
Access strategy acquiring unit 781, for obtaining the text for meeting user property set according to LSSS access control policy
Part access strategy;And
Content key decryption unit 782, for decrypting corresponding access content key set according to file access strategy.
In embodiments of the present invention, each unit of cloud file sharing device can be real by corresponding hardware or software unit
Existing, each unit can be independent soft and hardware unit, also can integrate as a soft and hardware unit, herein not to limit this
Invention.Specifically, the embodiment of each unit can refer to the description of preceding method embodiment, and details are not described herein.
Embodiment five:
Fig. 8 shows the structure of the calculating equipment of the offer of the embodiment of the present invention five, for ease of description, illustrates only and this
The relevant part of inventive embodiments.
The calculating equipment 8 of the embodiment of the present invention includes processor 80, memory 81 and is stored in memory 81 and can
The computer program 82 run on processor 80.The processor 80 realizes that above-mentioned cloud file is total when executing computer program 82
Enjoy the step in embodiment of the method, such as step S101 to S103 shown in FIG. 1.Alternatively, processor 80 executes computer program
The function of each unit in above-mentioned each Installation practice, such as the function of unit 61 to 63 shown in Fig. 6 are realized when 82.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, according to content key
Set, treats shared file set using symmetric encipherment algorithm and is encrypted, obtain file cipher text set, according to common parameter and
LSSS access control policy encrypts content cipher key sets using encryption function, obtains corresponding with content key set
File cipher text set and key ciphertext set are uploaded to Cloud Server by key ciphertext set, to realize cloud file-sharing, from
And LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes
Flexible fine-granularity access control, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves
The safe coefficient of encryption efficiency, decryption efficiency and shared data.
The calculating equipment of the embodiment of the present invention can be personal computing devices, server.Processor 80 in the calculating equipment 8
Realize that the step of realizing when the file sharing method of cloud can refer to the description of preceding method embodiment when executing computer program 82,
Details are not described herein.
Embodiment six:
In embodiments of the present invention, a kind of computer readable storage medium is provided, which deposits
Computer program is contained, which realizes the step in above-mentioned cloud file sharing method embodiment when being executed by processor
Suddenly, for example, step S101 to S103 shown in FIG. 1.Alternatively, the computer program realizes above-mentioned each device when being executed by processor
The function of each unit in embodiment, such as the function of unit 61 to 63 shown in Fig. 6.
In embodiments of the present invention, when receiving the file application requests of file owner's transmission, according to content key
Set, treats shared file set using symmetric encipherment algorithm and is encrypted, obtain file cipher text set, according to common parameter and
LSSS access control policy encrypts content cipher key sets using encryption function, obtains corresponding with content key set
File cipher text set and key ciphertext set are uploaded to Cloud Server by key ciphertext set, to realize cloud file-sharing, from
And LSSS access control policy through the invention meets the access tree construction of AND gate, OR-gate and " thresholding ", realizes
Flexible fine-granularity access control, and the storage overhead, communication overhead and the computation complexity of decryption of ciphertext are reduced, it improves
The safe coefficient of encryption efficiency, decryption efficiency and shared data.
The computer readable storage medium of the embodiment of the present invention may include can carry computer program code any
Entity or device, recording medium, for example, the memories such as ROM/RAM, disk, CD, flash memory.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all in essence of the invention
Made any modifications, equivalent replacements, and improvements etc., should all be included in the protection scope of the present invention within mind and principle.
Claims (10)
1. a kind of cloud file sharing method, which is characterized in that the method includes the following steps:
When receiving the file application requests of file owner's transmission, according to pre-set content key set, using pair
Claim Encryption Algorithm to treat shared file set to be encrypted, obtains file cipher text set;
The LSSS access control policy constructed according to pre-generated common parameter and in advance, using preset encryption function to institute
It states content key set to be encrypted, obtains key ciphertext set corresponding with the content key set, the key ciphertext
Set includes the LSSS access control policy;
The file cipher text set and the key ciphertext set are uploaded to Cloud Server, to realize cloud file-sharing.
2. the method as described in claim 1, which is characterized in that carried out by symmetric encipherment algorithm to file set to be shared
Before the step of encryption, the method also includes:
The file owner is controlled according to preset system property set to each file one in the file set to be shared
The corresponding file access tree of one construction;
Transmission node optimization is carried out to each file access tree according to the preset transmission node principle of optimality;
After optimization, all file access trees are converted into corresponding sub- LSSS square according to preset matrix conversion rule
Battle array;
The LSSS access of the file set to be shared is constructed by the corresponding sub- access strategy of all sub- LSSS matrixes
Control strategy.
3. the method as described in claim 1, which is characterized in that close the file cipher text set and the key ciphertext collection
After the step of reaching Cloud Server, the method also includes:
When receiving the file access request of file access person's transmission, controls file access person's dependence authorization center and obtain
The private key for user of the file access person is obtained, the private key for user includes user property collection corresponding with the file access person
It closes;
According to the common parameter and the private key for user, using preset decryption function to described close in the Cloud Server
Key ciphertext set is decrypted, and obtains access content key set corresponding with the user property set;
According to the access content key set, using symmetrical decipherment algorithm to the file cipher text collection in the Cloud Server
Conjunction is decrypted, and obtains corresponding with the access content key set accessing plaintext document set.
4. method as claimed in claim 3, which is characterized in that using preset decryption function to the institute in the Cloud Server
State the step of key ciphertext set is decrypted, comprising:
According to the LSSS access control policy, the file access strategy for meeting the user property set is obtained;
The corresponding access content key set is decrypted according to the file access strategy.
5. a kind of cloud file sharing device, which is characterized in that described device includes:
First encryption unit, for when receive file owner transmission file application requests when, according to pre-set interior
Hold cipher key sets, treats shared file set using symmetric encipherment algorithm and encrypted, obtain file cipher text set;
Second encryption unit, for using according to the common parameter pre-generated and the LSSS access control policy constructed in advance
Preset encryption function encrypts the content key set, obtains key ciphertext corresponding with the content key set
Set, the key ciphertext set include the LSSS access control policy;And
Ciphertext uploading unit, for the file cipher text set and the key ciphertext set to be uploaded to Cloud Server, with reality
Existing cloud file-sharing.
6. device as claimed in claim 5, which is characterized in that described device further include:
Access tree structural unit, for controlling the file owner according to preset system property set to the text to be shared
Each file constructs corresponding file access tree one by one in part set;
Node optimization unit, for carrying out transmission section to each file access tree according to the preset transmission node principle of optimality
Point optimization;
Matrix conversion unit, for being turned after optimization, all file access trees according to preset matrix conversion rule
It is changed to corresponding sub- LSSS matrix;And
Access strategy construction unit, for described to altogether by the corresponding sub- access strategy building of all sub- LSSS matrixes
Enjoy the LSSS access control policy of file set.
7. device as claimed in claim 5, which is characterized in that described device further include:
Private key for user acquiring unit, for controlling the file when receiving the file access request of file access person's transmission
Visitor's dependence authorization center obtains the private key for user of the file access person, and the private key for user includes to visit with the file
The corresponding user property set of the person of asking;
Key ciphertext decryption unit, for using preset decryption function pair according to the common parameter and the private key for user
The key ciphertext set in the Cloud Server is decrypted, and obtains access content corresponding with the user property set
Cipher key sets;And
File cipher text decryption unit, for being taken to the cloud using symmetrical decipherment algorithm according to the access content key set
The file cipher text set in business device is decrypted, and obtains corresponding with the access content key set accessing plaintext document
Set.
8. device as claimed in claim 7, which is characterized in that the key ciphertext decryption unit includes:
Access strategy acquiring unit, for according to the LSSS access control policy, acquisition to meet the user property set
File access strategy;And
Content key decryption unit, for decrypting the corresponding access content key collection according to the file access strategy
It closes.
9. a kind of calculating equipment, including memory, processor and storage are in the memory and can be on the processor
The computer program of operation, which is characterized in that the processor realizes such as Claims 1-4 when executing the computer program
The step of any one the method.
10. a kind of computer readable storage medium, the computer-readable recording medium storage has computer program, and feature exists
In when the computer program is executed by processor the step of any one of such as Claims 1-4 of realization the method.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811251351.4A CN109327448B (en) | 2018-10-25 | 2018-10-25 | Cloud file sharing method, device, equipment and storage medium |
PCT/CN2019/079646 WO2020082688A1 (en) | 2018-10-25 | 2019-03-26 | Cloud-end file sharing method and apparatus, and device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811251351.4A CN109327448B (en) | 2018-10-25 | 2018-10-25 | Cloud file sharing method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109327448A true CN109327448A (en) | 2019-02-12 |
CN109327448B CN109327448B (en) | 2020-10-09 |
Family
ID=65261812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811251351.4A Active CN109327448B (en) | 2018-10-25 | 2018-10-25 | Cloud file sharing method, device, equipment and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109327448B (en) |
WO (1) | WO2020082688A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110888853A (en) * | 2019-11-26 | 2020-03-17 | 廊坊新奥燃气有限公司 | Data management system and method |
WO2020082688A1 (en) * | 2018-10-25 | 2020-04-30 | 深圳技术大学 | Cloud-end file sharing method and apparatus, and device and storage medium |
WO2020082687A1 (en) * | 2018-10-25 | 2020-04-30 | 深圳技术大学 | File sharing method and apparatus based on cp-abe layered access control, and device and medium |
CN112559468A (en) * | 2021-02-26 | 2021-03-26 | 中关村科学城城市大脑股份有限公司 | Data sharing method and system based on urban brain |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8559631B1 (en) * | 2013-02-09 | 2013-10-15 | Zeutro Llc | Systems and methods for efficient decryption of attribute-based encryption |
CN104022868A (en) * | 2014-02-18 | 2014-09-03 | 杭州师范大学 | Outsourcing decryption method of attribute-based encryption based on ciphertext policy |
CN104036050A (en) * | 2014-07-04 | 2014-09-10 | 福建师范大学 | Complex query method for encrypted cloud data |
WO2014174045A1 (en) * | 2013-04-24 | 2014-10-30 | Nec Europe Ltd. | Method and system for enforcing access control policies on data |
CN104883254A (en) * | 2015-06-12 | 2015-09-02 | 深圳大学 | Cloud computing platform oriented cryptograph access control system and access control method thereof |
CN105406967A (en) * | 2015-12-10 | 2016-03-16 | 西安电子科技大学 | Hierarchical attribute encryption method |
CN106411962A (en) * | 2016-12-15 | 2017-02-15 | 中国科学技术大学 | Data storage method combining user side access control and cloud access control |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897812B (en) * | 2015-04-10 | 2019-04-23 | 杭州远眺科技有限公司 | It is a kind of suitable for mixing the data safety sharing method under cloud environment |
CN105991278B (en) * | 2016-07-11 | 2019-06-28 | 河北省科学院应用数学研究所 | A kind of ciphertext access control method based on CP-ABE |
CN109327448B (en) * | 2018-10-25 | 2020-10-09 | 深圳技术大学(筹) | Cloud file sharing method, device, equipment and storage medium |
-
2018
- 2018-10-25 CN CN201811251351.4A patent/CN109327448B/en active Active
-
2019
- 2019-03-26 WO PCT/CN2019/079646 patent/WO2020082688A1/en active Application Filing
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8559631B1 (en) * | 2013-02-09 | 2013-10-15 | Zeutro Llc | Systems and methods for efficient decryption of attribute-based encryption |
WO2014174045A1 (en) * | 2013-04-24 | 2014-10-30 | Nec Europe Ltd. | Method and system for enforcing access control policies on data |
CN104022868A (en) * | 2014-02-18 | 2014-09-03 | 杭州师范大学 | Outsourcing decryption method of attribute-based encryption based on ciphertext policy |
CN104036050A (en) * | 2014-07-04 | 2014-09-10 | 福建师范大学 | Complex query method for encrypted cloud data |
CN104883254A (en) * | 2015-06-12 | 2015-09-02 | 深圳大学 | Cloud computing platform oriented cryptograph access control system and access control method thereof |
CN105406967A (en) * | 2015-12-10 | 2016-03-16 | 西安电子科技大学 | Hierarchical attribute encryption method |
CN106411962A (en) * | 2016-12-15 | 2017-02-15 | 中国科学技术大学 | Data storage method combining user side access control and cloud access control |
Non-Patent Citations (2)
Title |
---|
KAN YANG等: ""Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud"", 《IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS》 * |
吴杰铭: ""基于属性加密算法的云存储研究"", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020082688A1 (en) * | 2018-10-25 | 2020-04-30 | 深圳技术大学 | Cloud-end file sharing method and apparatus, and device and storage medium |
WO2020082687A1 (en) * | 2018-10-25 | 2020-04-30 | 深圳技术大学 | File sharing method and apparatus based on cp-abe layered access control, and device and medium |
CN110888853A (en) * | 2019-11-26 | 2020-03-17 | 廊坊新奥燃气有限公司 | Data management system and method |
CN112559468A (en) * | 2021-02-26 | 2021-03-26 | 中关村科学城城市大脑股份有限公司 | Data sharing method and system based on urban brain |
Also Published As
Publication number | Publication date |
---|---|
WO2020082688A1 (en) | 2020-04-30 |
CN109327448B (en) | 2020-10-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109559124A (en) | A kind of cloud data safety sharing method based on block chain | |
CN104486315B (en) | A kind of revocable key outsourcing decryption method based on contents attribute | |
CN110099043A (en) | The hiding more authorization center access control methods of support policy, cloud storage system | |
CN106059763B (en) | The properties base multi-mechanism hierarchical Ciphertext policy weight encryption method of cloud environment | |
Zaghloul et al. | P-MOD: Secure privilege-based multilevel organizational data-sharing in cloud computing | |
CN107864139A (en) | A kind of cryptography attribute base access control method and system based on dynamic rules | |
CN109327448A (en) | A kind of cloud file sharing method, device, equipment and storage medium | |
CN108390876A (en) | Revocation outsourcing is supported to can verify that more authorization center access control methods, Cloud Server | |
CN108418784A (en) | A kind of distributed cross-domain authorization and access control method based on properties secret | |
CN105100083B (en) | A kind of secret protection and support user's revocation based on encryption attribute method and system | |
CN107359986A (en) | The outsourcing encryption and decryption CP ABE methods of user revocation | |
CN106656997B (en) | One kind being based on the cross-domain friend-making method for secret protection of mobile social networking proxy re-encryption | |
CN108111540A (en) | The hierarchical access control system and method for data sharing are supported in a kind of cloud storage | |
CN109617855A (en) | File sharing method, device, equipment and medium based on the control of CP-ABE hierarchical access | |
CN115296817B (en) | Data access control method based on block chain technology and attribute encryption | |
Jiang et al. | Attribute-based encryption with blockchain protection scheme for electronic health records | |
CN106612169A (en) | Safe data sharing method in cloud environment | |
CN108600174A (en) | A kind of access control mechanisms and its implementation of big merger network | |
Chaudhary et al. | RMA-CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT devices | |
CN106612175A (en) | Proxy re-encryption algorithm for multi-element access control in mobile cloud | |
CN113055164A (en) | Cipher text strategy attribute encryption algorithm based on state cipher | |
CN117097469A (en) | Data hierarchical access control method based on attribute encryption | |
Zhang et al. | A traceable and revocable multi-authority attribute-based access control scheme for mineral industry data secure storage in blockchain | |
CN116319058A (en) | Access control method based on attribute and strategy hiding of blockchain | |
CN114124392B (en) | Data controlled circulation method, system, device and medium supporting access control |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |