CN110213299B - Multi-attribute authorization encryption method and device suitable for mobile cloud environment - Google Patents

Multi-attribute authorization encryption method and device suitable for mobile cloud environment Download PDF

Info

Publication number
CN110213299B
CN110213299B CN201910599571.4A CN201910599571A CN110213299B CN 110213299 B CN110213299 B CN 110213299B CN 201910599571 A CN201910599571 A CN 201910599571A CN 110213299 B CN110213299 B CN 110213299B
Authority
CN
China
Prior art keywords
data
request
stored
normal
certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910599571.4A
Other languages
Chinese (zh)
Other versions
CN110213299A (en
Inventor
凌捷
梁艳丽
谢锐
柳毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong University of Technology filed Critical Guangdong University of Technology
Priority to CN201910599571.4A priority Critical patent/CN110213299B/en
Publication of CN110213299A publication Critical patent/CN110213299A/en
Application granted granted Critical
Publication of CN110213299B publication Critical patent/CN110213299B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/568Storing data temporarily at an intermediate stage, e.g. caching
    • H04L67/5681Pre-fetching or pre-delivering data based on network characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The application discloses a multi-attribute authorization encryption method suitable for a mobile cloud environment, which comprises the steps that when a client side initiates a data storage request to a cloud storage server, a mobile agent intercepts the data storage request; obtaining data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm; judging whether the connection relation between the cloud storage server and the cloud storage server is normal or not; if the connection relation is abnormal, storing the data to be stored until the connection relation is recovered to be normal; if the data to be stored is normal, uploading the data to be stored to the cloud storage server; the data storage method can effectively solve the problem of data information leakage caused by poor network between the user side and the cloud side, and ensures the safety of user information; the application also discloses a multi-attribute authorization encryption device suitable for the mobile cloud environment, and the multi-attribute authorization encryption device also has the beneficial effects.

Description

Multi-attribute authorization encryption method and device suitable for mobile cloud environment
Technical Field
The application relates to the technical field of data security, in particular to a multi-attribute authorization encryption method suitable for a mobile cloud environment and a multi-attribute authorization encryption device suitable for the mobile cloud environment.
Background
With the rapid development of cloud computing technology and mobile applications, mobile cloud computing has become an emerging technical means of mobile services, and due to the limited storage and processing capabilities of mobile devices, many users begin to save video, photos, music and other data to the cloud. However, as the hacking technology is improved, the security of data may be damaged, and the privacy of a user may be leaked, so that a new method for controlling access to cloud-side sensitive data is required. To achieve this, various information security techniques need to be used to secure the data and the user privacy before storing the data in the cloud infrastructure.
In the prior art, by an attribute authorized encryption (ABE) technology, confidentiality of data can be ensured, and a malicious user can be prevented from accessing personal data without authorization. However, the existing ABE scheme has a serious problem that a mobile network is not good, so that the accessibility and the storability of data information at any time cannot be ensured, when the connection between a user side and a cloud side is weak or is directly disconnected, the data information to be stored or accessed will suffer from serious information leakage, and the safety of the user information cannot be effectively ensured.
Therefore, how to effectively solve the problem of data information leakage caused by poor network between the user side and the cloud side and ensure the user information security is a problem to be solved urgently by technical personnel in the field.
Disclosure of Invention
The multi-attribute authorization encryption method suitable for the mobile cloud environment can effectively solve the problem of data information leakage caused by poor network between a user side and a cloud side, and ensures the safety of user information; another object of the present application is to provide a multi-attribute authorization encryption apparatus suitable for a mobile cloud environment, which also has the above beneficial effects.
In order to solve the technical problem, the present application provides a multi-attribute authorization encryption method suitable for a mobile cloud environment, where the method includes:
when a client side initiates a data storage request to a cloud storage server, a mobile agent pair intercepts the data storage request;
obtaining data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm; (ii) a
Judging whether the connection relation between the cloud storage server and the cloud storage server is normal or not;
if not, storing the data to be stored until the connection relationship is recovered to be normal;
and if the data to be stored is normal, uploading the data to be stored to the cloud storage server.
Preferably, the encrypting the data information by the ABE algorithm to obtain the data to be stored includes:
the client side initiates a certificate issuing request to a certificate issuing organization and receives a verification certificate fed back by the certificate issuing organization based on the certificate issuing request;
sending the verification certificate to an attribute authority for verification;
when the authentication is passed, receiving an encryption key and a static attribute set fed back by the attribute authority;
and calling a dynamic attribute set, and encrypting the data information through the encryption key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
Preferably, the issuing a certificate issue request to a certificate authority and receiving a verification certificate fed back by the certificate authority based on the certificate issue request includes:
the certificate authority receives the certificate issuing request initiated by the client;
acquiring the identity information of the client according to the certificate issuing request;
verifying the identity information of the client through a preset identity list;
and when the verification passes, feeding back the verification certificate to the client.
Preferably, if there are a plurality of attribute authorities, the encrypting the data information by the encryption key, the static attribute set, and the dynamic attribute set to obtain the data to be stored includes:
interpolating each encryption key fed back by the attribute authorization mechanisms by Lagrange's interpolation theorem to obtain a combined key;
and encrypting the data information through the combined key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
Preferably, the multi-attribute authorization encryption method suitable for the mobile cloud environment further includes:
when an access terminal initiates a data acquisition request to the cloud storage server, the mobile agent intercepts the data acquisition request;
uploading the data acquisition request to the cloud storage server;
receiving request data fed back by the cloud storage server based on the data acquisition request;
judging whether the connection relation between the access terminal and the access terminal is normal or not;
if not, storing the request data until the connection relationship is recovered to be normal;
and if the request data are normal, sending the request data to the access terminal.
In order to solve the above technical problem, the present application provides a multi-attribute authorization encryption device suitable for a mobile cloud environment, the device including:
the mobile agent is used for intercepting the data storage request when the client side initiates the data storage request to the cloud storage server;
the data acquisition module is used for acquiring data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm;
the connection judging module is used for judging whether the connection relation between the cloud storage server and the connection judging module is normal or not;
the data caching module is used for storing the data to be stored if the connection relation is abnormal until the connection relation is recovered to be normal;
and the data storage module is used for uploading the data to be stored to the cloud storage server if the connection relation is normal.
Preferably, the apparatus further comprises:
the access intercepting module is used for intercepting the data acquisition request by the mobile agent when the access terminal initiates the data acquisition request to the cloud storage server;
the request uploading module is used for uploading the data acquisition request to the cloud storage server;
the data feedback module is used for receiving request data fed back by the cloud storage server based on the data acquisition request;
the network judgment module is used for judging whether the connection relation between the network and the access terminal is normal or not;
the first data caching module is used for storing the request data if the connection relation is abnormal until the connection relation is recovered to be normal;
and the first data storage module is used for sending the request data to the access terminal if the connection relation is normal.
The multi-attribute authorization encryption method suitable for the mobile cloud environment comprises the steps that when a client side initiates a data storage request to a cloud storage server, a mobile agent intercepts the data storage request; obtaining data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm; judging whether the connection relation between the cloud storage server and the cloud storage server is normal or not; if the connection relation is abnormal, storing the data to be stored until the connection relation is recovered to be normal; and if the data to be stored is normal, uploading the data to be stored to the cloud storage server.
Therefore, the multi-attribute authorization encryption method suitable for the mobile cloud environment provided by the application has the advantages that when a client side sends a data storage request to a cloud side, the data storage request is intercepted by setting a mobile agent pair, before the data storage request is uploaded to the cloud side, whether the network connection between the client side and the cloud side is normal or not is judged firstly, if the network connection is abnormal, the data to be stored is temporarily stored directly until the network connection is recovered to be normal, namely, when the network connection between the client side and the cloud side is poor, the data to be stored is temporarily stored through the mobile agent, leakage of data information is avoided, and after the network connection is recovered to be normal, the data to be stored is uploaded to the cloud side, so that the problem of data information leakage caused by poor network between the client side and the cloud side can be effectively solved, and the safety of user information is guaranteed.
The multi-attribute authorization encryption device suitable for the mobile cloud environment also has the beneficial effects, and is not repeated herein.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of a multi-attribute authorization encryption method suitable for a mobile cloud environment according to the present application;
fig. 2 is a schematic flowchart of a data information encryption method provided in the present application;
fig. 3 is a schematic structural diagram of a cloud storage system provided in the present application;
fig. 4 is a schematic structural diagram of a multi-attribute authorization encryption device suitable for a mobile cloud environment according to the present application.
Detailed Description
The core of the application is to provide a multi-attribute authorization encryption method suitable for a mobile cloud environment, the multi-attribute authorization encryption method suitable for the mobile cloud environment can effectively solve the problem of data information leakage caused by poor network between a user side and a cloud side, and the safety of user information is ensured; another core of the present application is to provide a multi-attribute authorization encryption apparatus suitable for a mobile cloud environment, which also has the above beneficial effects.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a multi-attribute authorization encryption method suitable for a mobile cloud environment according to the present application, where the method includes:
s101: when a client side initiates a data storage request to a cloud storage server, a mobile agent intercepts the data storage request;
the method comprises the steps of intercepting a data storage request, specifically, when a client needs to perform cloud data storage, initiating the data storage request to a cloud storage server, wherein the data storage request carries data information needing to be stored, namely the following data to be stored; at the moment, the mobile agent is arranged to monitor the client in real time, and when the client is monitored to initiate a data storage request to the cloud storage server, the data storage request is intercepted.
S102: obtaining data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm;
the step aims to achieve the acquisition of the data to be stored, specifically, when the mobile agent intercepts a data storage request, the data to be stored can be acquired from the data storage request, the process can be achieved through a data analysis technology, and for the specific implementation process, the detailed description is omitted here.
In addition, in order to further ensure the security of the data information, the data to be stored may be encrypted data, so that before the client initiates a data storage request to the cloud storage server, the data information to be stored may be encrypted to obtain the data to be stored, and then the data is stored.
The method for encrypting the data information is realized by adopting an ABE algorithm. The ABE algorithm is an attribute authorization encryption method, can ensure the confidentiality of data and prevent a malicious user from accessing personal data without authorization, and in a mobile cloud environment, a data owner encrypts the data by using an encryption method based on attribute encryption and stores the encrypted data by using a fine-grained access strategy, and meanwhile, the user is required to have access authority for accessing specific data to acquire the data. The ABE algorithm can be divided into single authority ABE (SA-ABE) and multi-authority ABE (MA-ABE). Wherein, the SA-ABE only relates to one authority which monitors all attributes and distributes keys for data encryption and decryption to data owners or users respectively, and the MA-ABE is that various authorities independently participate in monitoring the attributes and distributing the encryption and decryption keys.
S103: judging whether the connection relation between the cloud storage server and the cloud storage server is normal or not; if not, executing S104, otherwise, executing S105;
s104: storing the data to be stored until the connection relation is recovered to normal;
s105: and uploading the data to be stored to a cloud storage server.
It can be understood that, the mobile agent pair is equivalent to a data transmission medium between the client and the cloud storage server, after obtaining the data to be stored, the mobile agent pair does not upload the data to the cloud storage server temporarily, but first determines whether the network connection between the mobile agent pair and the cloud storage server is in a normal state, that is, the mobile agent pair aims to determine the network connection relationship between the front end and the back end before uploading the data to be stored; further, when the connection is normal, the data to be stored is directly uploaded to a cloud storage server, so that cloud storage of data information is completed; on the contrary, if the network connection is in an abnormal state, the data to be stored is directly cached until the network connection is recovered to be normal and then is continuously uploaded, so that the problem of data loss caused by abnormal network connection is effectively avoided. The data to be stored may be specifically stored in a storage medium preset in the mobile agent pair, and of course, the specific type of the storage medium is not unique, and this is not limited in this application.
The multi-attribute authorization encryption method suitable for the mobile cloud environment provided by the application comprises the steps that when a client side sends a data storage request to a cloud side, the data storage request is intercepted through a mobile agent, before the data storage request is uploaded to the cloud side, whether the network connection between the client side and the cloud side is normal or not is judged at first, if the network connection is abnormal, data to be stored is temporarily stored directly until the network connection is recovered to be normal, namely, when the network connection between the client side and the cloud side is poor, the data to be stored is temporarily stored through the mobile agent, leakage of data information is avoided, and after the network connection is recovered to be normal, the data to be stored is uploaded to the cloud side, so that the problem of data information leakage caused by poor network between the client side and the cloud side can be effectively solved, and the safety of user information is guaranteed.
On the basis of the above embodiments, the present embodiment provides a more specific multi-attribute authorization encryption method suitable for a mobile cloud environment, and aims to introduce encryption of data information more specifically.
Referring to fig. 2, fig. 2 is a schematic flow chart of a data information encryption method provided in the present application, and preferably, the encrypting the data information by using the ABE algorithm to obtain the data to be stored may include:
s201: initiating a certificate issuing request to a certificate issuing organization, and receiving a verification certificate fed back by the certificate issuing organization based on the certificate issuing request;
s202: sending the verification certificate to an attribute authority for verification;
s203: when the authentication is passed, receiving an encryption key and a static attribute set fed back by an attribute authority;
s204: and calling the dynamic attribute set, and encrypting the data information through the encryption key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
The embodiment provides a more specific data information encryption method based on the ABE algorithm, and the method comprises the steps that firstly, a certificate authority generates a private key and a public key, and the public key is sent to an attribute authority; the method comprises the steps of firstly generating a verification certificate by using a private key and issuing the verification certificate to a client side, further uploading the verification certificate to an attribute authorization mechanism by the client side when a certificate issuing request initiated by the client side is received by the certificate issuing mechanism, verifying the verification certificate by the attribute authorization mechanism based on the public key, issuing an encryption key for data encryption and a maintained static attribute set thereof to the client side when the verification is passed, and finally realizing the encryption of data information by the client side by using the encryption key, the static attribute set and a self-maintained dynamic attribute set. Therefore, the data encryption based on the dynamic attribute is realized through the method, namely, the real-time verification is realized, and the data security is more effectively improved.
Preferably, the initiating a certificate issue request to the certificate authority and receiving a verification certificate fed back by the certificate authority based on the certificate issue request may include: a certificate authority receives a certificate issuing request initiated by a client; acquiring identity information of a client according to a certificate issuing request; verifying the identity information of the client through a preset identity list; and when the verification is passed, feeding back the verification certificate to the client.
For the issuing process of the verification certificate, the application provides a more specific implementation method, specifically, the certificate issuing organization stores the identity information of each legal client in advance and stores the identity information in a list form, therefore, when a certificate issuing request initiated by a certain client is received, the certificate issuing request can be analyzed to obtain the identity information of the client, the client is further authenticated through the pre-stored identity list, and when the authentication passes, the verification certificate can be issued to the client.
Preferably, if there are a plurality of attribute authorities, the encrypting the data information by the encryption key, the static attribute set, and the dynamic attribute set to obtain the data to be stored may include: interpolating each encryption key fed back by a plurality of attribute authorization mechanisms through Lagrange's interpolation theorem to obtain a combined key; and encrypting the data information by combining the key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
Because the MA-ABE has higher security performance than the SA-ABE, in the present application, the MA-ABE is used to encrypt the data information to be uploaded, that is, the ABE encryption based on multiple attribute authorities is used to encrypt, so that multiple encryption keys and multiple static attribute sets fed back by multiple attribute authorities are received, further, the multiple encryption keys are interpolated by lagrangian interpolation theorem to obtain a combined key, and then the combined key is used to implement the encryption process of the data information.
According to the multi-attribute authorization encryption method suitable for the mobile cloud environment, encryption processing is performed on data information before data storage is performed, and the safety of the data information is further improved.
On the basis of the embodiment, the embodiment provides another multi-attribute authorization encryption method suitable for a mobile cloud environment, and aims to realize the access function of cloud storage data after data storage.
As a preferred embodiment, the multi-attribute authorization encryption method suitable for the mobile cloud environment may further include: when an access terminal initiates a data acquisition request to a cloud storage server, a mobile agent intercepts the data acquisition request; uploading the data acquisition request to a cloud storage server; receiving request data fed back by a cloud storage server based on a data acquisition request; judging whether the connection relation between the access terminal and the access terminal is normal or not; if not, storing the request data until the connection relation is recovered to be normal; and if the request data are normal, sending the request data to the access terminal.
Specifically, when an access terminal needs to access the storage data at the cloud end, a data access request is sent to a cloud storage server, at this time, the access terminal is also monitored in real time through a mobile agent, the data access request is intercepted and forwarded to the cloud storage server, when the access data fed back by the cloud storage server is received, the access data is also not directly sent to the access terminal, whether the network connection between the access terminal and the access terminal is in a normal state is judged firstly, if not, the access data is temporarily stored until the network connection is recovered to be normal, and then the access data is fed back to the access terminal, so that the problem of data information loss caused by network interruption is effectively avoided, and the safety of user information is ensured.
It can be understood that the access end is essentially the same as the client, and the client can also be used as the access end to implement data access and the access end can also be used as the client to implement data storage.
Preferably, the mobile agent pair may include a client agent and a server agent; and when the connection relation is abnormal, storing the data to be stored through the client agent or storing the request data through the server agent.
For the mobile agent pair, a specific implementation form is provided, namely the mobile agent pair consists of a client agent and a server agent, wherein the client agent is connected with the client or an access terminal and monitors the client and the access terminal in real time for intercepting and caching data to be stored; the server agent is connected with the cloud server and monitors the cloud server in real time, and the server agent is used for intercepting and caching access data, namely, when the network connection is poor, the request of a user and the response from the cloud are queued in the cache of the corresponding agent, so that the system can work continuously.
According to the embodiment, the mobile agent is used for realizing the access of the user to the cloud storage data information, when the network connection between the visitor and the cloud is abnormal, the mobile agent is directly used for temporarily storing the accessed data information, the leakage of the data information is effectively avoided, and the safety of the user information is ensured.
On the basis of the foregoing embodiments, an embodiment of the present application provides a more specific multi-attribute authorization encryption method suitable for a mobile cloud environment, please refer to fig. 3, where fig. 3 is a schematic structural diagram of a cloud storage system provided by the present application, and the multi-attribute authorization encryption method suitable for a mobile cloud environment provided by the embodiment of the present application may include the following processes:
(1) issuance and verification of certificates:
a Certificate Authority (CA) stores identity lists of related data owners (clients) and users (access terminals) in advance so as to authenticate the identities of the data owners and users who send requests to the CA and issues certificates (authentication certificates); in addition, the CA generates a pair of keys { SKc, PKc }, where SKc is a private key and PKc is a public key, where the private key is maintained by the CA and the public key is distributed to all Attribute Authorities (AAs).
When the CA receives a request (storage request or access request) of a data owner or a user, if the requester exists in the identity list, a certificate is issued, otherwise, the request is rejected; wherein the certificate is obtained by applying an SM3 encryption algorithm to the unique identifier of the requestor and the hash value of the CA, and calculating the hash value using h denotes an SM3 encryption algorithm; the encryption of the certificate is to use the private key of the CA, and set the valid time period of the certificate as T, so as to avoid the unauthorized use of the certificate, specifically, the encryption or decryption of the certificate may be represented as: h [ Requester _ ID)]→CertificatejWherein, the Requester _ ID is Requester ID, CertificatejRepresents the credential fed back to the jth requester, j belonging to either the user set U or the data owner set O.
(2) And (3) anonymous encryption and decryption key distribution:
the method comprises the steps that a plurality of AAs are used as a Key Generation Center (KGC), each KGC generates a pair of a public key and a private key, the public key is used for data encryption, the private key is used for data decryption, after CA authentication, a data owner or a user can request the KGC for partial encryption or decryption keys, the KGC can distribute encryption and decryption keys under the condition that the identity of the data owner or the user is unknown, anonymous distribution of the keys is achieved, and therefore the data owner or the user can interpolate all corresponding keys by using the Lagrange interpolation theorem to obtain a combined key.
(3) Encryption and decryption of data information:
the data owner or user sends a certificate to the AAs to request to acquire a partial encryption or decryption key, the requested AAs verifies the certificate by decrypting the certificate by using a public key of the CA, if the verification is successful, a global algorithm is called, and data information is encrypted and decrypted by using a static attribute set and a dynamic attribute set, and the specific implementation process comprises the following steps:
s1: global setting: inputting a security parameter lambda, calling a global algorithm, and outputting global parameters p1 and p2, specifically represented as: global (λ) → p1, p 2; wherein, λ belongs to natural number set N, and the specific value is determined by the system;
s2: generating an attribute key: the private key of each AAs is used as input, a corresponding public key is generated as output, and the ith AAs randomly selects a private key kiThe global parameters p1 and p2 calculate corresponding public keys K through bilinear pairing mappingiSpecifically, it is represented as: ki ═ e (p1, p2)ki
S3: data information encryption: taking an original message (data information in a plaintext form), a static attribute set S maintained by each AAs and a dynamic attribute set D of owner mobile equipment as input, and taking a ciphertext (data to be stored) as output;
first, a data owner forms a natural number group Z having a prime number q as a generatorqAnd randomly selecting alpha and beta, and encrypting the original message M: e [ M ]]=M Km βIn which K ismRepresenting a combined public key obtained from a partial public key received from each individual AAs by applying a lagrange interpolation polynomial, m representing the number of AAs; further, the hash value of the dynamic attribute set is calculated: d' ═ h [ D1](ii) a Finally, ciphertext data C is obtainedM:CM=[E[M],Ki,1≤i≤m]And uploading it to memory;
s4: data decryption: the cipher text, the decryption key received by the AAs and the dynamic attribute of the user mobile equipment are used as input, and the original message is used as output;
first, the user requests a partial decryption key K from the responsible AAsiEach AAs verifies the relevant static attribute and provides the corresponding private key ki(ii) a Obtaining a combined private key k using a lagrange interpolation polynomialm(ii) a Further, the user computes a hash value of the dynamic property set obtained from the mobile device: d ═ h [ D2]Only if the hash value of the user's dynamic property set matches the hash value stored by the data owner is: d ═ D ", the party can decrypt the data, its decryption process is:
Figure BDA0002118821450000111
s5: data storage and access:
the encrypted data information is uploaded to a data storage server through a mobile agent pair, specifically, a Client Side Agent (CSA) intercepts a storage request of a user and forwards the storage request to a Cloud Storage Server (CSS) through a server agent (SSA); in addition, the CSS may also reply to the CSA via the SSA during the data access process. Therefore, during the network connection weak or disconnection mode, the request of the user and the response from the cloud server are queued in the cache of the corresponding agent, so that the system can work in the weak network or disconnection mode, and meanwhile, the leakage of data information is effectively avoided.
According to the multi-attribute authorization encryption method suitable for the mobile cloud environment, when a client side sends a data storage request to a cloud side, the data storage request is intercepted through a mobile agent, before the data storage request is uploaded to the cloud side, whether the network connection between the client side and the cloud side is normal or not is judged firstly, if the network connection is abnormal, the data to be stored is temporarily stored directly until the network connection is recovered to be normal, namely, when the network connection between the client side and the cloud side is poor, the data to be stored is temporarily stored through the mobile agent, leakage of data information is avoided, and after the network connection is recovered to be normal, the data to be stored is uploaded to the cloud side.
To solve the above problem, please refer to fig. 4, where fig. 4 is a schematic structural diagram of a multi-attribute authorization encryption device suitable for a mobile cloud environment according to the present application, the device may include:
the request intercepting module 10 is used for intercepting a data storage request by a mobile agent when a client initiates the data storage request to a cloud storage server;
the data acquisition module 20 is configured to acquire data to be stored according to a data storage request;
the connection judging module 30 is configured to judge whether a connection relationship with the cloud storage server is normal;
the data caching module 40 is used for storing the data to be stored if the connection relationship is abnormal until the connection relationship is recovered to be normal;
and the data storage module 50 is configured to upload the data to be stored to the cloud storage server if the connection relationship is normal.
Therefore, the multi-attribute authorization encryption device suitable for the mobile cloud environment provided by the application can be used for intercepting a data storage request by setting a mobile agent when the client side sends the data storage request to the cloud side, firstly judging whether the network connection between the client side and the cloud side is normal or not before uploading the data storage request to the cloud side, and if the network connection is not normal, directly temporarily storing the data to be stored until the network connection is recovered to be normal, namely when the network connection between the client side and the cloud side is poor, temporarily storing the data to be stored through the mobile agent, so that the leakage of data information is avoided, and after the network connection is recovered to be normal, the data to be stored is uploaded to the cloud side.
As a preferred embodiment, the multi-attribute authorization encryption device suitable for a mobile cloud environment may further include:
the access intercepting module is used for intercepting a data acquisition request by the mobile agent when the access terminal initiates the data acquisition request to the cloud storage server;
the request uploading module is used for uploading the data acquisition request to the cloud storage server;
the data feedback module is used for receiving request data fed back by the cloud storage server based on the data acquisition request;
the network judgment module is used for judging whether the connection relation between the network judgment module and the access terminal is normal or not;
the first data caching module is used for storing the request data if the connection relation is abnormal until the connection relation is recovered to be normal;
and the first data storage module is used for sending the request data to the access terminal if the connection relation is normal.
For the introduction of the apparatus provided in the present application, please refer to the above method embodiments, which are not described herein again.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The multi-attribute authorization encryption method and device suitable for the mobile cloud environment provided by the application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and these improvements and modifications also fall into the elements of the protection scope of the claims of the present application.

Claims (7)

1. A multi-attribute authorization encryption method suitable for a mobile cloud environment, the method comprising:
when a client side initiates a data storage request to a cloud storage server, a mobile agent pair intercepts the data storage request;
obtaining data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm;
judging whether the connection relation between the cloud storage server and the cloud storage server is normal or not;
if not, storing the data to be stored until the connection relationship is recovered to be normal;
if the data to be stored is normal, uploading the data to be stored to the cloud storage server;
the data information is encrypted through the ABE algorithm to obtain the data to be stored, and the method comprises the following steps:
the client side initiates a certificate issuing request to a certificate issuing organization and receives a verification certificate fed back by the certificate issuing organization based on the certificate issuing request;
sending the verification certificate to an attribute authority for verification;
when the authentication is passed, receiving an encryption key and a static attribute set fed back by the attribute authority;
and calling a dynamic attribute set, and encrypting the data information through the encryption key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
2. The method of claim 1, wherein the initiating a certificate issuance request to a certificate authority and receiving a verification certificate fed back by the certificate authority based on the certificate issuance request comprises:
the certificate authority receives the certificate issuing request initiated by the client;
acquiring the identity information of the client according to the certificate issuing request;
verifying the identity information of the client through a preset identity list;
and when the verification passes, feeding back the verification certificate to the client.
3. The method of claim 1, wherein if there are a plurality of attribute authorities, the encrypting the data information through the encryption key, the static attribute set, and the dynamic attribute set to obtain the data to be stored comprises:
interpolating each encryption key fed back by the attribute authorization mechanisms by Lagrange's interpolation theorem to obtain a combined key;
and encrypting the data information through the combined key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
4. The method of any of claims 1 to 3, further comprising:
when an access terminal initiates a data acquisition request to the cloud storage server, the mobile agent intercepts the data acquisition request;
uploading the data acquisition request to the cloud storage server;
receiving request data fed back by the cloud storage server based on the data acquisition request;
judging whether the connection relation between the access terminal and the access terminal is normal or not;
if not, storing the request data until the connection relationship is recovered to be normal;
and if the request data are normal, sending the request data to the access terminal.
5. The method of claim 4, wherein the mobile proxy pair comprises a client proxy and a server proxy; and when the connection relation is abnormal, storing the data to be stored through the client agent or storing the request data through the server agent.
6. A multi-attribute authorization encryption system suitable for a mobile cloud environment, comprising:
the mobile agent is used for intercepting the data storage request when the client side initiates the data storage request to the cloud storage server;
the data acquisition module is used for acquiring data to be stored according to the data storage request, wherein the data to be stored is obtained by encrypting data information through an ABE algorithm;
the connection judging module is used for judging whether the connection relation between the cloud storage server and the connection judging module is normal or not;
the data caching module is used for storing the data to be stored if the connection relation is abnormal until the connection relation is recovered to be normal;
the data storage module is used for uploading the data to be stored to the cloud storage server if the connection relation is normal;
the data information is encrypted through the ABE algorithm to obtain the data to be stored, and the method comprises the following steps:
the client side initiates a certificate issuing request to a certificate issuing organization and receives a verification certificate fed back by the certificate issuing organization based on the certificate issuing request;
sending the verification certificate to an attribute authority for verification;
when the authentication is passed, receiving an encryption key and a static attribute set fed back by the attribute authority;
and calling a dynamic attribute set, and encrypting the data information through the encryption key, the static attribute set and the dynamic attribute set to obtain the data to be stored.
7. The system of claim 6, further comprising:
the access intercepting module is used for intercepting the data acquisition request by the mobile agent when the access terminal initiates the data acquisition request to the cloud storage server;
the request uploading module is used for uploading the data acquisition request to the cloud storage server;
the data feedback module is used for receiving request data fed back by the cloud storage server based on the data acquisition request;
the network judgment module is used for judging whether the connection relation between the network and the access terminal is normal or not;
the first data caching module is used for storing the request data if the connection relation is abnormal until the connection relation is recovered to be normal;
and the first data storage module is used for sending the request data to the access terminal if the connection relation is normal.
CN201910599571.4A 2019-07-04 2019-07-04 Multi-attribute authorization encryption method and device suitable for mobile cloud environment Active CN110213299B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910599571.4A CN110213299B (en) 2019-07-04 2019-07-04 Multi-attribute authorization encryption method and device suitable for mobile cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910599571.4A CN110213299B (en) 2019-07-04 2019-07-04 Multi-attribute authorization encryption method and device suitable for mobile cloud environment

Publications (2)

Publication Number Publication Date
CN110213299A CN110213299A (en) 2019-09-06
CN110213299B true CN110213299B (en) 2022-05-06

Family

ID=67796187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910599571.4A Active CN110213299B (en) 2019-07-04 2019-07-04 Multi-attribute authorization encryption method and device suitable for mobile cloud environment

Country Status (1)

Country Link
CN (1) CN110213299B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11632243B1 (en) * 2020-03-31 2023-04-18 Juniper Networks, Inc. Multi-key exchange

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107342990A (en) * 2017-06-23 2017-11-10 西南交通大学 A kind of attribute base net network ring signatures method of distributed authorization
CN107846309A (en) * 2017-10-20 2018-03-27 深圳益邦阳光有限公司 Suspension data forward method, electronic equipment and storage medium based on remote monitoring
CN108881291A (en) * 2018-07-19 2018-11-23 上海海事大学 A kind of weight properties base encryption method based on layered authorization mechanism
CN109818757A (en) * 2019-03-18 2019-05-28 广东工业大学 Cloud storage data access control method, Attribute certificate awarding method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107342990A (en) * 2017-06-23 2017-11-10 西南交通大学 A kind of attribute base net network ring signatures method of distributed authorization
CN107846309A (en) * 2017-10-20 2018-03-27 深圳益邦阳光有限公司 Suspension data forward method, electronic equipment and storage medium based on remote monitoring
CN108881291A (en) * 2018-07-19 2018-11-23 上海海事大学 A kind of weight properties base encryption method based on layered authorization mechanism
CN109818757A (en) * 2019-03-18 2019-05-28 广东工业大学 Cloud storage data access control method, Attribute certificate awarding method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Multi-authority Attribute Based Encryption;Melissa Chase;《Theory of Cryptography Conference TCC2007》;20070224;第515-534页 *
基于多授权机构ABE的云存储访问控制研究;连景钗;《中国优秀硕士学位论文全文数据库信息科技辑》;20151215;正文第5、18、31-36页 *

Also Published As

Publication number Publication date
CN110213299A (en) 2019-09-06

Similar Documents

Publication Publication Date Title
CN110855671B (en) Trusted computing method and system
US9065637B2 (en) System and method for securing private keys issued from distributed private key generator (D-PKG) nodes
US7688975B2 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US10824744B2 (en) Secure client-server communication
CN110958209B (en) Bidirectional authentication method, system and terminal based on shared secret key
CN113691502B (en) Communication method, device, gateway server, client and storage medium
CN111770088A (en) Data authentication method, device, electronic equipment and computer readable storage medium
JP2023500570A (en) Digital signature generation using cold wallet
CN110838915B (en) Cloud storage data sharing method for forward security key aggregation
CN113037478A (en) Quantum key distribution system and method
CN102999710A (en) Method, equipment and system for safely sharing digital content
CN113992702B (en) Ceph distributed file system storage state password reinforcement method and system
CN110213299B (en) Multi-attribute authorization encryption method and device suitable for mobile cloud environment
CN113868684A (en) Signature method, device, server, medium and signature system
CN111756722B (en) Multi-authorization attribute-based encryption method and system without key escrow
US20090164782A1 (en) Method and apparatus for authentication of service application processes in high availability clusters
CN115766119A (en) Communication method, communication apparatus, communication system, and storage medium
CN115604030B (en) Data sharing method, device, electronic equipment and storage medium
CN114218598B (en) Service processing method, device, equipment and storage medium
CN114039793B (en) Encryption communication method, system and storage medium
CN113886781B (en) Multi-authentication encryption method, system, electronic device and medium based on block chain
CN116232763B (en) Selectively disclosed dynamic combination verifiable credential generation method and system
CN113037686B (en) Multi-database secure communication method and system, computer readable storage medium
CN115766268A (en) Processing method, device, equipment and storage medium
CN116248257A (en) PMU communication access control system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant