CN110460604A - A kind of encryption of cloud storage, decryption and verification method and system - Google Patents

A kind of encryption of cloud storage, decryption and verification method and system Download PDF

Info

Publication number
CN110460604A
CN110460604A CN201910754778.4A CN201910754778A CN110460604A CN 110460604 A CN110460604 A CN 110460604A CN 201910754778 A CN201910754778 A CN 201910754778A CN 110460604 A CN110460604 A CN 110460604A
Authority
CN
China
Prior art keywords
ciphertext
outsourcing
data
key
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910754778.4A
Other languages
Chinese (zh)
Inventor
凌捷
石宇清
李斯
谢锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong University of Technology filed Critical Guangdong University of Technology
Priority to CN201910754778.4A priority Critical patent/CN110460604A/en
Publication of CN110460604A publication Critical patent/CN110460604A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Abstract

This application discloses a kind of encryption of cloud storage, decryption and verification method and systems, are applied to transmission terminal in data, comprising: advance with the encryption parameter in system common parameter for encryption and generate interim ciphertext;Using the complete certificate parameter of verify data, interim ciphertext, clear data and access structure is used in system common parameter, outsourcing ciphertext is generated;Outsourcing ciphertext is sent to Cloud Server;The application is in the case where data upload terminal energy sources abundance, it advances with the encryption parameter in system common parameter for encryption and generates interim ciphertext, the excessive partial routine encrypted using system common parameter that consumes energy in ciphering process is pre-processed in advance, even if in this way in the insufficient situation of the energy, calculation amount and energy-output ratio when reducing encryption data, interim ciphertext, certificate parameter, clear data and access structure can directly be utilized, generate outsourcing ciphertext, shorten encryption times, reduces calculation amount and energy consumption.

Description

A kind of encryption of cloud storage, decryption and verification method and system
Technical field
The present invention relates to cloud storage ciphertext access control field, in particular to a kind of cloud storage encryption, decryption and authentication Method and system.
Background technique
Attribute base encryption (attribute-based encryption, ABE) is a kind of expansible one-to-many encryption equipment System allows user according to user property encrypting and decrypting data, is highly suitable for carrying out spirit to the encryption data being stored in the cloud Fine-granularity access control living.The major defect of traditional ABE scheme first is that encryption and decryption operation with access strategy complexity Increase and increase, thus bring computing cost is one for resource-constrained mobile device (such as mobile phone) fatal makes Use bottleneck.
And in practical application, user may need to be encrypted and decrypted work using mobile device, existing encryption and The calculation amount that decrypting process generates is excessive to energy consumption, and mobile device is difficult to bear.
Low energy consumption is not limited to the encryption and decryption method of hardware device therefore, it is necessary to a kind of.
Summary of the invention
In view of this, the purpose of the present invention is to provide a kind of encryption of cloud storage, decryption and verification method and system, energy consumption It is low, calculation amount is small.Its concrete scheme is as follows:
A kind of cloud storage encryption method is applied to transmission terminal in data, comprising:
It advances with the encryption parameter in system common parameter for encryption and generates interim ciphertext;
Using in the system common parameter be used for the complete certificate parameter of verify data, the interim ciphertext, plaintext number According to and access structure, generate outsourcing ciphertext;
The outsourcing ciphertext is sent to Cloud Server, so that the Cloud Server carries out outsourcing solution to the outsourcing ciphertext It is close;
Wherein, the system common parameter is the parameter generated according to security parameter that attribute authority is issued in advance.
Optionally, described to utilize in system common parameter for the complete certificate parameter of verify data, interim ciphertext, plaintext Data and access structure generate the process of outsourcing ciphertext, comprising:
Utilize Hash verifying functions double in the system common parameter and cipher key-extraction function, interim ciphertext, clear data And access structure, generate outsourcing ciphertext.
Optionally, the generating process of the interim ciphertext, comprising:
Using the parameter of the group and bilinear map obtained in the system common parameter using group's generator algorithm, generate The interim ciphertext.
The invention also discloses a kind of cloud storage decryption methods, are applied to Cloud Server, comprising:
Receive the decruption key that data using terminal is sent;
The outsourcing ciphertext that transmission terminal is sent in data is received, the outsourcing ciphertext includes visit corresponding with owner's property set Ask structure and interim ciphertext;
Judge whether the decruption key and the access structure in the outsourcing ciphertext are corresponding;
If corresponding, the encryption parameter in decruption key and system common parameter for encryption is utilized, it is close to the outsourcing Text is decrypted, and obtains conversion ciphertext;
The conversion ciphertext is sent to data using terminal;
If it is not, then terminating decryption;
Wherein, owner's property set is the property set that data owner possesses, and the decruption key is attribute authority Mechanism issue in advance using the system common parameter, system master key, Cloud Server public key, data consumer public key and The key that the user attributes collection that the data consumer possesses generates.
Optionally, after the termination decryption, further includes:
Sending permission deficiency prompt information is to the data using terminal.
The invention also discloses a kind of cloud storage decryption verification methods, are applied to data using terminal, comprising:
Utilize system common parameter, the user of system master key, Cloud Server public key, client public key and data consumer Property set generates and sends decruption key to Cloud Server;
The conversion ciphertext that the Cloud Server is sent is received, the conversion ciphertext is to carry out outsourcing to outsourcing ciphertext to decrypt It arrives;
Using data consumer's private key, the conversion ciphertext is decrypted, obtains the key seed in the conversion ciphertext;
Using the complete certificate parameter of verify data is used in the key seed and system common parameter, the cloud is verified Whether the outsourcing decryption of server is correct;
If correct, the conversion ciphertext is decrypted using the key seed, obtains symmetric key;
The conversion ciphertext is decrypted using the symmetric key, obtains clear data;
If incorrect, decryption is terminated.
Optionally, described to utilize the key seed and the certificate parameter, verify the outsourcing decryption of the Cloud Server Whether correct process, comprising:
Equation H is verified using the key seed and the certificate parameter1(H0(ck) | | ct ') whether=Token true.
The invention also discloses a kind of cloud storage encryption systems, are applied to transmission terminal in data, comprising:
Interim ciphertext generation module generates temporarily for advancing with the encryption parameter in system common parameter for encryption Ciphertext;
Outsourcing ciphertext generation module, for completely verifying ginseng for verify data using in the system common parameter Several, the described interim ciphertext, clear data and access structure generate outsourcing ciphertext;
Outsourcing ciphertext sending module, for sending the outsourcing ciphertext to Cloud Server, so that the Cloud Server is to institute It states outsourcing ciphertext and carries out outsourcing decryption;
Wherein, the system common parameter is the parameter generated according to security parameter that attribute authority is issued in advance.
The invention also discloses a kind of cloud storage decryption systems, are applied to Cloud Server, comprising:
Decruption key receiving module, the decruption key that using terminal is sent for receiving data;
Outsourcing ciphertext receiving module, the outsourcing ciphertext that upper transmission terminal is sent for receiving data, the outsourcing ciphertext include Access structure corresponding with owner's property set and interim ciphertext;
Decrypted rights judgment module, for judging whether the decruption key and the access structure in the outsourcing ciphertext are right It answers;
Outsourcing deciphering module, if determining the decruption key and the outsourcing ciphertext for the decrypted rights judgment module In access structure it is corresponding, then utilize the encryption parameter in decruption key and system common parameter for encrypting, to the outsourcing Ciphertext is decrypted, and obtains conversion ciphertext;
Ciphertext sending module is converted, for sending the conversion ciphertext to data using terminal;
Decryption terminates module, if determining the decruption key and the outsourcing ciphertext for the decrypted rights judgment module In access structure do not correspond to, then terminate decryption;
Wherein, owner's property set is the property set that data owner possesses, and the decruption key is attribute authority Mechanism issue in advance using the system common parameter, system master key, Cloud Server public key, data consumer public key and The key that the user attributes collection that the data consumer possesses generates.
The invention also discloses a kind of cloud storage decryption verification systems, are applied to data using terminal, comprising:
Decruption key sending module, for utilizing system common parameter, system master key, Cloud Server public key, Yong Hugong The user attributes collection of key and data consumer, generates and sends decruption key to Cloud Server;
Ciphertext receiving module is converted, the conversion ciphertext sent for receiving the Cloud Server, the conversion ciphertext is pair Outsourcing ciphertext carries out what outsourcing was decrypted;
Ciphertext deciphering module is converted, for utilizing data consumer's private key, the conversion ciphertext is decrypted, obtains described turn Change the key seed in ciphertext;
Cryptogram validation module is converted, it is complete for verify data in the key seed and system common parameter for utilizing Certificate parameter, verify the Cloud Server outsourcing decryption it is whether correct;
Symmetric key decryption module, if determining the outsourcing decryption of the Cloud Server for the conversion cryptogram validation module Verifying is correct, then is decrypted using the key seed to the conversion ciphertext, obtain symmetric key;
Clear data deciphering module obtains clear data for decrypting using the symmetric key to the conversion ciphertext;
Decryption terminates module, if determining the outsourcing decryption verification of the Cloud Server for the conversion cryptogram validation module It is incorrect, then terminate decryption.
In the present invention, cloud storage encryption method is applied to transmission terminal in data, comprising: advance with system common parameter In for the encryption parameter of encryption generate interim ciphertext;Ginseng is completely verified using verify data is used in system common parameter Several, interim ciphertext, clear data and access structure generate outsourcing ciphertext;Outsourcing ciphertext is sent to Cloud Server, for cloud service Device carries out outsourcing decryption to outsourcing ciphertext;Wherein, system common parameter is joined for what attribute authority was issued in advance according to safety The parameter that number generates.
The present invention advances in system common parameter in the case where data upload terminal energy sources abundance for encryption Encryption parameter generates interim ciphertext, by the excessive partial routine encrypted using system common parameter that consumes energy in ciphering process It is pre-processed in advance, even if calculation amount and the energy in this way when in the insufficient situation of the energy, reducing encryption data Consumption can directly utilize interim ciphertext, certificate parameter, clear data and access structure, generate outsourcing ciphertext, shorten encryption Time reduces calculation amount and energy consumption.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this The embodiment of invention for those of ordinary skill in the art without creative efforts, can also basis The attached drawing of offer obtains other attached drawings.
Fig. 1 is a kind of cloud storage encryption method flow diagram disclosed by the embodiments of the present invention;
Fig. 2 is a kind of cloud storage decryption method flow diagram disclosed by the embodiments of the present invention;
Fig. 3 is a kind of cloud storage verification method flow diagram disclosed by the embodiments of the present invention;
Fig. 4 is a kind of cloud storage encryption system structural schematic diagram disclosed by the embodiments of the present invention;
Fig. 5 is a kind of cloud storage decryption system structural schematic diagram disclosed by the embodiments of the present invention;
Fig. 6 is that a kind of cloud storage disclosed by the embodiments of the present invention verifies system structure diagram.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other Embodiment shall fall within the protection scope of the present invention.
It is shown in Figure 1 the embodiment of the invention discloses a kind of cloud storage encryption method, it is applied to transmission terminal in data, This method comprises:
S11: it advances with the encryption parameter in system common parameter for encryption and generates interim ciphertext.
Specifically, system common parameter is generated by attribute authority using security parameter, attribute authority after generation System common parameter is issued to data owner, Cloud Server and data consumer, data owner needs to upload by data Terminal receives and therefore storage system common parameter has pre-saved system common parameter in transmission terminal in data.
Further, system common parameter includes: input security parameter λ ∈ 1 in the generating process of attribute authority;It adjusts With group's generator algorithmThe description D of group and bilinear map is obtained, i.e.,G table Show source group, GTIndicate target complex, enabling system property domain U==p ,=p is the finite field { 0,1,2 ..., p-1 } that mould p is constituted;With Machine selects g, h, u, v, w ∈ G, α ∈=p, wherein the generation member that g is G, h, u, v, w are the random element of G;And construct Hash letter NumberAnd the cipher key-extraction function H' of safety, wherein H0And H1I.e. Double Hash verify function,Indicate GTIn element be mapped to fixation it is a length of0,1 string,It is a length of to indicate that 0,1 arbitrarily long string is mapped to fixation0,1 string;Output system common parameter Pp=(D, g, h, u, v, w, e (g, g)α,H0,H1, H') and system master key msk, msk=α.
Wherein, transmission terminal can be mobile terminal in data, and mobile terminal is limited compared to its energy supply of the end PC, calculates Speed is slow, if using system common parameter, clear data and access structure, directly generating outsourcing ciphertext in non-charging, disappearing A large amount of electric energy is consumed, meanwhile, time-consuming for encryption, and needing to encrypt for a long time causes uplink time long, poor user experience, wherein benefit The process time encrypted with system common parameter is long, especially consumes energy, for this purpose, can be in advance in the mobile terminal free time or mobile whole It is when the charging of end, time consumption and energy consumption is biggish, it is carried out in advance using the partial routine that system common parameter encrypts, so as to subsequent needs It when encryption, can directly be encrypted using intermediate result, shortening encryption times reduces energy consumption, specifically, can use system Encryption parameter in common parameter for encryption generates the interim ciphertext for encryption, recycles the public ginseng of interim ciphertext, system In number be used for the complete certificate parameter of verify data, clear data and access structure, generate outsourcing ciphertext, shorten encryption times and Energy consumption.
Specifically, the generating process of interim ciphertext includes: firstly, transmission terminal is random using system common parameter pp in data S ∈=p is selected, encapsulation key key, key=e (g, g) are calculatedαs、C0=gs;Then, it is selected at random for every a line of access matrix M Select { zj,xj,tj}j∈[P]∈=p is calculated Wherein, access knot Structure (M, ρ) is a LSSS (linear secret sharing scheme) access structure, wherein M is the matrix of l × n rank, ρ be 1, 2 ..., n } to the mapping of=p, i.e. a line of matrix M is mapped to an attribute;Finally, interim ciphertext it is exported, it=(s, key,C0,{Cj,1,Cj,2,Cj,3}j∈[P])。
Wherein, s indicates the random number selected from=p, C0, Cj,1, Cj,2And Cj,3Indicate the ciphertext of the interim ciphertext it of composition Grouping, zj, xj, tjIndicate 3 random numbers selected from=p for the jth row of M.
S12: utilize in system common parameter for the complete certificate parameter of verify data, interim ciphertext, clear data and Access structure generates outsourcing ciphertext.
Specifically, using the complete certificate parameter of verify data, interim ciphertext, clear data is used in system common parameter And access structure, generate the process of outsourcing ciphertext, comprising: obtain system common parameter pp, interim ciphertext it, clear data msg With access structure (M, ρ);Firstly, transmission terminal randomly chooses key seed ck, ck ∈ G in dataT, calculate symmetric key sk, sk =H'(ck), data ciphertext ct ' is generated using sk encryption msg, calculates verifying token Token, Token=H1(H0(ck)|| ct′);Then, y is randomly choosed from=p2To ynA random number, y2,…,yn∈=p generates a n-dimensional vectorForIt calculatesIt calculates C=cke (g, g)αs、Cj,4=z 'j-zjmod P and CJ, 5=tj(xj-ρ(j))modp;Finally, output outsourcing ciphertext ct=((M, ρ), ct ', C, C0,{Cj,1,Cj,2,Cj,3,Cj,4, Cj,5}j∈[l], Token), wherein C, Cj,4And Cj,5It is the ciphertext block for forming outsourcing ciphertext ct.
Wherein, access structure is data owner's sets itself, and owner's property set, access knot are preserved in access structure Structure limits the data for only having attribute to meet owner's property set in access structure for limiting the object that outsourcing ciphertext is faced User can access the clear data in outsourcing ciphertext.
S13: outsourcing ciphertext is sent to Cloud Server, so that Cloud Server carries out outsourcing decryption to outsourcing ciphertext.
Specifically, completing the upper of encryption data by outsourcing ciphertext after line encrypts, can be exported to Cloud Server It passes, so that subsequent Cloud Server carries out outsourcing decryption to outsourcing ciphertext.
As it can be seen that the embodiment of the present invention advances with system common parameter in the case where data upload terminal energy sources abundance In for the encryption parameter of encryption generate interim ciphertext, will consume energy in ciphering process excessive is added using system common parameter Close partial routine is pre-processed in advance, even if in this way when in the insufficient situation of the energy, reducing encryption data Calculation amount and energy-output ratio can directly utilize interim ciphertext, certificate parameter, clear data and access structure, generate outsourcing Ciphertext shortens encryption times, reduces calculation amount and energy consumption.
Correspondingly, the embodiment of the invention also discloses a kind of cloud storage decryption method, it is shown in Figure 2, it is applied to cloud and takes Business device, this method comprises:
S21: the decruption key that data using terminal is sent is received;
S22: the outsourcing ciphertext that transmission terminal is sent in data is received, outsourcing ciphertext includes visit corresponding with owner's property set Ask structure and interim ciphertext;
S23: judge whether decruption key and the access structure in outsourcing ciphertext are corresponding.
Specifically, decruption key is the system common parameter issued in advance using attribute authority, system master key, cloud The key that the user attributes collection that server public key, the public key of data consumer and data consumer possess generates, therefore, decryption It include the user attributes collection that data consumer possesses in key, the access structure in outsourcing ciphertext includes gathering around for data owner The person's of having property set, so whether having the number in access structure by comparing the attribute that the user attributes in decruption key are concentrated According to occurring in owner's property set of owner, it can judge whether decruption key can be decrypted outsourcing ciphertext.
Wherein, Cloud Server public key is to be generated using system common parameter, input system common parameter pp, is utilized CSetup algorithm randomly chooses yc∈Zp;Then Cloud Server public key is disclosedIt can also be arranged together simultaneously Cloud Server private key skc=yc
S24: if corresponding, utilizing the encryption parameter in decruption key and system common parameter for encryption, close to outsourcing Text is decrypted, and obtains conversion ciphertext.
Specifically, if user attributes in owner's property set and decruption key in access structure in outsourcing ciphertext There are identical attributes for collection, then determine that decruption key has the right to decrypt outsourcing ciphertext, then utilize decruption key and the public ginseng of system Encryption parameter in number for encryption, is decrypted outsourcing ciphertext, obtains conversion ciphertext.
Specifically, the process of outsourcing decryption, comprising: input system common parameter pp, decruption key tkSWith outsourcing ciphertext Ct, first, it is determined that whether the user attributes collection S of decruption key meets access structure (M, ρ), if satisfied, then enabling I={ i: ρ (i) ∈ S }, calculation constant ωi∈ZpSo that ∑i∈Iωiz′i=s;Then, it calculates Finally, output conversion ciphertext tc=(ct ', C, C ', Token);Wherein, C ' expression group At a ciphertext block of conversion ciphertext.
S25: conversion ciphertext is sent to data using terminal;
S26: if it is not, then terminating decryption.
Specifically, if user attributes in owner's property set and decruption key in access structure in outsourcing ciphertext Identical attribute is not present in collection, then proves that decruption key haves no right that outsourcing ciphertext is decrypted.
S27: sending permission deficiency prompt information to data using terminal.
It is understood that can improve and use with sending permission deficiency prompt information to data using terminal if terminating decryption Family experience terminates decryption so that data consumer learns oneself insufficient permission.
As it can be seen that Cloud Server of the embodiment of the present invention, which receives data using terminal, sends decruption key, data owner is received The outsourcing ciphertext of upload judges that being judged whether decruption key has permission using property set decrypts outsourcing ciphertext, if so, then utilizing Script is transferred to Cloud Server in the decrypting process part of data using terminal, improved by decryption key decryption outsourcing ciphertext Speed is decrypted, the performance and horsepower requirements to data using terminal are reduced.
Correspondingly, the embodiment of the invention also discloses a kind of cloud storage decryption verification method, it is shown in Figure 3, it is applied to Data using terminal, this method comprises:
S31: making for system common parameter, system master key, Cloud Server public key, client public key and data consumer is utilized User's property set generates and sends decruption key to Cloud Server.
Specifically, system common parameter and system master key are that attribute authority is pre-generated and issued, cloud service Device public key is that Cloud Server is pre-generated and issued, and client public key is to be pre-generated using system common parameter.
Specifically, the generating process of decruption key includes: input system common parameter pp, system master key msk, cloud service Device public key ppc, client public key ppuWith correspond to data consumer user attributes collection S, firstly, random selection k index {ri}i∈[k]∈Zp, wherein k is the attribute number in user property collection S, [k]={ 1,2 ..., k }, { ri}i∈[k]∈ZpIndicate k A index { r1,r2,…,rkIt is to be chosen from=p, i ∈ [k] indicates that the value range of i is 1 to k, in addition random choosing Select 2 indexes β, r;Then, it calculates AiIndicate ith attribute;Finally, output decruption key sk associated with user attributes collection SS=(S, K0,K1,K2,{Ki,3, Ki,4}i∈[k]), wherein K0、K1、K2、Ki,3、Ki,4Indicate composition decruption key skSKey grouping.
Wherein, input system common parameter pp.Firstly, USetup algorithm randomly chooses zu∈Zp;Then public data uses The client public key of personAnd private key for user sk is setu=zu
S32: receiving the conversion ciphertext that Cloud Server is sent, and conversion ciphertext is to carry out outsourcing to outsourcing ciphertext to decrypt to obtain 's;
S33: utilizing data consumer's private key, to conversion ciphertext decryption, obtains the key seed in conversion ciphertext.
Specifically, due to the output that outsourcing decrypting process is converted there may be decryption error or maliciously, for this reason, it may be necessary to right Conversion ciphertext is verified, to ensure to convert the accuracy of ciphertext decryption.
Specifically, utilizing encapsulation key key and data consumer's private key sk in conversion ciphertext tcu=zu, computation key kind Son
Wherein, data consumer's private key advances with system common parameter and obtains.
S34: it utilizes in key seed and system common parameter for the complete certificate parameter of verify data, verifies cloud service Whether the outsourcing decryption of device is correct.
Specifically, verifying equation H using key seed and certificate parameter1(H0(ck) | | ct ') whether=Token true.
S35: if correct, conversion ciphertext is decrypted using key seed, obtains symmetric key.
Specifically, utilizing key seed if correct, calculating symmetric key sk=H'(ck).
S36: conversion ciphertext is decrypted using symmetric key, obtains clear data.
Specifically, decrypting conversion ciphertext decryption ct ' using symmetric key sk obtains clear data msg.
S37: if incorrect, decryption is terminated.
Specifically, terminating also exportable prompt information after decryption, user's checking failure is prompted.
As it can be seen that the embodiment of the present invention completely verifies ginseng for verify data using system common parameter in conversion ciphertext Whether number, data consumer's private key and public key, verifying conversion ciphertext decrypt correctly, it is ensured that the accuracy of clear data.
In addition, the embodiment of the invention also discloses a kind of cloud storage encryption system, it is shown in Figure 4, it is applied in data Transmission terminal, the system include:
Interim ciphertext generation module 11 faces for advancing with the encryption parameter generation in system common parameter for encryption Shi Miwen;
Outsourcing ciphertext generation module 12, for utilize in system common parameter be used for the complete certificate parameter of verify data, Interim ciphertext, clear data and access structure, generate outsourcing ciphertext;
Outsourcing ciphertext sending module 13, for sending outsourcing ciphertext to Cloud Server, so that Cloud Server is to outsourcing ciphertext Carry out outsourcing decryption;
Wherein, system common parameter is the parameter generated according to security parameter that attribute authority is issued in advance.
Specifically, outsourcing ciphertext generation module 12, be specifically used for using Hash verifying functions double in system common parameter and Cipher key-extraction function, interim ciphertext, clear data and access structure generate outsourcing ciphertext.
Specifically, interim ciphertext generation module 11, utilizes group's generator algorithm specifically for utilizing in system common parameter The parameter of obtained group and bilinear map generate interim ciphertext.
In addition, the embodiment of the invention also discloses a kind of cloud storage decryption system, it is shown in Figure 5, it is applied to cloud service Device, the system include:
Decruption key receiving module 21, the decruption key that using terminal is sent for receiving data;
Outsourcing ciphertext receiving module 22, the outsourcing ciphertext that upper transmission terminal is sent for receiving data, outsourcing ciphertext include with The corresponding access structure of owner's property set and interim ciphertext;
Decrypted rights judgment module 23, for judging whether decruption key and the access structure in outsourcing ciphertext are corresponding;
Outsourcing deciphering module 24, if determining the access in decruption key and outsourcing ciphertext for decrypted rights judgment module 23 Structure is corresponding, then utilizes the encryption parameter in decruption key and system common parameter for encryption, outsourcing ciphertext is decrypted, Obtain conversion ciphertext;
Ciphertext sending module 25 is converted, for sending conversion ciphertext to data using terminal;
Decryption terminates module 26, if determining the access in decruption key and outsourcing ciphertext for decrypted rights judgment module 23 Structure does not correspond to, then terminates decryption;
Wherein, owner's property set is the property set that data owner possesses, and decruption key is that attribute authority is preparatory That issues is gathered around using system common parameter, system master key, Cloud Server public key, the public key of data consumer and data consumer The key that some user attributes collection generate.
It further include prompt information sending module 27, for sending permission deficiency prompt information to data using terminal.
In addition, the embodiment of the invention also discloses a kind of cloud storage decryption verification system, it is shown in Figure 6, it is applied to number According to using terminal, which includes:
Decruption key sending module 31, for utilizing system common parameter, system master key, Cloud Server public key, user The user attributes collection of public key and data consumer, generates and sends decruption key to Cloud Server;
Ciphertext receiving module 32 is converted, for receiving the conversion ciphertext of Cloud Server transmission, conversion ciphertext is close to outsourcing Text carries out what outsourcing was decrypted;
Ciphertext deciphering module 33 is converted, for utilizing data consumer's private key, to conversion ciphertext decryption, obtains conversion ciphertext In key seed;
Cryptogram validation module 34 is converted, it is complete for verify data in key seed and system common parameter for utilizing Whether certificate parameter, the outsourcing decryption for verifying Cloud Server are correct;
Symmetric key decryption module 35, if determining the outsourcing decryption verification of 34 Cloud Servers for converting cryptogram validation module Correctly, then conversion ciphertext is decrypted using key seed, obtains symmetric key;
Clear data deciphering module 36 obtains clear data for decrypting using symmetric key to conversion ciphertext;
Decryption terminates module 37, if the outsourcing decryption verification for convert the judgement Cloud Server of cryptogram validation module 34 is not just Really, then decryption is terminated.
Specifically, conversion cryptogram validation module 34, is specifically used for verifying equation H using key seed and certificate parameter1(H0 (ck) | | ct ') whether=Token true.
Finally, it is to be noted that, herein, relational terms such as first and second and the like be used merely to by One entity or operation are distinguished with another entity or operation, without necessarily requiring or implying these entities or operation Between there are any actual relationship or orders.Moreover, the terms "include", "comprise" or its any other variant meaning Covering non-exclusive inclusion, so that the process, method, article or equipment for including a series of elements not only includes that A little elements, but also including other elements that are not explicitly listed, or further include for this process, method, article or The intrinsic element of equipment.In the absence of more restrictions, the element limited by sentence "including a ...", is not arranged Except there is also other identical elements in the process, method, article or apparatus that includes the element.
Professional further appreciates that, unit described in conjunction with the examples disclosed in the embodiments of the present disclosure And algorithm steps, can be realized with electronic hardware, computer software, or a combination of the two, in order to clearly demonstrate hardware and The interchangeability of software generally describes each exemplary composition and step according to function in the above description.These Function is implemented in hardware or software actually, the specific application and design constraint depending on technical solution.Profession Technical staff can use different methods to achieve the described function each specific application, but this realization is not answered Think beyond the scope of this invention.
Technology contents provided by the present invention are described in detail above, specific case used herein is to this hair Bright principle and embodiment is expounded, method of the invention that the above embodiments are only used to help understand and its Core concept;At the same time, for those skilled in the art, according to the thought of the present invention, in specific embodiment and application There will be changes in range, in conclusion the contents of this specification are not to be construed as limiting the invention.

Claims (10)

1. a kind of cloud storage encryption method, which is characterized in that be applied to transmission terminal in data, comprising:
It advances with the encryption parameter in system common parameter for encryption and generates interim ciphertext;
Using in the system common parameter be used for the complete certificate parameter of verify data, the interim ciphertext, clear data and Access structure generates outsourcing ciphertext;
The outsourcing ciphertext is sent to Cloud Server, so that the Cloud Server carries out outsourcing decryption to the outsourcing ciphertext;
Wherein, the system common parameter is the parameter generated according to security parameter that attribute authority is issued in advance.
2. cloud storage encryption method according to claim 1, which is characterized in that described utilize in system common parameter is used for The complete certificate parameter of verify data, interim ciphertext, clear data and access structure generate the process of outsourcing ciphertext, comprising:
Utilize Hash verifying functions double in the system common parameter and cipher key-extraction function, interim ciphertext, clear data and visit It asks structure, generates outsourcing ciphertext.
3. cloud storage encryption method according to claim 1 or 2, which is characterized in that the generating process of the interim ciphertext, Include:
Using the parameter of the group and bilinear map obtained in the system common parameter using group's generator algorithm, described in generation Interim ciphertext.
4. a kind of cloud storage decryption method, which is characterized in that be applied to Cloud Server, comprising:
Receive the decruption key that data using terminal is sent;
The outsourcing ciphertext that transmission terminal is sent in data is received, the outsourcing ciphertext includes access knot corresponding with owner's property set Structure and interim ciphertext;
Judge whether the decruption key and the access structure in the outsourcing ciphertext are corresponding;
If corresponding, utilize the encryption parameter in decruption key and system common parameter for encrypting, to the outsourcing ciphertext into Row decryption obtains conversion ciphertext;
The conversion ciphertext is sent to data using terminal;
If it is not, then terminating decryption;
Wherein, owner's property set is the property set that data owner possesses, and the decruption key is attribute authority That issues in advance utilizes the system common parameter, system master key, Cloud Server public key, the public key of data consumer and described The key that the user attributes collection that data consumer possesses generates.
5. cloud storage decryption method according to claim 4, which is characterized in that after the termination decryption, further includes:
Sending permission deficiency prompt information is to the data using terminal.
6. a kind of cloud storage decryption verification method, which is characterized in that be applied to data using terminal, comprising:
Using system common parameter, system master key, Cloud Server public key, client public key and data consumer user attributes Collection, generates and sends decruption key to Cloud Server;
The conversion ciphertext that the Cloud Server is sent is received, the conversion ciphertext is to carry out outsourcing to outsourcing ciphertext to decrypt to obtain 's;
Using data consumer's private key, the conversion ciphertext is decrypted, obtains the key seed in the conversion ciphertext;
Using the complete certificate parameter of verify data is used in the key seed and system common parameter, the cloud service is verified Whether the outsourcing decryption of device is correct;
If correct, the conversion ciphertext is decrypted using the key seed, obtains symmetric key;
The conversion ciphertext is decrypted using the symmetric key, obtains clear data;
If incorrect, decryption is terminated.
7. cloud storage decryption verification method according to claim 6, which is characterized in that it is described using the key seed and The certificate parameter, verify the Cloud Server outsourcing decryption whether correct process, comprising:
Equation H is verified using the key seed and the certificate parameter1(H0(ck) | | ct ') whether=Token true.
8. a kind of cloud storage encryption system, which is characterized in that be applied to transmission terminal in data, comprising:
Interim ciphertext generation module, it is interim close for advancing with the encryption parameter for being used to encrypt in system common parameter generation Text;
Outsourcing ciphertext generation module, for utilizing in the system common parameter for the complete certificate parameter of verify data, institute Interim ciphertext, clear data and access structure are stated, outsourcing ciphertext is generated;
Outsourcing ciphertext sending module, for sending the outsourcing ciphertext to Cloud Server, so that the Cloud Server is to described outer Packet ciphertext carries out outsourcing decryption;
Wherein, the system common parameter is the parameter generated according to security parameter that attribute authority is issued in advance.
9. a kind of cloud storage decryption system, which is characterized in that be applied to Cloud Server, comprising:
Decruption key receiving module, the decruption key that using terminal is sent for receiving data;
Outsourcing ciphertext receiving module, the outsourcing ciphertext that upper transmission terminal is sent for receiving data, the outsourcing ciphertext include and gather around The corresponding access structure of the person's of having property set and interim ciphertext;
Decrypted rights judgment module, for judging whether the decruption key and the access structure in the outsourcing ciphertext are corresponding;
Outsourcing deciphering module, if determining in the decruption key and the outsourcing ciphertext for the decrypted rights judgment module Access structure is corresponding, then the encryption parameter in decruption key and system common parameter for encryption is utilized, to the outsourcing ciphertext It is decrypted, obtains conversion ciphertext;
Ciphertext sending module is converted, for sending the conversion ciphertext to data using terminal;
Decryption terminates module, if determining in the decruption key and the outsourcing ciphertext for the decrypted rights judgment module Access structure does not correspond to, then terminates decryption;
Wherein, owner's property set is the property set that data owner possesses, and the decruption key is attribute authority That issues in advance utilizes the system common parameter, system master key, Cloud Server public key, the public key of data consumer and described The key that the user attributes collection that data consumer possesses generates.
10. a kind of cloud storage decryption verification system, which is characterized in that be applied to data using terminal, comprising:
Decruption key sending module, for using system common parameter, system master key, Cloud Server public key, client public key and The user attributes collection of data consumer, generates and sends decruption key to Cloud Server;
Ciphertext receiving module is converted, the conversion ciphertext sent for receiving the Cloud Server, the conversion ciphertext is to outsourcing Ciphertext carries out what outsourcing was decrypted;
Ciphertext deciphering module is converted, for utilizing data consumer's private key, the conversion ciphertext is decrypted, it is close to obtain the conversion Key seed in text;
Cryptogram validation module is converted, for completely testing using in the key seed and system common parameter for verify data Parameter is demonstrate,proved, whether the outsourcing decryption for verifying the Cloud Server is correct;
Symmetric key decryption module, if determining the outsourcing decryption verification of the Cloud Server for the conversion cryptogram validation module Correctly, then the conversion ciphertext is decrypted using the key seed, obtains symmetric key;
Clear data deciphering module obtains clear data for decrypting using the symmetric key to the conversion ciphertext;
Decryption terminates module, if determining the outsourcing decryption verification of the Cloud Server not just for the conversion cryptogram validation module Really, then decryption is terminated.
CN201910754778.4A 2019-08-15 2019-08-15 A kind of encryption of cloud storage, decryption and verification method and system Pending CN110460604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910754778.4A CN110460604A (en) 2019-08-15 2019-08-15 A kind of encryption of cloud storage, decryption and verification method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910754778.4A CN110460604A (en) 2019-08-15 2019-08-15 A kind of encryption of cloud storage, decryption and verification method and system

Publications (1)

Publication Number Publication Date
CN110460604A true CN110460604A (en) 2019-11-15

Family

ID=68486894

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910754778.4A Pending CN110460604A (en) 2019-08-15 2019-08-15 A kind of encryption of cloud storage, decryption and verification method and system

Country Status (1)

Country Link
CN (1) CN110460604A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106230590A (en) * 2016-07-22 2016-12-14 安徽大学 A kind of ciphertext policy ABE base encryption method of many authorized organizations
CN106487506A (en) * 2016-10-08 2017-03-08 西安电子科技大学 A kind of many mechanisms KP ABE method supporting pre-encrypt and outsourcing deciphering

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106230590A (en) * 2016-07-22 2016-12-14 安徽大学 A kind of ciphertext policy ABE base encryption method of many authorized organizations
CN106487506A (en) * 2016-10-08 2017-03-08 西安电子科技大学 A kind of many mechanisms KP ABE method supporting pre-encrypt and outsourcing deciphering

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
仲红 等: "高效且可验证的多授权机构属性基加密方案", 《软件学报》 *

Similar Documents

Publication Publication Date Title
CN104753917B (en) Key management system and method based on ID
CN101938473B (en) Single-point login system and single-point login method
CN108881314B (en) Privacy protection method and system based on CP-ABE ciphertext under fog computing environment
CN107959566A (en) Quantal data key agreement system and quantal data cryptographic key negotiation method
US20040165728A1 (en) Limiting service provision to group members
CN101771699A (en) Method and system for improving SaaS application security
CN102075544A (en) Encryption system, encryption method and decryption method for local area network shared file
CN107086911A (en) A kind of proxy re-encryption method for entrusting checking of CCA safety
CN105471918B (en) A kind of agency's weight Universal designated verifier signature method
CN107547530A (en) On-line/off-line keyword search methodology and its cloud computing application system based on attribute under mobile cloud environment
CN108513704B (en) Remote distribution method and system of terminal master key
CN105635135A (en) Encryption system based on attribute sets and relational predicates and access control method
CN105656881B (en) A kind of electronic health record can verify that outsourcing storage and retrieval system and method
CN105119719B (en) A kind of key management method of safe storage system
CN107124409A (en) A kind of access authentication method and device
CN101777984B (en) Method and system for secure transaction
CN109347627A (en) Data encryption/decryption method, device, computer equipment and storage medium
CN109831430B (en) Safe, controllable and efficient data sharing method and system under cloud computing environment
CN101325483B (en) Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method
CN110474898A (en) Data encrypting and deciphering and key location mode, device, equipment and readable storage medium storing program for executing
CN106301776B (en) A kind of more authorization center outsourcing attribute base encryption methods and system of keyword search
CN103118351A (en) Generation method and device of rechargeable card data
CN109639677A (en) A kind of cloud storage outsourcing decryption properties base encryption method limiting access times
CN111371561A (en) Alliance block chain data access control method based on CP-ABE algorithm
CN110460604A (en) A kind of encryption of cloud storage, decryption and verification method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination