CN110460604A - Cloud storage encryption, decryption and verification method and system
- Publication number: CN110460604A (application CN201910754778.4A)
- Authority: China (CN)
- Legal status: Granted
Abstract
This application discloses a cloud storage encryption, decryption and verification method and system. The encryption method is applied to a data upload terminal and comprises: generating an interim ciphertext in advance using the encryption parameters that the system common parameters provide for encryption; generating an outsourcing ciphertext using the verification parameter that the system common parameters provide for verifying data integrity, the interim ciphertext, the plaintext data and an access structure; and sending the outsourcing ciphertext to a cloud server. While the data upload terminal has ample energy, the interim ciphertext is generated in advance from the encryption parameters in the system common parameters, so that the part of the encryption process that uses the system common parameters and consumes the most energy is preprocessed ahead of time. Even when energy is scarce, the outsourcing ciphertext can then be generated directly from the interim ciphertext, the verification parameter, the plaintext data and the access structure, which shortens encryption time and reduces the amount of computation and the energy consumed when encrypting data.
Description
Technical field
The present invention relates to the field of ciphertext access control for cloud storage, and in particular to a cloud storage encryption, decryption and verification method and system.
Background
Attribute-based encryption (ABE) is a scalable one-to-many encryption mechanism that lets users encrypt and decrypt data according to user attributes, which makes it well suited to flexible, fine-grained access control over encrypted data stored in the cloud. One of the main drawbacks of traditional ABE schemes is that the cost of the encryption and decryption operations grows with the complexity of the access policy, and the resulting computational overhead is a fatal bottleneck for resource-constrained mobile devices such as mobile phones.
In practice, users may need to encrypt and decrypt on a mobile device, but the computation required by existing encryption and decryption processes consumes more energy than a mobile device can readily bear.
An encryption and decryption method with low energy consumption that is not limited by the hardware device is therefore needed.
Summary of the invention
In view of this, the purpose of the present invention is to provide a cloud storage encryption, decryption and verification method and system with low energy consumption and a small amount of computation. The specific scheme is as follows:
A cloud storage encryption method, applied to a data upload terminal, comprising:
generating an interim ciphertext in advance using the encryption parameters that the system common parameters provide for encryption;
generating an outsourcing ciphertext using the verification parameter that the system common parameters provide for verifying data integrity, the interim ciphertext, plaintext data and an access structure;
sending the outsourcing ciphertext to a cloud server, so that the cloud server performs outsourced decryption on the outsourcing ciphertext;
wherein the system common parameters are parameters that an attribute authority generates from a security parameter and issues in advance.
Optionally, the process of generating the outsourcing ciphertext using the verification parameter that the system common parameters provide for verifying data integrity, the interim ciphertext, the plaintext data and the access structure comprises:
generating the outsourcing ciphertext using the double-hash verification functions and the key extraction function in the system common parameters, the interim ciphertext, the plaintext data and the access structure.
Optionally, the process of generating the interim ciphertext comprises:
generating the interim ciphertext using the parameters of the groups and the bilinear map that the system common parameters obtain from the group generator algorithm.
The invention also discloses a cloud storage decryption method, applied to a cloud server, comprising:
receiving a decryption key sent by a data user terminal;
receiving an outsourcing ciphertext sent by a data upload terminal, the outsourcing ciphertext including an access structure corresponding to an owner attribute set and an interim ciphertext;
judging whether the decryption key corresponds to the access structure in the outsourcing ciphertext;
if it corresponds, decrypting the outsourcing ciphertext using the decryption key and the encryption parameters that the system common parameters provide for encryption, to obtain a conversion ciphertext;
sending the conversion ciphertext to the data user terminal;
if it does not, terminating decryption;
wherein the owner attribute set is the attribute set held by the data owner, and the decryption key is a key generated using the system common parameters issued in advance by the attribute authority, the system master key, the cloud server public key, the data user's public key and the user attribute set held by the data user.
Optionally, after terminating decryption, the method further comprises:
sending an insufficient-permission prompt to the data user terminal.
The invention also discloses a cloud storage decryption verification method, applied to a data user terminal, comprising:
generating a decryption key using the system common parameters, the system master key, the cloud server public key, the user public key and the user attribute set of the data user, and sending it to the cloud server;
receiving a conversion ciphertext sent by the cloud server, the conversion ciphertext being obtained by performing outsourced decryption on an outsourcing ciphertext;
decrypting the conversion ciphertext using the data user's private key to obtain the key seed in the conversion ciphertext;
verifying whether the outsourced decryption by the cloud server is correct, using the key seed and the verification parameter that the system common parameters provide for verifying data integrity;
if correct, decrypting the conversion ciphertext using the key seed to obtain a symmetric key;
decrypting the conversion ciphertext using the symmetric key to obtain the plaintext data;
if incorrect, terminating decryption.
Optionally, the process of verifying whether the outsourced decryption by the cloud server is correct, using the key seed and the verification parameter, comprises:
verifying, using the key seed and the verification parameter, whether the equation $H_1(H_0(ck) \,\|\, ct') = Token$ holds.
The invention also discloses a cloud storage encryption system, applied to a data upload terminal, comprising:
an interim ciphertext generation module, for generating an interim ciphertext in advance using the encryption parameters that the system common parameters provide for encryption;
an outsourcing ciphertext generation module, for generating an outsourcing ciphertext using the verification parameter that the system common parameters provide for verifying data integrity, the interim ciphertext, plaintext data and an access structure;
an outsourcing ciphertext sending module, for sending the outsourcing ciphertext to a cloud server, so that the cloud server performs outsourced decryption on the outsourcing ciphertext;
wherein the system common parameters are parameters that an attribute authority generates from a security parameter and issues in advance.
The invention also discloses a cloud storage decryption system, applied to a cloud server, comprising:
a decryption key receiving module, for receiving the decryption key sent by a data user terminal;
an outsourcing ciphertext receiving module, for receiving the outsourcing ciphertext sent by a data upload terminal, the outsourcing ciphertext including an access structure corresponding to an owner attribute set and an interim ciphertext;
a decryption permission judgment module, for judging whether the decryption key corresponds to the access structure in the outsourcing ciphertext;
an outsourced decryption module, for decrypting the outsourcing ciphertext using the decryption key and the encryption parameters that the system common parameters provide for encryption, to obtain a conversion ciphertext, if the decryption permission judgment module determines that the decryption key corresponds to the access structure in the outsourcing ciphertext;
a conversion ciphertext sending module, for sending the conversion ciphertext to the data user terminal;
a decryption termination module, for terminating decryption if the decryption permission judgment module determines that the decryption key does not correspond to the access structure in the outsourcing ciphertext;
wherein the owner attribute set is the attribute set held by the data owner, and the decryption key is a key generated using the system common parameters issued in advance by the attribute authority, the system master key, the cloud server public key, the data user's public key and the user attribute set held by the data user.
The invention also discloses a cloud storage decryption verification system, applied to a data user terminal, comprising:
a decryption key sending module, for generating a decryption key using the system common parameters, the system master key, the cloud server public key, the user public key and the user attribute set of the data user, and sending it to the cloud server;
a conversion ciphertext receiving module, for receiving the conversion ciphertext sent by the cloud server, the conversion ciphertext being obtained by performing outsourced decryption on an outsourcing ciphertext;
a conversion ciphertext decryption module, for decrypting the conversion ciphertext using the data user's private key to obtain the key seed in the conversion ciphertext;
a conversion ciphertext verification module, for verifying whether the outsourced decryption by the cloud server is correct, using the key seed and the verification parameter that the system common parameters provide for verifying data integrity;
a symmetric key decryption module, for decrypting the conversion ciphertext using the key seed to obtain a symmetric key, if the conversion ciphertext verification module determines that the outsourced decryption by the cloud server is correct;
a plaintext data decryption module, for decrypting the conversion ciphertext using the symmetric key to obtain the plaintext data;
a decryption termination module, for terminating decryption if the conversion ciphertext verification module determines that the outsourced decryption by the cloud server is incorrect.
In the present invention, the cloud storage encryption method is applied to a data upload terminal and comprises: generating an interim ciphertext in advance using the encryption parameters that the system common parameters provide for encryption; generating an outsourcing ciphertext using the verification parameter that the system common parameters provide for verifying data integrity, the interim ciphertext, plaintext data and an access structure; and sending the outsourcing ciphertext to a cloud server, so that the cloud server performs outsourced decryption on the outsourcing ciphertext; wherein the system common parameters are parameters that an attribute authority generates from a security parameter and issues in advance.
While the data upload terminal has ample energy, the present invention generates the interim ciphertext in advance from the encryption parameters in the system common parameters, so that the part of the encryption process that uses the system common parameters and consumes the most energy is preprocessed ahead of time. Even when energy is scarce, the outsourcing ciphertext can then be generated directly from the interim ciphertext, the verification parameter, the plaintext data and the access structure, which shortens encryption time and reduces the amount of computation and the energy consumed when encrypting data.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a cloud storage encryption method disclosed by an embodiment of the present invention;
Fig. 2 is a flow diagram of a cloud storage decryption method disclosed by an embodiment of the present invention;
Fig. 3 is a flow diagram of a cloud storage verification method disclosed by an embodiment of the present invention;
Fig. 4 is a structural diagram of a cloud storage encryption system disclosed by an embodiment of the present invention;
Fig. 5 is a structural diagram of a cloud storage decryption system disclosed by an embodiment of the present invention;
Fig. 6 is a structural diagram of a cloud storage verification system disclosed by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention discloses a cloud storage encryption method, shown in Fig. 1 and applied to a data upload terminal. The method comprises:
S11: generating an interim ciphertext in advance using the encryption parameters that the system common parameters provide for encryption.
Specifically, the system common parameters are generated by the attribute authority from a security parameter. After generating them, the attribute authority issues the system common parameters to the data owner, the cloud server and the data user. The data owner receives and stores the system common parameters through the data upload terminal, so the system common parameters are already saved on the data upload terminal.
Further, the attribute authority generates the system common parameters as follows: it takes the security parameter λ as input; it calls the group generator algorithm to obtain the description D of the groups and the bilinear map, where $G$ denotes the source group and $G_T$ the target group; it sets the system attribute universe $U = \mathbb{Z}_p$, where $\mathbb{Z}_p$ is the finite field $\{0, 1, 2, \ldots, p-1\}$ formed modulo p; it randomly selects $g, h, u, v, w \in G$ and $\alpha \in \mathbb{Z}_p$, where g is a generator of G and h, u, v, w are random elements of G; and it constructs the hash functions $H_0$ and $H_1$ and a secure key extraction function $H'$, where $H_0$ and $H_1$ are the double-hash verification functions, one mapping elements of $G_T$ to fixed-length strings of 0s and 1s and the other mapping arbitrarily long strings of 0s and 1s to fixed-length strings of 0s and 1s. It outputs the system common parameters $pp = (D, g, h, u, v, w, e(g,g)^{\alpha}, H_0, H_1, H')$ and the system master key $msk = \alpha$.
The data upload terminal may be a mobile terminal. Compared with a PC, a mobile terminal has a limited energy supply and computes slowly. If it generates the outsourcing ciphertext directly from the system common parameters, the plaintext data and the access structure while it is not charging, it consumes a large amount of power. Encryption also takes a long time, which lengthens the upload and degrades the user experience. The part of the process that encrypts with the system common parameters is the slow and especially energy-hungry part. For this reason, that part can be carried out in advance, while the mobile terminal is idle or charging, so that later encryption can start from the intermediate result, which shortens encryption time and reduces energy consumption. Specifically, the encryption parameters that the system common parameters provide for encryption are used to generate an interim ciphertext, and the outsourcing ciphertext is then generated from the interim ciphertext, the verification parameter that the system common parameters provide for verifying data integrity, the plaintext data and the access structure, shortening encryption time and reducing energy consumption.
Specifically, the interim ciphertext is generated as follows. First, using the system common parameters pp, the data upload terminal randomly selects $s \in \mathbb{Z}_p$ and computes the encapsulation key $key = e(g,g)^{\alpha s}$ and $C_0 = g^s$. Then, for each row of the access matrix M, it randomly selects $\{z_j, x_j, t_j\}_{j\in[P]} \in \mathbb{Z}_p$ and computes the components $C_{j,1}$, $C_{j,2}$ and $C_{j,3}$. Here the access structure (M, ρ) is an LSSS (linear secret sharing scheme) access structure, where M is an l × n matrix and ρ is a mapping from {1, 2, ..., n} to $\mathbb{Z}_p$, i.e. each row of M is mapped to an attribute. Finally, it outputs the interim ciphertext $it = (s, key, C_0, \{C_{j,1}, C_{j,2}, C_{j,3}\}_{j\in[P]})$.
Here s is the random number selected from $\mathbb{Z}_p$; $C_0$, $C_{j,1}$, $C_{j,2}$ and $C_{j,3}$ are the ciphertext blocks that make up the interim ciphertext it; and $z_j$, $x_j$, $t_j$ are the 3 random numbers selected from $\mathbb{Z}_p$ for the j-th row of M.
S12: generating an outsourcing ciphertext using the verification parameter that the system common parameters provide for verifying data integrity, the interim ciphertext, the plaintext data and the access structure.
Specifically, the outsourcing ciphertext is generated as follows. The inputs are the system common parameters pp, the interim ciphertext it, the plaintext data msg and the access structure (M, ρ). First, the data upload terminal randomly selects a key seed $ck \in G_T$, computes the symmetric key $sk = H'(ck)$, encrypts msg with sk to produce the data ciphertext $ct'$, and computes the verification token $Token = H_1(H_0(ck) \,\|\, ct')$. Then it randomly selects $y_2, \ldots, y_n \in \mathbb{Z}_p$, generates an n-dimensional vector and computes the values $z'_j$, and computes $C = ck \cdot e(g,g)^{\alpha s}$, $C_{j,4} = z'_j - z_j \bmod p$ and $C_{j,5} = t_j(x_j - \rho(j)) \bmod p$. Finally, it outputs the outsourcing ciphertext $ct = ((M, \rho), ct', C, C_0, \{C_{j,1}, C_{j,2}, C_{j,3}, C_{j,4}, C_{j,5}\}_{j\in[l]}, Token)$, where $C$, $C_{j,4}$ and $C_{j,5}$ are ciphertext blocks that make up the outsourcing ciphertext ct.
The access structure is set by the data owner and holds the owner attribute set. It restricts who the outsourcing ciphertext is addressed to: only a data user whose attributes satisfy the owner attribute set in the access structure can access the plaintext data in the outsourcing ciphertext.
S13: sending the outsourcing ciphertext to the cloud server, so that the cloud server performs outsourced decryption on the outsourcing ciphertext.
Specifically, once online encryption has produced the outsourcing ciphertext, it can be output to the cloud server, which completes the upload of the encrypted data so that the cloud server can later perform outsourced decryption on it.
As can be seen, while the data upload terminal has ample energy, this embodiment generates the interim ciphertext in advance from the encryption parameters in the system common parameters, so that the part of the encryption process that uses the system common parameters and consumes the most energy is preprocessed ahead of time. Even when energy is scarce, the outsourcing ciphertext can then be generated directly from the interim ciphertext, the verification parameter, the plaintext data and the access structure, which shortens encryption time and reduces the amount of computation and the energy consumed when encrypting data.
Correspondingly, an embodiment of the present invention also discloses a cloud storage decryption method, shown in Fig. 2 and applied to a cloud server. The method comprises:
S21: receiving the decryption key sent by the data user terminal;
S22: receiving the outsourcing ciphertext sent by the data upload terminal, the outsourcing ciphertext including an access structure corresponding to the owner attribute set and an interim ciphertext;
S23: judging whether the decryption key corresponds to the access structure in the outsourcing ciphertext.
Specifically, the decryption key is a key generated using the system common parameters issued in advance by the attribute authority, the system master key, the cloud server public key, the data user's public key and the user attribute set held by the data user. The decryption key therefore contains the user attribute set held by the data user, and the access structure in the outsourcing ciphertext contains the owner attribute set of the data owner. By checking whether the attributes in the user attribute set of the decryption key appear in the owner attribute set of the data owner in the access structure, the cloud server can judge whether the decryption key is able to decrypt the outsourcing ciphertext.
The cloud server public key is generated from the system common parameters: given the system common parameters pp as input, the CSetup algorithm randomly selects $y_c \in \mathbb{Z}_p$ and then publishes the cloud server public key; at the same time it sets the cloud server private key $sk_c = y_c$.
S24: if it corresponds, decrypting the outsourcing ciphertext using the decryption key and the encryption parameters that the system common parameters provide for encryption, to obtain a conversion ciphertext.
Specifically, if the owner attribute set in the access structure of the outsourcing ciphertext and the user attribute set in the decryption key have identical attributes, the decryption key is determined to have the right to decrypt the outsourcing ciphertext, and the outsourcing ciphertext is decrypted using the decryption key and the encryption parameters that the system common parameters provide for encryption, to obtain the conversion ciphertext.
Specifically, outsourced decryption proceeds as follows. The inputs are the system common parameters pp, the decryption key $tk_S$ and the outsourcing ciphertext ct. First, the cloud server judges whether the user attribute set S of the decryption key satisfies the access structure (M, ρ). If it does, it sets $I = \{i : \rho(i) \in S\}$ and computes constants $\omega_i \in \mathbb{Z}_p$ such that $\sum_{i\in I} \omega_i z'_i = s$. Then it computes $C'$. Finally, it outputs the conversion ciphertext $tc = (ct', C, C', Token)$, where $C'$ is a ciphertext block of the conversion ciphertext.
S25: sending the conversion ciphertext to the data user terminal;
S26: if it does not correspond, terminating decryption.
Specifically, if the owner attribute set in the access structure of the outsourcing ciphertext and the user attribute set in the decryption key have no identical attributes, the decryption key has no right to decrypt the outsourcing ciphertext.
S27: sending an insufficient-permission prompt to the data user terminal.
If decryption is terminated, an insufficient-permission prompt can be sent to the data user terminal so that the data user learns that their permission is insufficient, which improves the user experience.
As can be seen, in this embodiment the cloud server receives the decryption key sent by the data user terminal and the outsourcing ciphertext uploaded by the data owner, and uses the attribute sets to judge whether the decryption key has permission to decrypt the outsourcing ciphertext. If it does, the cloud server decrypts the outsourcing ciphertext with the decryption key. Part of the decryption process that would otherwise run on the data user terminal is thereby moved to the cloud server, which speeds up decryption and lowers the performance and power requirements on the data user terminal.
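The share arithmetic behind steps S12 and S24, as an added Python example that is not part of the patent text: the terminal draws z_j offline, publishes only the corrections C_{j,4} = z'_j - z_j mod p online, and the cloud either finds constants ω_i with Σ ω_i z'_i = s or terminates. The share formula is missing from the page, so the standard LSSS form z'_j = M_j · (s, y_2, ..., y_n) is assumed; the modulus, the policy matrix and all function names are constructed, and the exponents are handled in the clear only to check the algebra (in the scheme they stay inside group elements).

```python
import secrets

P = 2**61 - 1  # constructed prime standing in for the group order p

# Constructed LSSS access structure (M, rho) for the policy "(A AND B) OR C".
M = [[1, 1], [0, P - 1], [1, 0]]   # P - 1 is -1 mod p
RHO = ["A", "B", "C"]              # rho: row index -> attribute

def offline_randomness():
    """Offline phase (S11): one random z_j per row of M, drawn before any data exists."""
    return [secrets.randbelow(P) for _ in M]

def online_corrections(s, z):
    """Online phase (S12): share s over M, then emit C_{j,4} = z'_j - z_j mod p.

    Assumes the standard LSSS share z'_j = M_j . (s, y_2, ..., y_n); only modular
    additions and multiplications are needed, no group exponentiation.
    """
    y = [s] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    shares = [sum(m * v for m, v in zip(row, y)) % P for row in M]
    return [(zp - zj) % P for zp, zj in zip(shares, z)]

def reconstruction_constants(attrs):
    """Return {i: omega_i} with sum(omega_i * M_i) = (1, 0, ..., 0), or None.

    None means the attribute set does not satisfy (M, rho): the S26 branch.
    """
    rows = [i for i, a in enumerate(RHO) if a in attrs]   # I = {i : rho(i) in S}
    n = len(M[0])
    # Augmented system M_I^T * omega = e_1, one equation per matrix column.
    aug = [[M[i][c] % P for i in rows] + [1 if c == 0 else 0] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(rows)):                          # Gauss-Jordan over Z_p
        pr = next((k for k in range(r, n) if aug[k][col]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(a - f * b) % P for a, b in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(not any(row[:-1]) and row[-1] for row in aug):
        return None                                       # e_1 is not in the row span
    omega = {i: 0 for i in rows}                          # free variables set to 0
    for row_idx, col in enumerate(pivots):
        omega[rows[col]] = aug[row_idx][-1]
    return omega

def outsourced_recover(attrs, z, corrections):
    """Cloud side (S24): rebuild z'_i = z_i + C_{i,4} and combine with omega_i."""
    omega = reconstruction_constants(attrs)
    if omega is None:
        return None
    return sum(w * (z[i] + corrections[i]) for i, w in omega.items()) % P

if __name__ == "__main__":
    s = secrets.randbelow(P)
    z = offline_randomness()
    c = online_corrections(s, z)
    print(outsourced_recover({"A", "B"}, z, c) == s, outsourced_recover({"A"}, z, c))
```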
Correspondingly, an embodiment of the present invention also discloses a cloud storage decryption verification method, shown in Fig. 3 and applied to a data user terminal. The method comprises:
S31: generating a decryption key using the system common parameters, the system master key, the cloud server public key, the user public key and the user attribute set of the data user, and sending it to the cloud server.
Specifically, the system common parameters and the system master key are generated and issued in advance by the attribute authority, the cloud server public key is generated and issued in advance by the cloud server, and the user public key is generated in advance from the system common parameters.
Specifically, the decryption key is generated as follows. The inputs are the system common parameters pp, the system master key msk, the cloud server public key $pp_c$, the user public key $pp_u$ and the user attribute set S of the data user. First, k exponents $\{r_i\}_{i\in[k]} \in \mathbb{Z}_p$ are selected at random, where k is the number of attributes in the user attribute set S, $[k] = \{1, 2, \ldots, k\}$, $\{r_i\}_{i\in[k]} \in \mathbb{Z}_p$ means that the k exponents $\{r_1, r_2, \ldots, r_k\}$ are chosen from $\mathbb{Z}_p$, and $i \in [k]$ means that i ranges from 1 to k; in addition, 2 exponents β and r are selected at random. Then the key components are computed, where $A_i$ denotes the i-th attribute. Finally, the decryption key associated with the user attribute set S is output: $sk_S = (S, K_0, K_1, K_2, \{K_{i,3}, K_{i,4}\}_{i\in[k]})$, where $K_0$, $K_1$, $K_2$, $K_{i,3}$ and $K_{i,4}$ are the key blocks that make up the decryption key $sk_S$.
The user key pair is generated from the system common parameters pp as input: first, the USetup algorithm randomly selects $z_u \in \mathbb{Z}_p$; then it publishes the data user's public key and sets the user private key $sk_u = z_u$.
S32: Receive the conversion ciphertext sent by the cloud server; the conversion ciphertext is obtained by performing outsourced decryption on the outsourcing ciphertext.
S33: Decrypt the conversion ciphertext using the data consumer's private key to obtain the key seed in the conversion ciphertext.
Specifically, because the outsourced decryption process may contain decryption errors or maliciously transformed output, the conversion ciphertext needs to be verified to ensure that it is decrypted accurately.
Specifically, using the encapsulated key key in the conversion ciphertext tc and the data consumer's private key sk_u = z_u, compute the key seed.
The data consumer's private key is obtained in advance using the system common parameter.
S34: Using the key seed and the verification parameter in the system common parameter that is used to verify data integrity, verify whether the cloud server's outsourced decryption is correct.
Specifically, use the key seed and the verification parameter to check whether the equation H1(H0(ck) || ct') = Token holds.
S35: If it is correct, decrypt the conversion ciphertext using the key seed to obtain the symmetric key.
Specifically, if it is correct, use the key seed to calculate the symmetric key sk = H'(ck).
S36: Decrypt the conversion ciphertext using the symmetric key to obtain the plaintext data.
Specifically, decrypt the conversion ciphertext ct' using the symmetric key sk to obtain the plaintext data msg.
S37: If it is incorrect, terminate decryption.
Specifically, after decryption is terminated, prompt information may also be output to notify the user that verification failed.
It can be seen that the embodiment of the present invention uses the verification parameter in the system common parameter that is used to verify data integrity, together with the data consumer's private key and public key, to verify whether the conversion ciphertext is decrypted correctly, which ensures the accuracy of the plaintext data.
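The check in S34 to S37 (the same check that cryptogram validation module 34 and claim 7 describe), as an added example that is not part of the patent text: the terminal recomputes H1(H0(ck) || ct') and derives sk = H'(ck) and decrypts only once the value matches Token. SHA-256 under distinct labels for H0, H1 and H', the hash-counter stream cipher standing in for the symmetric cipher, and the uploader-side `owner_encrypt` are assumptions, since the patent does not fix them, and the step that recovers ck from the conversion ciphertext is taken as already done.

```python
import hashlib
import hmac


def _h(label: bytes, data: bytes) -> bytes:
    # Assumption: H0, H1 and H' are modelled as SHA-256 under distinct labels.
    return hashlib.sha256(bytes([len(label)]) + label + data).digest()


def H0(ck: bytes) -> bytes:
    return _h(b"H0", ck)


def H1(data: bytes) -> bytes:
    return _h(b"H1", data)


def H_prime(ck: bytes) -> bytes:
    # Key extraction function H': key seed -> symmetric key sk.
    return _h(b"H'", ck)


def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher (SHA-256 in counter mode), an assumption used
    # only to keep the example standard-library only; use an AEAD in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


class OutsourcedDecryptionError(Exception):
    """Raised when the verification equation does not hold (S37)."""


def owner_encrypt(ck: bytes, msg: bytes) -> tuple[bytes, bytes]:
    # Hypothetical uploader side, mirroring the verification equation:
    # ct' = Enc(H'(ck), msg), Token = H1(H0(ck) || ct').
    ct_prime = stream_xor(H_prime(ck), msg)
    return ct_prime, H1(H0(ck) + ct_prime)


def verify_and_decrypt(ck: bytes, ct_prime: bytes, token: bytes) -> bytes:
    # S34: recompute the commitment from the recovered key seed and ct'.
    expected = H1(H0(ck) + ct_prime)
    # Constant-time comparison; reject before any key is derived (S37).
    if not hmac.compare_digest(expected, token):
        raise OutsourcedDecryptionError("outsourced decryption failed verification")
    sk = H_prime(ck)                  # S35: sk = H'(ck)
    return stream_xor(sk, ct_prime)   # S36: msg = Dec(sk, ct')


def demo() -> dict:
    ck = bytes(range(32))             # constructed key seed
    msg = b"constructed sample record"
    ct_prime, token = owner_encrypt(ck, msg)
    results = {"honest": verify_and_decrypt(ck, ct_prime, token)}
    # A cloud server returning a wrong transformation yields a wrong ck;
    # a modified ct' models tampering in storage or transit.
    cases = {
        "wrong_ck": (bytes(32), ct_prime, token),
        "tampered_ct": (ck, bytes([ct_prime[0] ^ 1]) + ct_prime[1:], token),
    }
    for name, args in cases.items():
        try:
            verify_and_decrypt(*args)
            results[name] = "accepted"
        except OutsourcedDecryptionError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Because H0(ck) has a fixed length, the concatenation with ct' is unambiguous, so a Token match binds the key seed and the symmetric ciphertext together.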
In addition, an embodiment of the present invention also discloses a cloud storage encryption system, shown in Figure 4, applied to a data upload terminal. The system includes:
Interim ciphertext generation module 11, for generating an interim ciphertext in advance using the encryption parameter in the system common parameter that is used for encryption;
Outsourcing ciphertext generation module 12, for generating an outsourcing ciphertext using the verification parameter in the system common parameter that is used to verify data integrity, the interim ciphertext, the plaintext data and the access structure;
Outsourcing ciphertext sending module 13, for sending the outsourcing ciphertext to the cloud server so that the cloud server performs outsourced decryption on the outsourcing ciphertext;
wherein the system common parameter is a parameter generated according to a security parameter and issued in advance by the attribute authority.
Specifically, outsourcing ciphertext generation module 12 is specifically used to generate the outsourcing ciphertext using the double hash verification function and the key extraction function in the system common parameter, the interim ciphertext, the plaintext data and the access structure.
Specifically, interim ciphertext generation module 11 is specifically used to generate the interim ciphertext using the parameters of the group and the bilinear map in the system common parameter that were obtained with the group generator algorithm.
In addition, an embodiment of the present invention also discloses a cloud storage decryption system, shown in Figure 5, applied to a cloud server. The system includes:
Decryption key receiving module 21, for receiving the decryption key sent by the data using terminal;
Outsourcing ciphertext receiving module 22, for receiving the outsourcing ciphertext sent by the data upload terminal, the outsourcing ciphertext including an access structure corresponding to the owner attribute set and an interim ciphertext;
Decryption permission judgment module 23, for judging whether the decryption key corresponds to the access structure in the outsourcing ciphertext;
Outsourcing decryption module 24, for decrypting the outsourcing ciphertext to obtain the conversion ciphertext, using the decryption key and the encryption parameter in the system common parameter that is used for encryption, if decryption permission judgment module 23 determines that the decryption key corresponds to the access structure in the outsourcing ciphertext;
Conversion ciphertext sending module 25, for sending the conversion ciphertext to the data using terminal;
Decryption termination module 26, for terminating decryption if decryption permission judgment module 23 determines that the decryption key does not correspond to the access structure in the outsourcing ciphertext;
wherein the owner attribute set is the attribute set possessed by the data owner, and the decryption key is a key issued in advance by the attribute authority and generated using the system common parameter, the system master key, the cloud server public key, the public key of the data consumer and the user attribute set possessed by the data consumer.
The system further includes prompt information sending module 27, for sending an insufficient-permission prompt to the data using terminal.
In addition, an embodiment of the present invention also discloses a cloud storage decryption verification system, shown in Figure 6, applied to a data using terminal. The system includes:
Decryption key sending module 31, for generating a decryption key using the system common parameter, the system master key, the cloud server public key, the user public key and the user attribute set of the data consumer, and sending it to the cloud server;
Conversion ciphertext receiving module 32, for receiving the conversion ciphertext sent by the cloud server, the conversion ciphertext being obtained by performing outsourced decryption on the outsourcing ciphertext;
Conversion ciphertext decryption module 33, for decrypting the conversion ciphertext using the data consumer's private key to obtain the key seed in the conversion ciphertext;
Conversion ciphertext verification module 34, for verifying whether the cloud server's outsourced decryption is correct, using the key seed and the verification parameter in the system common parameter that is used to verify data integrity;
Symmetric key decryption module 35, for decrypting the conversion ciphertext using the key seed to obtain the symmetric key, if conversion ciphertext verification module 34 determines that the cloud server's outsourced decryption is verified as correct;
Plaintext data decryption module 36, for decrypting the conversion ciphertext using the symmetric key to obtain the plaintext data;
Decryption termination module 37, for terminating decryption if conversion ciphertext verification module 34 determines that the cloud server's outsourced decryption is verified as incorrect.
Specifically, conversion ciphertext verification module 34 is specifically used to check, using the key seed and the verification parameter, whether the equation H1(H0(ck) || ct') = Token holds.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The technical content provided by the present invention has been described in detail above. Specific examples are used herein to explain the principle and embodiments of the invention, and the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, for those skilled in the art, there will be changes in the specific embodiments and scope of application according to the idea of the present invention. In conclusion, the contents of this specification should not be construed as limiting the invention.
Claims (10)
1. A cloud storage encryption method, characterized in that it is applied to a data upload terminal and comprises:
generating an interim ciphertext in advance using the encryption parameter in the system common parameter that is used for encryption;
generating an outsourcing ciphertext using the verification parameter in the system common parameter that is used to verify data integrity, the interim ciphertext, plaintext data and an access structure;
sending the outsourcing ciphertext to a cloud server so that the cloud server performs outsourced decryption on the outsourcing ciphertext;
wherein the system common parameter is a parameter generated according to a security parameter and issued in advance by an attribute authority.
2. The cloud storage encryption method according to claim 1, characterized in that the process of generating the outsourcing ciphertext using the verification parameter in the system common parameter that is used to verify data integrity, the interim ciphertext, the plaintext data and the access structure comprises:
generating the outsourcing ciphertext using the double hash verification function and the key extraction function in the system common parameter, the interim ciphertext, the plaintext data and the access structure.
3. The cloud storage encryption method according to claim 1 or 2, characterized in that the process of generating the interim ciphertext comprises:
generating the interim ciphertext using the parameters of the group and the bilinear map in the system common parameter that were obtained with the group generator algorithm.
4. A cloud storage decryption method, characterized in that it is applied to a cloud server and comprises:
receiving the decryption key sent by a data using terminal;
receiving the outsourcing ciphertext sent by a data upload terminal, the outsourcing ciphertext including an access structure corresponding to an owner attribute set and an interim ciphertext;
judging whether the decryption key corresponds to the access structure in the outsourcing ciphertext;
if so, decrypting the outsourcing ciphertext using the decryption key and the encryption parameter in the system common parameter that is used for encryption, to obtain a conversion ciphertext;
sending the conversion ciphertext to the data using terminal;
if not, terminating decryption;
wherein the owner attribute set is the attribute set possessed by the data owner, and the decryption key is a key issued in advance by an attribute authority and generated using the system common parameter, the system master key, the cloud server public key, the public key of the data consumer and the user attribute set possessed by the data consumer.
5. The cloud storage decryption method according to claim 4, characterized in that, after terminating decryption, the method further comprises:
sending an insufficient-permission prompt to the data using terminal.
6. A cloud storage decryption verification method, characterized in that it is applied to a data using terminal and comprises:
generating a decryption key using the system common parameter, the system master key, the cloud server public key, the user public key and the user attribute set of the data consumer, and sending it to a cloud server;
receiving the conversion ciphertext sent by the cloud server, the conversion ciphertext being obtained by performing outsourced decryption on an outsourcing ciphertext;
decrypting the conversion ciphertext using the data consumer's private key to obtain the key seed in the conversion ciphertext;
verifying whether the cloud server's outsourced decryption is correct, using the key seed and the verification parameter in the system common parameter that is used to verify data integrity;
if it is correct, decrypting the conversion ciphertext using the key seed to obtain a symmetric key;
decrypting the conversion ciphertext using the symmetric key to obtain plaintext data;
if it is incorrect, terminating decryption.
7. The cloud storage decryption verification method according to claim 6, characterized in that the process of verifying whether the cloud server's outsourced decryption is correct using the key seed and the verification parameter comprises:
checking, using the key seed and the verification parameter, whether the equation H1(H0(ck) || ct') = Token holds.
8. A cloud storage encryption system, characterized in that it is applied to a data upload terminal and comprises:
an interim ciphertext generation module, for generating an interim ciphertext in advance using the encryption parameter in the system common parameter that is used for encryption;
an outsourcing ciphertext generation module, for generating an outsourcing ciphertext using the verification parameter in the system common parameter that is used to verify data integrity, the interim ciphertext, plaintext data and an access structure;
an outsourcing ciphertext sending module, for sending the outsourcing ciphertext to a cloud server so that the cloud server performs outsourced decryption on the outsourcing ciphertext;
wherein the system common parameter is a parameter generated according to a security parameter and issued in advance by an attribute authority.
9. A cloud storage decryption system, characterized in that it is applied to a cloud server and comprises:
a decryption key receiving module, for receiving the decryption key sent by a data using terminal;
an outsourcing ciphertext receiving module, for receiving the outsourcing ciphertext sent by a data upload terminal, the outsourcing ciphertext including an access structure corresponding to an owner attribute set and an interim ciphertext;
a decryption permission judgment module, for judging whether the decryption key corresponds to the access structure in the outsourcing ciphertext;
an outsourcing decryption module, for decrypting the outsourcing ciphertext to obtain a conversion ciphertext, using the decryption key and the encryption parameter in the system common parameter that is used for encryption, if the decryption permission judgment module determines that the decryption key corresponds to the access structure in the outsourcing ciphertext;
a conversion ciphertext sending module, for sending the conversion ciphertext to the data using terminal;
a decryption termination module, for terminating decryption if the decryption permission judgment module determines that the decryption key does not correspond to the access structure in the outsourcing ciphertext;
wherein the owner attribute set is the attribute set possessed by the data owner, and the decryption key is a key issued in advance by an attribute authority and generated using the system common parameter, the system master key, the cloud server public key, the public key of the data consumer and the user attribute set possessed by the data consumer.
10. A cloud storage decryption verification system, characterized in that it is applied to a data using terminal and comprises:
a decryption key sending module, for generating a decryption key using the system common parameter, the system master key, the cloud server public key, the user public key and the user attribute set of the data consumer, and sending it to a cloud server;
a conversion ciphertext receiving module, for receiving the conversion ciphertext sent by the cloud server, the conversion ciphertext being obtained by performing outsourced decryption on an outsourcing ciphertext;
a conversion ciphertext decryption module, for decrypting the conversion ciphertext using the data consumer's private key to obtain the key seed in the conversion ciphertext;
a conversion ciphertext verification module, for verifying whether the cloud server's outsourced decryption is correct, using the key seed and the verification parameter in the system common parameter that is used to verify data integrity;
a symmetric key decryption module, for decrypting the conversion ciphertext using the key seed to obtain a symmetric key, if the conversion ciphertext verification module determines that the cloud server's outsourced decryption is verified as correct;
a plaintext data decryption module, for decrypting the conversion ciphertext using the symmetric key to obtain plaintext data;
a decryption termination module, for terminating decryption if the conversion ciphertext verification module determines that the cloud server's outsourced decryption is verified as incorrect.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910754778.4A CN110460604B (en) | 2019-08-15 | 2019-08-15 | Cloud storage encryption, decryption and verification method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110460604A (en) | 2019-11-15 |
CN110460604B (en) | 2022-05-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |