CN110502918A - Electronic document access control method and system based on graded security encryption

Publication number: CN110502918A
Application number: CN201910614814.7A
Authority: China (CN)
Original language: Chinese (zh)
Legal status: Pending
Inventors: 王秋华, 姚晔, 张祯, 袁理锋, 陈临强
Original and current assignee: Hangzhou Dianzi University
Prior art keywords: electronic document, user, level, key, encryption

Classifications

    • G06F21/6218 - Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/2107 - File encryption

Abstract

The invention discloses an electronic document access control method and system based on graded security encryption. The method first sets the classification level of an electronic document, then distributes a graded key to the document's sender, encrypts the document according to its grade, enforces graded access control, and finally updates the key. The system comprises a user registration/management module, an electronic document classification management module, an electronic document graded encryption module, an electronic document graded decryption module, a key distribution management module, a key computation and recovery module, an electronic document sending/receiving module, and a database module. The invention encrypts electronic documents according to their classification level and decrypts and controls access to them according to the user's security level, which achieves multi-level security for electronic documents and effectively protects them. Graded access control of electronic documents is realized through graded encryption and graded decryption.

Description

Electronic document access control method and system based on graded security encryption
Technical field
The invention belongs to the field of electronic document security management, and specifically relates to an electronic document access control method and system based on graded security encryption.
Background
With the deepening of office automation, more and more information in government departments at all levels, Party and government organs, national defense and military bodies, and enterprises and public institutions exists in the form of electronic documents, so the security and sharing of electronic documents receive more and more attention. Electronic documents that involve state secrets or trade secrets in particular, once leaked, seriously affect national security and the interests and development of enterprises.
Electronic documents are generally given graded security protection according to the degree of damage to security and interests that their leakage would cause. For trade secrets, electronic documents can be divided into four grades: core trade secret, important trade secret, general trade secret, and public. For state secrets, electronic documents are generally divided into five levels: top secret, secret, confidential, internal, and public. Likewise, the users of these electronic documents need to be divided into levels according to what they need to know for their work; for example, user security levels can be divided into core classified-information personnel, important classified-information personnel, general classified-information personnel, and personnel without access to classified information. However, current techniques for controlling access to electronic documents neither effectively solve the problem of safe use of electronic documents with respect to user security levels, nor solve, from a cryptographic standpoint, the access control problem of applying graded encryption and multi-level authentication to electronic documents, so unauthorized access to electronic documents by users cannot be effectively prevented. Moreover, many organizations currently store their electronic documents mainly in plaintext in the organization's server database without encrypting them, which easily leads to leakage of sensitive information.
Summary of the invention
The purpose of the invention is to address the security and sharing problems of current electronic documents by proposing an electronic document access control method and system based on graded security encryption, which applies graded encryption to electronic documents, ensures that users of different security levels can access the electronic documents they need, and effectively prevents leakage of important electronic document information.
An electronic document access control method based on graded security encryption realizes graded access control of electronic documents. Specifically, it encrypts each electronic document according to its classification level and controls each user's access to electronic documents according to the user's security level.
Every user in the system is registered with a unique identity ID, and every user is assigned a security level. $G_i$ denotes the set of all users whose security level is $C_i$, $n_i$ denotes the number of users whose security level is $C_i$, and $U_{i,m}$ is the $m$-th user in the set of users of security level $C_i$, $m \in \{1, 2, \ldots, n_i\}$. Each user $U_{i,m}$ obtains a unique secret value $s_{i,m}$ over a secure channel, which serves as the user's individual private key. The secure channel is an encrypted channel or a physical line.
The access control method specifically comprises:
Step 1. Set the classification level of the electronic document:
Every electronic document has a unique electronic document ID. When an electronic document sender $U_{i,a}$ of security level $C_i$ needs to send electronic document $j$, the classification level $F_t$ of the document is first set at the client, and the electronic document ID and the classification level $F_t$ are sent to the server. The classification level of the electronic document is the secrecy grade that the sender $U_{i,a}$ sets for the document according to the applicable classification basis.
Preferably, for application scenarios involving state secrets, $t \in \{1, 2, 3, 4, 5\}$, and $F_1$, $F_2$, $F_3$, $F_4$, $F_5$ denote the classification levels public, internal, confidential, secret, and top secret respectively; for application scenarios involving trade secrets, $t \in \{1, 2, 3, 4\}$, and $F_1$, $F_2$, $F_3$, $F_4$ denote the classification levels public, general trade secret, important trade secret, and core trade secret respectively.
The classification level that a user can set for an electronic document is equal to or lower than the user's security level, i.e. $t \le i$. For example, a user of security level $C_2$ can set the classification level of an electronic document to $F_1$ or $F_2$, but cannot set it to $F_3$, $F_4$ or $F_5$.
Step 2. Distribute the graded key $K_t$ to the electronic document sender:
(1) The server uses the individual private keys of the users in the set $G_i$ to construct an access polynomial $\Lambda_i(x)$, where $VID_i$ is a virtual identifier whose value differs from the individual private keys of all users and which is chosen at random for each electronic document $j$ and each $\Lambda_i(x)$. For a user $U_{i,m}$ of level $C_i$, $\Lambda_i(s_{i,m}) = 1$; for a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value. The purpose of the virtual identifier $VID_j$ is to make every $\Lambda_i(x)$ different even when it contains the individual private keys of the same users.
(2) Compute the key distribution polynomial:
If the classification level of the electronic document equals the user's security level, $t = i$, the key distribution polynomial of the graded key $K_t$ is $\Phi_i(x) = \Lambda_i(x) \cdot K_t$;
If the classification level of the electronic document is lower than the user's security level, $t < i$, the key distribution polynomial of the graded key $K_t$ is $\Phi_i(x) = \Lambda_i(x) \cdot K_i \cup E_{K_i}(K_t)$, where $E_K(\cdot)$ denotes an asymmetric encryption function;
(3) The key distribution polynomial $\Phi_i(x)$ is sent to the client, and the client computes $\Phi_i(s_{i,a})$ from the received key distribution polynomial $\Phi_i(x)$ and the individual private key $s_{i,a}$ of user $U_{i,a}$ to recover the graded encryption key $K_t$ of electronic document $j$. Specifically:
If the classification level of the electronic document equals the user's security level, $t = i$, then for a legitimate user $U_{i,a}$, $\Lambda_i(s_{i,a}) = 1$, so the graded encryption key can be computed directly as $K_t = \Phi_i(s_{i,a})$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value, so users of other levels obtain only a random value and cannot compute the graded encryption key $K_t$;
If the classification level of the electronic document is lower than the user's security level, $t < i$, then user $U_{i,a}$ first computes the key $K_i = \Phi_i(s_{i,a})$ and then computes $K_t = D_{K_i}(E_{K_i}(K_t))$ to obtain the graded encryption key $K_t$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value, so users of other levels obtain only a random value and cannot compute the graded encryption key $K_t$.
Step 3. Encrypt electronic document $j$ according to its grade:
The electronic document $j$ of classification level $F_t$ is encrypted with the graded key $K_t$ and the encryption algorithm $E_t$, and the ciphertext of electronic document $j$ is sent to the server for storage.
For electronic documents of different classification levels, the encryption algorithms $E_t$ may be the same or different.
The encryption algorithm is a symmetric encryption algorithm such as SM4 or AES; the graded key $K_t$ in the invention is therefore both the encryption key and the decryption key of the electronic document.
The graded key $K_t$ is used to encrypt and decrypt electronic documents of classification level $F_t$.
The graded key is distributed to users of security level $C_t$.
Step 4. Graded access control:
When a user $U_{i,b}$ of security level $C_i$ requests access to an electronic document $j$ of classification level $F_t$, the server checks the security level of user $U_{i,b}$: if the security level is lower than the classification level of electronic document $j$, the access request is refused; if the security level of user $U_{i,b}$ is greater than or equal to the classification level of electronic document $j$, the ciphertext of electronic document $j$ and the graded key $K_t$ are distributed to user $U_{i,b}$.
The specific method of distributing the graded key $K_t$ to the electronic document accessor $U_{i,b}$ is:
(1) The server sends the graded key distribution polynomial $\Phi_i(x)$ to the client:
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, the graded key distribution polynomial sent to the client is $\Phi_i(x) = \Lambda_i(x) \cdot K_t$;
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, the graded key distribution polynomial sent to the client is
(2) The client computes and recovers the graded decryption key $K_t$ of electronic document $j$ from the received key distribution polynomial $\Phi_i(x)$ and the individual private key $s_{i,b}$ of user $U_{i,b}$. Specifically:
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, user $U_{i,b}$ directly computes the graded decryption key $K_t = \Phi_i(s_{i,b})$;
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, user $U_{i,b}$ first computes the key $K_i = \Phi_i(s_{i,b})$ and then computes the graded decryption key $K_t$.
Then user $U_{i,b}$ decrypts electronic document $j$ with the graded key $K_t$ and the decryption algorithm $D_t$ to recover the plaintext, and can read and view electronic document $j$.
The decryption algorithm $D_t$ corresponds to the encryption algorithm $E_t$: if the electronic document was encrypted with encryption algorithm $E_t$, it is decrypted with decryption algorithm $D_t$.
The user's security level must be greater than or equal to the classification level of the electronic documents the user can access, i.e. $i \ge t$. For example, a user of security level $C_2$ can only access electronic documents of classification level $F_1$ and $F_2$, and cannot access electronic documents of classification level $F_3$, $F_4$ or $F_5$.
Step 5. Key update:
If a new user of level $C_i$ needs to be added to the system, only a new graded key distribution polynomial needs to be generated from the user set $G_i$. If a user of level $C_i$ is deleted, the encryption key of the electronic document, the key distribution polynomial and the ciphertext of the electronic document must be updated, to prevent that user from continuing to access electronic document $j$. Specifically:
(1) Randomly select a new graded key $K_t'$ for the electronic document $j$ of classification level $F_t$;
(2) Compute the new graded key distribution polynomial:
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, the new graded key distribution polynomial is $\Phi_i'(x) = \Lambda_i'(x) \cdot K_t'$;
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, the new graded key distribution polynomial is
(3) Send the graded key distribution polynomial $\Phi_i'(x)$ to the client;
(4) Encrypt electronic document $j$ with the new graded encryption key $K_t'$ and store it.
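The key distribution, recovery and revocation of steps 2, 4 and 5 above, as an added Python example that is not code from the patent. The page's formula for $\Lambda_i(x)$ did not survive, so the example assumes $\Lambda_i(x) = r\,(x - VID)\prod_m (x - s_{i,m}) + 1$ over a prime field with a random blinding factor $r$, one construction that gives $\Lambda_i(s) = 1$ for every member secret; the field modulus, the SHA-256 XOR pad standing in for $E_K$/$D_K$, the per-level key table and all function names are likewise assumptions.

```python
import hashlib
import secrets

# Assumptions of this added example (not taken from the patent text):
# arithmetic in GF(P); Lambda(x) = r*(x - VID)*prod(x - s_m) + 1, which gives
# Lambda(s) = 1 for every member secret s; one graded key per level.
P = 2**521 - 1            # Mersenne prime, large enough for 256-bit keys
KEY_BYTES = 32
FIELD_BYTES = 66          # 521 bits rounded up to whole bytes


def new_secret():
    """Individual private key s_{i,m}: a random field element."""
    return secrets.randbelow(P)


def new_key():
    """Graded key K_t: random bytes for a symmetric cipher such as AES or SM4."""
    return secrets.token_bytes(KEY_BYTES)


def times_linear(coeffs, root):
    """Multiply a polynomial (low-order coefficient first) by (x - root)."""
    out = [0] * (len(coeffs) + 1)
    for k, c in enumerate(coeffs):
        out[k] = (out[k] - root * c) % P
        out[k + 1] = (out[k + 1] + c) % P
    return out


def access_poly(member_secrets):
    """Build Lambda_i(x) with a fresh VID and blinding factor on every call."""
    vid = secrets.randbelow(P)
    while vid in member_secrets:              # VID must differ from every s_{i,m}
        vid = secrets.randbelow(P)
    coeffs = [1 + secrets.randbelow(P - 1)]   # nonzero blinding factor r
    for root in [vid, *member_secrets]:
        coeffs = times_linear(coeffs, root)
    coeffs[0] = (coeffs[0] + 1) % P           # the "+ 1" term
    return coeffs


def evaluate(coeffs, x):
    """Horner evaluation of the polynomial at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def xor_wrap(key_int, data):
    """Stand-in for E_K and D_K: XOR with a SHA-256 pad (self-inverse)."""
    pad = hashlib.sha256(b"wrap" + key_int.to_bytes(FIELD_BYTES, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def distribute(groups, level_keys, user_level, doc_level):
    """Server: return Phi_i(x) and, when t < i, K_t wrapped under K_i."""
    if doc_level > user_level:                # step 4 check: access needs i >= t
        raise PermissionError("user level is below the document level")
    k_i = int.from_bytes(level_keys[user_level], "big")
    phi = [(c * k_i) % P for c in access_poly(groups[user_level])]
    if doc_level == user_level:
        return phi, None
    return phi, xor_wrap(k_i, level_keys[doc_level])


def recover(phi, wrapped, secret):
    """Client: K_i = Phi_i(s); if a wrapped key came along, unwrap K_t."""
    k_i = evaluate(phi, secret)
    if wrapped is None:
        return k_i.to_bytes(FIELD_BYTES, "big")[-KEY_BYTES:]
    return xor_wrap(k_i, wrapped)


def revoke(groups, level_keys, level, secret):
    """Step 5: drop the user and rotate every key that user could recover.
    Stored ciphertexts must then be re-encrypted under the new keys
    (not shown here)."""
    groups[level] = [s for s in groups[level] if s != secret]
    for lvl in level_keys:
        if lvl <= level:
            level_keys[lvl] = new_key()


if __name__ == "__main__":
    # Constructed sample data: three levels with three users each.
    groups = {lvl: [new_secret() for _ in range(3)] for lvl in (1, 2, 3)}
    keys = {lvl: new_key() for lvl in (1, 2, 3)}
    phi, wrapped = distribute(groups, keys, user_level=3, doc_level=1)
    print("level-3 member recovers K_1:",
          recover(phi, wrapped, groups[3][0]) == keys[1])
    print("level-2 secret on the same polynomial:",
          recover(phi, wrapped, groups[2][0]) == keys[1])
```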
The invention further provides an electronic document access control system based on graded security encryption, which applies graded encryption to electronic documents and controls access to them according to the user's security level. It comprises a user registration/management module, an electronic document classification management module, an electronic document graded encryption module, an electronic document graded decryption module, a key distribution management module, a key computation and recovery module, an electronic document sending/receiving module, and a database module. The modules work together to form a unified electronic document access control system based on graded security encryption.
The user registration/management module is used for registering and managing system users.
The electronic document classification management module is used for setting the classification level of an electronic document according to the classification basis. The number of classification levels can be set differently according to the actual application environment. Preferably, for state secrets, the classification levels of electronic documents are the five grades top secret, secret, confidential, internal, and public; for trade secrets, the classification levels of electronic documents are the four grades core trade secret, important trade secret, general trade secret, and public.
The electronic document graded encryption module is used for calling the encryption algorithm to encrypt the plaintext of an electronic document with the document's graded encryption key. For electronic documents of different classification levels, the encryption algorithms may be the same or different. Preferably, the encryption algorithm is a symmetric encryption algorithm such as SM4 or AES, so the electronic document encryption key in the invention is also the electronic document decryption key.
The electronic document graded decryption module is used for decrypting the ciphertext of an electronic document with the document's graded decryption key and the decryption algorithm.
The key distribution management module is used for distributing keys of different levels to a user according to the user's security level, so that a user of a low security level cannot obtain a graded key of a higher level, while a user of a high security level can obtain the graded key of the user's own level and the graded decryption keys of lower levels. Higher-level users can thus access lower-level electronic documents, lower-level users cannot access higher-level electronic documents, and graded security control of electronic documents is achieved.
The key computation and recovery module is used for computing the graded key of an electronic document from the received graded key distribution polynomial and the user's individual private key, and sending that key to the electronic document graded encryption module or the electronic document graded decryption module.
The electronic document sending/receiving module is used for sending and receiving electronic document ciphertext.
The database module is used for storing user information, electronic document ciphertext, the classification levels of electronic documents, graded keys, key distribution polynomials, the individual private key of each user, and so on.
The operation of all the above modules is transparent to the user; the user does not need to know the implementation details.
The beneficial effects of the invention are:
(1) The invention establishes an electronic document access control method and system based on graded security encryption, which encrypts electronic documents according to their classification level and decrypts and controls access to them according to the user's security level. Multi-level security of electronic documents is achieved through "encrypt once, decrypt at multiple levels", which solves the security problems in the secure transmission and shared use of electronic documents, in particular the access permission control problem, and protects electronic documents effectively by technical means.
(2) The invention improves the security of electronic documents during storage and use. Graded encryption and graded decryption achieve graded authorization, solve the access control problem for users of different security levels, and realize graded access control of electronic documents. Electronic documents also remain encrypted while they circulate within the application system, which ensures their security in transmission.
Brief description of the drawings
Fig. 1 is a flowchart of graded encryption of an electronic document;
Fig. 2 is a flowchart of graded decryption and access control;
Fig. 3 is a schematic diagram of the structure of the system of the invention.
Detailed description of the embodiments
The implementation of the invention is described in further detail below with reference to the drawings, but the scope of protection of the invention is not limited to what is described below.
Every user in the system is registered with a unique identity ID, and every user is assigned a security level. $G_i$ denotes the set of all users whose security level is $C_i$, $n_i$ denotes the number of users whose security level is $C_i$, and $U_{i,m}$ is the $m$-th user in the set of users of security level $C_i$, $m \in \{1, 2, \ldots, n_i\}$. Each user $U_{i,m}$ obtains a unique secret value $s_{i,m}$ over a secure channel, which serves as the user's individual private key. The secure channel is an encrypted channel or a physical line.
As shown in Fig. 1, the detailed process by which a user $U_{i,a}$ of security level $C_i$ encrypts electronic document $j$ according to its classification level comprises the following steps:
Step a1: User $U_{i,a}$ enters a username and password and logs in to the client.
Step a2: User $U_{i,a}$ creates electronic document $j$, and the client generates a unique electronic document ID for electronic document $j$.
Step a3: User $U_{i,a}$ sets the classification level $F_t$ for electronic document $j$. The classification level of the electronic document is the secrecy grade that user $U_{i,a}$ sets for the document according to the applicable classification basis.
For application scenarios involving state secrets, $t \in \{1, 2, 3, 4, 5\}$, and $F_1$, $F_2$, $F_3$, $F_4$, $F_5$ denote the classification levels public, internal, confidential, secret, and top secret respectively; for application scenarios involving trade secrets, $t \in \{1, 2, 3, 4\}$, and $F_1$, $F_2$, $F_3$, $F_4$ denote the classification levels public, general trade secret, important trade secret, and core trade secret respectively.
The classification level that a user can set for an electronic document is equal to or lower than the user's security level, i.e. $t \le i$. For example, a user of security level $C_2$ can set the classification level of an electronic document to $F_1$ or $F_2$, but cannot set it to $F_3$, $F_4$ or $F_5$.
Step a4: The client sends the electronic document ID and the classification level $F_t$ to the server.
Step a5: The server distributes the graded key $K_t$ to user $U_{i,a}$.
(1) According to the user's security level $C_i$, the server uses the individual private keys of all users in the set $G_i$ to construct an access polynomial $\Lambda_i(x)$, where $VID_i$ is a virtual identifier whose value differs from the individual private keys of all users and which is chosen at random for each electronic document $j$ and each $\Lambda_i(x)$. For a user $U_{i,m}$ of level $C_i$, $U_{i,m} \in G_i$, $\Lambda_i(s_{i,m}) = 1$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value.
(2) Compute the key distribution polynomial.
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, the key distribution polynomial of the graded key $K_t$ is $\Phi_i(x) = \Lambda_i(x) \cdot K_t$.
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, the key distribution polynomial of the graded key $K_t$ is $E_K(\cdot)$ denotes an asymmetric encryption function.
(3) The key distribution polynomial $\Phi_i(x)$ is sent to the client, and the client computes $\Phi_i(s_{i,a})$ from the received key distribution polynomial $\Phi_i(x)$ and the individual private key $s_{i,a}$ of user $U_{i,a}$ to recover the graded encryption key $K_t$ of electronic document $j$. Specifically:
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, then for a legitimate user $U_{i,a}$, $\Lambda_i(s_{i,a}) = 1$, so the graded encryption key can be computed directly as $K_t = \Phi_i(s_{i,a})$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value, so users of other levels obtain only a random value and cannot compute the graded encryption key $K_t$.
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, user $U_{i,a}$ first computes the key $K_i = \Phi_i(s_{i,a})$ and then computes the graded encryption key $K_t$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value, so users of other levels obtain only a random value and cannot compute the graded encryption key $K_t$.
Step a6: The client encrypts electronic document $j$ according to its grade, using the graded key $K_t$ and the encryption algorithm $E_t$ to encrypt the electronic document $j$ of classification level $F_t$.
For electronic documents of different classification levels, the encryption algorithms $E_t$ may be the same or different.
The encryption algorithm is a symmetric encryption algorithm such as SM4 or AES; the graded key $K_t$ is both the encryption key and the decryption key of the electronic document.
The graded key $K_t$ is used to encrypt and decrypt electronic documents of classification level $F_t$.
The graded key $K_t$ is distributed to users of security level $C_t$.
Step a7: The client sends the ciphertext of the encrypted electronic document $j$ to the server, where it is stored in the server database.
As shown in Fig. 2, the control process when a user $U_{i,b}$ of security level $C_i$ requests access to an electronic document $j$ of classification level $F_t$ comprises the following steps:
Step b1: User $U_{i,b}$ enters a username and password and logs in to the client.
Step b2: User $U_{i,b}$ requests access to electronic document $j$, and the client sends the request to the server.
Step b3: The server checks the security level of user $U_{i,b}$. If the security level is lower than the classification level of electronic document $j$, the access request is refused. If the security level of user $U_{i,b}$ is greater than or equal to the classification level of electronic document $j$, the ciphertext of electronic document $j$ and the graded key $K_t$ are distributed to user $U_{i,b}$.
The specific method of distributing the graded key $K_t$ to user $U_{i,b}$ is:
(1) The server sends the graded key distribution polynomial $\Phi_i(x)$ to the client.
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, the graded key distribution polynomial sent to the client is $\Phi_i(x) = \Lambda_i(x) \cdot K_t$.
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, the graded key distribution polynomial sent to the client is
(2) The client computes and recovers the graded decryption key $K_t$ of electronic document $j$ from the received key distribution polynomial $\Phi_i(x)$ and the individual private key $s_{i,b}$ of user $U_{i,b}$. Specifically:
If the classification level $F_t$ of the electronic document equals the user's security level $C_i$, user $U_{i,b}$ directly computes the graded decryption key $K_t = \Phi_i(s_{i,b})$.
If the classification level $F_t$ of the electronic document is lower than the user's security level $C_i$, user $U_{i,b}$ first computes the key $K_i = \Phi_i(s_{i,b})$ and then computes the graded decryption key $K_t$.
Step b4: The client decrypts electronic document $j$ with the graded key $K_t$ and the decryption algorithm $D_t$ to recover the plaintext, after which user $U_{i,b}$ can read and view electronic document $j$.
The decryption algorithm $D_t$ corresponds to the encryption algorithm $E_t$.
The user's security level must be greater than or equal to the classification level of the electronic documents the user can access, i.e. $C_i \ge F_t$. For example, a user of security level $C_2$ can only access electronic documents of classification level $F_1$ and $F_2$, and cannot access electronic documents of classification level $F_3$ and $F_4$.
Fig. 3 is a schematic diagram of the structure of an electronic document access control system based on graded security encryption, which comprises a user registration/management module, an electronic document classification management module, an electronic document graded encryption module, an electronic document graded decryption module, a key distribution management module, a key computation and recovery module, an electronic document sending/receiving module, and a database module.
The user registration/management module is used for registering and managing system users.
The electronic document classification management module is used for setting the classification level of an electronic document according to the classification basis. The number of classification levels can be set differently according to the actual application environment. For state secrets, the classification levels of electronic documents are the five grades top secret, secret, confidential, internal, and public; for trade secrets, the classification levels of electronic documents are the four grades core trade secret, important trade secret, general trade secret, and public.
The electronic document graded encryption module is used for calling the encryption algorithm to encrypt the plaintext of an electronic document with the document's graded encryption key. For electronic documents of different classification levels, the encryption algorithms may be the same or different. Preferably, the encryption algorithm is a symmetric encryption algorithm such as SM4 or AES, and the electronic document encryption key is also the electronic document decryption key.
The electronic document graded decryption module is used for decrypting the ciphertext of an electronic document with the document's graded decryption key and the decryption algorithm. The decryption algorithm corresponds to the encryption algorithm above.
The key distribution management module is used for distributing keys of different levels to a user according to the user's security level, so that a user of a low security level cannot obtain a graded key of a higher level, while a user of a high security level can obtain the graded key of the user's own level and the graded decryption keys of lower levels. Higher-level users can thus access lower-level electronic documents, lower-level users cannot access higher-level electronic documents, and graded security control of electronic documents is achieved.
The key computation and recovery module is used for computing the graded key of an electronic document from the received graded key distribution polynomial and the user's individual private key, and sending that key to the electronic document graded encryption module or the electronic document graded decryption module.
The electronic document sending/receiving module is used for sending and receiving electronic document ciphertext.
The database module is used for storing user information, electronic document ciphertext, the classification levels of electronic documents, graded keys, key distribution polynomials, the individual private key of each user, and so on.
The operation of all modules is transparent to the user; the user does not need to know the implementation details.
With the above system, electronic documents can be encrypted according to their classification level and access to them can be controlled according to the user's security level.

Claims (8)

1. An electronic document access control method based on classification safety encryption, comprising graded encryption of electronic documents according to their classification level and control of each user's access to electronic documents according to the user's security level;
Each user in the system registers with a unique identity ID number, and each user is assigned a security level. $G_i$ denotes the set of all users whose security level is $C_i$, $n_i$ denotes the number of users whose security level is $C_i$, and $U_{i,m}$ is the $m$-th user in the set of users whose security level is $C_i$, $m \in \{1, 2, \ldots, n_i\}$. Each user $U_{i,m}$ obtains a unique secret value $s_{i,m}$ over a secure channel, which serves as the user's individual private key. The method is characterized by the following steps:
Step 1. Set the classification level of the electronic document:
Every electronic document has a unique electronic document ID. When an electronic document sender $U_{i,a}$ whose security level is $C_i$ needs to send electronic document $j$, the sender first sets the classification level $F_t$ of the document at the client and sends the electronic document ID and the classification level $F_t$ to the server. The classification level is the grade of secrecy that the sender $U_{i,a}$ assigns to the electronic document according to the corresponding classification basis. The classification level that a user can set is equal to or lower than the user's security level, i.e. $t \le i$;
Step 2. Distribute the grading key $K_t$ to the electronic document sender:
(2-1) The server uses the individual private keys of the users in the set $G_i$ to construct the access polynomial $\Lambda_i(x)$ [formula not reproduced in this text], where $VID_i$ is a virtual identifier whose value differs from the individual private keys of all users and is randomly selected for each electronic document $j$ and each $\Lambda_i(x)$. For a user $U_{i,m}$ whose security level is $C_i$, $\Lambda_i(s_{i,m}) = 1$; for a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value;
(2-2) Compute the key distribution polynomial:
If the classification level of the electronic document is equal to the security level of the user, $t = i$, the key distribution polynomial of the grading key $K_t$ is $\Phi_i(x) = \Lambda_i(x) \cdot K_t$;
If the classification level of the electronic document is lower than the security level of the user, $t < i$, the key distribution polynomial of the grading key $K_t$ is [formula not reproduced in this text], where $E_K(\cdot)$ denotes an asymmetric encryption function;
(2-3) The key distribution polynomial $\Phi_i(x)$ is sent to the client. From the received polynomial $\Phi_i(x)$ and the individual private key $s_{i,a}$ of user $U_{i,a}$, the client computes $\Phi_i(s_{i,a})$ and recovers the graded encryption key $K_t$ of electronic document $j$;
Step 3. Perform graded encryption of electronic document $j$:
Electronic document $j$ with classification level $F_t$ is encrypted with the grading key $K_t$ and the encryption algorithm $E_t$, and the ciphertext of the encrypted electronic document $j$ is sent to the server for storage. The grading key $K_t$ is used for both encryption and decryption of electronic documents whose classification level is $F_t$. For electronic documents of different classification levels, the encryption algorithm $E_t$ may be the same or different. The grading keys are distributed respectively to the users whose security level is $C_t$;
Step 4. Hierarchical access control:
When a user $U_{i,b}$ whose security level is $C_i$ applies to access electronic document $j$ with classification level $F_t$, the server checks the security level of user $U_{i,b}$: if the security level is lower than the classification level of electronic document $j$, the access request is refused; if the security level of user $U_{i,b}$ is greater than or equal to the classification level of electronic document $j$, the ciphertext of electronic document $j$ and the grading key $K_t$ are distributed to user $U_{i,b}$;
The security level of the user is greater than or equal to the classification level of the electronic documents the user can access, i.e. $i \ge t$;
Step 5. Key update:
If a new user with security level $C_i$ needs to be added to the system, it is only necessary to generate a new grading key distribution polynomial according to the user set $G_i$. If a user with security level $C_i$ is deleted, the encryption key of the electronic document, the key distribution polynomial and the ciphertext of the electronic document must all be updated, to prevent that user from continuing to access electronic document $j$. The specific method is:
(5-1) Randomly select a new grading key $K'_t$ for electronic document $j$ with classification level $F_t$;
(5-2) Compute the new grading key distribution polynomial:
If the classification level $F_t$ of the electronic document is equal to the security level $C_i$ of the user, the new grading key distribution polynomial is $\Phi'_i(x) = \Lambda'_i(x) \cdot K'_t$;
If the classification level $F_t$ of the electronic document is lower than the security level $C_i$ of the user, the new grading key distribution polynomial is [formula not reproduced in this text];
(5-3) Send the grading key distribution polynomial $\Phi'_i(x)$ to the client;
(5-4) Encrypt electronic document $j$ with the new graded encryption key $K'_t$ and store it.
2. The electronic document access control method based on classification safety encryption according to claim 1, characterized in that: the secure channel is an encrypted channel or a physical route.
3. The electronic document access control method based on classification safety encryption according to claim 1, characterized in that: for application scenarios involving state secrets, $t \in \{1, 2, 3, 4, 5\}$, and $F_1$, $F_2$, $F_3$, $F_4$, $F_5$ respectively denote the classification levels open, internal, secret, confidential and top secret; for application scenarios involving business secrets, $t \in \{1, 2, 3, 4\}$, and $F_1$, $F_2$, $F_3$, $F_4$ respectively denote the classification levels open, general business secret, important business secret and core business secret.
4. The electronic document access control method based on classification safety encryption according to claim 1, characterized in that the specific method in (2-3) for computing $\Phi_i(s_{i,a})$ to recover the graded encryption key $K_t$ of electronic document $j$ is as follows:
If the classification level of the electronic document is equal to the security level of the user, $t = i$, then for a legitimate user $U_{i,a}$, $\Lambda_i(s_{i,a}) = 1$, so the graded encryption key can be computed directly as $K_t = \Phi_i(s_{i,a})$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value, so users of other levels obtain only a random value and cannot compute the graded encryption key $K_t$;
If the classification level of the electronic document is lower than the security level of the user, $t < i$, user $U_{i,a}$ first computes the key $K_i = \Phi_i(s_{i,a})$ and then computes [formula not reproduced in this text] to obtain the graded encryption key $K_t$. For a user $U_{j,m}$ of any other level, $\Lambda_i(s_{j,m})$ is a random value, so users of other levels obtain only a random value and cannot compute the graded encryption key $K_t$.
5. The electronic document access control method based on classification safety encryption according to claim 1, characterized in that: the encryption algorithm $E_t$ in step 3 is a symmetric encryption algorithm.
6. The electronic document access control method based on classification safety encryption according to claim 1, characterized in that the specific method in step 4 for distributing the grading key $K_t$ to the electronic document accessor $U_{i,b}$ is:
(4-1) The server sends the grading key distribution polynomial $\Phi_i(x)$ to the client:
If the classification level $F_t$ of the electronic document is equal to the security level $C_i$ of the user, the grading key distribution polynomial sent to the client is $\Phi_i(x) = \Lambda_i(x) \cdot K_t$;
If the classification level $F_t$ of the electronic document is lower than the security level $C_i$ of the user, the grading key distribution polynomial sent to the client is [formula not reproduced in this text];
(4-2) From the received key distribution polynomial $\Phi_i(x)$ and the individual private key $s_{i,b}$ of user $U_{i,b}$, the client computes and recovers the graded decryption key $K_t$ of electronic document $j$. The specific method is:
If the classification level $F_t$ of the electronic document is equal to the security level $C_i$ of the user, user $U_{i,b}$ directly computes the graded decryption key $K_t = \Phi_i(s_{i,b})$;
If the classification level $F_t$ of the electronic document is lower than the security level $C_i$ of the user, user $U_{i,b}$ first computes the key $K_i = \Phi_i(s_{i,b})$ and then computes [formula not reproduced in this text] to obtain the graded decryption key $K_t$;
User $U_{i,b}$ then decrypts electronic document $j$ with the grading key $K_t$ and the decryption algorithm $D_t$ to recover the plaintext, and can read and view electronic document $j$.
7. The electronic document access control method based on classification safety encryption according to claim 6, characterized in that:
The decryption algorithm $D_t$ corresponds to the encryption algorithm $E_t$; that is, if an electronic document is encrypted with the encryption algorithm $E_t$, it is decrypted with the decryption algorithm $D_t$.
8. A system implementing the electronic document access control method based on classification safety encryption, characterized in that it comprises a user registration/management module, an electronic document encryption management module, an electronic document graded encryption module, an electronic document graded decryption module, a key distribution management module, a key calculation and recovery module, an electronic document transmission/reception module and a database module; the modules are linked to one another and form a unified electronic document access control system based on classification safety encryption;
The user registration/management module is used for the registration and management of system users;
The electronic document encryption management module is used to set a classification level for each electronic document according to the classification basis; the number of classification levels is configured for the actual application environment;
The electronic document graded encryption module is used to call an encryption algorithm to encrypt the plaintext of an electronic document with the document's graded encryption key; the encryption algorithm may be the same or different for electronic documents of different classification levels;
The electronic document graded decryption module is used to decrypt the ciphertext of an electronic document using the document's graded decryption key and the decryption algorithm;
The key distribution management module is used to distribute keys of different levels to users according to their security levels, so that a user with a low security level cannot obtain a grading key of a higher level, while a user with a high security level can obtain the grading key of the same level and the graded decryption keys of levels below their own; higher-level users can therefore access lower-level electronic documents, while lower-level users cannot access higher-level electronic documents, which completes the classification safety control of electronic documents;
The key calculation and recovery module is used to compute the grading key of an electronic document from the received grading key distribution polynomial and the user's individual private key, and to pass the key to the electronic document graded encryption module or the electronic document graded decryption module;
The electronic document transmission/reception module is used to send and receive electronic document ciphertext;
The database module is used to store user information, electronic document ciphertext, the classification levels of electronic documents, grading keys, key distribution polynomials and the individual private key of each user.
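The following sketch is an added illustration, not code from the patent: it models Steps 2, 4 and 5 of claim 1, in which the server publishes $\Phi_i(x) = \Lambda_i(x) \cdot K$ and each client evaluates it at its own secret. The concrete form of $\Lambda_i(x)$, the field modulus `P`, the per-document salted hash used as the evaluation point and the XOR stand-in for $E_K$ are all assumptions made here, because this text does not reproduce the patent's formulas.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime field modulus (assumed parameter, not taken from the patent)

def point(private_key: bytes, salt: bytes) -> int:
    """Evaluation point of a user: per-document salted hash of the private key."""
    return int.from_bytes(hashlib.sha256(salt + private_key).digest(), "big") % P

def access_poly(member_keys, salt):
    """Lambda(x) = 1 + r*(x - VID)*prod(x - point_m), coefficients low order first."""
    roots = [point(k, salt) for k in member_keys]
    vid = secrets.randbelow(P)
    while vid in roots:                      # VID must differ from every user value
        vid = secrets.randbelow(P)
    coeffs = [secrets.randbelow(P - 1) + 1]  # random non-zero r masks Phi's top term r*K
    for root in roots + [vid]:
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):       # multiply by (x - root)
            nxt[k] = (nxt[k] - c * root) % P
            nxt[k + 1] = (nxt[k + 1] + c) % P
        coeffs = nxt
    coeffs[0] = (coeffs[0] + 1) % P          # Lambda evaluates to 1 at member points
    return coeffs

def distribution_poly(member_keys, salt, key):
    """Phi(x) = Lambda(x) * K: what the server sends to clients."""
    return [(c * key) % P for c in access_poly(member_keys, salt)]

def recover(phi, private_key, salt):
    """Client side: Horner evaluation of Phi at the user's own point."""
    x, acc = point(private_key, salt), 0
    for c in reversed(phi):
        acc = (acc * x + c) % P
    return acc

def wrap(kek, key, salt):
    """Stand-in for E_K (XOR pad, self-inverse); use an AES or SM4 key wrap in practice."""
    digest = hashlib.sha256(salt + kek.to_bytes(16, "big")).digest()
    return key ^ int.from_bytes(digest[:16], "big")

def new_key():
    return secrets.randbelow(P - 1) + 1      # non-zero field element used as K

def demo():
    """Constructed users: alice and bob at level C_3, carol at level C_1."""
    alice, bob, carol = (secrets.token_bytes(16) for _ in range(3))
    salt, k3, k2 = secrets.token_bytes(16), new_key(), new_key()
    phi3 = distribution_poly([alice, bob], salt, k3)
    wrapped_k2 = wrap(k3, k2, salt)          # sent alongside phi3 when t < i
    results = {
        "same_level": recover(phi3, alice, salt) == k3,
        "lower_level": wrap(recover(phi3, bob, salt), wrapped_k2, salt) == k2,
        "low_user_blocked": recover(phi3, carol, salt) != k3,
    }
    # Step 5: bob is deleted, so a new key and polynomial are issued for the rest.
    salt_new, k3_new = secrets.token_bytes(16), new_key()
    phi3_new = distribution_poly([alice], salt_new, k3_new)
    results["revoked_blocked"] = recover(phi3_new, bob, salt_new) != k3_new
    results["remaining_ok"] = recover(phi3_new, alice, salt_new) == k3_new
    return results

if __name__ == "__main__":
    print(demo())
```

Evaluating at a salted hash rather than at the raw secret means the roots of $\Phi_i(x) - K$ are per-document values, so a legitimate member who knows $K$ cannot factor the published polynomial to learn other members' private keys.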
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910614814.7A 2019-07-09 2019-07-09 A kind of electronic document access control method and system based on classification safety encryption
Publications (1)

Publication Number Publication Date
CN110502918A true CN110502918A (en) 2019-11-26

Family

ID=68585566

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910614814.7A Pending CN110502918A (en) 2019-07-09 2019-07-09 A kind of electronic document access control method and system based on classification safety encryption

Country Status (1)

Country Link
CN (1) CN110502918A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191126