CN111064701A - Shared data security access control method, device, equipment and medium - Google Patents


Info

Publication number: CN111064701A
Authority: CN (China)
Prior art keywords: access control, key, attribute, identity information, user
Legal status: Pending
Application number: CN201911088616.8A
Other languages: Chinese (zh)
Inventors: 李雪雷, 朱效民, 赵雅倩
Current Assignee: Inspur Electronic Information Industry Co Ltd
Original Assignee: Inspur Electronic Information Industry Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]


Abstract

The application discloses a method, a device, equipment and a medium for controlling the secure access of shared data, wherein the method comprises the following steps: when a data access request is received, judging whether the visitor identity information is legal or not according to the visitor identity information and an access control list; if yes, acquiring attribute information corresponding to the visitor identity information from the access control list; if the attribute information meets the access control strategy, partially decrypting a target ciphertext by using an escrow key and a control key which correspond to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext; and sending the partially decrypted target ciphertext to the corresponding equipment of the accessor, so that the accessor decrypts it by using a decryption private key to obtain the target plaintext. In this way, flexible, secure and efficient fine-grained access control of outsourced data can be realized, and reliable security support is provided for the cloud computing center service.

Description

Shared data security access control method, device, equipment and medium
Technical Field
The present application relates to the field of cloud computing data security technologies, and in particular, to a method, an apparatus, a device, and a medium for controlling secure access to shared data.
Background
With the continuous development and popularization of cloud computing, cloud data centers provide more and more services for customers, among which outsourced data storage is an important service brought by cloud computing. Outsourced data storage can greatly reduce the purchase, operation and maintenance expenses of users' IT hardware; cloud storage service can be freely customized according to the data volume in the big data era, which further provides elastic support for business development. However, outsourcing business data inevitably brings a certain risk of data leakage. Firstly, the cloud data center is an honest-but-curious third party: the security of stored data can be threatened by corruption and illegal behavior inside the cloud data center, so internal leakage of data is easily caused. Secondly, an external attacker can break into the cloud data center through hardware, software and network protection vulnerabilities of the cloud computing system and steal customer data, which poses certain security threats.
In order to prevent data leakage, the cloud data center needs to establish a more sophisticated system protection mechanism. Conventional solutions include access control lists and data encryption. However, because cloud computing is a novel outsourced service provided by a third-party service provider in which both internal and external attackers exist, neither method alone can complete the task of protecting the outsourced data storage provided by the cloud data center. In particular, access control lists cannot resist internal corruption or external attacks, and traditional data encryption cannot provide flexible fine-grained access control: symmetric encryption has key management and key leakage problems, while asymmetric encryption cannot provide a one-to-many data sharing mechanism.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, a device, and a medium for controlling secure access to shared data, which can implement flexible, secure, and efficient fine-grained access control of outsourced data, provide reliable security support for a cloud computing center service, facilitate improving the reliability of the cloud computing service, expand the service range of the cloud computing service, and enhance users' confidence in the cloud computing data storage service. The specific scheme is as follows:
in a first aspect, the present application discloses a method for controlling secure access to shared data, comprising:
when a data access request is received, judging whether the visitor identity information is legal or not according to the visitor identity information and an access control list;
if the visitor identity information is legal, acquiring attribute information corresponding to the visitor identity information from the access control list, and judging whether the attribute information meets an access control strategy or not;
if the attribute information meets the access control strategy, partially decrypting a target ciphertext by using an escrow key and a control key which correspond to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext;
and sending the partially decrypted target ciphertext to the corresponding equipment of the accessor, so that the accessor decrypts it by using a decryption private key to obtain the target plaintext.
Optionally, before determining whether the visitor identity information is legal according to the visitor identity information and the access control list, the method further includes:
setting the attribute range of the shared data system, configuring security level parameters and configuring a system master key according to the security level;
the access control list is initialized.
Optionally, after initializing the access control list, the method further includes:
determining user identity information, and endowing corresponding attribute, authority and version value to a user, wherein the attribute comprises an activated attribute and an inactivated attribute;
generating a key value set of the user comprising the escrow key, the control key and the decryption private key according to the attributes of the user and the system master key;
adding the user information, the escrow key, and the control key to the access control list;
and sending the decryption private key to a corresponding account of the user through a secret channel.
Optionally, after sending the decryption private key to the corresponding account of the user through a secret channel, the method further includes:
formulating the access control strategy according to the shared data content;
encrypting the shared data by utilizing the access control strategy and the attribute encryption technology to obtain a ciphertext;
and uploading the ciphertext and the access control strategy to a cloud data center for outsourcing storage.
Optionally, the method for controlling secure access to shared data further includes:
and updating the authority of the user and the access control list according to the attribute change information of the user.
Optionally, the updating the access control list according to the attribute change information of the user includes:
if an activated attribute of the user is revoked, deactivating the escrow key (managed key) value of the user in the access control list corresponding to that attribute;
if an inactive attribute of the user is activated, activating the escrow key (managed key) value of the user corresponding to that attribute, so as to update the access control list.
Optionally, the partially decrypting the target ciphertext by using the escrow key and the control key corresponding to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext includes:
adjusting the escrow key by using the control key according to the version information of the target ciphertext to obtain a target escrow key of which the version is matched with that of the target ciphertext;
and carrying out partial decryption on the target ciphertext by using the target escrow key to obtain a partial decrypted target ciphertext.
In a second aspect, the present application discloses a shared data security access control device, including:
the first judgment module is used for judging whether the visitor identity information is legal or not according to the visitor identity information and the access control list when the data access request is received;
the attribute information acquisition module is used for acquiring attribute information corresponding to the visitor identity information from the access control list when the visitor identity information is legal;
the second judging module is used for judging whether the attribute information meets the access control strategy or not;
the partial decryption module is used for partially decrypting a target ciphertext by using an escrow key and a control key which correspond to the visitor identity information in the access control list when the attribute information meets the access control strategy, to obtain a partially decrypted target ciphertext;
and the ciphertext sending module is used for sending the partially decrypted target ciphertext to the corresponding equipment of the accessor, so that the accessor can decrypt it by using a decryption private key to obtain the target plaintext.
In a third aspect, the present application discloses a shared data security access control device, including:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the shared data security access control method disclosed in the foregoing.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the aforementioned disclosed shared data security access control method.
Therefore, when a data access request is received, whether the visitor identity information is legal is judged according to the visitor identity information and an access control list; if it is legal, attribute information corresponding to the visitor identity information is acquired from the access control list and checked against an access control strategy; if the attribute information meets the access control strategy, a target ciphertext is partially decrypted by using an escrow key and a control key which correspond to the visitor identity information in the access control list, to obtain a partially decrypted target ciphertext; and the partially decrypted target ciphertext is then sent to the corresponding equipment of the accessor, so that the accessor decrypts it by using a decryption private key to obtain the target plaintext.
Therefore, the problem of data leakage caused by internal corruption and external attack can be solved, flexible, secure and efficient fine-grained access control of outsourced data is realized, reliable security support is provided for the cloud computing center service, the reliability of the cloud computing service is improved, the service range of the cloud computing service is expanded, and users' confidence in the cloud computing data storage service is enhanced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a method for controlling secure access to shared data as disclosed herein;
FIG. 2 is a flow chart of a specific method for controlling secure access to shared data according to the present disclosure;
FIG. 3 is a diagram of a particular access control tree disclosed herein;
FIG. 4 is a flowchart of a specific method for controlling secure access to shared data according to the present disclosure;
FIG. 5 is a schematic diagram of an escrow key adjustment disclosed herein;
FIG. 6 is a schematic structural diagram of a shared data security access control apparatus disclosed in the present application;
FIG. 7 is a block diagram of a shared data security access control device disclosed herein;
fig. 8 is a diagram of a server structure disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to prevent data leakage, the cloud data center needs to establish a more sophisticated system protection mechanism. Access control lists cannot resist internal corruption and external attacks, and traditional data encryption cannot provide flexible fine-grained access control, because symmetric encryption has key management and key leakage problems while asymmetric encryption cannot provide a one-to-many data sharing mechanism. In view of this, the present application provides a shared data security access control method, which can resist internal corruption and external attack, implement flexible, secure, and efficient fine-grained access control of outsourced data, provide reliable security support for cloud computing center services, facilitate improving the reliability of cloud computing services, expand the service scope of cloud computing services, and enhance users' confidence in cloud computing data storage services.
The embodiment of the application discloses a method for controlling the security access of shared data, which is shown in fig. 1 and comprises the following steps:
step S11: and when a data access request is received, judging whether the visitor identity information is legal or not according to the visitor identity information and the access control list.
In this embodiment, access control is a main policy for the security protection of a network and a system; the main task of the access control list is to ensure that network and system resources are not illegally used or accessed, and the access control list can implement attribute-based control of access to outsourced storage data. The content of the access control list includes, but is not limited to, user identity information, attributes, escrow keys, and the like. When an accessor initiates an access request to shared data in cloud computing, the identity information of the accessor needs to be provided; when the data access request is received, whether the identity information of the accessor is legal is judged according to the identity information of the accessor and the access control list, and if it is legal, the next step is carried out. If the visitor identity information is illegal, access to the data is prohibited.
Step S12: and if the visitor identity information is legal, acquiring attribute information corresponding to the visitor identity information from the access control list, and judging whether the attribute information meets an access control strategy or not.
It can be understood that, the access of the cloud computing shared data requires that the visitor possess corresponding attributes, so after the identity information of the visitor is legal, the attribute information corresponding to the identity information of the visitor needs to be acquired from the access control list, and whether the attribute information meets the access control policy is determined.
Step S13: and if the attribute information meets the access control strategy, partially decrypting the target ciphertext by using the escrow key and the control key which correspond to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext.
In a specific implementation process, if the attribute information does not meet the access control strategy, access to corresponding data is prohibited; and if the attribute information meets the access control strategy, partially decrypting the target ciphertext by using the escrow key corresponding to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext. In this way, the amount of computation for the visitor's client to obtain plaintext can be reduced.
Step S14: and sending the partial decryption target ciphertext to corresponding equipment of an accessor, so that the accessor decrypts the partial decryption target ciphertext by using a decryption private key to obtain a target plaintext.
It can be understood that, after the partial decryption target ciphertext is obtained, the partial decryption target ciphertext is sent to the corresponding device of the visitor, so that the visitor decrypts the partial decryption target ciphertext by using the decryption private key to obtain the target plaintext.
Therefore, when a data access request is received, whether the visitor identity information is legal is judged according to the visitor identity information and an access control list; if it is legal, attribute information corresponding to the visitor identity information is acquired from the access control list and checked against an access control strategy; if the attribute information meets the access control strategy, a target ciphertext is partially decrypted by using an escrow key and a control key which correspond to the visitor identity information in the access control list, to obtain a partially decrypted target ciphertext; and the partially decrypted target ciphertext is then sent to the accessor, so that the accessor decrypts it by using a decryption private key to obtain the target plaintext.
Therefore, the problem of data leakage caused by internal corruption and external attack can be solved, flexible, secure and efficient fine-grained access control of outsourced data is realized, reliable security support is provided for the cloud computing center service, the reliability of the cloud computing service is improved, the service range of the cloud computing service is expanded, and users' confidence in the cloud computing data storage service is enhanced.
Referring to fig. 2, an embodiment of the present application discloses a specific method for controlling secure access to shared data, where the method includes:
step S201: and setting the attribute range of the shared data system, configuring security level parameters and configuring a system master key according to the security level.
In this embodiment, when data is outsourced and stored, a series of operations need to be performed to ensure the security of the outsourced data. First, the attribute range of the shared data system needs to be set, the security level parameters configured, and the system master key configured according to the security level. The security level parameter increases the system's computational complexity as the security level increases; for example, the security level may affect the length of the system master key and of the escrow keys. The system master key is kept private by the system builder. Specifically, according to the security level, the attribute management range of the shared data system is determined and the attribute values of the shared data system are set, and then the security level parameter of the system and the system master key are selected.
Step S202: the access control list is initialized.
In a specific implementation process, the access control list needs to be initialized so as to add new user identity information, attributes, rights and other information.
Step S203: and determining the identity information of the user, and giving corresponding attribute, authority and version value to the user, wherein the attribute comprises an activated attribute and an inactivated attribute.
In this embodiment, it is also necessary to determine which users can access the shared data, and to assign corresponding attribute, authority, and version values to each user. The version value indicates the age (generation) of the user's keys, and the attributes include activated attributes and inactivated attributes. User identity information is determined, and corresponding attribute, authority and version values are given to the user, so that the system can control the access behavior of an accessor according to the user identity information, attributes, authority, version value and the like.
Step S204: generating a key value group of the user, which comprises an escrow key, a control key and a decryption private key, according to the attributes of the user and the system master key.
In this embodiment, after the corresponding attributes are given to the user, the key value group of the user needs to be generated according to the attributes of the user and the system master key, where the key value group includes an escrow key (also translated as managed key, TK), a control key (CK), and a decryption private key (SK).
Step S205: adding the user information, the escrow key, and the control key to the access control list.
It will be appreciated that after generating the set of key values for the user, the user identity information, the escrow key, and the control key need to be added to the access control list. Table 1 below is a specific access control list.
TABLE 1
Lists    Attribute 1   Attribute 2   Attribute 3   ...   Attribute N   Control key
User 1   TK_11         TK_12         TK_13         ...   TK_1N         CK_01
User 2   TK_21         TK_22         TK_23         ...   TK_2N         CK_02
User 1 and User 2 in the table are two different user identities. Each user may have N attributes, and TK_xy denotes the escrow key value corresponding to the y-th attribute of user x. TK_xy is deactivated when the y-th attribute is not an activated attribute of user x.
Step S206: and sending the decryption private key to a corresponding account of the user through a secret channel.
In a specific implementation process, the generated decryption private key needs to be sent to a corresponding account or a corresponding device of the user through a secret channel, so that the user can decrypt a received partial decryption target ciphertext by using the decryption private key.
Step S207: and establishing an access control strategy according to the shared data content.
In this embodiment, an access control policy needs to be formulated according to the content of the shared data, so that when an accessor initiates access to the shared data, it can be determined whether the accessor may access the target data. The access control policy can be formulated in the form of an access control tree. Referring to fig. 3, a specific access control tree is shown; it expresses the following access control policy: to access the ciphertext encrypted under this access control tree, the visitor's attributes must satisfy one of the following five conditions: first, ("computer academy" and "Master" and "two studies") and "teacher"; second, "teacher" and "network laboratory"; third, "teacher" and "cloud laboratory"; fourth, ("computer academy" and "Master" and "two studies") and "network laboratory"; fifth, ("computer academy" and "Master" and "two studies") and "cloud laboratory".
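The policy check of step S12 against a tree like the one in fig. 3 can be implemented as a recursive evaluation over the visitor's attribute set. The following is an added example, not code from the patent or from Inspur: it builds the five conditions of fig. 3 as an OR of AND gates and evaluates them. It generalizes slightly beyond the text by using threshold gates (k-of-n), which is how attribute-based encryption access trees are commonly defined; AND is n-of-n and OR is 1-of-n. The attribute strings are taken from the description above, and the gate structure (an OR over the five listed conjunctions) is an assumption, since the figure itself is not on the page.

```python
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Gate:
    """Threshold gate: satisfied when at least `threshold` children are satisfied.
    AND over n children is threshold n, OR is threshold 1."""
    threshold: int
    children: Tuple["Node", ...]


# A leaf of the access tree is simply an attribute name.
Node = Union[str, Gate]


def AND(*children: Node) -> Gate:
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:
    return Gate(1, tuple(children))


def satisfied(node: Node, attrs: set) -> bool:
    """Recursively evaluate an access tree against a visitor's attribute set."""
    if isinstance(node, str):
        return node in attrs
    hits = sum(1 for child in node.children if satisfied(child, attrs))
    return hits >= node.threshold


# Constructed from the textual description of fig. 3; the exact tree shape in
# the figure is an assumption.
GRAD_STUDENT = AND("computer academy", "Master", "two studies")
FIG3_POLICY = OR(
    AND(GRAD_STUDENT, "teacher"),
    AND("teacher", "network laboratory"),
    AND("teacher", "cloud laboratory"),
    AND(GRAD_STUDENT, "network laboratory"),
    AND(GRAD_STUDENT, "cloud laboratory"),
)


def can_access(attrs) -> bool:
    """Step S12 check: does the visitor's (active) attribute set satisfy the policy?"""
    return satisfied(FIG3_POLICY, set(attrs))


if __name__ == "__main__":
    for visitor in (
        ["teacher", "network laboratory"],
        ["teacher"],
        ["computer academy", "Master", "two studies", "cloud laboratory"],
    ):
        print(visitor, "->", can_access(visitor))
```

Only the attributes the access control list marks as activated should be passed to `can_access`; a revoked attribute must not count toward the threshold, which is why the list in Table 1 stores an activation state per escrow key rather than deleting the entry.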
Step S208: and encrypting the shared data by utilizing the access control strategy and the attribute encryption technology to obtain a ciphertext.
In this embodiment, the access control policy and attribute-based encryption need to be used to encrypt the shared data to obtain a ciphertext. One-to-many data access control can be achieved with attribute-based encryption (ABE), also known as fuzzy identity-based encryption, which is mainly divided into two categories: ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE). In CP-ABE, the ciphertext is associated with the access policy defined by the encryptor and the key is associated with the user's attributes; in KP-ABE, the ciphertext is associated with attributes and the key is associated with the access policy.
Step S209: and uploading the ciphertext and the access control strategy to a cloud data center for outsourcing storage.
It can be understood that after obtaining the ciphertext, the ciphertext and the access control policy need to be uploaded to the cloud data center for outsourced storage. And uploading the access control strategy to a cloud data center for outsourcing storage so as to judge whether the attribute of the visitor meets the access control strategy.
Step S210: when a data access request is received, judging whether the visitor identity information is legal according to the visitor identity information and the access control list.
Step S211: if the visitor identity information is legal, obtaining the attribute information corresponding to the visitor identity information from the access control list and judging whether the attribute information satisfies the access control policy.
Step S212: if the attribute information satisfies the access control policy, partially decrypting the target ciphertext with the escrow key and the control key that correspond to the visitor identity information in the access control list, to obtain a partially decrypted target ciphertext.
Step S213: sending the partially decrypted target ciphertext to the accessor's device, so that the accessor decrypts it with the decryption private key to obtain the target plaintext.
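As an added illustration of the access control tree of fig. 3 and of the identity and attribute checks of steps S210 and S211 (example code written for this page, not the patent's own implementation), the following Python evaluates an access tree built from threshold gates against a user's attribute set, and enumerates the minimal attribute sets that satisfy the tree. The tree built here is a 2-of-3 threshold gate over "teacher", the conjunction ("computer academy" and "Master" and "two studies") and the disjunction ("network laboratory" or "cloud laboratory"); that gate structure is an inference from the five listed conditions, since the figure itself is not reproduced on this page, and the code checks that it yields exactly those five. The access control list contents are constructed sample data.

```python
from dataclasses import dataclass, field
from itertools import combinations, product
from typing import Optional


@dataclass
class Node:
    """Access-tree node. A leaf names one attribute; an inner node is a
    k-of-n threshold gate over its children (AND is n-of-n, OR is 1-of-n)."""
    threshold: int = 1
    children: list = field(default_factory=list)
    attr: Optional[str] = None


def leaf(attr):
    return Node(attr=attr)


def and_gate(*children):
    return Node(threshold=len(children), children=list(children))


def or_gate(*children):
    return Node(threshold=1, children=list(children))


def k_of_n(k, *children):
    return Node(threshold=k, children=list(children))


def satisfies(node, attrs):
    """True if the attribute set satisfies the tree rooted at node."""
    if node.attr is not None:
        return node.attr in attrs
    hits = sum(satisfies(child, attrs) for child in node.children)
    return hits >= node.threshold


def minimal_sets(node):
    """Minimal attribute sets that satisfy the tree (its irredundant DNF)."""
    if node.attr is not None:
        return {frozenset([node.attr])}
    result = set()
    for chosen in combinations(node.children, node.threshold):
        for parts in product(*(minimal_sets(c) for c in chosen)):
            result.add(frozenset().union(*parts))
    # drop any set that strictly contains another satisfying set
    return {s for s in result if not any(o < s for o in result)}


# Tree inferred from the five conditions given for fig. 3 (assumption:
# a 2-of-3 threshold gate reproduces exactly those five conditions).
GRAD_STUDENT = and_gate(leaf("computer academy"), leaf("Master"), leaf("two studies"))
LAB_MEMBER = or_gate(leaf("network laboratory"), leaf("cloud laboratory"))
POLICY = k_of_n(2, leaf("teacher"), GRAD_STUDENT, LAB_MEMBER)

# Constructed access control list: identity -> attribute record.
# Only activated attributes count towards the policy.
ACL = {
    "alice": {"active": {"teacher", "network laboratory"}, "inactive": set()},
    "bob": {"active": {"computer academy", "Master", "two studies"},
            "inactive": {"cloud laboratory"}},
    "carol": {"active": {"teacher"}, "inactive": set()},
}


def authorize(acl, identity, policy):
    """Steps S210 and S211: reject identities absent from the access control
    list, then test the identity's activated attributes against the policy."""
    record = acl.get(identity)
    if record is None:
        return False, "identity not in access control list"
    if not satisfies(policy, record["active"]):
        return False, "attributes do not satisfy access control policy"
    return True, "ok"


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "mallory"):
        print(who, authorize(ACL, who, POLICY))
    for s in sorted(minimal_sets(POLICY), key=sorted):
        print(" and ".join(sorted(s)))
```

Note that "bob" fails even though he holds the full graduate-student conjunction, because his only laboratory attribute is inactive, and "carol" fails with "teacher" alone: neither appears among the five conditions, which is what the threshold gate enforces.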
Referring to fig. 4, an embodiment of the present application discloses a specific shared data security access control method, comprising:
Step S31: when a data access request is received, judging whether the visitor identity information is legal according to the visitor identity information and the access control list.
Step S32: if the visitor identity information is legal, obtaining the attribute information corresponding to the visitor identity information from the access control list and judging whether the attribute information satisfies the access control policy.
Step S33: if the attribute information satisfies the access control policy, adjusting the escrow key with the control key according to the version information of the target ciphertext, to obtain a target escrow key whose version matches that of the target ciphertext.
In this embodiment the escrow key is adjusted with the control key so that its version matches the version of the target ciphertext. Fig. 5 shows the escrow key adjustment schematically: TK_n denotes an escrow key of version n and CT_n a target ciphertext of version n. If the escrow key is TK_4 and the target ciphertext is CT_7, TK_4 is advanced by 3·CK, which yields TK_7, the escrow key matching CT_7; if the escrow key is TK_4 and the target ciphertext is CT_1, TK_4 is moved back by 3·CK, which yields TK_1, matching CT_1. In other words, the version number carried by the escrow key is brought into agreement with that of the target ciphertext, each version step corresponding to one application of the control key CK.
Step S34: partially decrypting the target ciphertext with the target escrow key to obtain a partially decrypted target ciphertext.
Step S35: sending the partially decrypted target ciphertext to the accessor's device, so that the accessor decrypts it with the decryption private key to obtain the target plaintext.
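As an added worked model of steps S33 to S35, of the partial decryption of steps S212 and S213, and of the escrow key deactivation that accompanies attribute revocation, the following Python uses a toy key-splitting construction written for this page; it is not the patent's attribute-based scheme. Assumed construction: the user's full secret x is split into an escrow key TK, kept in the cloud's access control list, and a decryption private key SK held only by the user, with x = TK_0 + SK (mod P-1); the control key CK moves the escrow key between versions, TK_v = TK_0 + v·CK, and a ciphertext of version v is encrypted to the public key g^(x + v·CK). The group (the Mersenne prime 2^127 - 1 with base 3), the field names and the data key value are all assumptions chosen to keep the arithmetic visible.

```python
"""Toy model: escrow-key partial decryption with version adjustment.

Assumed construction (not the patent's ABE scheme): x = TK_0 + SK mod P-1,
TK_v = TK_0 + v*CK, and a version-v ciphertext targets g^(x + v*CK).
The cloud can strip its share only after matching versions, and the user's
SK alone never yields the plaintext.
"""
import secrets

# Toy group: Mersenne prime 2^127 - 1 with base 3; exponents are reduced
# mod P-1. Chosen for readability, not for production use.
P = (1 << 127) - 1
G = 3
ORDER = P - 1


def rand_exp():
    return secrets.randbelow(ORDER - 2) + 1


def keygen():
    """Derive a user's key set: escrow key and control key go into the
    access control list entry, the private key goes to the user alone."""
    x = rand_exp()                 # user's full secret
    tk0 = rand_exp()               # escrow share, version 0
    sk = (x - tk0) % ORDER         # user's share
    ck = rand_exp()                # control key
    return {
        "acl_entry": {"tk": tk0, "tk_version": 0, "ck": ck, "active": True},
        "private_key": sk,
        "pk": pow(G, x, P),         # public, used by the data owner
        "ck_pub": pow(G, ck, P),    # public, lets the owner target a version
    }


def version_public_key(pk, ck_pub, version):
    """g^(x + version*CK): the key a ciphertext of this version is made under."""
    return pk * pow(ck_pub, version, P) % P


def encrypt(pk, ck_pub, version, m):
    """ElGamal-style encryption of a data key m (an integer below P)."""
    r = rand_exp()
    y = version_public_key(pk, ck_pub, version)
    return {"version": version, "c1": pow(G, r, P), "c2": m * pow(y, r, P) % P}


def adjust_escrow_key(tk, tk_version, ck, target_version):
    """Fig. 5: TK_target = TK_n + (target - n)*CK, so TK_4 + 3*CK = TK_7 and
    TK_4 - 3*CK = TK_1. Reduction mod ORDER makes the backward step work."""
    return (tk + (target_version - tk_version) * ck) % ORDER


def partial_decrypt(acl_entry, ct):
    """Cloud side (steps S33, S34): refuse if the entry was deactivated by
    attribute revocation, else match versions and strip the escrow share."""
    if not acl_entry["active"]:
        raise PermissionError("escrow key deactivated; attribute revoked")
    tk_v = adjust_escrow_key(acl_entry["tk"], acl_entry["tk_version"],
                             acl_entry["ck"], ct["version"])
    share = pow(ct["c1"], tk_v, P)
    return {"c1": ct["c1"], "c2": ct["c2"] * pow(share, -1, P) % P}


def final_decrypt(private_key, partial):
    """User side (step S35): remove the remaining share with SK."""
    share = pow(partial["c1"], private_key, P)
    return partial["c2"] * pow(share, -1, P) % P


def roundtrip(version, m=0x5EC12E7DA7A4E9):
    """Encrypt the (assumed) data key m at 'version' for a user whose escrow
    key sits at version 4, run cloud then user decryption, return the result."""
    keys = keygen()
    entry = dict(keys["acl_entry"])
    entry["tk"] = adjust_escrow_key(entry["tk"], 0, entry["ck"], 4)
    entry["tk_version"] = 4
    ct = encrypt(keys["pk"], keys["ck_pub"], version, m)
    return final_decrypt(keys["private_key"], partial_decrypt(entry, ct))


if __name__ == "__main__":
    # CT_7 needs TK_4 + 3*CK, CT_1 needs TK_4 - 3*CK; both recover m
    print(hex(roundtrip(7)), hex(roundtrip(1)))
```

The two half-steps are the point of the split: the cloud never sees the user's private key, the user never holds the escrow share, and setting the entry's "active" flag to false (the deactivation performed when an attribute is revoked) stops the cloud's step without touching anyone else's keys.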
While the shared data security access control method is being executed, the method further comprises updating the user's authority and the access control list according to the user's attribute change information. Specifically, the user's authority, key value group, access control list and so on are updated whenever the user's attributes change: if an inactive attribute of the user is activated, the escrow (managed) key value of the user corresponding to that attribute is activated in the access control list; if an active attribute of the user is revoked, the escrow key value of the user corresponding to that attribute is deactivated in the access control list, or a validity period is set for the attribute according to the access control policy. Because the cloud performs partial decryption only with escrow key values held in the access control list, deactivating a user's escrow key value withdraws that user's ability to obtain a partially decrypted ciphertext.
Referring to fig. 6, an embodiment of the present application discloses a shared data security access control apparatus, comprising:
a first judging module 11, configured to judge, when a data access request is received, whether the visitor identity information is legal according to the visitor identity information and an access control list;
an attribute information obtaining module 12, configured to obtain, when the visitor identity information is legal, the attribute information corresponding to the visitor identity information from the access control list;
a second judging module 13, configured to judge whether the attribute information satisfies the access control policy;
a partial decryption module 14, configured to, when the attribute information satisfies the access control policy, partially decrypt the target ciphertext with the escrow key and the control key that correspond to the visitor identity information in the access control list, to obtain a partially decrypted target ciphertext;
a ciphertext sending module 15, configured to send the partially decrypted target ciphertext to the accessor's device, so that the accessor decrypts it with the decryption private key to obtain the target plaintext.
In summary, when a data access request is received, whether the visitor identity information is legal is judged according to the visitor identity information and the access control list; if it is legal, the attribute information corresponding to the visitor identity information is obtained from the access control list and checked against the access control policy; if the attribute information satisfies the policy, the target ciphertext is partially decrypted with the escrow key and the control key that correspond to the visitor identity information in the access control list; and the partially decrypted target ciphertext is sent to the accessor's device, where the accessor completes decryption with the decryption private key to obtain the target plaintext. Identity is thus verified before attributes are examined, attributes before any key material is used, the cloud's escrow share is applied only after both checks pass, and the final step requires the decryption private key that was issued only to the accessor.
This addresses data leakage caused by insider compromise and external attack, realises flexible, secure and efficient fine-grained access control over outsourced data, provides reliable security support for cloud data center services, and so improves the reliability of cloud computing services, extends their range and strengthens users' trust in cloud data storage services.
Further, referring to fig. 7, an embodiment of the present application also discloses a shared data security access control device comprising a processor 21 and a memory 22.
The memory 22 stores a computer program; the processor 21 executes the computer program to implement the shared data security access control method disclosed in the foregoing embodiments.
For the specific process of that method, reference may be made to the corresponding content of the foregoing embodiments; details are not repeated here.
Referring to fig. 8, the present application discloses a server 20 including the processor 21 and the memory 22 of the foregoing embodiments. For the steps the processor 21 can execute, reference may be made to the corresponding content of the foregoing embodiments; details are not repeated here.
Further, the terminal 20 in this embodiment may additionally include a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The power supply 23 provides the working voltage for each hardware device of the terminal 20; the communication interface 24 serves as a data transmission channel between the terminal 20 and external devices, following any communication protocol usable in the technical solution of the present application, which is not specifically limited here; the input/output interface 25 obtains data from outside or outputs data to outside, and its specific interface type may be chosen according to the application requirements and is likewise not specifically limited here.
Further, an embodiment of the present application also discloses a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the following steps:
when a data access request is received, judging whether the visitor identity information is legal according to the visitor identity information and an access control list; if the visitor identity information is legal, obtaining the attribute information corresponding to the visitor identity information from the access control list and judging whether the attribute information satisfies the access control policy; if the attribute information satisfies the access control policy, partially decrypting the target ciphertext with the escrow key and the control key that correspond to the visitor identity information in the access control list, to obtain a partially decrypted target ciphertext; and sending the partially decrypted target ciphertext to the accessor's device, so that the accessor decrypts it with the decryption private key to obtain the target plaintext.
As in the method embodiment, identity is checked against the access control list first, the attributes obtained from that list are then tested against the access control policy, the cloud applies the escrow key and the control key only after both checks pass, and the accessor completes decryption with the decryption private key.
This addresses data leakage caused by insider compromise and external attack, realises flexible, secure and efficient fine-grained access control over outsourced data, provides reliable security support for cloud data center services, and so improves the reliability of cloud computing services, extends their range and strengthens users' trust in cloud data storage services.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: setting the attribute range of the shared data system, configuring security level parameters and configuring a system master key according to the security level; and initializing the access control list.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: determining user identity information and assigning the user corresponding attributes, authority and a version value, the attributes comprising activated attributes and inactivated attributes; generating the user's key value set, comprising the escrow key, the control key and the decryption private key, according to the user's attributes and the system master key; adding the user information, the escrow key and the control key to the access control list; and sending the decryption private key to the user's corresponding account through a secret channel.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: formulating the access control policy according to the shared data content; encrypting the shared data with the access control policy and attribute-based encryption to obtain a ciphertext; and uploading the ciphertext and the access control policy to a cloud data center for outsourced storage.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following step may specifically be implemented: updating the user's authority and the access control list according to the user's attribute change information.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: deactivating the managed key value of the user in the access control list corresponding to an activated attribute if that activated attribute of the user is revoked; and activating the managed key value of the user corresponding to an inactive attribute if that inactive attribute of the user is activated, so as to update the access control list.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: adjusting the escrow key with the control key according to the version information of the target ciphertext to obtain a target escrow key whose version matches that of the target ciphertext; and partially decrypting the target ciphertext with the target escrow key to obtain a partially decrypted target ciphertext.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to one another. Since the apparatus disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is brief, and the relevant points may be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of other elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above detailed description is given to a method, an apparatus, a device, and a medium for controlling secure access to shared data, and a specific example is applied in the present disclosure to explain the principle and the implementation of the present disclosure, and the description of the above embodiment is only used to help understand the method and the core idea of the present disclosure; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A method for controlling secure access to shared data, comprising:
when a data access request is received, judging whether the visitor identity information is legal or not according to the visitor identity information and an access control list;
if the visitor identity information is legal, acquiring attribute information corresponding to the visitor identity information from the access control list, and judging whether the attribute information meets an access control strategy or not;
if the attribute information meets the access control strategy, partial decryption is carried out on a target ciphertext by using an escrow key and a control key which correspond to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext;
and sending the partial decryption target ciphertext to corresponding equipment of an accessor, so that the accessor decrypts the partial decryption target ciphertext by using a decryption private key to obtain a target plaintext.
2. The method according to claim 1, wherein before determining whether the visitor identity information is valid according to the visitor identity information and the access control list, the method further comprises:
setting the attribute range of the shared data system, configuring security level parameters and configuring a system master key according to the security level;
the access control list is initialized.
3. The method of claim 2, wherein initializing the access control list further comprises:
determining user identity information, and endowing corresponding attribute, authority and version value to a user, wherein the attribute comprises an activated attribute and an inactivated attribute;
generating a key value set of the user comprising the escrow key, the control key and the decryption private key according to the attributes of the user and the system master key;
adding the user information, the escrow key, and the control key to the access control list;
and sending the decryption private key to a corresponding account of the user through a secret channel.
4. The method for controlling secure access to shared data according to claim 3, wherein after sending the decryption private key to the corresponding account of the user through the secret channel, the method further comprises:
formulating the access control strategy according to the shared data content;
encrypting the shared data by utilizing the access control strategy and the attribute encryption technology to obtain a ciphertext;
and uploading the ciphertext and the access control strategy to a cloud data center for outsourcing storage.
5. The method of claim 3, further comprising:
and updating the authority of the user and the access control list according to the attribute change information of the user.
6. The method according to claim 5, wherein the updating the access control list according to the attribute change information of the user comprises:
deactivating a managed key value of the user in the access control list corresponding to the activated attribute if the activated attribute of the user is revoked;
if the inactive attribute of the user is activated, a managed key value of the user corresponding to the inactive attribute is activated to update the access control list.
7. The method according to any one of claims 3 to 6, wherein the partially decrypting the target ciphertext by using the escrow key and the control key corresponding to the visitor identity information in the access control list to obtain a partially decrypted target ciphertext comprises:
adjusting the escrow key by using the control key according to the version information of the target ciphertext to obtain a target escrow key of which the version is matched with that of the target ciphertext;
and carrying out partial decryption on the target ciphertext by using the target escrow key to obtain a partial decrypted target ciphertext.
8. A shared data security access control apparatus, comprising:
the first judgment module is used for judging whether the visitor identity information is legal or not according to the visitor identity information and the access control list when the data access request is received;
the attribute information acquisition module is used for acquiring attribute information corresponding to the visitor identity information from the access control list when the visitor identity information is legal;
the second judging module is used for judging whether the attribute information meets the access control strategy or not;
the partial decryption module is used for performing partial decryption on a target ciphertext by using an escrow key and a control key which correspond to the visitor identity information in the access control list when the attribute information meets an access control strategy, to obtain a partially decrypted target ciphertext;
and the ciphertext sending module is used for sending the partial decryption target ciphertext to an accessor so that the accessor can decrypt the partial decryption target ciphertext by using a decryption private key to obtain a target plaintext.
9. A shared data security access control device comprising:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor, configured to execute the computer program to implement the method for controlling secure access to shared data according to any one of claims 1 to 7.
10. A computer readable storage medium holding a computer program, wherein the computer program when executed by a processor implements the shared data security access control method of any of claims 1 to 7.
CN201911088616.8A 2019-11-08 2019-11-08 Shared data security access control method, device, equipment and medium Pending CN111064701A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911088616.8A CN111064701A (en) 2019-11-08 2019-11-08 Shared data security access control method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911088616.8A CN111064701A (en) 2019-11-08 2019-11-08 Shared data security access control method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN111064701A true CN111064701A (en) 2020-04-24

Family

ID=70298553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911088616.8A Pending CN111064701A (en) 2019-11-08 2019-11-08 Shared data security access control method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN111064701A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102667719A (en) * 2009-11-20 2012-09-12 微软公司 Controlling resource access based on resource properties
US20160241399A1 (en) * 2013-03-15 2016-08-18 Arizona Board Of Regents On Behalf Of Arizona State University Efficient Privacy-Preserving Ciphertext-Policy Attribute Based Encryption and Broadcast Encryption
CN108322447A (en) * 2018-01-05 2018-07-24 中电长城网际系统应用有限公司 Data sharing method and system, terminal under cloud environment and Cloud Server
CN108810004A (en) * 2018-06-22 2018-11-13 西安电子科技大学 More authorization center access control methods, cloud storage system can be revoked based on agency

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111914289A (en) * 2020-07-15 2020-11-10 中国民航信息网络股份有限公司 Protection method and device for application program configuration information
CN111914289B (en) * 2020-07-15 2023-11-24 中国民航信息网络股份有限公司 Application program configuration information protection method and device
CN112887273A (en) * 2021-01-11 2021-06-01 苏州浪潮智能科技有限公司 Key management method and related equipment
CN112887273B (en) * 2021-01-11 2022-05-20 苏州浪潮智能科技有限公司 Key management method and related equipment
US11943345B2 (en) 2021-01-11 2024-03-26 Inspur Suzhou Intelligent Technology Co., Ltd. Key management method and related device
CN113792345A (en) * 2021-09-18 2021-12-14 国网电子商务有限公司 Data access control method and device
CN114050929A (en) * 2021-11-10 2022-02-15 北京安天网络安全技术有限公司 Multi-party secure communication method, equipment and medium based on attribute encryption
CN115150142A (en) * 2022-06-24 2022-10-04 深圳市北科瑞声科技股份有限公司 Data access processing method, system, equipment and storage medium
CN116910784A (en) * 2023-07-17 2023-10-20 北京炼石网络技术有限公司 Device, method and system for data availability and non-rotatable secure sharing
CN116910784B (en) * 2023-07-17 2024-04-30 北京炼石网络技术有限公司 Device, method and system for data availability and non-rotatable secure sharing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200424