CN111541731B - Electronic file access control method based on block chain and knowledge range encryption - Google Patents
Electronic file access control method based on block chain and knowledge range encryption Download PDFInfo
- Publication number
- CN111541731B CN111541731B CN202010154634.8A CN202010154634A CN111541731B CN 111541731 B CN111541731 B CN 111541731B CN 202010154634 A CN202010154634 A CN 202010154634A CN 111541731 B CN111541731 B CN 111541731B
- Authority
- CN
- China
- Prior art keywords
- electronic file
- user
- file
- ciphertext
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2151—Time stamp
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses an electronic file access control method based on block chain and knowledge range encryption. The prior art has the problems of electronic file security and shareability. The method includes the steps that firstly, system initialization is carried out, a file owner encrypts and uploads an electronic file according to a knowledge range, and a storage position index of a file ciphertext is obtained; a file visitor downloads and decrypts the electronic file ciphertext to obtain an electronic file plaintext; the key is updated when the knowledge range of the electronic file changes. The electronic file is stored in a database under the chain in a ciphertext form, and the knowledge range, the key distribution polynomial and the position index of the file ciphertext in the database are stored in the block chain, so that the integrity and the non-tamper property of the ciphertext file are ensured, the file storage safety is realized, and the efficient sharing of the file is ensured. The method improves the safety of the electronic file in the storing and sharing process and realizes the fine-grained access control of the electronic file.
Description
Technical Field
The invention belongs to the field of electronic file security control, and particularly relates to an electronic file access control method based on block chain and knowledge range encryption.
Background
Currently, in e-government and enterprise networks, more and more information is stored and distributed in the form of electronic files, which have become one of the important data assets of organizations such as various levels of districts, departments, enterprises and institutions. Once the electronic document is lost, the core benefits and self-safety of the units such as various levels of party administration, departments, enterprises and public institutions and the like can be seriously affected, and even the national safety and benefits are threatened. How to ensure the security and the sharing of these electronic documents has become a management problem for organizations and organizations such as various levels of districts, departments, enterprises and institutions.
Many commercial secrets or national secrets are involved in unit networks of various levels of party administrative organs, departments, enterprises and public institutions and the like, and the information needs to be controlled within a minimum knowledge range according to a secret management minimization principle to prevent secret leakage. Access control to electronic files is an important approach to improve the security of electronic files, but if these electronic files are stored in a clear text form, file sharing is facilitated, but the security of the files cannot be guaranteed. In order to ensure the security of an electronic file, in the prior art, a file is usually encrypted and then stored in a server, but the file is encrypted, so that the sharing of the file becomes very difficult, and the problems of whether a file ciphertext is maliciously tampered and whether the file ciphertext is complete exist. The conventional encryption and decryption method is used, and the existing method for sharing files is that when an accessor requests to access an electronic file from a file owner, the file owner encrypts the electronic file by using a public key of the accessor and then transmits the electronic file to the accessor, and the accessor receives an electronic file ciphertext and then decrypts the electronic file by using a private key of the accessor to obtain an electronic file plaintext. The way of realizing data sharing by public key encryption and decryption increases the expense and burden of data owners. In addition, at present, access control of 'one file one secret' to the electronic file cannot be performed according to the knowledge range, and the behavior that the user is unauthorized to access the electronic file cannot be effectively prevented. Therefore, how to safely store and share electronic files is an urgent problem to be solved.
Disclosure of Invention
The invention aims to provide an electronic file access control method based on block chain and knowledge range encryption aiming at the problems of electronic file security and shareability in the prior art.
The electronic file is stored in a database under the chain in a ciphertext form, and the knowledge range, the key distribution polynomial and the position index of the file ciphertext in the database are stored in the block chain, so that the integrity and the non-tamper property of the ciphertext file are ensured, the file storage safety is realized, and the efficient sharing of the file is ensured. The electronic files are encrypted and access controlled according to the knowledge range, and different electronic files correspond to different keys, namely a 'one-file-one-secret' mechanism. The method is based on the block chain technology, so that on one hand, the leakage of important electronic file information is prevented, and on the other hand, the legal user in the knowledge range can be ensured to decrypt and access the electronic file required by the user.
The invention is realized by the following method:
step (1), initializing a system; the method comprises the following steps:
(1-1) each user puts forward a registration application to the system and obtains a unique identification ID number ID corresponding to the real identity information of the useriThe user set is expressed as U ═ U1,U2,…,Un},UiIs ID of ID numberiI ∈ (1,2, …, n), n indicates that n users are registered in the system;
(1-2) Each user UiAfter the successful registration and logging in the system, the user end executes a public and private key pair generation algorithm to generate a pair of public and private key Pairs (PK)i,SKi) The data is stored in the user side for the user to use;
(1-3) user UiPublic key PKiSending the personal identity information of the user to a certificate authority, storing the personal identity information into a user information list by the certificate authority, and issuing a digital certificate for the user;
(1-4) certificate authority for each registered user UiSelecting a unique secret value as user UiOf the individual private key si,si∈Fq,FqIs a finite field; will siBy user UiPublic key PKiEncrypted and sent to user Ui;
(1-5) user UiBy its own private key SKiAfter decryption, the individual private key s of the user is obtainediAnd storing the data to the user side.
Encrypting and uploading the electronic file to obtain a storage position index of a file ciphertext; the method comprises the following steps:
(2-1) setting an electronic file knowledge range and writing the electronic file knowledge range into a block chain;
when the electronic file owner UaWhen the electronic file j needs to be uploaded, firstly, the user end sets the knowledge range G of the electronic filejKnowledge range GjFor a set of legitimate users having access to an electronic file j, GjE is U; then, a blockchain transaction is created, and the identifier FID of the electronic file j is establishedjAnd a knowledge range Gj、UaPublic key PKaCurrent time stamp TjAnd UaSigning the above informationWriting into a transaction; finally, broadcasting the transaction to a blockchain network; the block chain network node verifies the transaction, and after the verification is passed, the transaction is stored in the block being generated and further written into the block chain;
(2-2) generating an encryption key and a key distribution polynomial for the electronic file j, and writing the key distribution polynomial into the block chain;
the certificate authority obtains the file identifier and the knowledge range information in the transaction information on the blockchain from the finite field FqIn which an encryption key K is randomly selected for an electronic file jjAnd according to the knowledge range G of the electronic file jjConstruction of a secret key KjThe distribution polynomial of (c):
first, use GjIndividual private key s of a legitimate useriConstructing an access polynomialWherein VIDjIs a virtual identifier whose value is notThe same individual private key as all users, the polynomial lambda for each electronic file and accessj(x) Randomly selected, x is an argument of a polynomial; for legal users U in the knowledge rangei,Λj(si) 1 is ═ 1; for illegal users U outside the knowledge rangef,Λj(sf) Is a random value; then, a key distribution polynomial is calculatedFinally, the identifier FID of the electronic file jjKey distribution polynomial phij(x) Public key PK of certificate authorityCACurrent time stamp TjAnd the signature of the information by the certificate authorityWriting the transaction into a block chain network, and broadcasting the transaction to the block chain network; the block chain network node verifies the transaction, and after the verification is passed, the transaction is stored in the block being generated and further written into the block chain;
(2-3) uploading the encrypted electronic file to a file storage server, and acquiring a storage position index of the file, wherein the specific steps are as follows:
Uathe user terminal of (1) first distributes a polynomial phi according to a secret key obtained on a block chainj(x) And the individual private key s of the useraCalculating and recovering encryption key K of electronic file jj,Kj=Φj(sa);
Using an encryption algorithm E and an encryption key KjFor the plaintext data M of the electronic file jjEncrypting to obtain the ciphertext of the electronic file jAnd calculating the hash value of the ciphertext
Cipher text of electronic file jUploading the data to a file storage server for storage to obtain a ciphertext storage position index URL of the electronic file jj;
FID file identifier of electronic file jjFile storage location index URLjHash value of file ciphertextUaPublic key PKaCurrent time stamp TjAnd UaSignature on the above informationWriting into a blockchain transaction, and then broadcasting the transaction onto a blockchain network; and the blockchain network node verifies the transaction, and under the condition that the transaction passes the verification, the blockchain network node places the transaction into a block and writes the transaction into a blockchain.
Step (3), downloading the electronic file ciphertext and decrypting;
the downloading of the electronic file ciphertext specifically comprises: when the user UbWhen applying for accessing the electronic file j, the URL is indexed by the file storage position obtained on the block chainjApplication for downloading ciphertext of electronic file j from file storage serverServer checks user UbIf the current download request is in the knowledge range of the electronic file j, if the current download request is not in the knowledge range of the electronic file j, the download request is rejected, and the user UbFailure to access the electronic file; if the user UbWithin the knowledge range of the electronic file j, the user U is allowedbDownloading ciphertext of electronic file jThe file storage server records the behavior of downloading the electronic file j on the block chain;
The specific steps for decrypting the electronic file are as follows: user UbAccording to the hash value of the ciphertext of the electronic file j obtained on the block chain, the user side of the system can obtain the hash value of the ciphertext of the electronic file jAnd ciphertext of electronic file j downloaded from file storage serverVerifying the integrity of the ciphertext; if the verification ciphertext is incomplete, the ciphertext is falsified, and decryption is not performed; if the verification ciphertext is complete, decrypting; user UbAccording to the key distribution polynomial phi obtained on the block chainj(x) And user UbOf the individual private key sbCalculating and recovering decryption key K of electronic file jj,Kj=Φj(sb) (ii) a Using a decryption algorithm D and a decryption key KjCiphertext to electronic file jDecrypting to recover plaintext dataUser UbThe electronic file j can be read and viewed.
Step (4), updating the key;
when the knowledge range of the electronic file j is changed, if a new user is added in the knowledge range, only a new key distribution polynomial is generated for the new user according to the new knowledge range and written into the block chain; if the user in the knowledge range is deleted, the encryption key, the key distribution polynomial and the ciphertext of the electronic file need to be updated so as to prevent the user who is not in the knowledge range from continuously accessing the electronic file; the specific method comprises the following steps:
(4-1) Slave field FqRandomly selecting a new electronic file encryption key K for the electronic file jj′;
(4-3) distributing Key to polynomial Φ'j(x) Converting into a blockchain transaction, then broadcasting to a blockchain network, and placing the transaction into a block by a blockchain network node and writing the transaction into a blockchain;
(4-4) with a new encryption key K'jEncrypting a plaintext of the electronic file j to generate a new ciphertext of the electronic file j, and calculating a hash value of the new ciphertext;
(4-5) uploading the new ciphertext of the electronic file j to a file storage server for storage to obtain a new file storage position index;
(4-6) indexing the file identifier of the electronic file j, the new file storage position, the hash value of the new ciphertext and UaPublic key, current timestamp, and UaThe signature of the information is written into a blockchain transaction and then broadcast to a blockchain network, and the blockchain network node places the transaction into a block and writes the transaction into a blockchain.
The block chain network consists of a plurality of block chain network nodes, and the block chain network nodes comprise user equipment, a certificate authority, a file storage server and other nodes in any form; the block chain network node is responsible for operating a consensus algorithm, generating a block, and maintaining the generated block chain, wherein the block chain is a alliance chain or a private chain.
Further, the encryption algorithm E in the step (2) adopts a symmetric encryption algorithm, and the decryption algorithm D and the encryption algorithm E in the step (3) use the same key.
The invention uses the block chain technology to ensure the integrity and the non-tamper property of the ciphertext file and the safety of file storage; the efficient sharing of files is guaranteed by the ciphertext file storage index and the key distribution polynomial on the block chain. While reducing the overhead and burden on the data owner.
The invention realizes the encryption and access control of the electronic file according to the knowledge range based on the block chain technology, and solves the safety problem in the sharing of the electronic file, in particular the access authority control problem. The electronic file is always in an encrypted state in the circulation process of the application system, and the electronic file is shared under the condition of a ciphertext, so that the leakage of important electronic file information is prevented, legal users in a knowledge range can access the electronic file required by the users, and the safety of the electronic file is effectively protected by using technical means.
The invention improves the safety of the electronic file in the storing and sharing process and realizes a 'one-word-one-secret' mechanism. Different electronic files correspond to different encryption and decryption keys, and only users within the knowledge range can access and decrypt the electronic files, so that the access control of the electronic files is specifically controlled by individuals, and the fine-grained access control of the electronic files is realized.
Drawings
FIG. 1 is a general flow chart of the method of the present invention
FIG. 2 is an initialization flow diagram of an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a process of encrypting and uploading an electronic file by a file owner to obtain a file storage location index according to an embodiment of the present invention;
FIG. 4 is a flowchart of a file visitor accessing an electronic file, in accordance with an embodiment of the present invention;
Detailed Description
The following describes the embodiments of the present invention in further detail with reference to the drawings.
As shown in fig. 1, a block chain and knowledge range encryption-based electronic file access control method specifically includes the following steps:
step 2, the file owner encrypts and uploads the electronic file according to the knowledge range to obtain a storage position index of the file ciphertext;
step 3, the file visitor downloads the electronic file ciphertext and decrypts the electronic file ciphertext to obtain the electronic file plaintext;
and 4, updating the key when the knowledge range of the electronic file is changed.
For a better understanding of the method and process of the embodiments of the invention, one timeThe electronic file sharing process is explained in detail. In the process, the user UaIs the owner of the file, user UbIs the visitor to the file. For the management and authentication of the user, the user UaAnd user UbInitialization is required when a system is logged in for the first time, and the process is as shown in fig. 2, and specifically includes:
(1) user UaAnd user UbThe user makes a registration application to the system and obtains a unique identification ID number ID corresponding to the real identity information of the useraAnd IDb。
(2) User UaAnd user UbAfter the successful registration and logging in the system, the user end executes a public and private key pair generation algorithm to respectively generate a pair of public and private key Pairs (PK)a,SKa) And (PK)b,SKb) And stored in the user terminal for the user to use.
(3) User UaAnd user UbPublic key PKaAnd PKbAnd personal identification information of itself to a certificate authority. (4) The certificate authority stores the information in a user information list and provides the user U with the informationaAnd user UbIssuing a digital certificate. The certificate authority is responsible for issuing and managing digital certificates of system users and distributing and managing keys.
(5) Certificate authority is user UaAnd user UbRespectively selecting a unique secret value sa∈FqAnd sb∈FqAs the user's individual private key; using user U in combinationaAnd user UbPublic key PKaAnd PKbEncrypted and respectively sent to the user UaAnd user Ub。
(6) User UaAnd user UbAnd respectively decrypting by using the private keys to obtain the individual private keys and storing the individual private keys to the user side.
File owner U of the embodiment of the inventionaThe process of encrypting and uploading the electronic file according to the knowledge range and acquiring the file storage location is shown in fig. 3, and specifically:
step a 1: setting an electronic file knowledge range and writing the electronic file knowledge range into a block chain, specifically:
(1) user UaAnd setting a knowledge range for the electronic file j at the user side. The knowledge range refers to a legitimate user who can access the electronic file. The set of legal users of the electronic file j is Gj,Gj∈U。
(2) Create a blockchain transaction, FID the identifier of the electronic file jjThe knowledge range G of the electronic file jj、UaPublic key PKaCurrent time stamp TjAnd UaIs signedWrites the transaction and broadcasts the transaction to the blockchain network.
(3) The blockchain network node stores the transaction into the block being generated and further writes to the blockchain.
The blockchain network is composed of a plurality of network nodes, and the network nodes can comprise user equipment, a certificate authority and a file storage server, and can also comprise any other nodes. The block chain network node is responsible for operating a consensus algorithm, generating a block and maintaining the generated block chain. The block chain is a federation chain or a private chain.
Step a 2: an encryption key and a key distribution polynomial are generated for the electronic file j and the key distribution polynomial is written to the blockchain.
The certificate authority obtains the file identifier and the knowledge range information in the transaction information on the blockchain from the limited field FqIn the method, an encryption key K is randomly selected for an electronic file jjAnd according to the knowledge range G of the electronic file jjBuilding a secret key KjThe distribution polynomial of (1) is specifically:
(1) using the set GjConstructing an access polynomial from the individual private key of the legitimate userWherein VIDjIs a virtual identifier whose value is different from that of all usersPrivate key for each electronic file and Λj(x) And (4) randomly selecting. For legal users U in the knowledge rangei,Λj(si) 1. For illegal users U outside the known rangef,Λj(sf) Is a random value. Virtual identification VIDjIs to make all Λj(x) Even if the private keys of the individual users who are the same and legitimate are included, are different from each other.
(2) Calculating a key distribution polynomialThe legal users in the knowledge range of the key distribution polynomial guarantee can calculate the encryption key KjAnd illegal users out of the known range can not calculate the encryption key KjOnly one random value can be obtained.
(3) FID identifier of electronic file jjKey distribution polynomial phij(x) Public key PK of certificate authorityCACurrent time stamp TjAnd the signature of the information by the certificate authorityWrites the transaction and broadcasts the transaction to the blockchain network.
(4) The blockchain network node stores the transaction in the block being generated and further writes to the blockchain.
Step a 3: uploading the encrypted electronic file to a file storage server, and acquiring a storage position index of the file, wherein the method specifically comprises the following steps:
(1).Uathe user terminal of (1) first distributes a polynomial phi according to a secret key obtained on a block chainj(x) And the individual private key s of the useraCalculating and recovering encryption key K of electronic file jj,Kj=Φj(sa)。
(2) Using an encryption algorithm E and an encryption key KjFor electronic filePlaintext data M of jjEncrypting to obtain the ciphertext of the electronic file jAnd calculating the hash value of the ciphertextThe encryption algorithm used for encryption is a symmetric encryption algorithm such as SM4, AES, etc., and thus the electronic file encryption key is also an electronic file decryption key.
(3) Cipher text of electronic document jAnd uploading to a file storage server for storage. The server returns the ciphertext storage position index URL of the electronic file j to the userj。
(4) FID the file identifier of the electronic file jjFile storage location index URLjHash value of file ciphertextUaPublic key PKaCurrent time stamp TjAnd UaSignature on the above informationWrites to the blockchain transaction and broadcasts the transaction to the blockchain network.
(5) The blockchain network node places the transaction into the block being generated and further writes to the blockchain.
As shown in FIG. 4, file accessor UbThe specific process of downloading the electronic file ciphertext and decrypting the electronic file ciphertext to obtain the electronic file plaintext comprises the following steps of:
step b 1: downloading the electronic file ciphertext, specifically comprising the following steps:
(1) user UbIndexing URLs by file storage location obtained on blockchainsjApplication for downloading ciphertext of electronic file j from file storage server
(2) The server checks the user UbIf the electronic file j is not in the knowledge range of the electronic file j, the download application is rejected, and a user UbFailure to access the electronic file; if the user UbWithin the knowledge range of the electronic file j, the user U is allowedbDownloading ciphertext of electronic file j
(3) The file storage server records the act of downloading the electronic file j on the blockchain, thereby facilitating investigation and determination of responsibility attribution when file information leakage occurs online.
Step b 2: the electronic file is decrypted. The method comprises the following specific steps:
(1) user UbAccording to the hash value of the ciphertext of the electronic file j obtained on the block chain, the user side of the system can obtain the hash value of the ciphertext of the electronic file jAnd ciphertext of electronic file j downloaded from file storage serverAnd verifying the integrity of the ciphertext. If the verification ciphertext is incomplete, the ciphertext is falsified, and decryption is not performed; and if the ciphertext is verified to be complete, decrypting.
(2) User UbAccording to the key distribution polynomial phi obtained on the block chainj(x) And user UbOf the individual private key sbCalculating and recovering decryption key K of electronic file jj,Kj=Φj(sb)。
(3) Using decryption algorithm D and decryption key KjCiphertext to electronic file jDecrypting to recover plaintext dataThen the user UbThe electronic file j can be read and viewed.
When the knowledge range of the electronic file j changes, the key or the key distribution polynomial needs to be updated. If a new user is added in the knowledge range, only a new key distribution polynomial is generated for the new user according to the new knowledge range and written into the block chain. If the user in the known range is deleted, the encryption key, the key distribution polynomial and the ciphertext of the electronic file need to be updated so as to prevent the user who is not in the known range from continuously accessing the electronic file.
The specific method comprises the following steps:
(1) from domain FqRandomly selecting a new electronic file encryption key K for the electronic file jj′。
(3) Distribute key to polynomial phi'j(x) Converted to a blockchain transaction and then broadcast onto the blockchain network.
(4) The blockchain network node places the transaction into a block and writes to a blockchain.
(5) Adopt a new encryption key K'jEncrypting the plaintext of the electronic file j to generate a new ciphertext of the electronic file jAnd calculating the hash value of the new ciphertext
(6) New cipher text of electronic document jUploading to a file storage server for storage to obtainNew file storage location index URL'j。
(7) FID the file identifier of the electronic file jjAnd new file storage location index URL'jHash value of new ciphertextUaPublic key PKaCurrent timestamp T'jAnd UaSignature on the above informationThe blockchain transaction is written and broadcast to the blockchain network.
(8) The blockchain network node places the transaction into the block being generated and further writes to the blockchain.
Claims (3)
1. An electronic file access control method based on block chain and knowledge range encryption is characterized in that the method specifically comprises the following steps:
step (1), initializing a system; the method comprises the following steps:
(1-1) each user puts forward a registration application to the system and obtains a unique identification ID number ID corresponding to the real identity information of the useriThe user set is expressed as U ═ U1,U2,…,Un},UiIs ID of ID numberiI ∈ (1,2, …, n), n indicates that n users are registered in the system;
(1-2) Each user UiAfter the successful registration and logging in the system, the user end executes a public and private key pair generation algorithm to generate a pair of public and private key Pairs (PK)i,SKi) The data is stored at the user side for the user to use;
(1-3) user UiPublic key PKiSending the personal identity information of the user to a certificate authority, storing the personal identity information into a user information list by the certificate authority, and issuing a digital certificate for the user;
(1-4) certificate authority for each registered user UiSelecting a unique secret value as user UiPrivate of (1)Key si,si∈Fq,FqIs a finite field; will siBy user UiPublic key PKiEncrypted and sent to user Ui;
(1-5) user UiBy its own private key SKiAfter decryption, the individual private key s of the user is obtainediAnd storing the data to the user side;
encrypting and uploading the electronic file to obtain a storage position index of a file ciphertext; the method comprises the following steps:
(2-1) setting an electronic file knowledge range and writing the electronic file knowledge range into a block chain;
when the electronic file owner UaWhen the electronic file j needs to be uploaded, firstly, the user end sets the knowledge range G of the electronic filejKnowledge range GjFor a set of legitimate users having access to an electronic file j, GjE is U; then, a blockchain transaction is created, and the identifier FID of the electronic file j is establishedjAnd a learning range Gj、UaPublic key PKaCurrent time stamp TjAnd UaSigning the above informationWriting into a transaction; finally, broadcasting the transaction to a block chain network; the block chain network node verifies the transaction, and after the verification is passed, the transaction is stored in the block being generated and further written into the block chain;
(2-2) generating an encryption key and a key distribution polynomial for the electronic file j, and writing the key distribution polynomial into the block chain;
the certificate authority obtains the file identifier and the knowledge range information in the transaction information on the blockchain from the finite field FqIn the method, an encryption key K is randomly selected for an electronic file jjAnd according to the knowledge range G of the electronic file jjBuilding a secret key KjThe distribution polynomial of (1):
first, using GjIndividual private key s of medium-legal useriConstructing an access polynomialWherein VIDjFor virtual identification, whose value is different from the individual private keys of all users, for each electronic file and access polynomial Λj(x) Randomly selected, x is an independent variable of a polynomial; for legal users U in the knowledge rangei,Λj(si) 1 is ═ 1; for illegal users U outside the knowledge rangef,Λj(sf) Is a random value; then, a key distribution polynomial is calculatedFinally, the identifier FID of the electronic file j is usedjKey distribution polynomial phij(x) Public key PK of certificate authorityCACurrent time stamp TjAnd the signature of the information by the certificate authorityWriting into a transaction, and then broadcasting the transaction onto a blockchain network; the block chain network node verifies the transaction, and after the transaction passes the verification, the transaction is stored in the block being generated and further written into the block chain;
(2-3) uploading the encrypted electronic file to a file storage server, and acquiring a storage position index of the file, wherein the specific steps are as follows:
Uathe user terminal of (1) first distributes a polynomial phi according to a secret key obtained on a block chainj(x) And the individual private key s of the useraCalculating and recovering encryption key K of electronic file jj,Kj=Φj(sa);
Using an encryption algorithm E and an encryption key KjFor the plaintext data M of the electronic file jjEncrypting to obtain the ciphertext of the electronic file jAnd calculating the hash value of the ciphertextThe encryption algorithm E adopts a symmetric encryption algorithm, and the electronic file encryption key is also an electronic file decryption key;
ciphertext of electronic file jUploading the data to a file storage server for storage to obtain a ciphertext storage position index URL of the electronic file jj;
FID file identifier of electronic file jjFile storage location index URLjHash value of file ciphertextUaPublic key PKaCurrent time stamp TjAnd UaSigning the above informationWriting into a blockchain transaction, and then broadcasting the transaction onto a blockchain network; the block chain network node verifies the transaction, and under the condition that the transaction passes the verification, the block chain network node places the transaction into a block and writes the transaction into a block chain;
step (3), downloading the electronic file ciphertext and decrypting;
the downloading of the electronic file ciphertext specifically comprises the following steps: when the user UbWhen applying for accessing the electronic file j, the URL is indexed by the file storage position obtained on the block chainjApplication for downloading ciphertext of electronic file j from file storage serverServer checks user UbIf the current download request is in the knowledge range of the electronic file j, if the current download request is not in the knowledge range of the electronic file j, the download request is rejected, and the user UbFailure to access the electronic file; if the user UbWithin the knowledge range of the electronic file j, the user U is allowedbDownloading ciphertext of electronic file jThe file storage server records the behavior of downloading the electronic file j on a block chain;
the specific steps for decrypting the electronic file are as follows: user UbAccording to the hash value of the ciphertext of the electronic file j obtained on the block chain, the user side of the system can obtain the hash value of the ciphertext of the electronic file jAnd ciphertext of electronic file j downloaded from file storage serverVerifying the integrity of the ciphertext; if the verification ciphertext is incomplete, the ciphertext is falsified, and decryption is not performed; if the verification ciphertext is complete, decrypting; user UbAccording to the key distribution polynomial phi obtained on the block chainj(x) And user UbOf the individual private key sbCalculating and recovering decryption key K of electronic file jj,Kj=Φj(sb) (ii) a Using a decryption algorithm D and a decryption key KjCiphertext to electronic file jDecrypting to recover plaintext dataUser UbThe electronic file j can be read and viewed; the decryption algorithm D and the encryption algorithm E use the same key;
step (4), updating the key;
when the knowledge range of the electronic file j is changed, if a new user is added in the knowledge range, only a new key distribution polynomial is generated for the new user according to the new knowledge range and written into the block chain; if the user in the known range is deleted, the encryption key, the key distribution polynomial and the ciphertext of the electronic file need to be updated so as to prevent the user who is not in the known range from continuing to access the electronic file; the specific method comprises the following steps:
(4-1) Slave field FqRandomly selecting a new electronic file encryption key K for the electronic file jj′;
(4-3) distributing Key to polynomial Φ'j(x) Converting into a blockchain transaction, then broadcasting to a blockchain network, and placing the transaction into a block by a blockchain network node and writing the transaction into a blockchain;
(4-4) with a new encryption key K'jEncrypting a plaintext of the electronic file j to generate a new ciphertext of the electronic file j, and calculating a hash value of the new ciphertext;
(4-5) uploading the new ciphertext of the electronic file j to a file storage server for storage to obtain a new file storage position index;
(4-6) indexing the file identifier of the electronic file j, the new file storage position, the hash value of the new ciphertext and UaPublic key, current timestamp, and UaThe signature of the information is written into a blockchain transaction and then broadcast to a blockchain network, and the blockchain network node places the transaction into a block and writes the transaction into a blockchain.
2. An electronic file access control method based on blockchain and knowledge range encryption as claimed in claim 1, characterized in that: the block chain network consists of a plurality of block chain network nodes, and the block chain network nodes comprise user equipment, a certificate authority, a file storage server and other nodes in any form; the block chain network node is responsible for operating a consensus algorithm, generating a block, and maintaining the generated block chain, wherein the block chain is a alliance chain or a private chain.
3. A block chain and learned range encryption-based electronic file access control method as claimed in claim 1, characterized by: the certificate authority is responsible for issuing and managing digital certificates of system users and distributing and managing keys.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010154634.8A CN111541731B (en) | 2020-03-08 | 2020-03-08 | Electronic file access control method based on block chain and knowledge range encryption |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010154634.8A CN111541731B (en) | 2020-03-08 | 2020-03-08 | Electronic file access control method based on block chain and knowledge range encryption |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111541731A CN111541731A (en) | 2020-08-14 |
CN111541731B true CN111541731B (en) | 2022-06-24 |
Family
ID=71969091
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010154634.8A Active CN111541731B (en) | 2020-03-08 | 2020-03-08 | Electronic file access control method based on block chain and knowledge range encryption |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111541731B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114422176B (en) * | 2021-12-10 | 2023-03-10 | 北京理工大学 | Block chain-based dynamic access control method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101661930B1 (en) * | 2015-08-03 | 2016-10-05 | 주식회사 코인플러그 | Certificate issuance system based on block chain |
CN108462568A (en) * | 2018-02-11 | 2018-08-28 | 西安电子科技大学 | A kind of secure file storage and sharing method based on block chain |
CN110474873A (en) * | 2019-07-09 | 2019-11-19 | 杭州电子科技大学 | It is a kind of based on know range encryption electronic document access control method and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190384895A1 (en) * | 2018-06-19 | 2019-12-19 | Ivy Food Technology, Inc. | System for document and certificate management using directed acyclic graph based tagging |
-
2020
- 2020-03-08 CN CN202010154634.8A patent/CN111541731B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101661930B1 (en) * | 2015-08-03 | 2016-10-05 | 주식회사 코인플러그 | Certificate issuance system based on block chain |
CN108462568A (en) * | 2018-02-11 | 2018-08-28 | 西安电子科技大学 | A kind of secure file storage and sharing method based on block chain |
CN110474873A (en) * | 2019-07-09 | 2019-11-19 | 杭州电子科技大学 | It is a kind of based on know range encryption electronic document access control method and system |
Also Published As
Publication number | Publication date |
---|---|
CN111541731A (en) | 2020-08-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109559124B (en) | Cloud data security sharing method based on block chain | |
CN108259169B (en) | File secure sharing method and system based on block chain cloud storage | |
KR102025409B1 (en) | Data access management system based on blockchain and method thereof | |
US10432394B2 (en) | Method and system for sharing encrypted content | |
Jin et al. | Full integrity and freshness for cloud data | |
CN114039790B (en) | Fine-grained cloud storage security access control method based on blockchain | |
US20100005318A1 (en) | Process for securing data in a storage unit | |
CN105103488A (en) | Policy enforcement with associated data | |
CN112187798B (en) | Bidirectional access control method and system applied to cloud-side data sharing | |
CN102075544A (en) | Encryption system, encryption method and decryption method for local area network shared file | |
Cui et al. | Towards blockchain-based scalable and trustworthy file sharing | |
CN108632385B (en) | Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure | |
CN111181719B (en) | Hierarchical access control method and system based on attribute encryption in cloud environment | |
CN106612169A (en) | Safe data sharing method in cloud environment | |
CN105072134A (en) | Cloud disk system file secure transmission method based on three-level key | |
CN105721146B (en) | A kind of big data sharing method towards cloud storage based on SMC | |
CN115883214A (en) | Electronic medical data sharing system and method based on alliance chain and CP-ABE | |
Guo et al. | Using blockchain to control access to cloud data | |
Mukundan et al. | Replicated Data Integrity Verification in Cloud. | |
CN111541731B (en) | Electronic file access control method based on block chain and knowledge range encryption | |
Ma et al. | A secure and efficient data deduplication scheme with dynamic ownership management in cloud computing | |
CN117200966A (en) | Trusted authorization data sharing method based on distributed identity and alliance chain | |
CN110474873B (en) | Electronic file access control method and system based on knowledge range encryption | |
CN104618419A (en) | Scheme based on content sharing policy in cloud | |
US10558786B2 (en) | Media content encryption and distribution system and method based on unique identification of user |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |