CN111541731B - Electronic file access control method based on block chain and knowledge range encryption - Google Patents

Publication number
CN111541731B
Authority
CN
China
Prior art keywords
electronic file
user
file
ciphertext
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010154634.8A
Other languages
Chinese (zh)
Other versions
CN111541731A (en
Inventor
王秋华
夏天雨
任一支
吴国华
姚晔
张祯
陈临强
袁理锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dianzi University
Original Assignee
Hangzhou Dianzi University
Application filed by Hangzhou Dianzi University
Priority to CN202010154634.8A
Publication of CN111541731A
Application granted
Publication of CN111541731B

Classifications

    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • G06F2221/2107 File encryption
    • G06F2221/2151 Time stamp
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees


Abstract

The invention discloses an electronic file access control method based on blockchain and knowledge range encryption. The prior art has problems with electronic file security and shareability. In the method, the system is first initialized; the file owner then encrypts and uploads the electronic file according to its knowledge range and obtains the storage location index of the file ciphertext; a file visitor downloads and decrypts the electronic file ciphertext to obtain the electronic file plaintext; and the key is updated when the knowledge range of the electronic file changes. The electronic file is stored as ciphertext in an off-chain database, while the knowledge range, the key distribution polynomial and the location index of the file ciphertext in the database are stored on the blockchain, which ensures the integrity and tamper resistance of the ciphertext file, secures file storage, and allows efficient file sharing. The method improves the security of electronic files during storage and sharing and achieves fine-grained access control of electronic files.

Description

Electronic file access control method based on block chain and knowledge range encryption
Technical Field
The invention belongs to the field of electronic file security control, and particularly relates to an electronic file access control method based on block chain and knowledge range encryption.
Background
Currently, in e-government and enterprise networks, more and more information is stored and distributed as electronic files, which have become important data assets of party and government organs at all levels, departments, enterprises and public institutions. Once an electronic file is lost, the core interests and security of these organizations can be seriously affected, and even national security and interests may be threatened. How to ensure both the security and the sharing of these electronic files has become a management problem for such organizations.
The networks of these organizations hold many commercial secrets or state secrets, and under the principle of minimizing the circle of people who know a secret, this information must be confined to the smallest possible knowledge range to prevent leakage. Access control is an important way to improve the security of electronic files. If the files are stored in plaintext, sharing is easy but security cannot be guaranteed. To protect an electronic file, the prior art usually encrypts it before storing it on a server, but encryption makes sharing very difficult, and it remains unknown whether the file ciphertext has been maliciously tampered with and whether it is complete. With conventional encryption and decryption, files are shared as follows: when a visitor requests access to an electronic file from the file owner, the file owner encrypts the file with the visitor's public key and transmits it to the visitor, who decrypts the received ciphertext with his or her own private key to obtain the plaintext. Sharing data through public key encryption and decryption in this way increases the overhead and burden on the data owner. In addition, "one file, one secret" access control according to the knowledge range is currently not possible, so unauthorized access to electronic files cannot be effectively prevented. How to store and share electronic files securely is therefore an urgent problem to be solved.
Disclosure of Invention
The invention aims to provide an electronic file access control method based on block chain and knowledge range encryption aiming at the problems of electronic file security and shareability in the prior art.
The electronic file is stored as ciphertext in an off-chain database, while the knowledge range, the key distribution polynomial and the location index of the file ciphertext in the database are stored on the blockchain, which ensures the integrity and tamper resistance of the ciphertext file, secures file storage, and allows efficient file sharing. Electronic files are encrypted and access controlled according to the knowledge range, and different electronic files correspond to different keys, namely a "one-file-one-secret" mechanism. Because the method is based on blockchain technology, it prevents leakage of important electronic file information on the one hand, and on the other hand ensures that legitimate users within the knowledge range can decrypt and access the electronic files they need.
The invention is realized by the following method:
Step (1): system initialization, comprising the following steps:
(1-1) Each user submits a registration application to the system and obtains a unique identification number $ID_i$ corresponding to the user's real identity information. The user set is expressed as $U = \{U_1, U_2, \ldots, U_n\}$, where $U_i$ is the user whose ID number is $ID_i$, $i \in (1, 2, \ldots, n)$, and $n$ indicates that $n$ users are registered in the system;
(1-2) After each user $U_i$ has registered and logged in to the system, the user side runs a public/private key pair generation algorithm to generate a key pair $(PK_i, SK_i)$, which is stored on the user side for the user's use;
(1-3) User $U_i$ sends its public key $PK_i$ and its personal identity information to the certificate authority; the certificate authority stores them in the user information list and issues a digital certificate to the user;
(1-4) For each registered user $U_i$, the certificate authority selects a unique secret value as the individual private key $s_i$ of user $U_i$, with $s_i \in F_q$, where $F_q$ is a finite field; $s_i$ is encrypted with the public key $PK_i$ of user $U_i$ and sent to user $U_i$;
(1-5) User $U_i$ decrypts with its own private key $SK_i$ to obtain its individual private key $s_i$ and stores it on the user side.
Step (2): encrypting and uploading the electronic file to obtain the storage location index of the file ciphertext, comprising the following steps:
(2-1) Set the knowledge range of the electronic file and write it into the blockchain;
When the electronic file owner $U_a$ needs to upload electronic file $j$, the user side first sets the knowledge range $G_j$ of the electronic file; $G_j$ is the set of legitimate users allowed to access electronic file $j$, $G_j \in U$. A blockchain transaction is then created, and the identifier $FID_j$ of electronic file $j$, the knowledge range $G_j$, the public key $PK_a$ of $U_a$, the current timestamp $T_j$, and the signature of $U_a$ over the above information
Figure BDA0002403650620000021
are written into the transaction. Finally, the transaction is broadcast to the blockchain network; the blockchain network nodes verify the transaction and, once it passes verification, store it in the block being generated, which is then written to the blockchain;
(2-2) Generate an encryption key and a key distribution polynomial for electronic file $j$, and write the key distribution polynomial into the blockchain;
The certificate authority obtains the file identifier and the knowledge range from the transaction information on the blockchain, randomly selects an encryption key $K_j$ for electronic file $j$ from the finite field $F_q$, and constructs the distribution polynomial of the key $K_j$ according to the knowledge range $G_j$ of electronic file $j$:
First, the individual private keys $s_i$ of the legitimate users in $G_j$ are used to construct the access polynomial
Figure BDA0002403650620000031
where $VID_j$ is a virtual identifier whose value differs from the individual private keys of all users and is chosen at random for each electronic file and access polynomial $\Lambda_j(x)$, and $x$ is the variable of the polynomial. For a legitimate user $U_i$ within the knowledge range, $\Lambda_j(s_i) = 1$; for an illegitimate user $U_f$ outside the knowledge range,
Figure BDA0002403650620000032
$\Lambda_j(s_f)$ is a random value. Then the key distribution polynomial is calculated
Figure BDA0002403650620000033
Finally, the identifier $FID_j$ of electronic file $j$, the key distribution polynomial $\Phi_j(x)$, the public key $PK_{CA}$ of the certificate authority, the current timestamp $T_j$, and the certificate authority's signature over this information
Figure BDA0002403650620000034
are written into a transaction, and the transaction is broadcast to the blockchain network; the blockchain network nodes verify the transaction and, once it passes verification, store it in the block being generated, which is then written to the blockchain;
(2-3) Upload the encrypted electronic file to the file storage server and obtain the storage location index of the file, with the following specific steps:
The user side of $U_a$ first computes and recovers the encryption key $K_j$ of electronic file $j$ from the key distribution polynomial $\Phi_j(x)$ obtained from the blockchain and the user's individual private key $s_a$: $K_j = \Phi_j(s_a)$;
Using the encryption algorithm $E$ and the encryption key $K_j$, the plaintext data $M_j$ of electronic file $j$ is encrypted to obtain the ciphertext of electronic file $j$
Figure BDA0002403650620000035
and the hash value of the ciphertext is calculated
Figure BDA0002403650620000036
The ciphertext of electronic file $j$
Figure BDA0002403650620000037
is uploaded to the file storage server for storage, yielding the ciphertext storage location index $URL_j$ of electronic file $j$;
The file identifier $FID_j$ of electronic file $j$, the file storage location index $URL_j$, the hash value of the file ciphertext
Figure BDA0002403650620000038
the public key $PK_a$ of $U_a$, the current timestamp $T_j$, and the signature of $U_a$ over the above information
Figure BDA0002403650620000039
are written into a blockchain transaction, and the transaction is then broadcast to the blockchain network; the blockchain network nodes verify the transaction and, if it passes verification, place it into a block and write it to the blockchain.
Step (3), downloading the electronic file ciphertext and decrypting;
Downloading the electronic file ciphertext is specifically as follows: when user $U_b$ applies to access electronic file $j$, it uses the file storage location index $URL_j$ obtained from the blockchain to request download, from the file storage server, of the ciphertext of electronic file $j$
Figure BDA0002403650620000041
The server checks whether user $U_b$ is within the knowledge range of electronic file $j$; if not, the download request is rejected and user $U_b$ fails to access the electronic file; if user $U_b$ is within the knowledge range of electronic file $j$, user $U_b$ is allowed to download the ciphertext of electronic file $j$
Figure BDA0002403650620000042
The file storage server records the download of electronic file $j$ on the blockchain;
The specific steps for decrypting the electronic file are as follows: the user side of user $U_b$ uses the hash value of the ciphertext of electronic file $j$ obtained from the blockchain
Figure BDA0002403650620000043
and the ciphertext of electronic file $j$ downloaded from the file storage server
Figure BDA0002403650620000044
to verify the integrity of the ciphertext. If verification shows that the ciphertext is not intact, the ciphertext has been tampered with and decryption is not performed; if the ciphertext is intact, it is decrypted. User $U_b$ computes and recovers the decryption key $K_j$ of electronic file $j$ from the key distribution polynomial $\Phi_j(x)$ obtained from the blockchain and its individual private key $s_b$: $K_j = \Phi_j(s_b)$. Using the decryption algorithm $D$ and the decryption key $K_j$, the ciphertext of electronic file $j$
Figure BDA0002403650620000045
is decrypted to recover the plaintext data
Figure BDA0002403650620000046
User $U_b$ can then read and view electronic file $j$.
Step (4), updating the key;
When the knowledge range of electronic file $j$ changes: if a new user is added to the knowledge range, only a new key distribution polynomial needs to be generated for the new user according to the new knowledge range and written into the blockchain; if a user is deleted from the knowledge range, the encryption key, the key distribution polynomial and the ciphertext of the electronic file must all be updated, so that a user who is no longer in the knowledge range cannot continue to access the electronic file. The specific method comprises the following steps:
(4-1) Randomly select from the finite field $F_q$ a new electronic file encryption key $K'_j$ for electronic file $j$;
(4-2) Compute a new key distribution polynomial
Figure BDA0002403650620000047
(4-3) Convert the key distribution polynomial $\Phi'_j(x)$ into a blockchain transaction and broadcast it to the blockchain network; the blockchain network nodes place the transaction into a block and write it to the blockchain;
(4-4) Encrypt the plaintext of electronic file $j$ with the new encryption key $K'_j$ to generate a new ciphertext of electronic file $j$, and calculate the hash value of the new ciphertext;
(4-5) Upload the new ciphertext of electronic file $j$ to the file storage server for storage to obtain a new file storage location index;
(4-6) Write the file identifier of electronic file $j$, the new file storage location index, the hash value of the new ciphertext, the public key of $U_a$, the current timestamp, and the signature of $U_a$ over this information into a blockchain transaction and broadcast it to the blockchain network; the blockchain network nodes place the transaction into a block and write it to the blockchain.
The blockchain network consists of a plurality of blockchain network nodes, which include user equipment, the certificate authority, the file storage server and other nodes of any form. The blockchain network nodes are responsible for running the consensus algorithm, generating blocks, and maintaining the resulting blockchain, which is a consortium chain or a private chain.
Further, the encryption algorithm E in step (2) is a symmetric encryption algorithm, and the decryption algorithm D in step (3) uses the same key as the encryption algorithm E.
The invention uses blockchain technology to ensure the integrity and tamper resistance of the ciphertext file and the security of file storage; the ciphertext file storage index and the key distribution polynomial on the blockchain allow efficient file sharing while reducing the overhead and burden on the data owner.
Based on blockchain technology, the invention encrypts and access-controls electronic files according to the knowledge range, and solves the security problem in sharing electronic files, in particular the problem of controlling access rights. The electronic file remains encrypted throughout its circulation in the application system and is shared as ciphertext, which prevents leakage of important electronic file information while letting legitimate users within the knowledge range access the electronic files they need, so the security of electronic files is effectively protected by technical means.
The invention improves the security of electronic files during storage and sharing and realizes a "one-file-one-secret" mechanism. Different electronic files correspond to different encryption and decryption keys, and only users within the knowledge range can access and decrypt an electronic file, so access control is enforced down to the individual and fine-grained access control of electronic files is achieved.
Drawings
FIG. 1 is a general flow chart of the method of the present invention
FIG. 2 is an initialization flow diagram of an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a process of encrypting and uploading an electronic file by a file owner to obtain a file storage location index according to an embodiment of the present invention;
FIG. 4 is a flowchart of a file visitor accessing an electronic file, in accordance with an embodiment of the present invention;
Detailed Description
The following describes the embodiments of the present invention in further detail with reference to the drawings.
As shown in fig. 1, a block chain and knowledge range encryption-based electronic file access control method specifically includes the following steps:
step 1, initializing a system;
step 2, the file owner encrypts and uploads the electronic file according to the knowledge range to obtain a storage position index of the file ciphertext;
step 3, the file visitor downloads the electronic file ciphertext and decrypts the electronic file ciphertext to obtain the electronic file plaintext;
step 4, updating the key when the knowledge range of the electronic file is changed.
For a better understanding of the method and process of the embodiment of the invention, one electronic file sharing process is explained in detail. In this process, user $U_a$ is the file owner and user $U_b$ is the file visitor. For user management and authentication, user $U_a$ and user $U_b$ must be initialized when they log in to the system for the first time; the process is shown in fig. 2 and specifically includes:
(1) User $U_a$ and user $U_b$ each submit a registration application to the system and obtain unique identification numbers $ID_a$ and $ID_b$ corresponding to their real identity information.
(2) After user $U_a$ and user $U_b$ have registered and logged in to the system, the user side runs a public/private key pair generation algorithm to generate the key pairs $(PK_a, SK_a)$ and $(PK_b, SK_b)$ respectively, which are stored on the user side for the user's use.
(3) User $U_a$ and user $U_b$ send their public keys $PK_a$ and $PK_b$ and their personal identity information to the certificate authority.
(4) The certificate authority stores the information in the user information list and issues digital certificates to user $U_a$ and user $U_b$. The certificate authority is responsible for issuing and managing the digital certificates of system users and for distributing and managing keys.
(5) The certificate authority selects unique secret values $s_a \in F_q$ and $s_b \in F_q$ as the individual private keys of user $U_a$ and user $U_b$ respectively, encrypts them with the public keys $PK_a$ and $PK_b$ of user $U_a$ and user $U_b$, and sends them to user $U_a$ and user $U_b$ respectively.
(6) User $U_a$ and user $U_b$ each decrypt with their own private keys to obtain their individual private keys and store them on the user side.
The process by which the file owner $U_a$ of the embodiment of the invention encrypts and uploads the electronic file according to the knowledge range and obtains the file storage location is shown in fig. 3, specifically:
Step a1: Set the knowledge range of the electronic file and write it into the blockchain, specifically:
(1) User $U_a$ sets a knowledge range for electronic file $j$ on the user side. The knowledge range is the set of legitimate users who can access the electronic file. The set of legitimate users of electronic file $j$ is $G_j$, $G_j \in U$.
(2) Create a blockchain transaction; the identifier $FID_j$ of electronic file $j$, the knowledge range $G_j$ of electronic file $j$, the public key $PK_a$ of $U_a$, the current timestamp $T_j$, and the signature of $U_a$
Figure BDA0002403650620000071
are written into the transaction, and the transaction is broadcast to the blockchain network.
(3) The blockchain network nodes store the transaction in the block being generated, which is then written to the blockchain.
The blockchain network is composed of a plurality of network nodes, which can include user equipment, the certificate authority and the file storage server, and can also include any other nodes. The blockchain network nodes are responsible for running the consensus algorithm, generating blocks and maintaining the resulting blockchain. The blockchain is a consortium chain or a private chain.
Step a2: Generate an encryption key and a key distribution polynomial for electronic file $j$ and write the key distribution polynomial to the blockchain.
The certificate authority obtains the file identifier and the knowledge range from the transaction information on the blockchain, randomly selects an encryption key $K_j$ for electronic file $j$ from the finite field $F_q$, and constructs the distribution polynomial of the key $K_j$ according to the knowledge range $G_j$ of electronic file $j$, specifically:
(1) Use the individual private keys of the legitimate users in the set $G_j$ to construct the access polynomial
Figure BDA0002403650620000072
where $VID_j$ is a virtual identifier whose value differs from the individual private keys of all users and is chosen at random for each electronic file and $\Lambda_j(x)$. For a legitimate user $U_i$ within the knowledge range, $\Lambda_j(s_i) = 1$. For an illegitimate user $U_f$ outside the knowledge range,
Figure BDA0002403650620000073
$\Lambda_j(s_f)$ is a random value. The purpose of the virtual identifier $VID_j$ is to make all $\Lambda_j(x)$ differ from one another even when they contain the individual private keys of the same legitimate users.
(2) Calculate the key distribution polynomial
Figure BDA0002403650620000074
The key distribution polynomial guarantees that legitimate users within the knowledge range can calculate the encryption key $K_j$, while illegitimate users outside the knowledge range cannot calculate the encryption key $K_j$ and obtain only a random value.
(3) The identifier $FID_j$ of electronic file $j$, the key distribution polynomial $\Phi_j(x)$, the public key $PK_{CA}$ of the certificate authority, the current timestamp $T_j$, and the certificate authority's signature over this information
Figure BDA0002403650620000075
are written into the transaction, and the transaction is broadcast to the blockchain network.
(4) The blockchain network nodes store the transaction in the block being generated, which is then written to the blockchain.
Step a3: Upload the encrypted electronic file to the file storage server and obtain the storage location index of the file, with the following specific steps:
(1) The user side of $U_a$ first computes and recovers the encryption key $K_j$ of electronic file $j$ from the key distribution polynomial $\Phi_j(x)$ obtained from the blockchain and the user's individual private key $s_a$: $K_j = \Phi_j(s_a)$.
(2) Using the encryption algorithm $E$ and the encryption key $K_j$, the plaintext data $M_j$ of electronic file $j$ is encrypted to obtain the ciphertext of electronic file $j$
Figure BDA0002403650620000081
and the hash value of the ciphertext is calculated
Figure BDA0002403650620000082
The encryption algorithm is a symmetric encryption algorithm such as SM4 or AES, so the electronic file encryption key is also the electronic file decryption key.
(3) The ciphertext of electronic file $j$
Figure BDA0002403650620000083
is uploaded to the file storage server for storage. The server returns the ciphertext storage location index $URL_j$ of electronic file $j$ to the user.
(4) The file identifier $FID_j$ of electronic file $j$, the file storage location index $URL_j$, the hash value of the file ciphertext
Figure BDA0002403650620000084
the public key $PK_a$ of $U_a$, the current timestamp $T_j$, and the signature of $U_a$ over the above information
Figure BDA0002403650620000085
are written into a blockchain transaction, and the transaction is broadcast to the blockchain network.
(5) The blockchain network nodes place the transaction into the block being generated, which is then written to the blockchain.
As shown in FIG. 4, the specific process by which the file visitor $U_b$ downloads the electronic file ciphertext and decrypts it to obtain the electronic file plaintext comprises the following steps:
Step b1: Download the electronic file ciphertext, with the following specific steps:
(1) User $U_b$ uses the file storage location index $URL_j$ obtained from the blockchain to request download, from the file storage server, of the ciphertext of electronic file $j$
Figure BDA0002403650620000086
(2) The server checks whether user U_b is within the knowledge range of electronic file j. If not, the download application is rejected and user U_b fails to access the electronic file; if user U_b is within the knowledge range of electronic file j, user U_b is allowed to download the ciphertext of electronic file j
Figure BDA0002403650620000087
(3) The file storage server records the act of downloading the electronic file j on the blockchain, thereby facilitating investigation and determination of responsibility attribution when file information leakage occurs online.
Step b2: Decrypt the electronic file. The specific steps are as follows:
(1) The user terminal of user U_b uses the hash value of the ciphertext of electronic file j obtained on the blockchain
Figure BDA0002403650620000088
and the ciphertext of electronic file j downloaded from the file storage server
Figure BDA0002403650620000089
to verify the integrity of the ciphertext. If verification shows the ciphertext is incomplete, the ciphertext has been tampered with and decryption is not performed; if the ciphertext is verified to be complete, decryption proceeds.
(2) User U_b computes and recovers the decryption key K_j of electronic file j from the key distribution polynomial Φ_j(x) obtained on the blockchain and user U_b's individual private key s_b: K_j = Φ_j(s_b).
(3) Using decryption algorithm D and decryption key K_j, decrypt the ciphertext of electronic file j
Figure BDA0002403650620000091
to recover the plaintext data
Figure BDA0002403650620000092
User U_b can then read and view electronic file j.
When the knowledge range of electronic file j changes, the key or the key distribution polynomial needs to be updated. If a new user is added to the knowledge range, only a new key distribution polynomial needs to be generated for the new user according to the new knowledge range and written into the blockchain. If a user is deleted from the knowledge range, the encryption key, the key distribution polynomial and the ciphertext of the electronic file all need to be updated, so that a user who is no longer in the knowledge range cannot continue to access the electronic file.
The specific method is as follows:
(1) Randomly select a new electronic file encryption key K′_j for electronic file j from the field F_q.
(2) Calculating a new key distribution polynomial
Figure BDA0002403650620000093
(3) Convert the key distribution polynomial Φ′_j(x) into a blockchain transaction and broadcast it onto the blockchain network.
(4) The blockchain network node places the transaction into a block and writes it to the blockchain.
(5) Use the new encryption key K′_j to encrypt the plaintext of electronic file j and generate the new ciphertext of electronic file j
Figure BDA0002403650620000094
And calculating the hash value of the new ciphertext
Figure BDA0002403650620000095
(6) Upload the new ciphertext of electronic file j
Figure BDA0002403650620000096
to the file storage server for storage to obtain the new file storage location index URL′_j.
(7) Write the file identifier FID_j of electronic file j, the new file storage location index URL′_j, the hash value of the new ciphertext
Figure BDA0002403650620000097
U_a's public key PK_a, the current timestamp T′_j, and U_a's signature on the above information
Figure BDA0002403650620000098
into a blockchain transaction and broadcast the transaction to the blockchain network.
(8) The blockchain network node places the transaction into the block being generated and further writes to the blockchain.
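The key recovery K_j = Φ_j(s_b) and the revocation update described above, as an added example that is not code from the patent. The formula images are not preserved on this page, so the concrete form Λ_j(x) = r·(x − VID_j)·∏(x − s_i) + 1 with Φ_j(x) = K_j·Λ_j(x), the scalar r, the modulus Q and all function names are assumptions chosen only to satisfy the stated property Λ_j(s_i) = 1 for users in the knowledge range.

```python
import secrets

Q = 2**127 - 1  # prime modulus for F_q (assumption: the page does not fix q)

def poly_mul_linear(coeffs, root):
    """Multiply a polynomial (low-to-high coefficients) by (x - root) mod Q."""
    out = [0] * (len(coeffs) + 1)
    for i, c in enumerate(coeffs):
        out[i] = (out[i] - root * c) % Q
        out[i + 1] = (out[i + 1] + c) % Q
    return out

def random_nonzero():
    return 1 + secrets.randbelow(Q - 1)

def make_distribution_poly(key, member_secrets, all_secrets):
    """Coefficients of Phi_j(x) = K_j * Lambda_j(x) over F_q (assumed form)."""
    # VID_j: fresh virtual identifier that differs from every user's secret.
    vid = secrets.randbelow(Q)
    while vid in all_secrets:
        vid = secrets.randbelow(Q)
    # r: random nonzero scalar (this example's own choice) so that Lambda_j
    # is not monic and K_j is not itself one of the published coefficients.
    lam = [random_nonzero()]
    for root in [vid, *member_secrets]:
        lam = poly_mul_linear(lam, root)
    lam[0] = (lam[0] + 1) % Q  # now Lambda_j(s_i) = 1 for every member
    return [(key * c) % Q for c in lam]

def recover_key(phi, secret):
    """Evaluate Phi_j at a user's individual private key (Horner's rule)."""
    acc = 0
    for c in reversed(phi):
        acc = (acc * secret + c) % Q
    return acc

def demo():
    # Constructed individual private keys s_i for four registered users.
    users = {name: random_nonzero() for name in ("Ua", "Ub", "Uc", "Uf")}
    all_s = set(users.values())

    g_j = ["Ua", "Ub", "Uc"]  # knowledge range G_j; Uf is outside it
    k_j = random_nonzero()
    phi = make_distribution_poly(k_j, [users[u] for u in g_j], all_s)
    before = {u: recover_key(phi, s) == k_j for u, s in users.items()}

    # Uc is deleted from the knowledge range. Uc already holds the old K_j,
    # so a new key and polynomial are issued and the file is re-encrypted.
    g_new = ["Ua", "Ub"]
    k_new = random_nonzero()
    phi_new = make_distribution_poly(k_new, [users[u] for u in g_new], all_s)
    after = {u: recover_key(phi_new, s) == k_new for u, s in users.items()}
    return before, after, len(phi), len(phi_new)

if __name__ == "__main__":
    print(demo())
```

The published polynomial has degree |G_j| + 1, so the on-chain transaction grows linearly with the size of the knowledge range.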

Claims (3)

1. An electronic file access control method based on block chain and knowledge range encryption is characterized in that the method specifically comprises the following steps:
step (1), initializing a system; the method comprises the following steps:
(1-1) each user submits a registration application to the system and obtains a unique identification ID number ID_i corresponding to the user's real identity information; the user set is expressed as U = {U_1, U_2, …, U_n}, where U_i is the user whose ID number is ID_i, i ∈ (1, 2, …, n), and n indicates that n users are registered in the system;
(1-2) after each user U_i registers successfully and logs in to the system, the user terminal executes a public/private key pair generation algorithm to generate a public/private key pair (PK_i, SK_i), which is stored at the user terminal for the user's use;
(1-3) user U_i sends the public key PK_i and the user's personal identity information to the certificate authority; the certificate authority stores the personal identity information in a user information list and issues a digital certificate for the user;
(1-4) the certificate authority selects, for each registered user U_i, a unique secret value as the individual private key s_i of user U_i, s_i ∈ F_q, where F_q is a finite field; s_i is encrypted with user U_i's public key PK_i and sent to user U_i;
(1-5) user U_i decrypts with its own private key SK_i to obtain its individual private key s_i and stores it at the user terminal;
encrypting and uploading the electronic file to obtain a storage position index of a file ciphertext; the method comprises the following steps:
(2-1) setting an electronic file knowledge range and writing the electronic file knowledge range into a block chain;
when the electronic file owner U_a needs to upload electronic file j, the user terminal first sets the knowledge range G_j of the electronic file, where the knowledge range G_j is the set of legitimate users having access to electronic file j, G_j ∈ U; then a blockchain transaction is created, and the identifier FID_j of electronic file j, the knowledge range G_j, U_a's public key PK_a, the current timestamp T_j, and U_a's signature on the above information
Figure FDA0003564562520000011
are written into the transaction; finally, the transaction is broadcast to the blockchain network; the blockchain network nodes verify the transaction and, after verification passes, store the transaction in the block being generated and further write it into the blockchain;
(2-2) generating an encryption key and a key distribution polynomial for the electronic file j, and writing the key distribution polynomial into the block chain;
the certificate authority obtains the file identifier and the knowledge range information from the transaction information on the blockchain, randomly selects an encryption key K_j for electronic file j from the finite field F_q, and constructs the distribution polynomial of the key K_j according to the knowledge range G_j of electronic file j:
first, an access polynomial is constructed using the individual private keys s_i of the legitimate users in G_j
Figure FDA0003564562520000021
where VID_j is a virtual identifier whose value differs from the individual private keys of all users and is randomly selected for each electronic file and access polynomial Λ_j(x), and x is the independent variable of the polynomial; for a legitimate user U_i within the knowledge range, Λ_j(s_i) = 1; for an illegitimate user U_f outside the knowledge range
Figure FDA0003564562520000022
Λ_j(s_f) is a random value; then, a key distribution polynomial is calculated
Figure FDA0003564562520000023
finally, the identifier FID_j of electronic file j, the key distribution polynomial Φ_j(x), the public key PK_CA of the certificate authority, the current timestamp T_j, and the certificate authority's signature on this information
Figure FDA0003564562520000024
are written into a transaction, which is then broadcast onto the blockchain network; the blockchain network nodes verify the transaction and, after verification passes, store the transaction in the block being generated and further write it into the blockchain;
(2-3) uploading the encrypted electronic file to a file storage server, and acquiring a storage position index of the file, wherein the specific steps are as follows:
the user terminal of U_a first computes and recovers the encryption key K_j of electronic file j from the key distribution polynomial Φ_j(x) obtained on the blockchain and the user's individual private key s_a, K_j = Φ_j(s_a);
the plaintext data M_j of electronic file j is encrypted using encryption algorithm E and encryption key K_j to obtain the ciphertext of electronic file j
Figure FDA0003564562520000025
And calculating the hash value of the ciphertext
Figure FDA0003564562520000026
The encryption algorithm E adopts a symmetric encryption algorithm, and the electronic file encryption key is also an electronic file decryption key;
the ciphertext of electronic file j
Figure FDA0003564562520000027
is uploaded to the file storage server for storage to obtain the ciphertext storage location index URL_j of electronic file j;
the file identifier FID_j of electronic file j, the file storage location index URL_j, the hash value of the file ciphertext
Figure FDA0003564562520000028
U_a's public key PK_a, the current timestamp T_j, and U_a's signature on the above information
Figure FDA0003564562520000029
are written into a blockchain transaction, which is then broadcast onto the blockchain network; the blockchain network nodes verify the transaction and, if verification passes, place the transaction into a block and write it into the blockchain;
step (3), downloading the electronic file ciphertext and decrypting;
the downloading of the electronic file ciphertext specifically comprises the following steps: when user U_b applies to access electronic file j, it uses the file storage location index URL_j obtained on the blockchain to apply to the file storage server to download the ciphertext of electronic file j
Figure FDA0003564562520000031
the server checks whether user U_b is within the knowledge range of electronic file j; if not, the download request is rejected and user U_b fails to access the electronic file; if user U_b is within the knowledge range of electronic file j, user U_b is allowed to download the ciphertext of electronic file j
Figure FDA0003564562520000032
The file storage server records the behavior of downloading the electronic file j on a block chain;
the specific steps for decrypting the electronic file are as follows: the user terminal of user U_b uses the hash value of the ciphertext of electronic file j obtained on the blockchain
Figure FDA0003564562520000033
and the ciphertext of electronic file j downloaded from the file storage server
Figure FDA0003564562520000034
to verify the integrity of the ciphertext; if verification shows the ciphertext is incomplete, the ciphertext has been tampered with and decryption is not performed; if the ciphertext is verified to be complete, decryption proceeds; user U_b computes and recovers the decryption key K_j of electronic file j from the key distribution polynomial Φ_j(x) obtained on the blockchain and user U_b's individual private key s_b, K_j = Φ_j(s_b); using decryption algorithm D and decryption key K_j, the ciphertext of electronic file j
Figure FDA0003564562520000035
is decrypted to recover the plaintext data
Figure FDA0003564562520000036
user U_b can then read and view electronic file j; the decryption algorithm D and the encryption algorithm E use the same key;
step (4), updating the key;
when the knowledge range of electronic file j changes, if a new user is added to the knowledge range, only a new key distribution polynomial needs to be generated for the new user according to the new knowledge range and written into the blockchain; if a user is deleted from the knowledge range, the encryption key, the key distribution polynomial and the ciphertext of the electronic file need to be updated so as to prevent a user who is no longer in the knowledge range from continuing to access the electronic file; the specific method comprises the following steps:
(4-1) randomly selecting a new electronic file encryption key K′_j for electronic file j from the field F_q;
(4-2) calculating a new key distribution polynomial
Figure FDA0003564562520000037
(4-3) converting the key distribution polynomial Φ′_j(x) into a blockchain transaction, which is then broadcast to the blockchain network, the blockchain network nodes placing the transaction into a block and writing it into the blockchain;
(4-4) encrypting the plaintext of electronic file j with the new encryption key K′_j to generate a new ciphertext of electronic file j, and calculating the hash value of the new ciphertext;
(4-5) uploading the new ciphertext of the electronic file j to a file storage server for storage to obtain a new file storage position index;
(4-6) writing the file identifier of electronic file j, the new file storage location index, the hash value of the new ciphertext, U_a's public key, the current timestamp, and U_a's signature on this information into a blockchain transaction, which is then broadcast to the blockchain network, the blockchain network nodes placing the transaction into a block and writing it into the blockchain.
2. An electronic file access control method based on blockchain and knowledge range encryption as claimed in claim 1, characterized in that: the blockchain network consists of a plurality of blockchain network nodes, and the blockchain network nodes comprise user equipment, a certificate authority, a file storage server and other nodes in any form; the blockchain network nodes are responsible for running a consensus algorithm, generating blocks, and maintaining the generated blockchain, wherein the blockchain is an alliance (consortium) chain or a private chain.
3. An electronic file access control method based on blockchain and knowledge range encryption as claimed in claim 1, characterized in that: the certificate authority is responsible for issuing and managing digital certificates of system users and for distributing and managing keys.
CN202010154634.8A 2020-03-08 2020-03-08 Electronic file access control method based on block chain and knowledge range encryption Active CN111541731B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010154634.8A CN111541731B (en) 2020-03-08 2020-03-08 Electronic file access control method based on block chain and knowledge range encryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010154634.8A CN111541731B (en) 2020-03-08 2020-03-08 Electronic file access control method based on block chain and knowledge range encryption

Publications (2)

Publication Number Publication Date
CN111541731A CN111541731A (en) 2020-08-14
CN111541731B true CN111541731B (en) 2022-06-24

Family

ID=71969091

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010154634.8A Active CN111541731B (en) 2020-03-08 2020-03-08 Electronic file access control method based on block chain and knowledge range encryption

Country Status (1)

Country Link
CN (1) CN111541731B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422176B (en) * 2021-12-10 2023-03-10 北京理工大学 Block chain-based dynamic access control method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101661930B1 (en) * 2015-08-03 2016-10-05 주식회사 코인플러그 Certificate issuance system based on block chain
CN108462568A (en) * 2018-02-11 2018-08-28 西安电子科技大学 A kind of secure file storage and sharing method based on block chain
CN110474873A (en) * 2019-07-09 2019-11-19 杭州电子科技大学 It is a kind of based on know range encryption electronic document access control method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190384895A1 (en) * 2018-06-19 2019-12-19 Ivy Food Technology, Inc. System for document and certificate management using directed acyclic graph based tagging

Also Published As

Publication number Publication date
CN111541731A (en) 2020-08-14

Similar Documents

Publication Publication Date Title
CN109559124B (en) Cloud data security sharing method based on block chain
CN108259169B (en) File secure sharing method and system based on block chain cloud storage
KR102025409B1 (en) Data access management system based on blockchain and method thereof
US10432394B2 (en) Method and system for sharing encrypted content
Jin et al. Full integrity and freshness for cloud data
CN114039790B (en) Fine-grained cloud storage security access control method based on blockchain
US20100005318A1 (en) Process for securing data in a storage unit
CN105103488A (en) Policy enforcement with associated data
CN112187798B (en) Bidirectional access control method and system applied to cloud-side data sharing
CN102075544A (en) Encryption system, encryption method and decryption method for local area network shared file
Cui et al. Towards blockchain-based scalable and trustworthy file sharing
CN108632385B (en) Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure
CN111181719B (en) Hierarchical access control method and system based on attribute encryption in cloud environment
CN106612169A (en) Safe data sharing method in cloud environment
CN105072134A (en) Cloud disk system file secure transmission method based on three-level key
CN105721146B (en) A kind of big data sharing method towards cloud storage based on SMC
CN115883214A (en) Electronic medical data sharing system and method based on alliance chain and CP-ABE
Guo et al. Using blockchain to control access to cloud data
Mukundan et al. Replicated Data Integrity Verification in Cloud.
CN111541731B (en) Electronic file access control method based on block chain and knowledge range encryption
Ma et al. A secure and efficient data deduplication scheme with dynamic ownership management in cloud computing
CN117200966A (en) Trusted authorization data sharing method based on distributed identity and alliance chain
CN110474873B (en) Electronic file access control method and system based on knowledge range encryption
CN104618419A (en) Scheme based on content sharing policy in cloud
US10558786B2 (en) Media content encryption and distribution system and method based on unique identification of user

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant