CN112685763B - Data opening method and system based on ciphertext authorized access - Google Patents

Publication number: CN112685763B
Authority: CN (China)
Prior art keywords: data, key, ciphertext, encryption, management mechanism
Legal status: Active
Application number: CN202110288191.6A
Other languages: Chinese (zh)
Other versions: CN112685763A (en)
Inventor: 林春艳
Current Assignee: Shanghai Zhongdan Information Technology Co ltd
Original Assignee: Shanghai Zhongdan Information Technology Co ltd
Application filed by Shanghai Zhongdan Information Technology Co ltd
Priority to CN202110288191.6A
Publication of CN112685763A
Application granted
Publication of CN112685763B

Abstract

The invention relates to the technical field of cryptography, and provides a data opening method and system based on ciphertext authorized access, wherein the method comprises the following steps: establishing a shared network and a key management mechanism; the alliance members register with the key management mechanism, and the key management mechanism generates a public-private key pair for each alliance member; when an alliance member acting as a data provider uploads data, the data is encrypted using the data provider's public key; when an alliance member acting as a data user requests data, proxy re-encryption is performed with a conversion key generated by the key management mechanism, after which the data user decrypts with its local private key and restores the data plaintext. A data sharing network that can really break the data barrier is built among the alliance members, all data in the network is encrypted, and data providers can share data with designated members in a fine-grained manner.

Description

Data opening method and system based on ciphertext authorized access
Technical Field
The invention relates to the technical field of cryptography, in particular to a data opening method and a data opening system based on ciphertext authorized access.
Background
Enterprises upstream and downstream of a supply chain often need to share data, and in a complex supply chain network in particular, the amount and content of the data exchanged between different parties vary. Each point-to-point data transfer is time-consuming, labor-intensive and error-prone. How to establish a secure data sharing channel with fine-grained control for multiple parties on an untrusted public network, so as to meet the data needs of each alliance member in the supply chain, is the research focus of this patent.
In the prior art, an industry alliance chain may be established for the upstream and downstream entities of a supply chain. Unlike a corporate chain, only licensed entities can join the alliance chain, and alliance members have access to the data on the chain as well as to smart contracts. Alliance chain technology itself is relatively mature, such as hybrid, Fabric, terminal, etc., and only lacks an optimal application scenario. In an alliance chain, data is still mainly stored in each entity's own database, and the chain is used for coordination and for storing hashes.
Another similar technology is IPFS (InterPlanetary File System): data is stored in a distributed manner on nodes across the whole network, and after upload a data address is returned and used for access. IPFS is mainly used with public chains, and most public-chain projects of some PoC are implemented on IPFS. At present, however, IPFS is rarely used for data sharing: first, the security and stability of an open network are difficult to guarantee; second, data shared on a public network must be encrypted, the private key for decryption needs its own secure transmission path, that private key has to be shared by different people, and leakage of the key by any one of them can have serious consequences. Public-network IPFS is therefore a good data storage medium in itself, but is not suitable for a professional data sharing network.
The invention mainly draws on two existing technical systems: the alliance chain data sharing scheme and the proxy re-encryption scheme for sharing data in cloud storage.
(1) Enterprise alliance chain
A data sharing platform based on an alliance chain is generally provided by a technology company with a certain technical strength, and the key point is how to protect the security and availability of data by technical means. A common alliance chain data sharing architecture is shown in Fig. 1.
As can be seen, the data uploaded by the data provider goes to a trusted authority that the client trusts (regardless of whether it is plaintext or ciphertext), and the chain serves only to publish the data. Although the so-called data sharing platform is distributed, it can only be used for querying, plus some data transaction information; when a data user actually requests data, the off-chain transmission and the transaction still have to be authorized by the trusted authority.
(2) Proxy re-encryption based on cloud storage
For data files that relate to user privacy or contain sensitive information, encrypting the data before uploading is a common way of ensuring confidentiality, and the uploader only needs to keep the decryption key. However, cloud computing services have many data sharing requirements, and with this simple encrypt-then-upload approach the encrypted file can only be decrypted by the uploading user and cannot be shared with others through the cloud server. A cryptographic scheme is therefore needed that can convert the ciphertext stored on the cloud server safely and efficiently. Traditional encryption and digital signature schemes have no ciphertext conversion function, but Proxy Re-Encryption (PRE) is an encryption method that can convert a ciphertext safely: PRE converts the ciphertext that a data provider uploaded after encrypting it with its own public key into a ciphertext of another form, which the data user can decrypt with its own private key. No information about the corresponding plaintext is leaked during the whole conversion, so secure access to and sharing of cloud data can be ensured.
As shown in Fig. 2, proxy re-encryption specifically means: a trusted third party or a semi-honest proxy is entrusted with converting a ciphertext encrypted with one's own public key into a ciphertext that can be decrypted with the other party's private key, thereby achieving sharing of the ciphertext. This process is proxy re-encryption. The semi-honest proxy can be the company providing the cloud computing service; it executes the specified operations without tampering with the content.
The specific execution process of the proxy re-encryption is as follows:
A: encrypts the plaintext M with its own public key [formula image], giving [formula image], where M is what A wants to give B.
A: sends [formula image] to the semi-honest proxy and generates a conversion key for it; this key [formula image] is computed by A for the proxy.
Proxy: using the proxy key [formula image] generated by A, converts the ciphertext [formula image] into a ciphertext [formula image] that can be decrypted with B's private key. The Proxy only provides the computational conversion service and cannot obtain the plaintext.
Proxy: sends the generated [formula image] to B.
B: decrypts and obtains the plaintext M that A wants to share secretly.
This process mainly relieves A of work: A only needs to generate the proxy key, while the transmission, conversion and storage of the actual files are all handled by the semi-honest proxy.
The solutions of the prior art listed above have the following drawbacks:
(1) The existing alliance chain data sharing scheme does not really solve the problem of data barriers: each organization's data still resides locally, and the scheme only serves to publish data summaries and prices. Meanwhile, the access policy for the data is centrally controlled by one institution, which conflicts with the basic blockchain principles of disclosure, transparency and openness.
(2) The cloud-based proxy re-encryption technology, for its part, theoretically achieves data sharing in a semi-trusted environment, but fine-grained control is difficult to achieve; in addition, a dedicated proxy re-encryption computation module has to be set up and made responsible for access control, so generality is poor.
(3) Security is difficult to guarantee. If the data provider uploads multiple encrypted files to the cloud, the cloud can convert all of the ciphertexts by using the public key, and once the cloud obtains the data user's private key (collusion), it can decrypt all of the data provider's files.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide a data opening method and system based on ciphertext-based authorized access, which have the following advantages:
(1) A data sharing network that can really break the data barrier is built among the alliance members, all data in the network is encrypted, and data providers can share data with designated members in a fine-grained manner.
(2) The participants' keys are managed by a unified key management mechanism, and data can be requested and shared only through authorization at the key management mechanism. When a mobile phone is lost or a password is forgotten, the key can be retrieved through secure verification.
(3) The source data is stored efficiently in a distributed manner and does not have to go through consensus on the chain. The information about data sharing is recorded on the alliance chain in the form of hashes.
(4) The ciphertext data and the keys are kept and processed by different entities.
The above object of the present invention is achieved by the following technical solutions:
A data opening method based on ciphertext authorized access comprises the following steps:
S1: establishing a shared network jointly maintained by a plurality of alliance members, wherein the shared network is used for storing the data to be shared; establishing a key management mechanism for providing services including registration, delegation, authorization, key distribution and re-encryption;
S2: the alliance members register with the key management mechanism, and the key management mechanism generates a public-private key pair, comprising a public key and a private key, for each alliance member;
S3: when an alliance member acting as a data provider uploads data, the data is encrypted using the data provider's public key; when an alliance member acting as a data user requests data, proxy re-encryption is performed with a conversion key generated by the key management mechanism, after which the data user decrypts with its local private key and restores the data plaintext.
Further, in step S1, the method further includes:
the shared network consists of distributed IPFS storage nodes and an alliance blockchain, wherein the distributed IPFS storage nodes are made up of the nodes of the alliance members acting as data providers, the distributed IPFS storage nodes and the alliance blockchain are jointly maintained by the plurality of alliance members, and each alliance member maintains its own distributed IPFS storage node and provides that node's storage space;
the distributed IPFS storage nodes are used for storing the data ciphertext to be shared; the alliance blockchain is used for storing information about the data, including the summary, the hash value and the index.
Further, in step S3, the specific process of encryption and decryption is:
S31: the alliance member acting as the data provider encrypts the data plaintext using a pre-generated symmetric encryption key to form a data ciphertext, asymmetrically encrypts the symmetric encryption key using the data provider's public key to form a key ciphertext, and uploads the data ciphertext and the key ciphertext to the shared network;
S32: when an alliance member acting as a data user requests data, the data provider authorizes the request through the key management mechanism and entrusts the key management mechanism with generating the conversion key for re-encryption; the key management mechanism pulls the key ciphertext and performs proxy re-encryption with the conversion key to form a re-encrypted key ciphertext;
S33: the data user decrypts the re-encrypted key ciphertext using its local private key and restores the symmetric encryption key;
S34: the data user pulls the data ciphertext from the shared network, decrypts it using the symmetric encryption key, and restores the data plaintext.
Further, the transformation key specifically includes:
the conversion key is calculated from the private key of the data provider and the public key of the data user.
Further, a threshold signature mechanism is adopted when proxy re-encryption is performed with the conversion key to form the re-encrypted key ciphertext, specifically:
converting the character string of the conversion key into a large integer D;
converting the large integer D into n points on a curve, wherein any t of the points can recover the curve, and t is less than n;
converting the n points into n character strings that serve as sub-conversion keys;
and completing proxy re-encryption of the key ciphertext with t sub-conversion keys to form the re-encrypted key ciphertext.
Further, the alliance blockchain provides a browser service in which data can be retrieved.
Further, a data access terminal comprising a web page, an app and an applet is established; on the data access terminal a member views its own data files and other members' data summaries.
A system for executing the data opening method based on ciphertext authorized access comprises:
a framework establishing module, used for establishing a shared network jointly maintained by a plurality of alliance members, wherein the shared network is used for storing the data to be shared, and for establishing a key management mechanism for providing services including registration, delegation, authorization, key distribution and re-encryption;
a member registration module, used for letting the alliance members register with the key management mechanism, wherein the key management mechanism generates a public-private key pair, comprising a public key and a private key, for each alliance member;
a data sharing module, used for encrypting with the data provider's public key when an alliance member acting as a data provider uploads data; when an alliance member acting as a data user requests data, proxy re-encryption is performed with a conversion key generated by the key management mechanism, after which the data user decrypts with its local private key and restores the data plaintext.
An electronic device comprising a processor and a memory, wherein at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the memory, and wherein the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the method.
A computer readable storage medium storing computer code which, when executed, performs a method as described above.
Compared with the prior art, the invention has at least one of the following beneficial effects:
(1) A shared network jointly maintained by a plurality of alliance members is established for storing the data to be shared, and a key management mechanism is established for providing services including registration, delegation, authorization, key distribution and re-encryption. With this technical scheme, the ciphertext and the keys are completely separated and stored with different entities, which is safe and reliable.
(2) The distributed IPFS storage nodes and the alliance blockchain are made up of the nodes of the alliance members acting as data providers and are jointly maintained by the alliance members; each alliance member maintains its own distributed IPFS storage node and provides that node's storage space. This technical scheme opens up data in a real sense and breaks through the data barrier of per-organization storage: all data exists in the IPFS alliance network in the form of ciphertext.
(3) Each data request by a data user corresponds to one conversion key, one data file and one authorization by the data provider. The method achieves fine-grained data access authorization based on the key management mechanism, and even if a data user loses its key, leakage of platform data is prevented (at most the single authorized file can be decrypted).
(4) In a decentralized data sharing environment, the method is simple and easy to use. When accessing data, the user only needs to manage the viewing and authorization of files on the data access terminal, and does not need to care about the details of storage, encryption and decryption.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention.
FIG. 1 is a diagram of a federation chain data sharing architecture as is common in the background art;
FIG. 2 is a schematic diagram of a proxy re-encryption in the background art;
FIG. 3 is a general flowchart of a data opening method based on ciphertext authorized access according to the present invention;
FIG. 4 is a block diagram of a data opening method based on ciphertext-based authorized access according to the present invention;
FIG. 5 is a flow chart of encryption and decryption according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
First embodiment
As shown in fig. 3 and fig. 4, the present embodiment provides a data opening method based on ciphertext-based authorized access, including the following steps:
S1: establishing a shared network jointly maintained by a plurality of alliance members, wherein the shared network is used for storing the data to be shared; establishing a key management mechanism for providing services including registration, delegation, authorization, key distribution and re-encryption.
Specifically, in this embodiment, in order to store the ciphertext and the keys separately, a shared network is established for storing the data to be shared, and a key management mechanism is established for managing keys and providing services such as registration, delegation, authorization, key distribution and re-encryption.
The shared network consists of distributed IPFS storage nodes and an alliance blockchain. The distributed IPFS storage nodes are made up of the nodes of the alliance members acting as data providers and are jointly maintained by the alliance members; each alliance member maintains its own distributed IPFS storage node and contributes the storage space of the node it maintains. The distributed IPFS storage nodes are used for storing the data ciphertext to be shared; the alliance blockchain is used for storing information about the data, including the summary, the hash value and the index. The distributed IPFS storage nodes and the alliance blockchain are associated with each other in the form of keys.
To become an alliance member, a party must obtain permission from the alliance owner of the alliance chain, obtain the swarmkey of the IPFS alliance network (a key of the alliance chain agreed in advance), and, after configuration, enter the private network of the alliance chain.
Further, a browser service is provided on the alliance blockchain, in which data is retrieved by means of the data summary. The data to be obtained is then selected from the search results and obtained from the data provider.
S2: the alliance members register with the key management mechanism, and the key management mechanism generates a public-private key pair, comprising a public key and a private key, for each alliance member.
Specifically, before sharing data, all alliance members, including data providers and data users, need to register with the key management mechanism to obtain their public and private keys.
The roles of data provider and data user are not fixed: an alliance member can share its own data and obtain data from other alliance members at the same time.
S3: when an alliance member acting as a data provider uploads data, the data is encrypted using the data provider's public key; when an alliance member acting as a data user requests data, proxy re-encryption is performed with a conversion key generated by the key management mechanism, after which the data user decrypts with its local private key and restores the data plaintext. As shown in Fig. 5, the specific encryption and decryption process is:
S31: the alliance member acting as the data provider encrypts the data plaintext (assumed to be M) using a pre-generated symmetric encryption key (assumed to be DK) to form a data ciphertext (assumed to be C1), asymmetrically encrypts the symmetric encryption key DK using the data provider's public key pka (the data provider's public and private keys are assumed to be pka and ska) to form a key ciphertext (assumed to be C2), and uploads the data ciphertext C1 and the key ciphertext C2 to the shared network;
S32: when an alliance member acting as a data user requests data, the data provider authorizes the request through the key management mechanism and entrusts the key management mechanism with generating the conversion key for re-encryption (assumed to be RK); the key management mechanism pulls the key ciphertext C2 and performs proxy re-encryption with the conversion key RK to form a re-encrypted key ciphertext (assumed to be C2');
The data provider can choose to authorize or refuse; after authorizing, it entrusts the key management mechanism with generating the conversion key.
S33: the data user decrypts the re-encrypted key ciphertext C2' using its local private key skb (the data user's public and private keys are assumed to be pkb and skb), and restores the symmetric encryption key DK;
S34: the data user pulls the data ciphertext C1 from the shared network, decrypts it using the symmetric encryption key DK, and restores the data plaintext M.
Further, in step S32, the conversion key is obtained as follows:
it is calculated from the private key of the data provider and the public key of the data user. After conversion with the conversion key, the data user can decrypt with its own private key and obtain the data key DK.
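The S31 to S34 exchange and the conversion key described above, as an added example that is not code from the patent. The patent names no concrete proxy re-encryption scheme, so this example assumes a simplified ElGamal-style key encapsulation over secp256k1, with a SHAKE-256/HMAC construction standing in for the symmetric cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# secp256k1 domain parameters (public constants); the page names no group.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(label, *pts):
    """SHA-256 over a domain label and the encoded curve points."""
    data = b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in pts)
    return hashlib.sha256(label + data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    """S2: key pair (sk, pk) issued to a member at registration."""
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def sym_encrypt(dk, m):
    """S31: C1 = Enc(DK, M). SHAKE-256 keystream plus HMAC tag, a stand-in for an AEAD."""
    nonce = secrets.token_bytes(16)
    body = xor(m, hashlib.shake_256(dk + nonce).digest(len(m)))
    return nonce + body + hmac.new(dk, nonce + body, hashlib.sha256).digest()

def sym_decrypt(dk, c1):
    """S34: verify the tag, then recover M from C1."""
    nonce, body, tag = c1[:16], c1[16:-32], c1[-32:]
    if not hmac.compare_digest(tag, hmac.new(dk, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong DK or modified C1")
    return xor(body, hashlib.shake_256(dk + nonce).digest(len(body)))

def wrap_key(pk_a, dk):
    """S31: C2 = (E, DK xor H(r*pka)); only ska can open it directly."""
    r = secrets.randbelow(N - 1) + 1
    return mul(r, G), xor(dk, h(b"wrap", mul(r, pk_a)))

def rekey(sk_a, pk_b):
    """S32: RK computed from the provider's private key and the user's public key."""
    x = secrets.randbelow(N - 1) + 1
    X = mul(x, G)
    d = int.from_bytes(h(b"d", X, pk_b, mul(x, pk_b)), "big") % N
    return sk_a * pow(d, -1, N) % N, X

def reencrypt(rk, c2):
    """S32: C2' = Re-enc(RK, C2); needs neither DK nor any private key."""
    (k, X), (E, wrapped) = rk, c2
    return mul(k, E), X, wrapped

def unwrap(sk_b, pk_b, c2p):
    """S33: the data user recovers DK from C2' with its own private key."""
    E1, X, wrapped = c2p
    d = int.from_bytes(h(b"d", X, pk_b, mul(sk_b, X)), "big") % N
    return xor(wrapped, h(b"wrap", mul(d, E1)))

def demo():
    (ska, pka), (skb, pkb), (skc, pkc) = keygen(), keygen(), keygen()  # A, B, C
    M = b"constructed sample: Q3 supplier delivery schedule"
    DK = secrets.token_bytes(32)
    C1, C2 = sym_encrypt(DK, M), wrap_key(pka, DK)       # S31, stored on the shared network
    C2p = reencrypt(rekey(ska, pkb), C2)                 # S32, A authorized B only
    b_plain = sym_decrypt(unwrap(skb, pkb, C2p), C1)     # S33 + S34
    try:                                                 # C was never authorized
        sym_decrypt(unwrap(skc, pkc, C2p), C1)
        c_rejected = False
    except ValueError:
        c_rejected = True
    return b_plain == M, c_rejected

if __name__ == "__main__":
    print(demo())
```

In this stand-in scheme, RK combined with the authorized user's private key yields ska, so RK should stay with the key management mechanism and be discarded when the authorization expires.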
Further, a threshold signature mechanism is adopted when proxy re-encryption is performed with the conversion key to form the re-encrypted key ciphertext, specifically:
converting the character string of the conversion key into a large integer D;
converting the large integer D into n points on a curve, wherein any t of the points can recover the curve, and t is less than n;
converting the n points into n character strings that serve as sub-conversion keys;
completing proxy re-encryption of the key ciphertext with t sub-conversion keys to form the re-encrypted key ciphertext C2'[t] = Re-enc(RK[t], C2);
After the re-encrypted key ciphertext is generated, the data provider notifies the data user that authorization is complete and attaches the addresses of C1 and C2'[t]. The data user obtains the ciphertext C1 from the distributed network and completes decryption locally or in an encryption and decryption service. (If necessary, the encryption and decryption service is deployed separately on the data user's side; the key management mechanism does not touch the data, whether for encryption or decryption.)
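The splitting of the conversion key into n sub-conversion keys described above, as an added example that is not code from the patent. It assumes Shamir secret sharing over a prime field (the secp256k1 group order is an assumed modulus), a hex string encoding for keys and shares, and hypothetical function names; the last function shows, with integers mod Q standing in for curve points, how t partial results combine without the conversion key ever being reassembled.

```python
import secrets

# Field modulus for the sharing polynomial. Assumption: the secp256k1 group
# order, so a share can be used directly as a scalar; the page names no modulus.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def key_to_int(key_str):
    """Step 1: conversion-key string (hex here) -> large integer D."""
    d = int(key_str, 16)
    if not 0 < d < Q:
        raise ValueError("conversion key out of range for the field")
    return d

def split(d, n, t):
    """Step 2: n points on a random degree t-1 polynomial f with f(0) = D."""
    if not 1 < t < n:
        raise ValueError("need 1 < t < n")
    coeffs = [d] + [secrets.randbelow(Q) for _ in range(t - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod Q
            acc = (acc * x + c) % Q
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def point_to_str(pt):
    """Step 3: one point -> one sub-conversion-key string 'x:hex(y)'."""
    return f"{pt[0]}:{pt[1]:064x}"

def str_to_point(s):
    x, y = s.split(":")
    return int(x), int(y, 16)

def lagrange_at_zero(xs):
    """Weights w_i with sum(w_i * f(x_i)) = f(0) for distinct x_i."""
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    weights = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * -xj % Q
                den = den * (xi - xj) % Q
        weights.append(num * pow(den, -1, Q) % Q)
    return weights

def recover(sub_keys):
    """Any t sub-keys give back D; fewer give an unrelated value."""
    pts = [str_to_point(s) for s in sub_keys]
    ws = lagrange_at_zero([x for x, _ in pts])
    return sum(w * y for w, (_, y) in zip(ws, pts)) % Q

def combine_partials(partials):
    """Combine per-share results k_i*e into k*e without rebuilding k.
    Integers mod Q stand in for curve points; this only shows the algebra."""
    ws = lagrange_at_zero([x for x, _ in partials])
    return sum(w * v for w, (_, v) in zip(ws, partials)) % Q

def demo():
    n, t = 5, 3
    rk = f"{secrets.randbelow(Q - 1) + 1:064x}"       # constructed conversion key
    d = key_to_int(rk)
    sub_keys = [point_to_str(p) for p in split(d, n, t)]
    any_t = recover([sub_keys[4], sub_keys[0], sub_keys[2]]) == d
    too_few = recover(sub_keys[:t - 1]) == d
    e = secrets.randbelow(Q - 1) + 1                  # stand-in for the value being re-encrypted
    partials = [(x, y * e % Q) for x, y in map(str_to_point, sub_keys[1:1 + t])]
    return any_t, too_few, combine_partials(partials) == d * e % Q

if __name__ == "__main__":
    print(demo())
```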
Furthermore, to make operation easier for alliance members, a data access terminal comprising a web page, an app and an applet is established. On the data access terminal a member can view its own data files and other members' data summaries, manage its own keys and authorizations, and set the validity period of an authorization.
Second embodiment
The present embodiment provides a system for executing the data opening method based on ciphertext-based authorized access in the first embodiment, including:
the framework establishing module 1, used for establishing a shared network jointly maintained by a plurality of alliance members, wherein the shared network is used for storing the data to be shared, and for establishing a key management mechanism for providing services including registration, delegation, authorization, key distribution and re-encryption;
the member registration module 2, used for letting the alliance members register with the key management mechanism, wherein the key management mechanism generates a public-private key pair, comprising a public key and a private key, for each alliance member;
the data sharing module 3, used for encrypting with the data provider's public key when an alliance member acting as a data provider uploads data; when an alliance member acting as a data user requests data, proxy re-encryption is performed with a conversion key generated by the key management mechanism, after which the data user decrypts with its local private key and restores the data plaintext.
A computer device comprising memory and one or more processors, the memory having stored therein computer code that, when executed by the one or more processors, causes the one or more processors to perform a method as set forth in any one of the first embodiments.
A computer readable storage medium storing computer code which, when executed, performs the method as described above. Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may occur to those skilled in the art without departing from the principle of the invention, and are considered to be within the scope of the invention.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
It should be noted that the above embodiments can be freely combined as necessary. The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
The software program of the present invention can be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present invention can be stored in a computer-readable recording medium, such as RAM, a magnetic or optical drive, a diskette and the like. Additionally, some of the steps or functions of the present invention may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various functions or steps. The method disclosed in the embodiments of the present specification can be applied to or implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. Such a processor may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present specification. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present specification may be embodied directly in a hardware decoding processor, or in a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in a memory, and the processor reads information in the memory and completes the steps of the method in combination with its hardware.
Embodiments also provide a computer-readable storage medium storing one or more programs that, when executed by an electronic system including a plurality of application programs, cause the electronic system to perform the method of embodiment one, which will not be described in detail herein.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal and a carrier wave.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices. It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. 
Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In addition, part of the present invention can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the present invention through the operation of the computer. Program instructions which invoke the methods of the present invention may be stored on a fixed or removable recording medium, and/or transmitted via a data stream on a broadcast or other signal-bearing medium, and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the invention comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or solution according to the embodiments of the invention described above.

Claims (9)

1. A data opening method based on ciphertext authorized access, characterized by comprising the following steps:
S1: establishing a shared network commonly maintained by a plurality of alliance members, wherein the shared network is used for storing data needing to be shared; establishing a key management mechanism for providing services including registration, delegation, authorization, key distribution and re-encryption;
S2: the alliance members register in the key management mechanism, and the key management mechanism generates a public-private key pair comprising a public key and a private key for each alliance member;
S3: when the alliance member as a data provider uploads data, the public key of the data provider is used for encryption; when the alliance member as a data user requests data, after a conversion key generated by the key management mechanism is used for proxy re-encryption, decryption is performed with the local private key of the data user, and a data plaintext is restored;
in step S3, performing proxy re-encryption by using the conversion key generated by the key management mechanism further comprises:
adopting a threshold signature mechanism and performing proxy re-encryption through the conversion key to form a re-encrypted key ciphertext, which specifically comprises the following steps:
converting the character string of the conversion key into a large integer D;
converting the large integer D into n points on a curve, wherein any t points can recover the curve, and t is less than n;
converting the n points into n character strings as sub-conversion keys;
and completing proxy re-encryption of the key ciphertext through t sub-conversion keys to form the re-encrypted key ciphertext.
2. The data opening method based on ciphertext authorized access of claim 1, wherein in step S1, the method further comprises:
the shared network consists of distributed IPFS storage nodes and an alliance blockchain, wherein the distributed IPFS storage nodes consist of a plurality of nodes which are used as the alliance members of the data provider, the distributed IPFS storage nodes and the alliance blockchain are commonly maintained by the plurality of alliance members, and each alliance member maintains the distributed IPFS storage node and provides storage space of the distributed IPFS storage node;
the distributed IPFS storage node is used for storing a data ciphertext needing to be shared; and the alliance blockchain is used for storing the information of the data, including the abstract, the hash value and the index.
3. The data opening method based on ciphertext authorized access of claim 2, wherein in step S3, the specific processes of encryption and decryption are:
S31: the alliance member serving as the data provider encrypts the data plaintext by using a pre-generated symmetric encryption key to form a data ciphertext, asymmetrically encrypts the symmetric encryption key by using the public key of the data provider to form a key ciphertext, and uploads the data ciphertext and the key ciphertext to the shared network;
S32: when the alliance member as a data user requests data, the data provider authorizes through the key management mechanism and entrusts the key management mechanism to generate the conversion key for re-encryption, and the key management mechanism pulls the key ciphertext and performs proxy re-encryption through the conversion key to form a re-encrypted key ciphertext;
S33: the data user uses the local private key of the data user to decrypt the re-encrypted key ciphertext to restore the key ciphertext;
S34: the data user pulls the data ciphertext from the shared network, decrypts the data ciphertext by using the key ciphertext and restores the key plaintext.
4. The data opening method based on ciphertext authorized access according to claim 1, wherein the conversion key is specifically:
calculated using the private key of the data provider together with the public key of the data user.
5. The data opening method based on ciphertext authorized access of claim 2, further comprising: the alliance blockchain provides browser services in which data is retrieved.
6. The data opening method based on ciphertext authorized access of claim 1, further comprising:
establishing a data access terminal comprising a web page, an app and an applet;
and viewing the data file of the data access terminal and the data abstract of other people on the data access terminal.
7. A system for executing the data opening method based on ciphertext authorized access according to any one of claims 1-6, comprising:
the framework establishing module is used for establishing a shared network commonly maintained by a plurality of alliance members, wherein the shared network is used for storing data needing to be shared, and for establishing a key management mechanism for providing services including registration, delegation, authorization, key distribution and re-encryption;
the member registration module is used for enabling the alliance members to register in the key management mechanism, and the key management mechanism generates a public-private key pair comprising a public key and a private key for each alliance member;
the data sharing module is used for encrypting by using the public key of the data provider when the alliance member as the data provider uploads data; when the alliance member as the data user requests data, after the conversion key generated by the key management mechanism is used for proxy re-encryption, the data plaintext is restored by decrypting with the local private key of the data user.
8. An electronic device comprising a processor and a memory, the memory having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the method of any one of claims 1-6.
9. A computer readable storage medium storing computer code which, when executed, performs the method of any of claims 1 to 6.
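The key-splitting steps of claim 1 (conversion key string to large integer D, D to n points on a curve, n points to n sub-conversion key strings, any t of which recover the curve) correspond to polynomial secret sharing. The following is an added example, not code from the patent: the prime field, the polynomial of degree t-1, the `x:hex(y)` string format, the sample key and all function names are assumptions, and the proxy re-encryption operation itself is not shown.

```python
import secrets
from itertools import combinations

# Assumption: the "curve" is a polynomial of degree t-1 over a prime field
# (Shamir-style sharing). P = 2**521 - 1 is prime and fits a 64-byte key string.
P = 2**521 - 1
SAMPLE_KEY = "constructed-sample-conversion-key-A-to-B"  # constructed value

def key_to_int(key):
    """Conversion key string -> large integer D; 0x01 prefix keeps leading zero bytes."""
    d = int.from_bytes(b"\x01" + key.encode("utf-8"), "big")
    if d >= P:
        raise ValueError("conversion key too long for the field")
    return d

def int_to_key(d):
    """Large integer D -> conversion key string; rejects values without the prefix."""
    raw = d.to_bytes((d.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":
        raise ValueError("not an encoded conversion key")
    return raw[1:].decode("utf-8")  # UnicodeDecodeError is a ValueError

def split_key(key, n, t):
    """Return n sub-conversion key strings 'x:hex(y)'; any t of them recover key."""
    if not 2 <= t < n:
        raise ValueError("need 2 <= t < n")
    coeffs = [key_to_int(key)] + [secrets.randbelow(P) for _ in range(t - 1)]
    sub_keys = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        sub_keys.append(f"{x}:{y:x}")
    return sub_keys

def recover_key(sub_keys):
    """Lagrange-interpolate the curve at x = 0 from the supplied sub-keys."""
    points = [(int(x), int(y, 16)) for x, y in (s.split(":") for s in sub_keys)]
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate sub-conversion key")
    d = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        d = (d + yi * num * pow(den, -1, P)) % P
    return int_to_key(d)

def any_t_recover(key, n, t):
    """True if every t-subset of the n sub-keys yields the original key."""
    sub_keys = split_key(key, n, t)
    return all(recover_key(list(c)) == key for c in combinations(sub_keys, t))

if __name__ == "__main__":
    parts = split_key(SAMPLE_KEY, n=5, t=3)
    print(parts[0][:24] + "...", recover_key(parts[1:4]) == SAMPLE_KEY)
```

With fewer than t sub-keys the interpolated value is unrelated to D, so `recover_key` either raises `ValueError` or returns a string that is not the conversion key.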
CN202110288191.6A 2021-03-18 2021-03-18 Data opening method and system based on ciphertext authorized access Active CN112685763B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110288191.6A CN112685763B (en) 2021-03-18 2021-03-18 Data opening method and system based on ciphertext authorized access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110288191.6A CN112685763B (en) 2021-03-18 2021-03-18 Data opening method and system based on ciphertext authorized access

Publications (2)

Publication Number Publication Date
CN112685763A CN112685763A (en) 2021-04-20
CN112685763B true CN112685763B (en) 2021-08-03

Family

ID=75455676

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110288191.6A Active CN112685763B (en) 2021-03-18 2021-03-18 Data opening method and system based on ciphertext authorized access

Country Status (1)

Country Link
CN (1) CN112685763B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609522B (en) * 2021-07-27 2022-07-08 敏于行(北京)科技有限公司 Data authorization and data access method and device
CN113992330A (en) * 2021-10-30 2022-01-28 贵州大学 Block chain data controlled sharing method and system based on proxy re-encryption
CN114338149B (en) * 2021-12-28 2022-12-27 北京深盾科技股份有限公司 Login credential authorization method of server, terminal and key escrow platform
CN114499894B (en) * 2022-04-01 2022-09-09 南京金宁汇科技有限公司 File storage and reading method and system in block chain network
CN114866323B (en) * 2022-04-29 2023-09-29 华中科技大学 User-controllable privacy data authorization sharing system and method

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9088733B2 (en) * 2006-06-27 2015-07-21 At&T Intellectual Property I, L.P. Trusted evidence cameras and related methods and computer program products
CN108418681B (en) * 2018-01-22 2020-10-23 南京邮电大学 Attribute-based ciphertext retrieval system and method supporting proxy re-encryption
CN109039614A (en) * 2018-09-17 2018-12-18 杭州弗兰科信息安全科技有限公司 A kind of proxy re-encryption method based on optimal ate
CN110147681B (en) * 2019-04-02 2022-11-29 西安电子科技大学 Privacy protection big data processing method and system supporting flexible access control
CN111222155A (en) * 2020-01-08 2020-06-02 湖南智慧政务区块链科技有限公司 Method and system for combining re-encryption and block link
CN111262694A (en) * 2020-01-10 2020-06-09 杭州趣链科技有限公司 TEE-based security proxy re-encryption method
CN111343001B (en) * 2020-02-07 2022-04-12 复旦大学 Social data sharing system based on block chain
CN111415718B (en) * 2020-02-29 2024-02-09 沈培君 Electronic prescription sharing method based on blockchain and conditional proxy re-encryption
CN111541678A (en) * 2020-04-17 2020-08-14 上海朝夕网络技术有限公司 Block chain-based proxy re-encryption method, system and storage medium
CN111523133B (en) * 2020-04-24 2023-05-09 远光软件股份有限公司 Block chain and cloud data collaborative sharing method

Also Published As

Publication number Publication date
CN112685763A (en) 2021-04-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant