CN113360919A - Cloud computing security access control method and system - Google Patents

Cloud computing security access control method and system Download PDF

Info

Publication number
CN113360919A
Authority
CN
China
Prior art keywords
data
access control
decryption key
user decryption
certificate
Prior art date
Legal status
Pending
Application number
CN202010146419.3A
Other languages
Chinese (zh)
Inventor
曹霞
党光跃
刘恩锋
王志栋
Current Assignee
Yanxiang Smart Iot Technology Co ltd
Original Assignee
EVOC Intelligent Technology Co Ltd
Priority date
2020-03-04
Filing date
2020-03-04
Publication date
2021-09-07
Application filed by EVOC Intelligent Technology Co Ltd
Priority to CN202010146419.3A
Publication of CN113360919A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a cloud computing security access control method and system. The method comprises the following steps: a certificate authority issues a first public key certificate to the data consumer; an attribute authority generates user decryption keys and distributes a different user decryption key to each role according to the access control policy, the user decryption key being the key under which the data resources provided by the data provider are encrypted; the user decryption key is encrypted under the data consumer's public key and the encrypted key is stored on the cloud platform; the role of the data consumer is determined from the access control policy and the first public key certificate, and the corresponding encrypted user decryption key is sent to the data consumer; and the data consumer is allowed to access the data resource in its role once it has successfully decrypted the encrypted user decryption key with its private key. The invention meets the security requirement while providing flexible management of the policies executed by a large number of users.

Description

Cloud computing security access control method and system
Technical Field
The invention relates to the technical field of data information security, in particular to a cloud computing security access control method and system.
Background
Cloud computing is a low-cost and efficient solution for today's big-data management. When a cloud solution is adopted to store large-scale, high-value data, its security and privacy become critical, and encryption technology and an access control model generally have to be deployed to meet the cloud's security requirement. Access control is one of the most effective network security measures.
Existing access control for big data cannot provide flexible management of the policies executed by a large number of users while also meeting the security requirement.
Disclosure of Invention
To solve the above problem, the cloud computing security access control method and system provided by the invention meet the security requirement while providing flexible management of the policies executed by a large number of users.
In a first aspect, the invention provides a cloud computing security access control method applied to an access control system model. The model comprises a certificate authority, an attribute authority, a data provider and a data consumer: the certificate authority issues public key certificates to the attribute authority, the data provider and the data consumer; the attribute authority generates user decryption keys and issues the encrypted user decryption key to the corresponding data consumer; the data provider provides data resources and restricts, through an access control policy, which roles may access them; and the data consumer accesses the corresponding data resources according to the role it has obtained;
the method comprises the following steps: issuing a first public key certificate to the data consumer through the certificate authority;
generating user decryption keys through the attribute authority and distributing a different user decryption key to each role according to the access control policy, the user decryption key being used to encrypt the data resources provided by the data provider;
encrypting the user decryption key under the public key and storing the encrypted user decryption key on the cloud platform;
determining the role of the data consumer from the access control policy and the first public key certificate presented by the data consumer, and sending the corresponding encrypted user decryption key to the data consumer;
and allowing the data consumer to access the data resource in the corresponding role once it has successfully decrypted the encrypted user decryption key with its private key.
Optionally, the method further comprises updating the access control policy;
updating the access control policy comprises modifying the attributes of the policy and checking the syntax of the policy.
Optionally, modifying the attributes of the access control policy comprises adding, updating and/or deleting attributes of the policy.
Optionally, checking the syntax of the access control policy comprises checking the type of each attribute and the operand taken by the attribute's value.
Optionally, the method further comprises issuing, through the certificate authority, a second public key certificate to the attribute authority and a third public key certificate to the data provider.
In a second aspect, the invention provides a cloud computing security access control system applied to the same access control system model: a certificate authority that issues public key certificates to the attribute authority, the data provider and the data consumer; an attribute authority that generates user decryption keys and issues the encrypted user decryption key to the corresponding data consumer; a data provider that provides data resources and restricts, through an access control policy, which roles may access them; and a data consumer that accesses the corresponding data resources according to the role it has obtained;
the cloud computing security access control system comprises:
a first issuing module configured to issue a first public key certificate to the data consumer through the certificate authority;
a generation module configured to generate user decryption keys through the attribute authority and to allocate a different user decryption key to each role according to the access control policy, the user decryption key being used to encrypt the data resources provided by the data provider;
an encryption module configured to encrypt the user decryption key under the public key, store the encrypted user decryption key in the first issuing module and store it on the cloud platform;
a determining module configured to determine the role of the data consumer from the access control policy and the first public key certificate presented by the data consumer, and to send the corresponding encrypted user decryption key to the data consumer;
and an enabling module configured to allow the data consumer to access the data resource in the corresponding role once it has successfully decrypted the encrypted user decryption key with its private key.
Optionally, the system further comprises an update module configured to update the access control policy;
the update module comprises:
a modification submodule configured to modify the attributes of the access control policy; and
a checking submodule configured to check the syntax of the access control policy.
Optionally, the modification submodule is further configured to add, update and/or delete attributes of the access control policy.
Optionally, the checking submodule is further configured to check the type of each attribute and the operand taken by the attribute's value.
Optionally, the system further comprises a second issuing module configured to issue, through the certificate authority, a second public key certificate to the attribute authority and a third public key certificate to the data provider.
The cloud computing security access control method and system provided by the embodiments of the invention are applied to an access control system model. They restrict the data consumer through the first public key certificate, so that an unauthenticated data consumer cannot enter the system and obtain data resources; they encrypt the data resources under a user decryption key and encrypt that user decryption key under the public key, so that only the data consumer holding the correct private key can recover the user decryption key, obtain the authority of the corresponding role and access the corresponding data resources. The scheme therefore meets the security requirement while providing flexible management of the policies executed by a large number of users.
Drawings
FIG. 1 is a schematic flowchart of the cloud computing security access control method according to an embodiment of the present application;
FIG. 2 is a graph comparing the performance of the re-encryption process of the embodiments of the present application;
FIG. 3 is a schematic structural diagram of the cloud computing security access control system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first aspect, the invention provides a cloud computing security access control method applied to an access control system model comprising a certificate authority, an attribute authority, a data provider and a data consumer.
The certificate authority issues public key certificates to the attribute authority, the data provider and the data consumer. A certificate issued by the certificate authority can be obtained only by an entity that is a trusted third party; the entities are the data consumer, the attribute authority, the data provider and the system agent. In one embodiment, an entity can access the corresponding data resource as long as its public key certificate is in the data provider's trusted list; the entities are hierarchical, and certificates with different rights are issued according to each entity's degree of trust.
The attribute authority generates user decryption keys and issues the encrypted user decryption key to the corresponding data consumer. Specifically, attribute authorities are independent parties that issue, revoke and update the attributes of the data consumers in a specific domain according to the roles configured for those consumers, and each attribute authority is responsible for generating user decryption keys and issuing the system-encrypted user decryption key to the data consumers registered in its domain.
The data provider provides data resources and restricts, through access control policies, which roles may access them. The data provider can be the provider or the owner of the data; it uploads its own transaction or processed data to the cloud platform, specifies through an access control policy how users may access a given resource, and classifies and manages resource permissions.
The data consumer accesses the corresponding data resources according to the role it has obtained. The data consumer can be a user or a data user; the attribute authority assigns each user holding a first public key certificate a set of attributes related to that user's role.
In this embodiment, the attribute authority executes the Attribute Authority Setup (AAS) and User Key Generation (UKG) operations, and the data provider and data consumer execute the Root Decryption Key Generation (RDKG), Encryption (ENC) and Decryption (DEC) operations. Bilinear mapping is used as the construction in the system setup and the user decryption key generation protocol.
Referring to FIG. 1, the method comprises steps S101 to S105 as follows:
Step S101: issuing a first public key certificate to the data consumer through the certificate authority.
Step S102: generating user decryption keys through the attribute authority and distributing a different user decryption key to each role according to the access control policy, the user decryption key being used to encrypt the data resources provided by the data provider.
The user decryption key may be a set of attributes, i.e. the administrative rights, attached to the user's corresponding role.
Step S103: encrypting the user decryption key under the public key and storing the encrypted user decryption key on the cloud platform.
Step S104: determining the role of the data consumer from the access control policy and the first public key certificate presented by the data consumer, and sending the corresponding encrypted user decryption key to the data consumer.
Step S105: allowing the data consumer to access the data resource in the corresponding role once it has successfully decrypted the encrypted user decryption key with its private key.
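As an added illustration of steps S101 to S105 (this is not code from the patent), the flow in Go with only the standard library: a self-signed certificate authority issues the first public key certificate, an attribute authority keeps one user decryption key per role, that key is wrapped with RSA-OAEP under the consumer's certified public key and only the wrapped form is stored on the cloud, and only the matching private key unwraps it. Assumptions not in the patent: the role attribute is carried in the certificate's OU field, RSA-2048 keys are used, the role key is a random 32-byte symmetric key, and plain RSA-OAEP wrapping stands in for the patent's bilinear-map construction.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// check aborts the demo on setup failures (key generation) it cannot recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return key
}

// newCert signs tmpl with signer and parses the result; validity is one hour.
func newCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the certificate authority of the model as a self-signed root.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey) {
	key := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	check(err)
	return cert, key
}

// Issue is step S101: the CA issues a first public key certificate to a data
// consumer. Assumption: the consumer's role attribute is carried in the OU.
func Issue(caCert *x509.Certificate, caKey *rsa.PrivateKey, cn, role string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{role}},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return newCert(tmpl, caCert, pub, caKey)
}

// AttributeAuthority is step S102: one user decryption key per role (assumed 32-byte symmetric key).
type AttributeAuthority map[string][]byte

func (aa AttributeAuthority) KeyFor(role string) []byte {
	if k, ok := aa[role]; ok {
		return k
	}
	k := make([]byte, 32)
	_, err := rand.Read(k)
	check(err)
	aa[role] = k
	return k
}

type Cloud map[string][]byte // consumer CN -> RSA-OAEP wrapped user decryption key (step S103)

// Distribute is steps S103 and S104: verify the presented certificate against the CA
// (the policy check), read the role from its OU, wrap the role key, store only the ciphertext.
func Distribute(caCert *x509.Certificate, aa AttributeAuthority, cloud Cloud, leaf *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok || len(leaf.Subject.OrganizationalUnit) == 0 {
		return "", errors.New("certificate lacks an RSA key or a role attribute")
	}
	role := leaf.Subject.OrganizationalUnit[0]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aa.KeyFor(role), nil)
	if err != nil {
		return "", err
	}
	cloud[leaf.Subject.CommonName] = wrapped
	return role, nil
}

// Retrieve is the consumer side of step S105: only the matching private key recovers the key.
func Retrieve(cloud Cloud, cn string, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, cloud[cn], nil)
}
```

Two consumers in the same role receive the same user decryption key wrapped under their own public keys, a certificate from a CA outside the trust list is refused before anything is stored, and a wrong private key cannot unwrap another consumer's key.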
The cloud computing security access control method is applied to an access control system model. It restricts the data consumer through the first public key certificate, so that an unauthenticated data consumer cannot enter the system and obtain data resources; it encrypts the data resources under a user decryption key and encrypts that user decryption key under the public key, so that only the data consumer holding the correct private key can recover the user decryption key, obtain the authority of the corresponding role and access the corresponding data resources. The method therefore meets the security requirement while providing flexible management of the policies executed by a large number of users.
The order of the steps defined in this embodiment is only one possibility; those skilled in the art can adjust it according to the actual situation.
In an optional embodiment, the method further comprises updating the access control policy. Updating the access control policy comprises modifying the attributes of the policy and checking the syntax of the policy.
In an optional embodiment, modifying the attributes of the access control policy comprises adding, updating and/or deleting attributes of the policy.
In an optional embodiment, checking the syntax of the access control policy comprises checking the type of each attribute and the operand taken by the attribute's value.
After the access control policy has been updated, the system agent automatically re-encrypts, under the updated policy, the ciphertext that was encrypted under the policy before the update.
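An added example (not from the patent) of the policy update path described above: an attribute condition is added, updated or deleted, the syntax check then verifies that each attribute is declared, that its value takes an operand allowed for the attribute's type and that the value parses as that type, and an update that fails the check is rolled back rather than installed. The attribute schema, the operand table and the Version counter that marks which ciphertexts the agent must re-encrypt are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
)

// AttrType is the declared type of a policy attribute. The schema and the
// operand table below are assumptions made for this example.
type AttrType string

const (
	TypeString AttrType = "string"
	TypeInt    AttrType = "int"
	TypeBool   AttrType = "bool"
)

// Condition is one attribute test of an access control policy: Attr Op Value.
type Condition struct {
	Attr, Op, Value string
}

// Policy is a conjunction of conditions a consumer's role must satisfy. Version is
// bumped on every installed update; ciphertext under an older version is re-encrypted.
type Policy struct {
	Schema     map[string]AttrType
	Conditions []Condition
	Version    int
}

// allowedOps lists the operands each attribute type may take.
var allowedOps = map[AttrType]map[string]bool{
	TypeString: {"==": true, "!=": true},
	TypeInt:    {"==": true, "!=": true, "<": true, "<=": true, ">": true, ">=": true},
	TypeBool:   {"==": true},
}

// CheckSyntax verifies that every condition names a declared attribute, uses
// an operand allowed for that attribute's type, and carries a value of that type.
func (p *Policy) CheckSyntax() error {
	for i, c := range p.Conditions {
		t, ok := p.Schema[c.Attr]
		if !ok {
			return fmt.Errorf("condition %d: unknown attribute %q", i, c.Attr)
		}
		if !allowedOps[t][c.Op] {
			return fmt.Errorf("condition %d: operand %q not allowed for %s attribute %q", i, c.Op, t, c.Attr)
		}
		var err error
		switch t {
		case TypeInt:
			_, err = strconv.Atoi(c.Value)
		case TypeBool:
			_, err = strconv.ParseBool(c.Value)
		}
		if err != nil {
			return fmt.Errorf("condition %d: value %q is not a valid %s", i, c.Value, t)
		}
	}
	return nil
}

// Update adds, updates or deletes the condition on c.Attr and then checks the whole
// policy; a failing update is rolled back so an invalid policy is never installed.
func (p *Policy) Update(op string, c Condition) error {
	backup := append([]Condition(nil), p.Conditions...)
	idx := -1
	for i, existing := range p.Conditions {
		if existing.Attr == c.Attr {
			idx = i
			break
		}
	}
	switch op {
	case "add":
		if idx >= 0 {
			return fmt.Errorf("attribute %q is already in the policy", c.Attr)
		}
		p.Conditions = append(p.Conditions, c)
	case "update":
		if idx < 0 {
			return fmt.Errorf("attribute %q is not in the policy", c.Attr)
		}
		p.Conditions[idx] = c
	case "delete":
		if idx < 0 {
			return fmt.Errorf("attribute %q is not in the policy", c.Attr)
		}
		p.Conditions = append(p.Conditions[:idx], p.Conditions[idx+1:]...)
	default:
		return fmt.Errorf("unknown update operation %q", op)
	}
	if err := p.CheckSyntax(); err != nil {
		p.Conditions = backup
		return err
	}
	p.Version++
	return nil
}
```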
In an optional embodiment, the method further comprises issuing, through the certificate authority, a second public key certificate to the attribute authority and a third public key certificate to the data provider.
The second and third public key certificates prevent the attribute authority and the data provider from being tampered with arbitrarily, which improves the security of the system.
The method was tested as follows:
The time taken by the re-encryption process, comprising re-encryption key generation, re-encryption key update and re-encryption key exchange, was measured first. In the experiment, a 15 GB file was encrypted under an access policy consisting of 15 attributes, and a random number generator was used as part of the re-encryption key generation. FIG. 2 shows the processing time of the re-encryption scheme and of the re-encryption of its ciphertext.
As FIG. 2 shows, the re-keying scheme updates the re-encryption key in minimal time, which significantly reduces computational overhead when a policy update requires the re-encryption key to be regenerated; compared with the RKG process, the re-encryption scheme reduces the cost by about 72%. For the re-encryption key exchange, the proposed scheme needs less processing time than the initial re-encryption key generation, since the initial system parameters do not have to be recomputed when the encryption key is regenerated. Because neither the policy nor the size of the ciphertext changes, the ciphertext re-encryption time is the same for all individual re-encryption processes.
In a second aspect, the invention provides a cloud computing security access control system, shown in FIG. 3, applied to the same access control system model: a certificate authority that issues public key certificates to the attribute authority, the data provider and the data consumer; an attribute authority that generates user decryption keys and issues the encrypted user decryption key to the corresponding data consumer; a data provider that provides data resources and restricts, through an access control policy, which roles may access them; and a data consumer that accesses the corresponding data resources according to the role it has obtained;
the cloud computing security access control system 300 comprises:
a first issuing module 301 configured to issue a first public key certificate to the data consumer through the certificate authority;
a generation module 302 configured to generate user decryption keys through the attribute authority and to allocate a different user decryption key to each role according to the access control policy, the user decryption key being used to encrypt the data resources provided by the data provider;
an encryption module 303 configured to encrypt the user decryption key under the public key, store the encrypted user decryption key in the first issuing module and store it on the cloud platform;
a determining module 304 configured to determine the role of the data consumer from the access control policy and the first public key certificate presented by the data consumer, and to send the corresponding encrypted user decryption key to the data consumer;
an enabling module 305 configured to allow the data consumer to access the data resource in the corresponding role once it has successfully decrypted the encrypted user decryption key with its private key.
In an optional embodiment, the cloud computing security access control system 300 further comprises an update module configured to update the access control policy;
the update module comprises:
a modification submodule configured to modify the attributes of the access control policy; and
a checking submodule configured to check the syntax of the access control policy.
In an optional embodiment, the modification submodule is further configured to add, update and/or delete attributes of the access control policy.
In an optional embodiment, the checking submodule is further configured to check the type of each attribute and the operand taken by the attribute's value.
In an optional embodiment, the cloud computing security access control system 300 further comprises a second issuing module configured to issue, through the certificate authority, a second public key certificate to the attribute authority and a third public key certificate to the data provider.
The cloud computing security access control system is applied to an access control system model. It restricts the data consumer through the first public key certificate, so that an unauthenticated data consumer cannot enter the system and obtain data resources; it encrypts the data resources under a user decryption key and encrypts that user decryption key under the public key, so that only the data consumer holding the correct private key can recover the user decryption key, obtain the authority of the corresponding role and access the corresponding data resources. The system therefore meets the security requirement while providing flexible management of the policies executed by a large number of users.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A cloud computing security access control method is applied to an access control system model, and the access control system model comprises: the system comprises a certificate issuing mechanism, an attribute management mechanism, a data providing end and a data using end, wherein the certificate issuing mechanism is used for issuing public key certificates for the attribute management mechanism, the data providing end and the data using end, the attribute management mechanism is used for generating a user decryption key and issuing the encrypted user decryption key to the corresponding data using end, the data providing end is used for providing data resources and limiting the role of accessing the data resources through an access control strategy, and the data using end is used for accessing the corresponding data resources according to the obtained role;
the method comprises the following steps: issuing a first public key certificate to the data using end through the certificate authority;
generating a user decryption key through the attribute management mechanism, and distributing different user decryption keys for different roles according to the access control policy, wherein the user decryption key is used for encrypting data resources provided by a data providing end;
encrypting the user decryption key through a public key, and storing the encrypted user decryption key to a cloud platform;
determining the role of the data using end according to an access control strategy and a first public key certificate provided by the data using end, and sending a corresponding encrypted user decryption key to the data using end;
and enabling the data using end to access the data resource through the corresponding role under the condition that the data using end successfully decrypts the encrypted user decryption key through the private key.
2. The cloud computing security access control method of claim 1, the method further comprising: updating the access control policy;
the updating the access control policy includes: modifying the attributes of the access control policy and checking the syntax of the access control policy.
3. The cloud computing security access control method of claim 2, wherein the modifying the attributes of the access control policy comprises: adding, updating and/or deleting the attributes of the access control policy.
4. The cloud computing security access control method of claim 2, wherein the checking the syntax of the access control policy comprises: checking the type of each attribute and the operand taken by the attribute's value.
5. The cloud computing security access control method of claim 1, the method further comprising: and respectively issuing a second public key certificate and a third public key certificate to the attribute management mechanism and the data providing end through the certificate issuing mechanism.
6. A cloud computing security access control system is applied to an access control system model, and the access control system model comprises: the system comprises a certificate issuing mechanism, an attribute management mechanism, a data providing end and a data using end, wherein the certificate issuing mechanism is used for issuing public key certificates for the attribute management mechanism, the data providing end and the data using end, the attribute management mechanism is used for generating a user decryption key and issuing the encrypted user decryption key to the corresponding data using end, the data providing end is used for providing data resources and limiting the role of accessing the data resources through an access control strategy, and the data using end is used for accessing the corresponding data resources according to the obtained role;
the cloud computing security access control system includes:
the first issuing module is configured to issue a first public key certificate to the data using end through the certificate issuing organization;
the generation module is configured to generate a user decryption key through the attribute management mechanism, and allocate different user decryption keys to different roles according to the access control policy, wherein the user decryption key is used for encrypting data resources provided by a data providing end;
the encryption module is configured to encrypt the user decryption key through a public key, store the encrypted user decryption key in a first issuing module and store the encrypted user decryption key in the cloud platform;
the determining module is configured to determine the role of the data using end according to an access control strategy and a first public key certificate provided by the data using end, and send a corresponding encrypted user decryption key to the data using end;
and the enabling module is configured to enable the data using end to access the data resource through the corresponding role under the condition that the data using end successfully decrypts the encrypted user decryption key through the private key.
7. The cloud computing security access control system of claim 6, further comprising: an update module configured to update the access control policy;
the update module includes:
a modification submodule configured to modify an attribute of the access control policy; and
a checking sub-module configured to check a syntax of the access control policy.
8. The cloud computing security access control system of claim 7, wherein the modification submodule is further configured to add, update and/or delete attributes of the access control policy.
9. The cloud computing security access control system of claim 7, wherein the checking submodule is further configured to check the type of each attribute and the operand taken by the attribute's value.
10. The cloud computing security access control system of claim 6, further comprising: and the second issuing module is configured to issue a second public key certificate and a third public key certificate to the attribute management mechanism and the data providing end respectively through the certificate issuing mechanism.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010146419.3A CN113360919A (en) 2020-03-04 2020-03-04 Cloud computing security access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010146419.3A CN113360919A (en) 2020-03-04 2020-03-04 Cloud computing security access control method and system

Publications (1)

Publication Number Publication Date
CN113360919A true CN113360919A (en) 2021-09-07

Family

ID=77523636

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010146419.3A Pending CN113360919A (en) 2020-03-04 2020-03-04 Cloud computing security access control method and system

Country Status (1)

Country Link
CN (1) CN113360919A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230705

Address after: 518057 1701, Yanxiang science and technology building, 31 Gaoxin middle Fourth Road, Maling community, Yuehai street, Nanshan District, Shenzhen City, Guangdong Province

Applicant after: Yanxiang smart IOT Technology Co.,Ltd.

Address before: No.1, Yanxiang Zhigu chuangxiangdi, No.11, Gaoxin Road, Guangming New District, Shenzhen, Guangdong 518107

Applicant before: EVOC INTELLIGENT TECHNOLOGY Co.,Ltd.