CN113645206A - Cloud storage data access control method and system for different user requirements - Google Patents

Cloud storage data access control method and system for different user requirements Download PDF

Info

Publication number
CN113645206A
CN113645206A CN202110859224.8A CN202110859224A CN113645206A CN 113645206 A CN113645206 A CN 113645206A CN 202110859224 A CN202110859224 A CN 202110859224A CN 113645206 A CN113645206 A CN 113645206A
Authority
CN
China
Prior art keywords
data
access
key
cloud storage
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110859224.8A
Other languages
Chinese (zh)
Inventor
杨腾霄
马宇尘
严涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Newdun Wangan Technology Co ltd
Original Assignee
Shanghai Newdun Wangan Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Newdun Wangan Technology Co ltd filed Critical Shanghai Newdun Wangan Technology Co ltd
Priority to CN202110859224.8A priority Critical patent/CN113645206A/en
Publication of CN113645206A publication Critical patent/CN113645206A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud storage data access control method and system for different user requirements, and belongs to the field of cloud computing safety. The method comprises the following steps: parameter setting is carried out by the key management server, a public key and a master key are generated and uploaded to the cloud storage server; the key generation is executed by the key management server, and a private key is generated and uploaded to the cloud storage server; data encryption is performed by a data owner, and a ciphertext is generated and uploaded to a cloud storage server; access authorization, which is executed by an access control server and is used for authorizing access to users with different requirements; and data decryption is carried out by a data visitor, and plaintext is generated and data access is carried out. By using the method and the system, different users can effectively access the cloud storage data according to the requirements of the users, and meanwhile, the security and privacy protection are realized on the data in the cloud of the data owner.

Description

Cloud storage data access control method and system for different user requirements
Technical Field
The invention belongs to the field of cloud computing security.
Technical Field
In the cloud computing technology, a data owner carries out remote cloud hosting on local data, so that a cloud storage service provider becomes a physical owner of data of the data owner, but no trust relationship exists between the data owner and the data owner, the security situation is very severe, and the trust of the data owner on the cloud storage service provider is seriously influenced if a user without identity authentication can randomly access a cloud storage server, the data security cannot be guaranteed and the like. For example, a cloud storage service provider stores various types of data of users, and also stores privacy data of the users, which brings potential security threats to personal privacy. Therefore, when a cloud storage service provider manages a large number of data resources of a data owner, when a user wants to access the data resources in the cloud, a certain access control policy needs to be adopted to control the access of the visitor to the data resources in the cloud.
However, in order to implement a more flexible access control policy, when a data owner determines whether an accessor has access to data in the cloud, it is difficult for the prior art to implement access control of cloud storage data according to access requirements of different users.
Disclosure of Invention
The invention aims to provide a cloud storage data access control method and system for different user requirements.
In order to solve the above technical problem, the present invention provides a method for controlling access to cloud storage data for different user requirements, which includes the following steps:
parameter setting is carried out by the key management server, a public key and a master key are generated and uploaded to the cloud storage server;
the key generation is executed by the key management server, and a private key is generated and uploaded to the cloud storage server;
data encryption is performed by a data owner, and a ciphertext is generated and uploaded to a cloud storage server;
access authorization, which is executed by an access control server and is used for authorizing access to users with different requirements;
and data decryption is carried out by a data visitor, and plaintext is generated and data access is carried out.
Further, the access control server is used for storing the hash value of the data, the hash value of the data ciphertext and an access policy, and a data visitor can access the data stored by the data owner in the cloud storage server only by meeting the access policy.
Furthermore, the access policy is a logical expression composed of the relationship between the attributes and the data owner and the data, and the data of the data owner can be successfully accessed only if the attribute set of the data visitor meets the access policy.
Further, the access policy specifically includes the following steps:
setting access policy attributes, and setting user privacy levels and data types according to the requirements of different users;
establishing an access policy tree, wherein the attribute of each leaf node in the access policy tree T is represented by (x, y), x represents the user privacy level of the leaf node, y represents the data type of the leaf node, and the
x-1 represents primary protection, the highest privacy protection level required by the user, x-2 represents secondary protection, the important privacy protection level required by the user, x-3 represents tertiary protection, the general privacy protection level required by the user, y-1 represents user document data, y-2 represents user voice data, y-3 represents user picture data, and y-4 represents user video data;
setting a set of access policies, P ═ P1,P2,…,PnIs an attribute-based set, where Γ is represented by P ═ P1,P2,…,PnA set of non-empty attribute subsets of which
Γ∈2{P1,P2,…,Pn}The set of the access strategy set S in the gamma is an access authorization set, and the set of the access strategy set S which is not in the gamma is an non-access authorization set;
and (4) authorized access is realized, and the data visitor can successfully decrypt and obtain a plaintext only if the number of intersection sets of the access policy set S associated with the private key of the data owner and the attribute set S associated with the data ciphertext of the data owner reaches a set threshold value.
Further, the parameter setting comprises the following steps:
performing parameter setting by the key management server;
inputting a safety parameter gamma, randomly selecting alpha and beta to be ZpCalculating h as gβ,u=gαAnd v ═ e (g, g)αCalculating a public key PK according to a formula PK ═ G, G, h and v, and obtaining a master key MK according to a formula MK ═ beta, u;
the output is the public key PK and the master key MK, SetUp (γ) → (PK, MK).
Further, the key generation includes the following steps:
performing key generation by a key management server;
inputting the generated public key PK, the master key MK and the access strategy set S, and randomly selecting r to belong to ZpSelecting a random number r for the attribute x, y e in the access strategy set Sx,y∈ZpAnd calculating a user private key SK:
Figure BDA0003185220180000021
Figure BDA0003185220180000022
the output is the private key SK, KeyGen (PK, MK, S) → SK.
Further, the data encryption comprises the following steps:
performing data encryption by a data owner;
the input is the generated public key PK, the data M to be encrypted and the access strategy tree T, and for each node in the access strategy tree T, if the threshold range of the parent node parent (x) of the leaf node y is 0parent(x)∈[1,3]Then q isy(0)=qparent(x)(0) Let us orderΓ1For accessing sets of such parent nodes in the policy tree T, Γ2Is a collection of remaining parent nodes in the access policy tree T, and further according to Γ1The leaf node types of all the father nodes are different, i is1Divided into gamma11,Γ12,Γ13,Γ14Encrypting the encrypted data C, and calculating to obtain the ciphertext C of the encrypted dataCK
Figure BDA0003185220180000027
C′=gs
Figure BDA0003185220180000024
Figure BDA0003185220180000025
Output as ciphertext Cck,Encrypt(PK,M,T)→Cck
Further, the access authorization includes the following steps:
performing access authorization by the access control server;
the public key PK, the master key MK, the private key SK and the access strategy set Sm and the access strategy tree Tm of the data visitor are input, and the access control server calls a predefined recursive function into
Figure BDA0003185220180000026
The output is 1 or 0, Auth (PK, MK, SK, Sm, Tm) → 1/0, wherein
1 indicates that the access control server authorizes the data accessor to perform data access, and 0 indicates that the access control server does not authorize the data accessor to perform data access.
Further, the data decryption comprises the following steps:
performing data decryption by a data accessor;
the input is the public generatedKey PK, private key SK and ciphertext CckFor ciphertext CCKDecrypting to obtain session key
Figure BDA0003185220180000031
The data visitor decrypts the session key CK and the ciphertext C according to the decrypted session key CKckCalculating to obtain decrypted data M ═ DCK(Cck);
The output is plaintext M, Decrypt (PK, SK, C)ck)→M。
The invention also provides a cloud storage data access control system for different user requirements, which comprises:
the parameter setting module is used for executing key management server operation, generating a public key and a master key and uploading the public key and the master key to the cloud storage server;
the key generation module is used for executing key management server operation, generating a private key and uploading the private key to the cloud storage server;
the data encryption module is used for executing data owner operation, generating a ciphertext and uploading the ciphertext to the cloud storage server;
the access authorization module is used for executing the operation of the access control server and authorizing access to users with different requirements;
and the data decryption module is used for executing data visitor operation, generating a plaintext and carrying out data access.
By adopting the technical scheme, compared with the prior art, the cloud storage data security protection method and the cloud storage system can effectively realize security and privacy protection on the cloud storage data of a data owner, and meanwhile, different users can effectively access the cloud storage data according to self requirements.
Drawings
Fig. 1 is a schematic structural diagram of a cloud storage data access control method for different user requirements according to an embodiment of the present invention.
Fig. 2 is a schematic view of an access policy tree structure of a cloud storage data access control method for different user requirements according to an embodiment of the present invention.
Fig. 3 is a flowchart of a method for controlling access to cloud storage data according to different user requirements according to an embodiment of the present invention.
Fig. 4 is a data access flow chart of a cloud storage data access control method for different user requirements according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a cloud storage data access control system for different user requirements according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
Example 1
To solve the problems existing in the prior art, fig. 1 shows a schematic structural diagram of a cloud storage data access control method for different user requirements according to the present invention.
Specifically, the present invention comprises: the key management server 110 is used for generating a public key PK, a master key MK and a private key SK; the cloud storage server 120 is used for storing data of a data owner, so that the local storage burden of the data owner is reduced; the data owner 130 is a producer and/or owner of the data; the access control server 140 is configured to store the hash value of the data, the hash value of the data ciphertext, and an access policy, and a data visitor must satisfy the access policy to access the data stored by the data owner in the cloud storage server; the data accessor 150 is a general user who wants to access data stored by a data owner in the cloud storage server.
In the invention, the access policy attribute is set in consideration of the relationship between the attribute and the data owner and the data, and the privacy level and the data type of the user are set according to the requirements of different users, wherein the following table 1 shows different protection levels and data types of the user:
Figure BDA0003185220180000041
as shown in the table above, the attribute of each leaf node in the access policy tree T is represented by (x, y), where x represents the user privacy level of the leaf node and y represents the data type of the leaf node, where
x-1 represents primary protection, the highest privacy protection level required by the user, x-2 represents secondary protection, the important privacy protection level required by the user, x-3 represents tertiary protection, the general privacy protection level required by the user, y-1 represents user document data, y-2 represents user voice data, y-3 represents user picture data, and y-4 represents user video data.
The working principle of the cloud storage data access control method for different user requirements is as follows: the key management server 110 generates a public key PK, a master key MK, and a private key SK of the data owner 130 and uploads the public key, the master key MK, and the private key SK to the cloud storage server 120.
Fig. 2 is a schematic view illustrating an access policy tree structure of a cloud storage data access control method for different user requirements according to an embodiment of the present invention.
When the data owner 130 uploads the data M to the cloud storage server 120, the key management server 110 is operated, a main key MK is selected for the data M to be uploaded and encrypted, then the access control server 140 is operated, each leaf node is classified according to the privacy level of a father node corresponding to each leaf node on the access policy tree T, furthermore, sets of leaf nodes with different privacy levels of the father nodes are classified according to different types of the father nodes, and then the main key MK is encrypted according to the attribute classification result to obtain a main key MK ciphertext CMKThen the encrypted data C and the main key MK ciphertext CMKAnd uploading to the cloud.
A legitimate user of the access control server 140 can be distinguished as data of a data owner 130, an accessor 150, and a key management server 110, where the data owner 130 refers to a provider of cloud storage data, the data owner 130 sets an access policy, encrypts data to be uploaded based on the access policy, and uploads the encrypted data to the cloud storage server 120; the data visitor 150 refers to data that the cloud data owner 130 wants to access, and the data that the data owner 130 stores in the cloud can be successfully accessed only when the attribute set of the data visitor 150 all meets the access policy of the data owner 130; the key management server 110 refers to a trusted third party interacting with the cloud storage server 120, except for the data owner 130 data and the visitor 150, and is responsible for generating a public key PK, a master key MK, and a private key SK for each legitimate user.
It should be understood that the purpose of defining the data owner 130 and the data accessor 150 is to distinguish whether the function in the operation process of the cloud storage server 120 is uploading data or accessing data, so that the data owner 130 in the operation process of the cloud storage server 120 can be the data accessor 150 in another operation process, and similarly, the data accessor 150 in the operation process of the cloud storage server 120 can be the data owner 130 in another operation process. If the data accessor 150 wishes to access the cloud data, an access request is sent to the cloud storage server 120, the access control server 140 judges whether the data accessor 150 is a legal user according to the access request, and if so, the private key SK is calculated and sent to the data accessor 150.
When data accessor 150 accesses data from cloud storage server 120, data accessor 150 runs key management server 110 to generate master key MK ciphertext CMKAnd corresponding encrypted data C, and when the attribute set associated with the data owner 130 private key SK and the attribute set associated with the data owner 130 data ciphertext C both satisfy the access policy set S, the master key MK ciphertext CMKAnd decrypting to obtain the main key MK, and then decrypting the corresponding data ciphertext C by using the main key MK obtained by the private key SK.
In the cloud storage data access control method for different user requirements provided by the invention, in the encryption process, the data owner 130 classifies the leaf nodes according to the privacy level of the father node corresponding to each leaf node on the access policy tree T, further classifies the sets of the leaf nodes with different privacy levels of the father node according to different types of the father nodes, and then encrypts the data M according to the classification result and uploads the data M to the cloud. In this way, according to the access requirements of different users, when the intersection of the attribute set associated with the private key SK of the data owner 130 and the attribute set associated with the data ciphertext C of the data owner 130 meets the set access policy threshold of 1, the data accessor 150 can successfully decrypt and obtain the plaintext M to realize data access. Therefore, compared with the existing scheme, different users can effectively access the cloud storage data according to own requirements, and meanwhile, the security and privacy protection can be realized on the data in the cloud of the data owner.
Example 2
The present invention will be described in detail in the present embodiment, specifically referring to fig. 3 and 4, which includes the following steps:
in step S110, parameters are set, and the parameters are executed by the key management server 110, and a public key and a master key are generated and uploaded to the cloud storage server 120.
Further, the step of generating the public key and the master private key may further comprise the steps of:
step S111, performing parameter setting by the key management server 110;
step S112, inputting a safety parameter gamma;
in step S113, the output is the public key PK and the master key MK, SetUp (γ) → (PK, MK).
G is defined as a bilinear group of order prime p, and G is the generator of G. Defining a bilinear map e: g → G1Wherein, H: {0,1}*→ G is a hash function. Defining attribute set P ═ { P ═ P1,P2,…,PnFor i ∈ ZpWith access policy set S, attribute set
Figure BDA0003185220180000051
Defining lagrange coefficients
Figure BDA0003185220180000052
Figure BDA0003185220180000053
Inputting a safety parameter gamma, randomly selecting alpha and beta epsilon to ZpCalculating h as gβ,u=gαAnd v ═ e (g, g)αThe public key PK is calculated according to the formula PK ═ (G, h, v), and the master key MK is obtained according to the formula MK ═ (β, u).
In step S120, a key is generated, executed by the key management server 110, and a private key is generated and uploaded to the cloud storage server 120.
Further, the step of generating the private key comprises the following steps:
step S121, performing key generation by the key management server 110;
step S122, inputting the generated public key PK, the master key MK and the access strategy set S;
in step S123, the output is a private key SK, i.e., KeyGen (PK, MK, S) → SK.
Setting access policy attributes, and setting user privacy levels and data types according to the requirements of different users;
establishing an access policy tree, wherein the attribute of each leaf node in the access policy tree T is represented by (x, y), x represents the user privacy level of the leaf node, y represents the data type of the leaf node, and the
x-1 represents primary protection, the highest privacy protection level required by the user, x-2 represents secondary protection, the important privacy protection level required by the user, x-3 represents tertiary protection, the general privacy protection level required by the user, y-1 represents user document data, y-2 represents user voice data, y-3 represents user picture data, and y-4 represents user video data;
setting a set of access policies, P ═ P1,P2,…,PnIs an attribute-based set, where Γ is represented by P ═ P1,P2,…,PnA set of non-empty attribute subsets of which
Γ∈2{P1,P2,…,Pn}The set of the access policy set S in Γ is an access authorization set, and the set of the access policy set S not in Γ is an access non-authorization set.
Setting user privacy level and data type according to the requirements of different users, and distributing corresponding access policy set S and attribute set for the users by using attribute set P
Figure BDA0003185220180000054
Inputting the generated public key PK, the master key MK and the access strategy set S, and randomly selecting r to belong to ZpSelecting a random number r for the attribute x, y e in the access strategy set Sx,y∈ZpAnd calculating a user private key SK:
Figure BDA0003185220180000061
Figure BDA0003185220180000062
wherein G is a generator of G, alpha, beta and r epsilon ZpFor random selection generation, rx,y∈ZpRandomly selecting and generating attributes x, y and S in an access policy set S, wherein type (x, y) represents the protection level and the data type of a user, D is an element on a bilinear group G, and Dx,yAre elements on the bilinear group G,
Figure BDA0003185220180000063
is an element on bilinear group G, D'x,yAre elements on bilinear group G.
In step S130, the data is encrypted and executed by the data owner 130, and a ciphertext is generated and uploaded to the cloud storage server 120.
Step S131, performing data encryption by the data owner 130;
step S132, inputting the generated public key PK, the data M to be encrypted and the access strategy tree T;
step S133, outputting as ciphertext Cck,Encrypt(PK,M,T)→Cck
Data owner executes data encryption, selects session key CK, encrypts data M to be uploaded to obtain encrypted data C-ECK(M);
The input is the generated public key PK, the session key CK and the access policy tree T, and for each node in the access policy tree T, if the threshold range of parent node (x) of the leaf node y is 0parent(x)∈[1,3]Then q isy(0)=qparent(x)(0) Let 'r' be1For accessing a policy treeSet of such father nodes in T, Γ2Is a collection of remaining parent nodes in the access policy tree T, and further according to Γ1The leaf node types of all the father nodes are different, i is1Divided into gamma11,Γ12,Γ13,Γ14
Encrypting the encrypted data C, and calculating to obtain a ciphertext C of the encrypted dataCK
Figure BDA0003185220180000068
C′=gs
Figure BDA0003185220180000065
Figure BDA0003185220180000066
Wherein α and s ∈ ZpFor the purpose of the random selection generation,
Figure BDA0003185220180000067
for the calculation of the encrypted data C, C' is the calculation of the root node, CyIs a calculation of attribute values corresponding to user privacy classes, C'yFor the calculation of the data type corresponding to the user privacy level, att (y) is to return the attribute associated with the node, and type (att (y)) is to return the attribute att (y) to belong to the same type. In particular, Γ1jAll leaf nodes in (1) have the same CyIf the attributes of different leaf nodes are of the same type, they have the same C'y,qyAnd q isparent(y)The threshold of parent (y) of leaf node y.
Cipher text C of encrypted dataCKAnd uploading the encrypted data C to the cloud.
Step S140, access authorization is executed by the access control server 140 to authorize access to users with different requirements.
Step S141, performing access authorization through the access control server 140;
step S142, inputting the generated public key PK, master key MK, private key SK, access strategy set Sm of data accessor and access strategy tree Tm;
step S143, the output is 1 or 0, Auth (PK, MK, SK, Sm, Tm) → 1/0, wherein
A 1 indicates that the access control server 140 authorizes the data accessor 150 to make data access, and a 0 indicates that the access control server 140 does not authorize the data accessor 150 to make data access.
Further, the authorized access to the different users in need may further include the following steps:
inputting the generated public key PK, master key MK, private key SK, access strategy set Sm of data visitor and access strategy tree Tm;
the access control server 140 calls a predefined recursion function to
Figure BDA0003185220180000071
Wherein r and s ∈ ZpFor random selection generation, CCKFor ciphertext of encrypted data, qx(0) Is the attribute value corresponding to the attribute x;
if the access policy set Sm of the data visitor 150 satisfies the access policy tree Tm, the output is 1, and the access control server 140 grants the data visitor 150 data access.
In step S150, the data is decrypted and executed by the data accessor 150 to generate a plaintext and perform data access.
Step S151, performing data decryption by the data accessor 150;
step S152, inputting the generated public key PK, private key SK and ciphertext C;
in step S153, the output is plaintext M, Decrypt (PK, SK, C) → M.
Further, generating plaintext and performing data access may further comprise the steps of:
inputting the generated public key PK, private key SK and ciphertext C;
for ciphertext CCKDecrypting to obtain a session key CK:
Figure BDA0003185220180000072
wherein, alpha, beta, s and r ∈ ZpFor random selection generation, CK is the session key, h is represented by gβAnd (4) generating.
The data accessor 150 calculates according to the decrypted session key CK and the ciphertext C to obtain decrypted data M ═ DCK(C)。
Example 3
Corresponding to the method described above, fig. 5 is a schematic structural diagram of a cloud storage data access control system for different user requirements according to an embodiment of the present invention, where the system includes:
the parameter setting module 210 is configured to perform operations of the key management server 110, generate a public key and a master key, and upload the public key and the master key to the cloud storage server 120.
The parameter setting module 210 performs a parameter generation operation of the key management server 110, generates a public key PK and a master key MK, and uploads the public key PK and the master key MK to the cloud storage server 120 for storage.
The key generation module 220 is configured to perform operations of the key management server 110, generate a private key, and upload the private key to the cloud storage server 120.
The key generation module 220 performs a key generation operation of the key management server 110, generates a key SK, and uploads the key SK to the cloud storage server 120 for storage.
The data encryption module 230 is configured to perform a data owner 130 operation, generate a ciphertext, and upload the ciphertext to the cloud storage server 120.
The data encryption module 230 performs a data encryption operation of the data owner 130, and when the data owner 130 uploads the data M to the cloud storage server 120, selects the master key MK for the data M to be uploaded and encrypts the data M.
And the access authorization module 240 is used for executing the operation of the access control server 140 to authorize access to different users with different requirements.
The access authorization module 240 performs an access authorization operation of the access control server 140, and the data accessor 150 must satisfy an access policy to authorize access to data stored by the data owner 130 in the cloud storage server 120.
And the data decryption module 250 is used for performing operations of the data accessor 150, generating plaintext and performing data access.
The data decryption module 250 performs a data decryption operation of the data accessor 150, and after the access control server 140 authorizes the data accessor 150 to perform data access authorization, the authorized access data is decrypted to generate a plaintext.
When performing key management operation, the parameter setting module 210 is used to perform key management operation, the generated parameters are uploaded to the cloud storage server for storage, the key generation module 220 is used to perform key management operation, and the generated keys are uploaded to the cloud storage server for storage. Then, when performing the data encryption operation, the data encryption module 230 performs the data encryption operation, selects and encrypts the master key for the data to be uploaded, and selects and encrypts the master key for the data to be uploaded.
When performing the access authorization operation, by executing the access authorization operation by the access authorization module 240, the data accessor must satisfy the access policy to perform access authorization on the data stored by the data owner in the cloud storage server. Finally, when data decryption operation is performed, data decryption operation is performed through the data decryption module 250, and after the access control server authorizes the data visitor to perform data access authorization, the authorized access data is decrypted to generate a plaintext.
The invention is described above without limitation, and other embodiments based on the idea of the invention are also within the scope of the invention.

Claims (10)

1. A cloud storage data access control method for different user requirements is characterized by comprising the following steps:
parameter setting is carried out by the key management server, a public key and a master key are generated and uploaded to the cloud storage server;
the key generation is executed by the key management server, and a private key is generated and uploaded to the cloud storage server;
data encryption is performed by a data owner, and a ciphertext is generated and uploaded to a cloud storage server;
access authorization, which is executed by an access control server and is used for authorizing access to users with different requirements;
and data decryption is carried out by a data visitor, and plaintext is generated and data access is carried out.
2. The method according to claim 1, wherein the access control server is configured to store the hash value of the data, the hash value of the data ciphertext, and an access policy that a data visitor must satisfy to access the data stored by the data owner in the cloud storage server.
3. The method of claim 2, wherein the access policy is a logical expression consisting of the relationship between the attributes and the data owner and the data, and the data of the data owner can be successfully accessed only if the set of attributes of the data visitor all satisfy the access policy.
4. The method according to claim 2, wherein the access policy specifically includes the steps of:
setting access policy attributes, and setting user privacy levels and data types according to the requirements of different users;
establishing an access policy tree, wherein the attribute of each leaf node in the access policy tree T is represented by (x, y), x represents the user privacy level of the leaf node, y represents the data type of the leaf node, and the
x-1 represents primary protection, the highest privacy protection level required by the user, x-2 represents secondary protection, the important privacy protection level required by the user, x-3 represents tertiary protection, the general privacy protection level required by the user, y-1 represents user document data, y-2 represents user voice data, y-3 represents user picture data, and y-4 represents user video data;
setting a set of access policies, P ═ P1,P2,…,PnIs an attribute-based set, where Γ is represented by P ═ P1,P2,…,PnA set of non-empty attribute subsets of which
Γ∈2{P1,P2,…,Pn}The set of the access strategy set S in the gamma is an access authorization set, and the set of the access strategy set S which is not in the gamma is an non-access authorization set;
and (4) authorized access is realized, and the data visitor can successfully decrypt and obtain a plaintext only if the number of intersection sets of the access policy set S associated with the private key of the data owner and the attribute set S associated with the data ciphertext of the data owner reaches a set threshold value.
5. The method according to claim 1, wherein the parameter setting comprises the following steps:
performing parameter setting by the key management server;
inputting a safety parameter gamma, randomly selecting alpha and beta to be ZpCalculating h as gβ,u=gαAnd v ═ e (g, g)αCalculating a public key PK according to a formula PK ═ G, G, h and v, and obtaining a master key MK according to a formula MK ═ beta, u;
the output is the public key PK and the master key MK, SetUp (γ) → (PK, MK).
6. The method of claim 1, wherein the key generation comprises the steps of:
performing key generation by a key management server;
inputting the generated public key PK, the master key MK and the access strategy set S, and randomly selecting r to belong to ZpSelecting a random number r for the attribute x, y e in the access strategy set Sx,y∈ZpAnd calculating a user private key SK:
Figure FDA0003185220170000011
Figure FDA0003185220170000012
the output is the private key SK, KeyGen (PK, MK, S) → SK.
7. The method of claim 1, wherein said data encryption comprises the steps of:
performing data encryption by a data owner;
the input is the generated public key PK, the data M to be encrypted and the access strategy tree T, and for each node in the access strategy tree T, if the threshold range of the parent node parent (x) of the leaf node y is 0parent(x)∈[1,3]Then q isy(0)=qparent(x)(0) Let 'r' be1For accessing sets of such parent nodes in the policy tree T, Γ2Is a collection of remaining parent nodes in the access policy tree T, and further according to Γ1The leaf node types of all the father nodes are different, i is1Divided into gamma11,Γ12,Γ13,Γ14Encrypting the encrypted data C, and calculating to obtain the ciphertext C of the encrypted dataCK
Figure FDA0003185220170000021
Output as ciphertext Cck,Encrypt(PK,M,T)→Cck
8. The method of claim 1, wherein the access authorization comprises the steps of:
performing access authorization by the access control server;
the public key PK, the master key MK, the private key SK and the access strategy set Sm and the access strategy tree Tm of the data visitor are input, and the access control server calls a predefined recursive function into
Figure FDA0003185220170000023
The output is 1 or 0, Auth (PK, MK, SK, Sm, Tm) → 1/0, where 1 indicates that the access control server authorizes the data accessor to perform data access, and 0 indicates that the access control server does not authorize the data accessor to perform data access.
9. The method of claim 1, wherein said decrypting of the data comprises the steps of:
performing data decryption by a data accessor;
inputting the public key PK, the private key SK and the ciphertext C generated as described aboveckFor ciphertext CCKDecrypting to obtain session key
Figure FDA0003185220170000022
The data visitor decrypts the session key CK and the ciphertext C according to the decrypted session key CKckCalculating to obtain decrypted data M ═ DCK(Cck);
The output is plaintext M, Decrypt (PK, SK, C)ck)→M。
10. A cloud storage data access control system for different user requirements is characterized by comprising:
the parameter setting module is used for executing key management server operation, generating a public key and a master key and uploading the public key and the master key to the cloud storage server;
the key generation module is used for executing key management server operation, generating a private key and uploading the private key to the cloud storage server;
the data encryption module is used for executing data owner operation, generating a ciphertext and uploading the ciphertext to the cloud storage server;
the access authorization module is used for executing the operation of the access control server and authorizing access to users with different requirements;
and the data decryption module is used for executing data visitor operation, generating a plaintext and carrying out data access.
CN202110859224.8A 2021-07-28 2021-07-28 Cloud storage data access control method and system for different user requirements Pending CN113645206A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110859224.8A CN113645206A (en) 2021-07-28 2021-07-28 Cloud storage data access control method and system for different user requirements

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110859224.8A CN113645206A (en) 2021-07-28 2021-07-28 Cloud storage data access control method and system for different user requirements

Publications (1)

Publication Number Publication Date
CN113645206A true CN113645206A (en) 2021-11-12

Family

ID=78418671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110859224.8A Pending CN113645206A (en) 2021-07-28 2021-07-28 Cloud storage data access control method and system for different user requirements

Country Status (1)

Country Link
CN (1) CN113645206A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114218584A (en) * 2021-11-29 2022-03-22 上海应用技术大学 Power data privacy protection model and method for system-level revocable attribute encryption
CN114244501A (en) * 2021-11-16 2022-03-25 上海应用技术大学 Power data privacy protection system and implementation method thereof, and encryption attribute revocation method
CN114244579A (en) * 2021-11-29 2022-03-25 上海应用技术大学 Power data privacy protection system and method for user-level revocable attribute encryption
CN116915520A (en) * 2023-09-14 2023-10-20 南京龟兔赛跑软件研究院有限公司 Agricultural product informatization data security optimization method based on distributed computing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079574A (en) * 2014-07-02 2014-10-01 南京邮电大学 User privacy protection method based on attribute and homomorphism mixed encryption under cloud environment
CN105025012A (en) * 2015-06-12 2015-11-04 深圳大学 An access control system and an access control method thereof oriented towards a cloud storage service platform
CN106612271A (en) * 2016-05-20 2017-05-03 四川用联信息技术有限公司 Encryption and access control method for cloud storage
WO2019196042A1 (en) * 2018-04-12 2019-10-17 深圳大学 Hierarchical search-supported method and system for obtaining encrypted health record

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079574A (en) * 2014-07-02 2014-10-01 南京邮电大学 User privacy protection method based on attribute and homomorphism mixed encryption under cloud environment
CN105025012A (en) * 2015-06-12 2015-11-04 深圳大学 An access control system and an access control method thereof oriented towards a cloud storage service platform
CN106612271A (en) * 2016-05-20 2017-05-03 四川用联信息技术有限公司 Encryption and access control method for cloud storage
WO2019196042A1 (en) * 2018-04-12 2019-10-17 深圳大学 Hierarchical search-supported method and system for obtaining encrypted health record

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄保华,贾丰玮,王添晶: "云存储平台下基于属性的数据库访问控制策略", 《计算机科学》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244501A (en) * 2021-11-16 2022-03-25 上海应用技术大学 Power data privacy protection system and implementation method thereof, and encryption attribute revocation method
CN114218584A (en) * 2021-11-29 2022-03-22 上海应用技术大学 Power data privacy protection model and method for system-level revocable attribute encryption
CN114244579A (en) * 2021-11-29 2022-03-25 上海应用技术大学 Power data privacy protection system and method for user-level revocable attribute encryption
CN116915520A (en) * 2023-09-14 2023-10-20 南京龟兔赛跑软件研究院有限公司 Agricultural product informatization data security optimization method based on distributed computing
CN116915520B (en) * 2023-09-14 2023-12-19 南京龟兔赛跑软件研究院有限公司 Agricultural product informatization data security optimization method based on distributed computing

Similar Documents

Publication Publication Date Title
CN108881314B (en) Privacy protection method and system based on CP-ABE ciphertext under fog computing environment
CN108418681B (en) Attribute-based ciphertext retrieval system and method supporting proxy re-encryption
CN111191288A (en) Block chain data access authority control method based on proxy re-encryption
Han et al. A data sharing protocol to minimize security and privacy risks of cloud storage in big data era
CN113645206A (en) Cloud storage data access control method and system for different user requirements
US11347882B2 (en) Methods and systems for secure data sharing with granular access control
CN113569271B (en) Threshold proxy re-encryption method based on attribute condition
CN108111540B (en) Hierarchical access control system and method supporting data sharing in cloud storage
JP2023500570A (en) Digital signature generation using cold wallet
CN114039790A (en) Block chain-based fine-grained cloud storage security access control method
CN112383391B (en) Data security protection method based on data attribute authorization, storage medium and terminal
US11570155B2 (en) Enhanced secure encryption and decryption system
CN113411323B (en) Medical record data access control system and method based on attribute encryption
WO2018165835A1 (en) Cloud ciphertext access control method and system
CN110635909A (en) Attribute-based collusion attack resistant proxy re-encryption method
CN115426136B (en) Cross-domain access control method and system based on block chain
CN110012312A (en) The access control method based on key management suitable for pay television system
Athena et al. An identity attribute–based encryption using elliptic curve digital signature for patient health record maintenance
CN114218584A (en) Power data privacy protection model and method for system-level revocable attribute encryption
Chaudhari et al. A review on attribute based encryption
Shiny et al. Decentralized access control technique with multi-tier authentication of user for cloud storage
Chennam et al. Cloud security in crypt database server using fine grained access control
CN113382067A (en) Novel personal health record scheme based on attribute encryption
Chennam et al. Fine Grained Access Control Policy with Advanced Encryption Standard in the Cloud Computing
Baviskar et al. Reliable and Efficient Revocation and Data Sharing using Identity based Encryption over Cloud

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20211112