CN114301651B - Yellow river dam bank monitoring data sharing method based on CP-ABE - Google Patents


Info

Publication number: CN114301651B (application CN202111578494.8A)
Authority: CN (China)
Prior art keywords: resource, attribute, visitor, identity, ciphertext
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN202111578494.8A
Other languages: Chinese (zh)
Other versions: CN114301651A (en)
Inventors: 张磊, 李朋祥, 霍雨, 乔保军, 左宪禹, 田军峰
Current assignee: Henan University
Original assignee: Henan University
Events: application filed by Henan University; priority to CN202111578494.8A; publication of CN114301651A; application granted; publication of CN114301651B; legal status currently active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02A: TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE
    • Y02A10/00: TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE at coastal zones; at river basins
    • Y02A10/40: Controlling or monitoring, e.g. of flood or hurricane; Forecasting, e.g. risk assessment or mapping

Abstract

The invention relates to the field of dangerous case monitoring, in particular to a Yellow River dam bank monitoring data sharing method based on CP-ABE. The method comprises the following steps: the resource uploading user generates an identity number for the resource accessing user according to the security level of the resource accessing user; the key generation center generates an identity token according to the identity number, calculates an identity verification code and sends the identity verification code to the cloud server; the key generation center generates a private key, which contains the identity token, and sends it to the resource visitor; the cloud server performs pre-decryption according to the identity token submitted by the resource visitor, and if the pre-decryption is unsuccessful, access is stopped; if the pre-decryption is successful, the security level of the resource visitor's identity number is further verified, and the dangerous case resource file ciphertext is sent to the resource visitor for decryption. The invention ensures fine-grained revocation, improves revocation efficiency, ensures security during resource sharing and prevents dam bank dangerous case resource files from being stolen maliciously.

Description

Yellow river dam bank monitoring data sharing method based on CP-ABE
Technical Field
The invention relates to the technical field of river channel dangerous condition monitoring, in particular to a yellow river dam bank monitoring data sharing method based on CP-ABE.
Background
In recent years, the Yellow River basin has had more precipitation in the flood season, the possibility of storm floods upstream has gradually increased, and this poses a very serious potential hazard to the personal and property safety of residents along the Yellow River. In the face of flood conditions, the traditional manual inspection of dikes is inefficient, and dangerous cases on the dam may not be discovered in time; if the condition of the dam bank is monitored in real time by technical means, monitoring efficiency can be greatly improved. The Yellow River dam bank dangerous situation early warning and alarm system supports Yellow River flood prevention with high technology: the condition of the dam bank is monitored in real time through cameras deployed on the dam bank, and the captured video resource files are stored in a cloud server. However, if anyone can access the resource files stored in the cloud, the resource files can be stolen maliciously and their security cannot be ensured, so an access control mechanism for the dam bank dangerous case resource files is of great significance.
Because each river bureau in Henan Province has numerous internal gates, and departments and staff change over time, once an attribute is withdrawn but the decryption keys and ciphertext remain unchanged, the security of the resource files is threatened; attributes or users that need to be revoked must therefore be handled promptly. Meanwhile, because of the security level characteristics of the dangerous case resource files, the access control mechanism must support hierarchical access by level: for example, people of different levels in an institution have different access levels to the resource files, and important departments can access more dangerous case resource files.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method for sharing the yellow river dam bank monitoring data based on CP-ABE.
A yellow river dam bank monitoring data sharing method based on CP-ABE comprises the following steps:
responding to a resource access request sent by a resource visitor to a cloud server, and generating a first parameter and a first set by a key generation center; the resource uploading user generates an identity number for the resource accessing user according to the security level of the resource accessing user and generates a second parameter; the key generation center generates an identity token according to the identity number, calculates an identity verification code according to the second parameter and sends the identity verification code to the cloud server;
the key generation center generates a first component of a private key according to the first parameter, generates a first information component of each attribute carried by the resource visitor according to the first parameter, the first set and the version number of each attribute, generates a second information component of each attribute carried by the resource visitor according to the first set, forms the private key by the first component of the private key, the identity token, the first information component of each attribute and the second information component of each attribute, and sends the private key to the resource visitor;
the cloud server performs pre-decryption according to the identity token submitted by the resource visitor, and if the pre-decryption is unsuccessful, the access is stopped; if the pre-decryption is successful, the security level of the identity number of the resource visitor is further verified, the dangerous case resource file ciphertext of the corresponding level is sent to the resource visitor, and the resource visitor decrypts the dangerous case resource file ciphertext by using the access private key to obtain the decrypted dangerous case resource file.
Further, the cloud server pre-decrypting according to the identity token submitted by the resource visitor comprises: the cloud server verifies, from the identity token, whether the following equation holds:
If it holds, the pre-decryption is successful. Here $e$ denotes the bilinear map on the cyclic group, $L_1 = g \cdot H(U_{id})^{\gamma}$ is the first component of the authentication code, $L_2 = g^{\gamma}$ is the second component of the authentication code, $X$ is the identity token, $g$ is the generator, $H(\cdot)$ is the hash function, $U_{id}$ is the identity number and $\gamma$ is the second parameter.
Further, the method further comprises: if user-level revocation is to be performed, checking the user list and deleting the corresponding authentication code, so that the revoked user fails pre-decryption and cannot proceed to the next decryption step, which completes user-level revocation; if the user level is to be changed, the cloud server deletes the original identity verification code, the resource uploading user generates a new identity number for the user according to the changed level and sends it to the key generation center, and if the user level is upgraded, the key generation center generates a private key for the ciphertext newly added for the user, while if the user level is downgraded, the key generation center calculates a new identity token and identity verification code; and if an attribute is revoked, the identity token, the private key and the ciphertext of the dangerous case resource file are updated.
Further, the updating the identity token, the private key and the ciphertext of the dangerous case resource file comprises: the key generation center generates a second version number for each attribute to be revoked and sends the second version number to the attribute authorization center, and the attribute authorization center calculates an upgrade token according to the initial version number and the second version number and sends the upgrade token to the cloud server and resource visitors without the revoked attributes; the resource accessor without the revoked attribute updates the first information component of each attribute according to the received upgrade token, and updates the private key according to the updated first information component of each attribute; and the cloud server calculates a first information component of the leaf node of the ciphertext of the dangerous case resource file according to the revoked attribute by the received upgrade token, and updates the ciphertext according to the updated first information component of the leaf node.
Further, before responding to the resource access request sent by the resource visitor to the cloud server, the method further comprises: the resource uploading person encrypts the dangerous case resource file to be uploaded and then uploads the encrypted dangerous case resource file to the cloud server.
Further, the encrypting the dangerous case resource file to be uploaded by the resource uploading user comprises the following steps: the resource uploading user selects a first secret value according to the access strategy tree and acquires the attribute value of each leaf node; the resource uploading user sends the attribute values to an attribute authorization center, and the attribute authorization center selects a version number for each attribute value and sends the version number to the resource uploading user; the resource uploading user generates a first information component of the leaf node according to the version number corresponding to the leaf node and the polynomial of the leaf node, generates a second information component of the leaf node according to the attribute value of the leaf node and the polynomial of the leaf node, and calculates a ciphertext first component and a ciphertext second component according to the first secret value; the access strategy tree, the ciphertext first component, the ciphertext second component, the first information component of each leaf node and the second information component of each leaf node form a dangerous case resource file ciphertext.
Further, the resource visitor decrypting the ciphertext of the dangerous case resource file by using the access private key to obtain the decrypted dangerous case resource file comprises the following steps: the resource visitor calculates the secret value of each child node using a recursive algorithm over the ciphertext of the dangerous case resource file, the private key and the nodes of the access policy tree; after decrypting all the child nodes, the resource visitor decrypts the root node and calculates the dangerous case resource file.
Further, before the resource visitor sends the resource access request to the cloud server, the method further comprises: the Yellow River dam bank monitoring data sharing system is initialized, and the key generation center generates public parameters and a master key.
Further, the key generation center generating the public parameters and the master key includes: the key generation center selects a cyclic group $G$ of prime order $p$ with generator $g$, and selects two random parameters to generate the public parameters and the master key.
The embodiment of the invention has at least the following beneficial effects:
the invention provides a CP-ABE method for supporting attribute level revocation and user level revocation simultaneously in a cloud environment in order to realize safe sharing of a yellow river basin dam bank dangerous case resource file, and aims at solving the problem of low efficiency in a general attribute revocation scheme. When user-level revocation is performed, only the corresponding identity verification code is deleted on the cloud, so that the defect of low attribute revocation efficiency is effectively overcome, the revocation efficiency can be improved while the fine revocation granularity is ensured, and the security of dam bank dangerous case resource files is ensured to a certain extent. The invention generates the private key and the upgrade token according to the version numbers of the attributes, improves the security performance of the private key, and ensures the security of the ciphertext after the attribute is revoked.
According to the invention, the identity token is generated according to the security level of the user, and the pre-decryption verification is carried out, so that the security performance of the yellow river dam bank monitoring data sharing method is improved.
Drawings
FIG. 1 is a data flow diagram of a method for sharing monitoring data of a yellow river dam bank based on CP-ABE.
Detailed Description
In order to further describe the technical means and effects adopted by the present invention to achieve the preset purpose, the following detailed description is given below of a CP-ABE-based yellow river dam bank monitoring data sharing method according to the present invention, which is specific to the implementation, structure, feature and effects thereof. In the following description, different "one embodiment" or "another embodiment" means that the embodiments are not necessarily the same. Furthermore, the particular features, structures, or characteristics of one or more embodiments may be combined in any suitable manner.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
The following specifically describes a specific scheme of the yellow river dam bank monitoring data sharing method based on the CP-ABE.
As shown in fig. 1, the system corresponding to the Yellow River dam bank monitoring data sharing method comprises 5 components in total: a resource uploading user DO, a cloud server CSP, a key generation center KGC, an attribute authorization center AAC and a resource accessing user DU. The resource uploader DO is responsible for uploading the resource to be shared to the cloud server; the cloud server CSP is mainly used for storing the resources uploaded to it; the key generation center KGC generates decryption keys for resource visitors; the attribute authorization center AAC is the body that maintains attributes; and in this embodiment the resource visitor DU is a person in one of the river offices of Henan Province who wants to view the shared resource.
The embodiment provides a yellow river dam bank monitoring data sharing method based on CP-ABE, which comprises the following steps:
step 1, a key generation center generates a first parameter and a first set in response to a resource access request sent to a cloud server by a resource visitor; the resource uploading user generates an identity number for the resource accessing user according to the security level of the resource accessing user and generates a second parameter; the key generation center generates an identity token according to the identity number, calculates an identity verification code according to the second parameter and sends the identity verification code to the cloud server; generating a first component of the private key according to the first parameter, generating a first information component of each attribute carried by the resource visitor according to the first parameter, the first set and the version number of each attribute, generating a second information component of each attribute carried by the resource visitor according to the first set, forming the private key by the first component of the private key, the identity token, the first information component of each attribute and the second information component of each attribute, and transmitting the private key to the resource visitor.
Before the resource visitor sends the resource access request, the key generation center first needs to generate the public parameters and the master key, and the resource uploader encrypts the file before uploading it.
Step 1.1, initializing the Yellow River dam bank monitoring data sharing system, with the key generation center generating the public parameters and the master key. The specific process is as follows:
the key generation center KGC selects a cyclic group $G$ of prime order $p$ with generator $g$. It then selects two random parameters $\alpha, \beta \in Z_p$, and the public parameter PK and the master key MK are derived as follows:
$PK = (G,\; g,\; h = g^{\beta},\; e(g,g)^{\alpha})$
$MK = (\beta,\; g^{\alpha})$
where $h$ is the third component of the public parameter, with value $g^{\beta}$; $e$ denotes the bilinear map on the group, $e: G \times G \to G_0$, where $G$ and $G_0$ are both cyclic groups; and $Z_p$ denotes the non-negative integers no greater than $p$.
Step 1.2, the resource uploader encrypts the dangerous case resource file to be uploaded and uploads the encrypted file to the cloud server. Specifically, the resource uploading user selects a first secret value according to the access policy tree and obtains the attribute value of every leaf node; the resource uploading user sends the attribute values to the attribute authorization center, which selects a version number for each attribute value and sends it back to the resource uploading user; the resource uploading user generates the first information component of each leaf node from the version number corresponding to that leaf node and the polynomial of that leaf node, generates the second information component of each leaf node from the attribute value of the leaf node and the polynomial of the leaf node, and calculates the ciphertext first component and the ciphertext second component from the first secret value; the access policy tree, the ciphertext first component, the ciphertext second component, the first information component of each leaf node and the second information component of each leaf node together form the dangerous case resource file ciphertext. The specific process is as follows:
Step 1.2.1, compute the ciphertext components, where the first component of the ciphertext is generated from the secret value, $C$ is the second component of the ciphertext, $s \in Z_p$ is the secret value randomly selected by the resource uploader, and $M$ is the dangerous case resource file.
Step 1.2.2, the resource uploading user sets access control on the dangerous case resource file to be uploaded by defining an access policy tree. The specific procedure is as follows:
first, the resource uploader selects a polynomial $q_x$ for each node $x$ of the access policy tree $T$. The degree of each polynomial is one less than the threshold of the node, which ensures that a resource visitor can solve the node's polynomial once the threshold is met; for example, a node with three children and threshold two can be solved by satisfying any two of the three children.
Next, a random secret value (the first secret value) $s \in Z_p$ is chosen for the root node $R$, the degree of its polynomial is chosen according to its threshold, this secret value is taken as the constant term of the polynomial, $q_R(0) = s$, the remaining coefficients are chosen at random, and the polynomial is thus fixed. The parent's polynomial is then evaluated at $\mathrm{index}(x)$ for each child node $x$, the value is taken as the secret value of that child, the child's polynomial is constructed in the same way as the root's, and this is repeated down the tree until the leaf nodes are reached, where the resulting secret value is the attribute value of the leaf node. Here $\mathrm{index}(x)$ returns an index value that differs from those of the node's siblings. Each leaf node $y$ thus carries a first information component $C_y$ and a second information component $C_y'$, where $Y$ is the set of all leaf nodes in the policy tree and $H$ is the hash function $H: \{0,1\}^* \to G$; if $y$ is a leaf node, the secret value of $y$ is the attribute value $\mathrm{att}(y)$. The resource uploader DO then sends the attribute values to the attribute authorization center AAC, which selects a corresponding initial attribute version number $V_{att(y)} \in Z_p$ for each attribute value and sends it back to the resource uploader DO.
Finally, the resource uploader DO uses the attribute version numbers $V_{att(y)}$ to compute the encrypted dangerous case resource file ciphertext CT:
uploading the dangerous case resource file ciphertext CT to the cloud server CSP.
Step 1.3, after the resource visitor sends a request to the cloud server to access the resource file, the key generation center KGC runs the key generation algorithm to generate the corresponding access private key from the attribute set $S$ of the resource visitor; this private key is used to decrypt the dangerous case resource file later.
The specific process is as follows:
First, the key generation center KGC generates the private key of a user from the attribute set $S$ of that resource visitor. It first generates a random parameter $r \in Z_p$ as the first parameter and, for each attribute $j \in S$ of the user, a random parameter $r_j \in Z_p$; the random parameters of all attributes are recorded as the first set. The resource uploader DO then randomly generates a unique identity number $U_{id} \in Z_p$ for this user according to the user's security level and generates a random second parameter $\gamma \in Z_p$. The identity token $X$ is computed as follows:
$X = H(U_{id})$
The key generation center then stores $X$ in the private key SK and computes the identity verification code $L$:
$L = (L_1 = g \cdot H(U_{id})^{\gamma},\; L_2 = g^{\gamma})$
$L$ is sent to the CSP, which stores it in the system list; $L_1$ is the first component of the authentication code and $L_2$ is the second component of the authentication code.
Then the private key SK is computed:
where $D$ is the first component of the private key, $D_j$ is the first information component of each attribute carried by the resource visitor, and $D_j'$ is the second information component of each attribute carried by the resource visitor.
The generated private key SK is sent to the resource visitor. Each resource visitor has a unique identity number $U_{id}$, and the number of attribute values it obtains depends on its security level.
Step 2, a pre-decryption step is carried out before decryption, a resource visitor needs to submit an identity token X of the resource visitor, the cloud server carries out pre-decryption according to the identity token submitted by the resource visitor, and if the pre-decryption is unsuccessful, the access is stopped; if the pre-decryption is successful, the security level of the identity number of the resource visitor is further verified, the dangerous case resource file ciphertext of the corresponding level is sent to the resource visitor, and the resource visitor decrypts the dangerous case resource file ciphertext by using the access private key to obtain the decrypted dangerous case resource file.
The resource visitor submits its own identity token $X$, and the CSP runs the following verification algorithm on the submitted token:
If an identity verification code $L$ exists in the list for which the equation is satisfied and evaluates to $e(g,g)$, the pre-decryption succeeds; the CSP then further verifies the resource visitor's $U_{id}$, sends the dangerous case resource file ciphertext CT of the corresponding level to the DU, and proceeds to the attribute decryption stage. Otherwise, access is stopped.
And step 3, the resource visitor uses the client to perform decryption operation to obtain the decrypted dangerous case resource file.
Step 3.1, the resource visitor first defines a recursive algorithm $\mathrm{DecryptNode}(CT, SK, x)$. Its inputs are the ciphertext CT to be decrypted, the user's private key SK and the current node $x$ of the access policy tree; if the decryption condition is met it outputs the secret value of the node, otherwise access is stopped.
When node $x$ is a leaf node, let $i$ be the attribute value of node $x$, $i = \mathrm{att}(x)$, and compute as follows:
if $i \in S$, then compute
If $i \notin S$, node $x$ cannot perform this step; this step is what screens the resource visitor's attribute set out of the full attribute set.
When node $x$ is not a leaf node, its secret value is obtained from the secret values of its child nodes. To this end, let each child node be $z$ and let the output of the algorithm on a child be $F_z$, i.e. $\mathrm{DecryptNode}(CT, SK, z) = F_z$. By the definition of the access policy tree, if fewer than the threshold number of $F_z$ values are obtained, the secret value of node $x$ cannot be recovered; otherwise, denote the set of all such $z$ by $S_x$, let $i = \mathrm{index}(z)$ and $S_x' = \{\mathrm{index}(z) : z \in S_x\}$, and perform the following calculation according to the Lagrange interpolation theorem:
where $F_x$ is the decryption expression for a non-leaf node.
Step 3.2, once all child nodes have been decrypted, the user's attributes satisfy the configured access policy, so the resource visitor decrypts the root node of the access policy tree and computes the secret value $A$ as follows:
$A = e(g,g)^{r \cdot q_R(0)} = e(g,g)^{rs}$
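To make the threshold-tree secret sharing of Step 1.2.2 and the DecryptNode recursion with Lagrange interpolation of Steps 3.1 and 3.2 concrete, here is an added worked example in Python. It is not code from the patent or from its authors: it models only the exponent arithmetic in $Z_p$ (the shares $q_x(\mathrm{index}(x))$ and their Lagrange recombination at 0), with no group elements, hash-to-group or pairings, so the secret $s$ is recovered directly rather than inside $e(g,g)^{rs}$. The prime modulus, the policy tree (a 2-of-3 root whose third child is an AND gate) and the attribute names are constructed for the example.

```python
import random

# Constructed prime modulus standing in for the group order p (a Mersenne prime).
P = 2**127 - 1


class Node:
    """A node of the access policy tree T: a threshold gate or an attribute leaf."""

    def __init__(self, threshold=None, children=None, attr=None):
        self.threshold = threshold      # k for a k-of-n gate (None for a leaf)
        self.children = children or []  # index(child) is its 1-based position
        self.attr = attr                # attribute name att(x) for a leaf
        self.share = None               # q_x(0), filled in by share_secret

    def is_leaf(self):
        return self.attr is not None


def _poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficient list, constant term first) at x mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_secret(node, secret, rng):
    """Assign q_x(0) = secret to node and share it down the tree.

    Each gate picks a random polynomial of degree threshold - 1 with the
    node's secret as constant term and gives child x the value q(index(x)).
    """
    node.share = secret % P
    if node.is_leaf():
        return
    coeffs = [node.share] + [rng.randrange(1, P) for _ in range(node.threshold - 1)]
    for idx, child in enumerate(node.children, start=1):
        share_secret(child, _poly_eval(coeffs, idx), rng)


def lagrange_coeff(i, s_set):
    """Lagrange basis coefficient Delta_{i,S}(0) over Z_p."""
    num, den = 1, 1
    for j in s_set:
        if j != i:
            num = (num * (-j)) % P
            den = (den * (i - j)) % P
    return num * pow(den, P - 2, P) % P   # den^-1 by Fermat's little theorem


def decrypt_node(node, attrs):
    """Recursive DecryptNode over the share values: returns q_x(0) or None.

    A leaf yields its share only if its attribute is in the visitor's set S.
    A gate needs at least `threshold` successful children, then recombines
    their values by Lagrange interpolation at 0.
    """
    if node.is_leaf():
        return node.share if node.attr in attrs else None
    results = {}
    for idx, child in enumerate(node.children, start=1):
        f_z = decrypt_node(child, attrs)
        if f_z is not None:
            results[idx] = f_z
        if len(results) == node.threshold:
            break
    if len(results) < node.threshold:
        return None
    s_x = list(results)
    return sum(results[i] * lagrange_coeff(i, s_x) for i in s_x) % P


def build_policy():
    """Constructed policy: 2 of {river_bureau, flood_control_office, (dam_engineer AND security_level_2)}."""
    and_gate = Node(threshold=2, children=[Node(attr="dam_engineer"),
                                           Node(attr="security_level_2")])
    return Node(threshold=2, children=[Node(attr="river_bureau"),
                                       Node(attr="flood_control_office"),
                                       and_gate])


def run_example(seed=7):
    """Share a random secret s over the policy; return (s, root) so callers can check recovery."""
    rng = random.Random(seed)
    root = build_policy()
    secret = rng.randrange(1, P)
    share_secret(root, secret, rng)
    return secret, root


if __name__ == "__main__":
    s, root = run_example()
    for attrs in ({"river_bureau", "flood_control_office"},
                  {"river_bureau", "dam_engineer", "security_level_2"},
                  {"river_bureau", "dam_engineer"}):
        print(sorted(attrs), "->", "recovered s" if decrypt_node(root, attrs) == s else "denied")
```

The gate logic is the point: a visitor holding `river_bureau` and `dam_engineer` but not `security_level_2` fails the AND gate, so the root sees only one satisfied child and returns `None`, which is the "access is stopped" branch of Step 3.1. In the real scheme the share values never leave the exponent; the leaf step yields a pairing whose exponent is $r \cdot q_x(0)$ and the gate step raises those pairings to exactly the `lagrange_coeff` values computed here, which is why the root ends at $A = e(g,g)^{rs}$.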
step 3.3, the resource visitor calculates the dangerous case resource file M according to the following mode:
the method of the invention further comprises the following steps: if user-level revocation is to be performed, checking a user list, deleting the corresponding authentication code, failing to pre-decrypt the revoked user, and not allowing the next decryption to be performed, namely completing user-level revocation; if the user grade is to be changed, the cloud server deletes the original identity verification code, the resource uploading user generates a new identity number for the user according to the changed grade and sends the new identity number to the key generation center, if the user grade is upgraded, the key generation center generates a private key for a ciphertext newly added by the user, and if the user grade is downgraded, the key generation center calculates a new identity token and the identity verification code; and if the attribute level is cancelled, updating the identity token, the private key and the ciphertext of the dangerous case resource file.
When the security level of a resource visitor is upgraded or downgraded, the CSP deletes the corresponding $L$ from the user list. DO then regenerates $U_{id}$ for the user according to the changed level and sends it to the KGC. If the user is downgraded, the KGC only needs to compute a new identity token and identity verification code; if the user is upgraded, the private key corresponding to the ciphertext newly added for the user must also be computed.
When a certain attribute of a certain resource visitor is revoked, the private key of each user and the ciphertext need to be updated (re-encrypted). The key generation center generates a second version number for each attribute to be revoked and sends it to the attribute authorization center; the attribute authorization center calculates an upgrade token from the initial version number and the second version number and sends it to the cloud server and to the resource visitors that do not hold the revoked attribute; each resource visitor without the revoked attribute updates the first information component of each attribute according to the received upgrade token and updates its private key accordingly; and the cloud server uses the received upgrade token to recalculate the first information component of the leaf node of the dangerous case resource file ciphertext for the revoked attribute and updates the ciphertext accordingly. This comprises the following three steps:
(1) Generating an upgrade token: the KGC generates a fresh version number, called the second version number $V_j' \in Z_p$, for each attribute to be revoked and sends it to the AAC, which computes an upgrade token:
and sends it to the CSP and to the DUs that do not hold the revoked attribute.
(2) Updating the key: a DU that does not hold the revoked attribute receives the upgrade token sent by the AAC and upgrades the $D_j$ component of its private key, i.e. performs the following operation:
The resource visitor then completes the update by replacing the original component with the updated one; the updated key SK' is:
(3) Updating the ciphertext: after the CSP receives the upgrade token from the AAC, it performs the following calculation on the component $C_x$ of the ciphertext for the revoked attribute:
As in the key update step, not every $C_x$ needs to be updated; assuming the set of revoked attribute nodes is $Y'$, the updated ciphertext CT' is:
the invention adds user-level revocation on the basis of attribute-level revocation to improve the overall efficiency. When user-level revocation is performed, only the corresponding identity verification code is deleted on the cloud, so that the defect of low attribute revocation efficiency is effectively overcome, the revocation efficiency can be improved while the fine revocation granularity is ensured, and the security of dam bank dangerous case resource files is ensured to a certain extent.
It should be noted that: the sequence of the embodiments of the present invention is only for description, and does not represent the advantages and disadvantages of the embodiments. And the foregoing description has been directed to specific embodiments of this specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In this specification each embodiment is described progressively; for parts that are identical or similar between embodiments, reference may be made from one embodiment to another, and each embodiment mainly describes its differences from the others.
The foregoing describes preferred embodiments of the invention and is not intended to limit the invention to the precise form disclosed; any modifications, equivalents and alternatives falling within the spirit and scope of the invention are intended to be included within its scope.

Claims (9)

1. A yellow river dam bank monitoring data sharing method based on CP-ABE is characterized by comprising the following steps:
responding to a resource access request sent by a resource visitor to a cloud server, generating a first parameter and a first set by a key generation center, generating a random parameter for each attribute of the resource visitor by the key generation center, and recording the random parameters corresponding to all the attributes as the first set; the resource uploading user generates an identity number for the resource accessing user according to the security level of the resource accessing user and generates a second parameter; the key generation center generates an identity token according to the identity number, calculates an identity verification code according to the second parameter and sends the identity verification code to the cloud server;
the key generation center generates a first component of a private key according to the first parameter, generates a first information component of each attribute carried by the resource visitor according to the first parameter, the first set and the version number of each attribute, generates a second information component of each attribute carried by the resource visitor according to the first set, forms the private key by the first component of the private key, the identity token, the first information component of each attribute and the second information component of each attribute, and sends the private key to the resource visitor;
the cloud server performs pre-decryption according to the identity token submitted by the resource visitor, and if the pre-decryption is unsuccessful, the access is stopped; if the pre-decryption is successful, the security level of the identity number of the resource visitor is further verified, the dangerous case resource file ciphertext of the corresponding level is sent to the resource visitor, and the resource visitor decrypts the dangerous case resource file ciphertext by using the access private key to obtain the decrypted dangerous case resource file.
2. The yellow river dam bank monitoring data sharing method based on CP-ABE as claimed in claim 1, wherein the cloud server pre-decrypting according to the identity token submitted by the resource visitor comprises: the cloud server verifies whether the following equation is true according to the identity token:
If yes, the pre-decryption is successful, where e denotes the bilinear map on the cyclic group, L_1 = g·H(U_id)^γ is the first component of the identity verification code, L_2 = g^γ is the second component of the identity verification code, X is the identity token, g is the generator, H(·) is the hash function, U_id is the identity number and γ is the second parameter.
3. The yellow river dam bank monitoring data sharing method based on CP-ABE according to claim 1, wherein the method further comprises: if user-level revocation is to be performed, checking the user list and deleting the corresponding identity verification code, whereupon the revoked user fails pre-decryption and is not allowed to proceed to decryption, which completes user-level revocation; if the user level is to be changed, the cloud server deletes the original identity verification code, and the resource uploading user generates a new identity number for the resource visitor according to the changed level and sends it to the key generation center; if the user level is upgraded, the key generation center generates a private key for the ciphertext newly added for the resource visitor, and if the user level is downgraded, the key generation center calculates a new identity token and identity verification code; and if attribute-level revocation is performed, the identity token, the private key and the dangerous case resource file ciphertext are updated.
4. The yellow river dam bank monitoring data sharing method based on CP-ABE as claimed in claim 3, wherein updating the identity token, the private key and the dangerous case resource file ciphertext comprises: the key generation center generates a second version number for each attribute to be revoked and sends the second version number to the attribute authorization center, and the attribute authorization center calculates an upgrade token according to the initial version number and the second version number and sends the upgrade token to the cloud server and resource visitors without the revoked attributes; the resource accessor without the revoked attribute updates the first information component of each attribute in the private key according to the received upgrade token, and updates the private key according to the updated first information component of each attribute; and the cloud server calculates a first information component of the leaf node of the ciphertext of the dangerous case resource file according to the revoked attribute by the received upgrade token, and updates the ciphertext according to the updated first information component of the leaf node.
5. The CP-ABE based yellow river dam bank monitoring data sharing method of claim 1, wherein the responding to the resource access request sent by the resource visitor to the cloud server further comprises: the resource uploading person encrypts the dangerous case resource file to be uploaded and then uploads the encrypted dangerous case resource file to the cloud server.
6. The yellow river dam bank monitoring data sharing method based on CP-ABE as claimed in claim 5, wherein said encrypting the dangerous case resource file to be uploaded by the resource uploading person comprises: the resource uploading user selects a first secret value according to the access strategy tree and acquires the attribute value of each leaf node; the resource uploading user sends the attribute values to an attribute authorization center, and the attribute authorization center selects a version number for each attribute value and sends the version number to the resource uploading user; the resource uploading user generates a first information component of the leaf node according to the version number corresponding to the leaf node and the polynomial of the leaf node, generates a second information component of the leaf node according to the attribute value of the leaf node and the polynomial of the leaf node, and calculates a ciphertext first component and a ciphertext second component according to the first secret value; the access strategy tree, the ciphertext first component, the ciphertext second component, the first information component of each leaf node and the second information component of each leaf node form a dangerous case resource file ciphertext.
7. The method for sharing monitoring data of yellow river dam bank based on CP-ABE as set forth in claim 1, wherein the resource visitor decrypts the ciphertext of the dangerous case resource file by using the access private key, and obtaining the decrypted dangerous case resource file comprises: the resource visitor calculates the secret value of the child node by using a recursion algorithm according to the ciphertext of the dangerous case resource file, the private key and the node of the access strategy tree; after decrypting all the child nodes, the resource visitor decrypts the root node and calculates the dangerous case resource file.
8. The yellow river dam bank monitoring data sharing method based on CP-ABE according to claim 1, further comprising, before the resource visitor sends the resource access request to the cloud server: the Yellow River dam bank monitoring data sharing system is initialized, and the key generation center generates public parameters and a master key.
9. The yellow river dam bank monitoring data sharing method based on CP-ABE of claim 8, wherein the key generation center generating the public parameters and the master key comprises: the key generation center selects a cyclic group G of prime order p with generator g, and selects two random parameters to generate the public parameters and the master key.
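The attribute-level revocation of steps (1) to (3) of the description and the access-tree sharing and recursive reconstruction of claims 4, 6 and 7, as an added worked example; this is not the patent's code, and the page does not show the patent's own formulas. The model below works in "exponent space": every group element g^a is stored as the exponent a modulo a prime Q, so the pairing e(g^a, g^b) = e(g,g)^(ab) is just the product ab. That is enough to check the algebra of the upgrade token, assumed here to be the generic construction τ = V′/V with D_j ← D_j^(1/τ) for non-revoked holders and C_x ← C_x^τ for the leaves in Y′, but it is not a cryptographic implementation, since a real scheme relies on bilinear groups in which the exponents stay hidden. The attribute names, the 2-of-3 policy, the user names and every function name are constructed for this example.

```python
"""Exponent-space model of CP-ABE access-tree sharing with version-based attribute revocation.
Constructed example, not the patent's code: each group element g^a is represented by its exponent
a mod Q, so e(g^a, g^b) becomes a*b. This checks the algebra only; it is NOT a secure implementation."""
import secrets
from dataclasses import dataclass, field

Q = 2**127 - 1  # Mersenne prime, the order of the toy group

def inv(a):
    return pow(a % Q, Q - 2, Q)

def rand():
    return secrets.randbelow(Q - 1) + 1

@dataclass
class Node:
    """Access-tree node: a k-of-n gate over `children`, or a leaf carrying one attribute name."""
    threshold: int = 1
    attr: str = None
    children: list = field(default_factory=list)

def leaves(node):
    return [node] if node.attr is not None else [l for c in node.children for l in leaves(c)]

def share_secret(node, secret, out):
    """q_x(0) = secret; a gate hands q_x(i) to its i-th child via a random polynomial of degree k-1."""
    if node.attr is not None:
        out[id(node)] = secret
        return out
    coeffs = [secret] + [rand() for _ in range(node.threshold - 1)]
    for i, child in enumerate(node.children, start=1):
        share_secret(child, sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q, out)
    return out

def setup():
    """Master key (alpha, beta); the public parameters e(g,g)^alpha and h = g^beta are the same exponents here."""
    return {"alpha": rand(), "beta": rand()}

def keygen(mk, attrs, versions):
    """SK = (D = g^((alpha+r)/beta), D_j = g^(r/V_j) for each attribute j at its current version V_j)."""
    r = rand()
    return {"d0": (mk["alpha"] + r) * inv(mk["beta"]) % Q,
            "dj": {a: r * inv(versions[a]) % Q for a in attrs}}

def encrypt(pk, tree, versions):
    """Share a fresh s down the tree; leaf x with attribute j publishes C_x = g^(q_x(0)*V_j).
    Returns the ciphertext and the encapsulated value K = e(g,g)^(alpha*s) that would hide the file key."""
    s = rand()
    shares = share_secret(tree, s, {})
    ct = {"tree": tree, "c0": s * pk["beta"] % Q,
          "cx": {id(l): shares[id(l)] * versions[l.attr] % Q for l in leaves(tree)}}
    return ct, pk["alpha"] * s % Q

def decrypt_node(node, ct, key):
    """Return r*q_x(0), the exponent of e(g,g)^(r q_x(0)), or None when the subtree is not satisfied."""
    if node.attr is not None:
        if node.attr not in key["dj"]:
            return None
        return ct["cx"][id(node)] * key["dj"][node.attr] % Q  # e(D_j, C_x): V_j cancels only if both sides agree
    found = [(i, v) for i, c in enumerate(node.children, start=1) if (v := decrypt_node(c, ct, key)) is not None]
    if len(found) < node.threshold:
        return None
    found, total = found[:node.threshold], 0
    for i, v in found:  # Lagrange interpolation at 0, carried out on exponents
        lam = 1
        for j, _ in found:
            if j != i:
                lam = lam * (-j) * inv(i - j) % Q
        total = (total + lam * v) % Q
    return total

def decrypt(ct, key):
    """Recover K, or None if the key's attributes do not satisfy the access tree."""
    f_root = decrypt_node(ct["tree"], ct, key)
    if f_root is None:
        return None
    return (ct["c0"] * key["d0"] - f_root) % Q  # (alpha+r)*s - r*s = alpha*s

def revoke_attribute(attr, versions):
    """KGC draws the second version V'; AAC forms the upgrade token tau = V'/V (assumed generic construction)."""
    new_v = rand()
    tau = new_v * inv(versions[attr]) % Q
    versions[attr] = new_v
    return tau

def update_ciphertext(ct, attr, tau):
    """CSP raises C_x to tau only for leaves carrying the revoked attribute (the set Y'); nothing else changes."""
    for leaf in leaves(ct["tree"]):
        if leaf.attr == attr:
            ct["cx"][id(leaf)] = ct["cx"][id(leaf)] * tau % Q

def update_key(key, attr, tau):
    """A non-revoked holder replaces D_j with D_j^(1/tau); the other components of SK are untouched."""
    if attr in key["dj"]:
        key["dj"][attr] = key["dj"][attr] * inv(tau) % Q

def scenario():
    """2-of-3 policy over constructed attributes; 'level2' is then revoked from Alice but kept by Carol."""
    mk = setup()
    versions = {"engineer": rand(), "river_bureau": rand(), "level2": rand()}
    tree = Node(threshold=2, children=[Node(attr="engineer"), Node(attr="river_bureau"), Node(attr="level2")])
    ct, k = encrypt(mk, tree, versions)
    alice = keygen(mk, ["engineer", "level2"], versions)
    carol = keygen(mk, ["river_bureau", "level2"], versions)
    bob = keygen(mk, ["engineer"], versions)  # a single attribute never satisfies the 2-of-3 gate
    before = {"alice": decrypt(ct, alice) == k, "carol": decrypt(ct, carol) == k, "bob": decrypt(ct, bob)}
    tau = revoke_attribute("level2", versions)
    update_ciphertext(ct, "level2", tau)
    update_key(carol, "level2", tau)  # Alice is the revoked holder and receives no token
    after = {"alice": decrypt(ct, alice) == k, "carol": decrypt(ct, carol) == k}
    return before, after
```

Calling scenario() shows the three effects that matter operationally: a key whose attributes do not satisfy the tree yields no value at all; after the revocation, Carol, who received the token, still recovers K, while Alice's stale D_j produces a wrong value rather than an error. Version mismatch therefore corrupts the recovered value silently, so an implementation needs an integrity check on the decrypted file key (or a cloud-side check such as the pre-decryption of claim 1) to report a denied access cleanly.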
CN202111578494.8A 2021-12-22 2021-12-22 Yellow river dam bank monitoring data sharing method based on CP-ABE Active CN114301651B (en)

Publications (2)

Publication Number Publication Date
CN114301651A (en) 2022-04-08
CN114301651B (en) 2023-07-21

Family

ID=80969776

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112329519A (en) * 2020-09-21 2021-02-05 中国人民武装警察部队工程大学 Safe online fingerprint matching method
CN113079177A (en) * 2021-04-15 2021-07-06 河南大学 Remote sensing data sharing method based on time and decryption frequency limitation

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105025012B (en) * 2015-06-12 2017-12-08 深圳大学 Access control system and access control method for cloud storage service platform
CN106911702B (en) * 2017-03-08 2019-08-02 福建师范大学 Cloud storage block encryption access control method based on improved CP-ABE
CN107147649A (en) * 2017-05-11 2017-09-08 成都四象联创科技有限公司 Data-optimized dispatching method based on cloud storage
CN110059495B (en) * 2018-12-14 2020-11-17 创新先进技术有限公司 Data sharing method, device and system and electronic equipment
CN110012312B (en) * 2019-03-28 2021-09-28 南京信息工程大学 Key management based access control method suitable for pay television system
CN110932847A (en) * 2019-10-18 2020-03-27 中国科学院信息工程研究所 User revocation method for identity identification cryptosystem with ciphertext homomorphism
CN111259353B (en) * 2020-01-15 2022-10-14 江苏芯盛智能科技有限公司 SM9 algorithm-based identity authentication method and device and computer equipment
CN111245870B (en) * 2020-04-26 2020-08-14 国网电子商务有限公司 Identity authentication method based on mobile terminal and related device
CN112564903B (en) * 2020-12-08 2022-06-14 西安电子科技大学 Decentralized access control method for secure data sharing in smart grid

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant