CN114697027A - Ciphertext access control method for big data platform - Google Patents

Ciphertext access control method for big data platform Download PDF

Info

Publication number
CN114697027A
CN114697027A CN202210434126.4A CN202210434126A CN114697027A CN 114697027 A CN114697027 A CN 114697027A CN 202210434126 A CN202210434126 A CN 202210434126A CN 114697027 A CN114697027 A CN 114697027A
Authority
CN
China
Prior art keywords
key
ciphertext
cloud
data
encryption key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210434126.4A
Other languages
Chinese (zh)
Inventor
王靖午
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fangying Jintai Technology Beijing Co ltd
Original Assignee
Fangying Jintai Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fangying Jintai Technology Beijing Co ltd filed Critical Fangying Jintai Technology Beijing Co ltd
Priority to CN202210434126.4A priority Critical patent/CN114697027A/en
Publication of CN114697027A publication Critical patent/CN114697027A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A ciphertext access control method for a big data platform comprises the following steps: a data holder A encrypts plaintext data m to be encrypted into a ciphertext Cm by using a public key of the data holder A; the data access requester B sends a request for accessing m and a public key of the data access requester B to the data access requester A; a, calculating by using a private key of the A and a public key of the B to obtain an agent re-encryption key; a, generating a proxy re-encryption key fragment set by using a sharer scheme for a proxy re-encryption key, and establishing an index for the proxy re-encryption key fragment set; a, Cm is transmitted to n cloud service agents in a relay mode, and the agent re-encryption key fragments are distributed to the n cloud service agents; each cloud service agent re-encrypts Cm by using the respective agent re-encryption key fragment to obtain a re-encrypted ciphertext, and sends the re-encrypted ciphertext to B; and B, integrating all the re-encrypted ciphertexts to obtain Cm ', and decrypting Cm' to obtain plaintext data m. The method disperses the ciphertext conversion right to a plurality of cloud service agents, reduces the risk of data leakage, and reduces the communication overhead by distributing the key fragments in a relay manner.

Description

Ciphertext access control method for big data platform
The technical field is as follows:
the invention relates to the technical field of information security, in particular to a ciphertext access control method for a big data platform.
Background art:
the technology development has pushed the IT era to the data era, and the rapid development of the data era has not left data sharing, but the problem of data leakage caused by data sharing has not been effectively solved all the time, which seriously restricts the development pace of the data era. In a big data cloud platform, although data privacy can be protected by encrypting data, the data can be used only after being decrypted, so that the encryption key of the data must be shared while the encrypted data is shared, so that the safe sharing of the key becomes a new problem. The traditional way to solve the above problems is: the data holder downloads the key ciphertext stored in the cloud platform to the local, and then shares the key ciphertext after encrypting the key ciphertext by using the public key of the data access requester. Although this approach can achieve the goal of sharing data and data keys, it adds communication and computational overhead to the data holder. Therefore, a simple, safe and efficient key sharing method is needed to further realize the secure sharing of the encrypted data, i.e. ciphertext access control. The invention patent application with publication number CN106888213A discloses a method and system for controlling access to cloud ciphertext, which uses key policy attribute to encrypt KPABE shared key, and although access control to key can be performed, access control to encrypted data can be further realized, the attribute of user is closely related to key policy, so that the method and system are only suitable for static sharing scenarios. The invention patent application with publication number CN107370595A solves the problem that the ciphertext cannot be dynamically shared, and performs decryption computation by a third party, thereby reducing the computation overhead of the user, but because the right of the third party is too large, data leakage is easily caused under the condition that the third party is not trusted or semi-trusted.
The invention content is as follows:
aiming at the problems, the invention designs a ciphertext access control method facing a big data platform, which is based on an agent re-encryption method and adopts Shamir secret sharing to realize threshold control, can divide ciphertext conversion authority, and disperses the authority of ciphertext conversion to a plurality of cloud agent service providers to reduce the risk of data leakage.
A ciphertext access control method facing a big data platform comprises the following steps:
the data holder A and the data access requester B generate respective public and private key pairs;
a, encrypting plaintext data m to be encrypted into a ciphertext Cm by using a public key of the A;
b sends a request for accessing m to A and sends the public key of the B to A;
after receiving the access request and the public key of the B, the A calculates by utilizing the own private key and the public key of the B to obtain an agent re-encryption key;
a, generating an agent re-encryption key fragment set by using a sharer secret sharing scheme for the agent re-encryption key, and establishing an index for the agent re-encryption key fragment set, so that the agent re-encryption key fragment corresponds to a cloud agent service provider when the agent re-encryption key fragment is distributed by the A;
a, sending Cm to a first cloud agent service provider, sending Cm to a second cloud agent service provider by the first cloud agent service provider, sending Cm to a third cloud agent service provider by the second cloud agent service provider, and repeating the steps until all the cloud agent service providers obtain Cm, and distributing the agent re-encryption key fragments to n cloud agent service providers by the A; if the encrypted ciphertext Cm is directly sent to the n cloud agent service providers by the server A at the same time, the communication pressure on the server A is increased, single-point faults and other problems are caused, and therefore the starting of communication of the server A is reduced by adopting a relay mode. On the basis of the proxy re-encryption method, a sharer secret sharing scheme is used, and the proxy re-encryption key is divided into n segments to be distributed to n cloud proxy service providers, so that the right of ciphertext conversion is prevented from being concentrated on one party, and the risk of data leakage is reduced;
and each cloud agent service provider uses the respective agent re-encryption key fragment to re-encrypt the Cm agent to obtain a re-encrypted ciphertext Csi,i∈[1,n]And sending the respective re-encrypted ciphertext to B, where CsiThe re-encrypted ciphertext of the ith cloud agent service provider is obtained, and n is the number of the cloud agent service providers;
b, integrating all the re-encrypted ciphertexts to obtain Cm ', and decrypting Cm' by using a private key of the B to obtain plaintext data m, wherein:
Figure BDA0003612288300000031
preferably, the proxy re-encryption is a ubbral threshold proxy re-encryption scheme.
Preferably, the specific way of using the shamir secret sharing scheme is as follows: a, dividing the proxy re-encryption key into n key fragments by using a sharer scheme, and distributing the n key fragments to n cloud proxy service providers; after receiving the access request of B, at least t cloud agent service providers (t is less than or equal to n) use respective agent re-encryption key slices to re-encrypt Cm at the same time, and then effective conversion of ciphertext re-encryption can be completed.
Preferably, the retrieval item of the index is a key index ID, ID belongs to [1, n ], wherein n is the number of cloud agent service providers.
Preferably, a encrypts m to Cm using the SM2 algorithm.
Preferably, B decrypts Cm' to m using the SM2 algorithm.
The traditional agent re-encryption technology generally adopts a single agent mode, and the single agent completely masters the agent re-encryption key, so that the risks of permission abuse, key loss, agent disconnection and the like exist. The ciphertext access control method for the big data platform is based on proxy re-encryption and adopts Shamir secret sharing to realize threshold control, can divide the conversion right and disperse the right of ciphertext conversion to a plurality of cloud proxy service providers, so that the risk of data leakage is reduced, meanwhile, a data holder A in the method sends the ciphertext Cm to the plurality of cloud proxy service providers by using a relay method, so that the communication pressure and the expense of the A are reduced, and the problems of single-point failure and the like are avoided.
Description of the drawings:
FIG. 1 is a flow chart of a ciphertext access control method oriented to a big data platform.
The specific implementation mode is as follows:
in order to provide a cipher text access control implementation scheme and solve the problems of high potential safety hazard of data sharing and high communication overhead, the embodiment of the invention provides a cipher text access control method facing a large data platform.
The following describes a preferred embodiment of the ciphertext access control method for the big data platform provided by the present invention with reference to fig. 1 of the specification.
Step 100: data holder A generates a key pair (pk) of the SM2 algorithma,ska) Data access requestor B generates a key pair (pk) of the SM2 algorithmb,skb) (ii) a Wherein a public is generated for data holder A and data access requester BThe private key pair specifically comprises the following steps:
(1) initializing system parameters, namely Setup (lambda) → param;
(2) defining a cyclic group G with order q; defining a generator G, wherein U belongs to G; defining a set of hash functions, H2:G2→Zq,H3:G3→Zq,H4:G3xZq → Zq; defining a key parameter KDF G → {0,1}l
(3) System parameter param ═ G, U, H2,H3,H4,KDF};
(4) And (3) generating a public and private key pair of the data holder A: (pka,ska)=(ga,a);
(5) And (3) generating a public and private key pair of the data holder B: (pkb,skb)=(gbAnd b), since the steps are common knowledge in the industry field, the detailed description is omitted.
Step 110: a uses its own public key pkaEncrypting plaintext data m to be encrypted into ciphertext Cm, namely Cm equals Enc (pk)a,m)。
Step 120: b sends a request for accessing m to A and sends its own public key pkbAnd sending the signal to A.
Step 130: a receives B's access request and public key pkbThen, use its own private key skaAnd the public key pk of BbCalculating to obtain a proxy re-encryption key rkA→B(ii) a Wherein A uses its own private key skaAnd the public key pk of BbCalculating to obtain a proxy re-encryption key rkA→BIs a conventional technology in the industry field, and the main steps in the calculation process are given as follows:
randomly generating XAY, id ∈ Zq, calculated as follows:
XA=gXA
d=H3(pka,pkb,(pkb)XA);
f0=a-d-1modq;
Figure BDA0003612288300000051
U1=Urk
z1=H4(Y,id,pka,pkb,U1,XA);
z2=y-a·z1
step 140: a for the rkA→BGeneration of proxy re-encryption key fragment set { rks using sharer secret sharing schemei}(i∈[1,n]),rksiEstablishing an index for the ith re-encryption key fragment, wherein n is the number of cloud agent service providers, and a retrieval item of the index is a key index ID, and the ID belongs to [1, n ∈ n]N is the number of cloud agent service providers; therein, with rks1The way to calculate the key fragment is given as an example as follows:
rks1=(id,rk,XA,U1,z1,z2)。
step 150: a sends Cm to n Cloud agent service providers Cloud by adopting a relay method, namely the A sends Cm to Cloud agent service providers Cloud1,Cloud1Sending Cm to Cloud2…Cloudn-1Sending Cm to CloudnWhile A will rks1To Cloud1Rks will be2To Cloud2… mixing rksnTo Cloudn
Step 160: cloud1Use rks1The Cm agent is re-encrypted to obtain a re-encrypted ciphertext Cs1,Cloud2Use rks2The Cm agent is re-encrypted to obtain a re-encrypted ciphertext Cs2…CloudnUse rksnRe-encrypting the Cm agent to obtain a re-encrypted ciphertext Cn, Cloud1Mixing Cs1Is sent to B, Cloud2Mixing Cs2To B … CloudnMixing CsnSending the data to B; wherein a re-encrypted ciphertext Cs is generatediThe method mainly comprises the following steps:
skb=b;pka=ga
Csi=(E1,i,V1,i,idi,XA);
Figure BDA0003612288300000052
step 170: b, integrating all the re-encrypted ciphertexts, and obtaining Cm ' by adopting the complex operation of the re-encryption key in the Umbral threshold proxy re-encryption scheme, and using the Cm ' and the sk ' in a combined modeb,pka,{Csi}it=1) Decrypting Cm' yields plaintext data m, i.e. m is Des (sk)bCm '), wherein B obtains Cm' by complex operation of a re-encryption key in the ubbral threshold proxy re-encryption scheme is a conventional technique in the industry field, and the main steps in the calculation process are given as follows:
skb=b;pka=ga
Csi=(E1,i,V1,i,idi,XA);
Figure BDA0003612288300000061
calculate E ', V', K as follows:
Figure BDA0003612288300000062
Figure BDA0003612288300000063
K=KDF((E’·V’)d)。
the above description is only of the preferred embodiments of the present invention, and it should be noted that: it will be apparent to those skilled in the art that various modifications, substitutions, variations and enhancements can be made without departing from the spirit and scope of the invention, which should be considered as within the scope of the invention.

Claims (6)

1. A ciphertext access control method for a big data platform is characterized by comprising the following steps:
the data holder A and the data access requester B generate respective public and private key pairs;
a, encrypting plaintext data m to be encrypted into a ciphertext Cm by using a public key of the A;
b sends a request for accessing m to A and sends the public key of the B to A;
after receiving the access request and the public key of the B, the A calculates by utilizing the own private key and the public key of the B to obtain an agent re-encryption key;
a, generating a proxy re-encryption key fragment set by using a sharer secret sharing scheme for the proxy re-encryption key, and establishing an index for the proxy re-encryption key fragment set;
a, sending Cm to a first cloud agent service provider, sending Cm to a second cloud agent service provider by the first cloud agent service provider, sending Cm to a third cloud agent service provider by the second cloud agent service provider, and repeating the steps until all the cloud agent service providers obtain Cm, and distributing the agent re-encryption key fragments to n cloud agent service providers by the A;
and each cloud agent service provider uses the respective agent re-encryption key fragment to re-encrypt the Cm agent to obtain a re-encrypted ciphertext Csi,i∈[1,n]And sending the respective re-encrypted ciphertext to B, where CsiThe re-encrypted ciphertext of the ith cloud agent service provider is obtained, and n is the number of the cloud agent service providers;
b, integrating all the re-encrypted ciphertexts to obtain Cm ', and decrypting Cm' by using a private key of the B to obtain plaintext data m, wherein:
Figure FDA0003612288290000011
2. the method of claim 1, wherein the proxy re-encryption is a Umbral threshold proxy re-encryption scheme.
3. The method of claim 1, wherein the shamir secret sharing scheme is used in a manner that: a, the proxy re-encryption key is divided into n key fragments by using a sharer scheme and distributed to n cloud proxy service providers; and after receiving the access request of the B, at least t cloud agent service providers (t is less than or equal to n) use respective agent re-encryption key slices to re-encrypt Cm at the same time, and the ciphertext agent re-encryption is completed.
4. The method of claim 1, wherein the index has a key index ID, ID e [1, n ], where n is the number of cloud broker servers.
5. The method of claim 1, wherein a encrypts m to Cm using the SM2 algorithm.
6. The method of claim 1, wherein B decrypts Cm' to m using the SM2 algorithm.
CN202210434126.4A 2022-04-24 2022-04-24 Ciphertext access control method for big data platform Pending CN114697027A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210434126.4A CN114697027A (en) 2022-04-24 2022-04-24 Ciphertext access control method for big data platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210434126.4A CN114697027A (en) 2022-04-24 2022-04-24 Ciphertext access control method for big data platform

Publications (1)

Publication Number Publication Date
CN114697027A true CN114697027A (en) 2022-07-01

Family

ID=82145786

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210434126.4A Pending CN114697027A (en) 2022-04-24 2022-04-24 Ciphertext access control method for big data platform

Country Status (1)

Country Link
CN (1) CN114697027A (en)

Similar Documents

Publication Publication Date Title
Han et al. A data sharing protocol to minimize security and privacy risks of cloud storage in big data era
CN108881314B (en) Privacy protection method and system based on CP-ABE ciphertext under fog computing environment
US9197410B2 (en) Key management system
CN103957109B (en) A kind of cloud data-privacy protects safe re-encryption method
CN102655508B (en) Method for protecting privacy data of users in cloud environment
US20170244687A1 (en) Techniques for confidential delivery of random data over a network
CN113992330B (en) Agent re-encryption-based blockchain data controlled sharing method and system
CN104735070B (en) A kind of data sharing method between general isomery encryption cloud
CN114513327B (en) Block chain-based Internet of things private data rapid sharing method
CN105227566A (en) Cipher key processing method, key handling device and key handling system
CN104994068A (en) Multimedia content protection and safe distribution method in cloud environment
WO2012161417A1 (en) Method and device for managing the distribution of access rights in a cloud computing environment
CN105721146B (en) A kind of big data sharing method towards cloud storage based on SMC
CN114697042A (en) Block chain-based Internet of things security data sharing proxy re-encryption method
US9473471B2 (en) Method, apparatus and system for performing proxy transformation
JP2019102970A (en) Data sharing server device, key generation server device, communication terminal, and program
WO2020042023A1 (en) Instant messaging data encryption method and apparatus
KR101812311B1 (en) User terminal and data sharing method of user terminal based on attributed re-encryption
CN116961893A (en) End-to-end secure encryption communication management method, system and storable medium
CN116094845A (en) Efficient revocation conditional proxy re-encryption method and system
CN114697027A (en) Ciphertext access control method for big data platform
CN110474873A (en) It is a kind of based on know range encryption electronic document access control method and system
Scholar et al. Easy and Secure Smart SMS Protocol on M-Health Environment in Mobile Computing
CN110650152B (en) Cloud data integrity verification method supporting dynamic key updating
CN117879939A (en) Autonomous path agent re-encryption method based on threshold value

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination