CN114866328A - Block chain-based cross-domain access control method and system in edge computing environment - Google Patents

Block chain-based cross-domain access control method and system in edge computing environment

Info

Publication number
CN114866328A
Authority
CN
China
Prior art keywords
domain
data
attribute
block chain
cross
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210559425.0A
Other languages
Chinese (zh)
Inventor
苏铓
梅东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Science and Technology
Original Assignee
Nanjing University of Science and Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Abstract

The invention provides a block chain-based cross-domain access control method and a block chain-based cross-domain access control system in an edge computing environment, wherein a data owner registers with a trusted center TC in its domain through attribute information; each domain administrator constructs an inter-domain identity authentication block chain IA_BC; the shared data M is encrypted and uploaded to obtain a data storage address; the symmetric key K_S and the data storage address are encrypted and uploaded to a data access block chain DA_BC; the inter-domain identity authentication block chain IA_BC authenticates the identity of a data user and issues a cross-domain certificate Cert(L); and the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and finally obtains the plaintext of the shared data M. According to the invention, cross-domain certificate issuance and user identity authentication are completed through the inter-domain blockchain, the access behavior of the user and the authentication and authorization results are recorded on the blockchain in a tamper-proof manner, and decentralized, transparent and traceable cross-domain access control is realized.

Description

Block chain-based cross-domain access control method and system in edge computing environment
Technical Field
The present application relates to the field of information security, and in particular, to a block chain-based cross-domain access control method and system in an edge computing environment.
Background
Edge computing and related applications have evolved rapidly in recent years, with the global edge computing market reaching $46.8 billion in 2020. However, security problems arising from edge computing keep emerging, and attacks that are common in traditional cloud computing scenarios now face an edge layer whose defenses are relatively weak. For this reason, research on security mechanisms for edge computing is crucial.
As an important component of conventional security technology, access control also has to address how existing schemes can be migrated reasonably and accurately to the entirely new edge computing environment. Firstly, most traditional cloud access control is deployed in a centralized mode: each cloud system acts as a unit and governs the data owners and access users within that system. In the edge computing environment, however, the huge number of user devices and their access management must be divided into different domains according to geographical and institutional factors, so a traditional centralized access control scheme must first accommodate the requirements of cross-domain deployment and management. Secondly, researchers have made improvements aimed at the single-point authorization performance bottleneck, but these still build distributed authorization schemes for edge computing on a centralized idea, so the single-point bottleneck is not fundamentally solved. In addition, the problem of opaque access control flows has not been solved effectively. How to design an access control mechanism that meets the access requirements of the edge computing environment is therefore an urgent problem to be solved.
Disclosure of Invention
In order to solve one of the above technical problems, the present invention provides a block chain-based cross-domain access control method and system in an edge computing environment.
The first aspect of the embodiments of the present invention provides a block chain-based cross-domain access control method in an edge computing environment, where the method includes:
a data owner registers with a trusted center TC in its domain through attribute information to obtain public and private key information;
each domain administrator sets a cross-domain node in the edge cloud center EC of its domain, constructs an inter-domain identity authentication block chain IA_BC and sets up a cross-domain service;
the data owner encrypts the shared data M with a symmetric key K_S, uploads it to the edge cloud center EC, and obtains the data storage address returned by the edge cloud center EC;
the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the encrypted symmetric key K_S and data storage address to the data access block chain DA_BC in the domain where the data owner is located;
the inter-domain identity authentication block chain IA_BC authenticates the data user through the attribute information and the public and private key information of the data user and issues a cross-domain certificate Cert(L);
the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L) to obtain the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M from the symmetric key K_S and the data storage address of the target domain.
Preferably, the process of registering the data owner with the trust center TC in the domain through the attribute information to obtain the public and private key information includes:
the data owner sends the owner attribute to a trust center TC in the domain and sends a registration request to the trust center TC in the domain;
and the trusted center TC generates a public key PK and a private key MK according to the owner attribute of the data owner and returns the public key PK to the data owner.
Preferably, the process of each domain administrator setting up a cross-domain node in the edge cloud center EC in each domain, constructing an inter-domain identity authentication block chain IA_BC, and setting up a cross-domain service includes:
each domain administrator sets cross-domain nodes of each domain;
constructing an inter-domain identity authentication block chain IA_BC between the edge cloud centers EC of each domain by taking the cross-domain nodes of each domain as inter-domain block chain nodes;
and setting the attribute mapping among domains and the intelligent contracts of the cross-domain identity authentication service to complete the cross-domain service establishment.
Preferably, the process in which the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload them to the data access block chain DA_BC in the domain of the data owner includes:
the data owner performs the non-computation-intensive part of the encryption of the symmetric key K_S and the data storage address to generate a ciphertext CT_NCI;
the edge cloud center EC performs the computation-intensive part of the encryption of the symmetric key K_S and the data storage address to generate a ciphertext CT_CI and returns the ciphertext CT_CI to the data owner;
the data owner generates a ciphertext CT from the ciphertext CT_NCI and the ciphertext CT_CI and uploads the ciphertext CT to the data access block chain DA_BC in the domain of the data owner.
Preferably, the process of the inter-domain identity authentication block chain IA_BC authenticating the data user through the attribute information and the public and private key information of the data user and issuing the cross-domain certificate Cert(L) includes:
a data user sends user attribute and public and private key information to a certificate authority CA;
the certificate authority CA issues an attribute certificate Cert(R) according to the user attribute and the public and private key information of the data user;
the data user uses the attribute certificate Cert(R) to send a cross-domain request to the edge cloud center EC in its domain, wherein the cross-domain request comprises target domain information;
the edge cloud center EC judges the access type according to the target domain information;
when the access type is inter-domain access, the inter-domain identity authentication block chain IA_BC verifies the validity of the attribute certificate Cert(R);
after the validity of the attribute certificate Cert(R) is successfully verified, the inter-domain identity authentication block chain IA_BC performs attribute conversion between the domain where the data user is located and the target domain according to the attribute mapping between the domains to generate a cross-domain certificate Cert(L).
Preferably, when the validity verification of the attribute certificate Cert(R) fails, the inter-domain identity authentication block chain IA_BC sends an illegal-operation indication to the data user.
Preferably, the process in which the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M from the symmetric key K_S and the data storage address of the target domain includes the following steps:
the trusted center TC of the target domain generates the attribute keys SK_r and SK_v of the data user through the cross-domain certificate Cert(L), and the edge cloud center EC of the target domain generates the attribute key SK_u of the data user through the cross-domain certificate Cert(L);
the trusted center TC of the target domain obtains an attribute key SK1 from the attribute keys SK_r, SK_v and SK_u and sends the attribute key SK1 to the data user;
the inter-domain identity authentication block chain IA_BC sends a data access request to the data access block chain DA_BC of the target domain through the edge cloud center EC of the target domain;
according to the data access request, the data access block chain DA_BC sends the ciphertext CT of the encrypted symmetric key K_S and data storage address to the data user;
the data user decrypts the ciphertext CT with the attribute key SK1 to obtain the plaintext of the symmetric key K_S and the data storage address of the target domain;
the ciphertext of the shared data M is obtained from the data storage address of the target domain, and the ciphertext of the shared data M is decrypted with the symmetric key K_S of the target domain to obtain the plaintext of the shared data M.
Preferably, the process in which the data user decrypts the ciphertext CT with the attribute key SK1 to obtain the plaintext of the symmetric key K_S and the data storage address of the target domain includes the following steps:
the edge cloud center EC of the domain where the data user is located decrypts the ciphertext CT with the attribute key SK_u to obtain an intermediate ciphertext PT_CI;
the data user decrypts the intermediate ciphertext PT_CI with the attribute key SK1 to obtain the plaintext of the symmetric key K_S and the data storage address of the target domain.
Preferably, when the access type is intra-domain access, the trusted center TC of the domain where the data user is located generates an attribute key SK2 through the attribute certificate Cert(R), and the data user decrypts the ciphertext CT stored in the intra-domain data access block chain DA_BC with the attribute key SK2 to obtain the plaintext of the symmetric key K_S and the data storage address.
A second aspect of the embodiments of the present invention provides a block chain-based cross-domain access control system in an edge computing environment, where the system includes a trusted center TC, an edge cloud center EC, an inter-domain identity authentication block chain IA_BC and a data access block chain DA_BC;
a data owner registers with the trusted center TC in its domain through attribute information to obtain public and private key information;
each domain administrator sets a cross-domain node in the edge cloud center EC of its domain, constructs an inter-domain identity authentication block chain IA_BC and sets up a cross-domain service;
the data owner encrypts the shared data M with a symmetric key K_S, uploads it to the edge cloud center EC, and obtains the data storage address returned by the edge cloud center EC;
the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the encrypted symmetric key K_S and data storage address to the data access block chain DA_BC in the domain where the data owner is located;
the inter-domain identity authentication block chain IA_BC authenticates the data user through the attribute information and the public and private key information of the data user and issues a cross-domain certificate Cert(L);
the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L) to obtain the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M from the symmetric key K_S and the data storage address of the target domain.
The invention has the following beneficial effects: the invention provides a block chain-based cross-domain access control method in an edge computing environment, wherein a data owner registers with a trusted center TC in its domain through attribute information to obtain public and private key information; each domain administrator sets a cross-domain node in the edge cloud center EC of its domain, constructs an inter-domain identity authentication block chain IA_BC and sets up a cross-domain service; the data owner encrypts the shared data M with the symmetric key K_S, uploads it to the edge cloud center EC and obtains the data storage address returned by the edge cloud center EC; the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload them to the data access block chain DA_BC in the domain of the data owner; the inter-domain identity authentication block chain IA_BC authenticates the data user through the attribute information and the public and private key information of the data user and issues a cross-domain certificate Cert(L); and the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M from them.
To meet the security requirements of the trust domains of an edge computing environment, the invention realizes user access through the intra-domain blockchain, completes cross-domain certificate issuance and user identity authentication through the inter-domain blockchain, records the access behavior of the user and the authentication and authorization results on a blockchain that cannot be tampered with, and realizes decentralized, transparent and traceable cross-domain access control.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart of a block chain-based cross-domain access control method in an edge computing environment according to embodiment 1 of the present invention;
fig. 2 is a flowchart of a data owner registering with the trusted center TC in its domain to obtain public and private key information and of constructing the inter-domain identity authentication block chain IA_BC according to embodiment 1 of the present invention;
fig. 3 is a flowchart, according to embodiment 1 of the present invention, of encrypting the shared data M to obtain a data storage address and of encrypting the data storage address and the symmetric key K_S to obtain the ciphertext CT;
fig. 4 is a flowchart of the inter-domain identity authentication block chain IA_BC performing identity authentication on a data user and issuing a cross-domain certificate Cert(L) according to embodiment 1 of the present invention;
fig. 5 is a flowchart of a data user accessing the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L) and finally obtaining the plaintext of the shared data M in embodiment 1 of the present invention.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following further detailed description of the exemplary embodiments of the present application with reference to the accompanying drawings makes it clear that the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Example 1
As shown in fig. 1, this embodiment proposes a block chain-based cross-domain access control method in an edge computing environment, where the method includes:
S101, a data owner registers with the trusted center TC in its domain through attribute information to obtain public and private key information.
Specifically, as shown in fig. 2, the data owner first registers with the trusted center TC within its domain. To do so, the data owner sends its attribute information, that is, the owner attribute, to the trusted center TC in its domain. The owner attribute includes at least a general attribute set A, a version attribute va, and a domain attribute set. The trusted center TC establishes a function Setup(), which takes the general attribute set A and the version attribute va as inputs, generates a public key PK and a private key MK for the data owner, and returns the public key PK to the data owner. The specific process is as follows:
[Formula image not reproduced]
The trusted center TC sends the domain attribute set to the edge cloud center EC to provide data support for the subsequent attribute mapping.
S102, each domain administrator sets up a cross-domain node in the edge cloud center EC of its domain, constructs an inter-domain identity authentication block chain IA_BC and sets up the cross-domain service.
Specifically, as shown in fig. 2, each domain administrator sets a cross-domain node for its domain. Then, the inter-domain identity authentication block chain IA_BC is constructed between the edge cloud centers EC of the domains, taking the cross-domain nodes of the domains as the inter-domain block chain nodes, to provide cross-domain services. Finally, the attribute mapping between domains and the intelligent contract of the cross-domain identity authentication service are set through the domain attribute sets to complete the cross-domain service establishment.
S103, the data owner encrypts the shared data M with the symmetric key K_S, uploads it to the edge cloud center EC, and obtains the data storage address returned by the edge cloud center EC.
Specifically, this process implements the encrypted upload of the shared data M. As shown in fig. 3, the data owner encrypts the shared data M with the symmetric key K_S to obtain a ciphertext C, and uploads the ciphertext C to the edge cloud center EC by calling the data storage service in the service providing module of the edge cloud center EC. The edge cloud center EC returns a data storage address and a hash value.
S104, the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload them to the data access block chain DA_BC in the domain of the data owner.
Specifically, this process implements the encryption and upload of the symmetric key K_S and the data storage address. As shown in fig. 3, the data owner partially encrypts the symmetric key K_S and the data storage address to generate a ciphertext CT_NCI. It then calls the encryption service in the service providing module of the edge cloud center EC, which encrypts the symmetric key K_S and the data storage address to generate a ciphertext CT_CI and returns the ciphertext CT_CI to the data owner. The data owner thus obtains the complete ciphertext CT = {CT_NCI, CT_CI} and uploads the ciphertext CT to the data access block chain DA_BC in its domain by calling a block chain transaction.
In this embodiment, during the encryption of the symmetric key K_S, the data owner performs only the non-computation-intensive tasks, while the computation-intensive tasks are offloaded to the edge cloud center EC, which reduces the computational overhead of the data owner. The edge cloud center EC derives the value S_i of each leaf node from S_u and T_u, computes
[Formula image not reproduced]
and returns the result to the data owner, who finally obtains the complete ciphertext CT. The specific process is as follows:
[Algorithm images not reproduced]
S105, the inter-domain identity authentication block chain IA_BC authenticates the data user through the attribute information and the public and private key information of the data user and issues a cross-domain certificate Cert(L).
Specifically, in this embodiment the cross-domain access process of a user may be divided into two parts: cross-domain authentication and cross-domain data access. As shown in fig. 4, before cross-domain identity authentication, the data user first sends its user attribute and public and private key information to the certificate authority CA, where the user attribute has the same data types as the owner attribute. The certificate authority CA issues an attribute certificate Cert(R) according to the user attribute and the public and private key information of the data user. The data user calls the data access service providing module of the edge cloud center EC to send a cross-domain request req together with the attribute certificate Cert(R), where the cross-domain request contains the target domain information. The data access service providing module of the edge cloud center EC judges the access type according to the target domain information. When the access type is inter-domain access, the inter-domain identity authentication block chain IA_BC verifies the validity of the attribute certificate Cert(R). If the validity verification of the attribute certificate Cert(R) succeeds, the inter-domain identity authentication block chain IA_BC performs attribute conversion between the domain where the data user is located and the target domain according to the inter-domain attribute mapping to generate a cross-domain certificate Cert(L). If the validity verification of the attribute certificate Cert(R) fails, the inter-domain identity authentication block chain IA_BC sends an illegal-operation indication to the data user.
S106, the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M from the symmetric key K_S and the data storage address of the target domain.
Specifically, as shown in fig. 5, after the cross-domain authentication has passed, the attribute key SK1 of the data user is generated from the cross-domain certificate Cert(L). The attribute key SK1 consists of three parts: the attribute key SK_r, the attribute key SK_v and the attribute key SK_u. The attribute keys SK_r and SK_v are generated by the trusted center TC of the target domain through the cross-domain certificate Cert(L), and the attribute key SK_u is generated by the edge cloud center EC of the target domain through the cross-domain certificate Cert(L). Computation offloading is also used in the generation of the attribute key to reduce the overhead of the trusted center TC: for each attribute in the public key PK, the edge cloud center EC randomly selects r_i ∈ Z_p, computes
[Formula image not reproduced]
and finally returns the result to the trusted center TC of the target domain. The specific process is as follows:
[Algorithm image not reproduced]
The inter-domain identity authentication block chain IA_BC uses the cross-domain request req to call the data access service of the edge cloud center EC of the target domain, which sends a data access request to the data access block chain DA_BC of the target domain. According to the data access request, the data access block chain DA_BC sends the ciphertext CT of the symmetric key K_S and the data storage address to the data user. The data user decrypts the ciphertext CT with the attribute key SK1 to obtain the symmetric key K_S of the target domain and the plaintext of the data storage address, then obtains the ciphertext of the shared data M from the data storage address of the target domain, and finally decrypts the ciphertext of the shared data M with the symmetric key K_S of the target domain to obtain the plaintext of the shared data M.
In this embodiment, when decrypting the ciphertext CT, the cloud service provider is not fully trusted and remains curious about the data it handles, so the decryption algorithm does not delegate the whole decryption task to the cloud server; only the decryption of the leaf nodes is delegated. That is, the edge cloud center EC of the domain where the data user is located decrypts the ciphertext CT with the attribute key SK_u to obtain an intermediate ciphertext PT_CI, and the data user decrypts the intermediate ciphertext PT_CI with the attribute key SK1 to obtain the symmetric key K_S of the target domain and the plaintext of the data storage address. The specific process is as follows:
Figure BDA0003655917750000103
Figure BDA0003655917750000111
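As an added example, not code from the patent, the following stand-alone Python model shows the S106 decryption split described above (the edge cloud center EC performs only the leaf-node attribute step with SK_u and the data user finishes with SK1) together with the Cert(R) to Cert(L) attribute mapping of S105. Shamir sharing over Z_p with multiplicative blinding stands in for the pairing-based CP-ABE and a SHA-256 keystream for the symmetric cipher; all function names, attribute names and addresses are constructed, the owner/EC encryption split of S104 is not modelled, and in this toy the TC's per-attribute values used by the encryptor must stay secret from the EC.

```python
import hashlib, secrets

P = 2**127 - 1   # prime field for the toy secret sharing (stand-in for the pairing group)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # toy stream cipher (SHA-256 counter keystream); stand-in for a real AEAD cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _kdf(s: int) -> bytes:
    return hashlib.sha256(s.to_bytes(16, "big")).digest()

def _lagrange_at_zero(points):
    # reconstruct f(0) from threshold points (x, f(x)) over Z_P
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def tc_setup(attrs):
    # trusted center TC: one secret value k_a per attribute of the domain (toy MK)
    return {a: secrets.randbelow(P - 1) + 1 for a in attrs}

def map_attributes(cert_r_attrs, mapping):
    # IA_BC attribute conversion: Cert(R) attributes -> target-domain attributes in Cert(L)
    return [mapping[a] for a in cert_r_attrs if a in mapping]

def encrypt_shared_data(M: bytes, storage: dict, mk: dict, policy):
    # S103: M under K_S at the EC; (K_S, address) under a k-of-n attribute policy,
    # CT_NCI being the owner's cheap part and CT_CI the per-attribute leaf part
    threshold, attrs = policy
    K_S = secrets.token_bytes(32)
    address = "edge://A/obj-%d" % len(storage)            # constructed storage address
    storage[address] = _xor_stream(K_S, M)
    s = secrets.randbelow(P)
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    ct_ci = {}
    for x, a in enumerate(attrs, start=1):
        y = sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
        ct_ci[a] = (x, y * mk[a] % P)                      # leaf share hidden by k_a
    ct_nci = _xor_stream(_kdf(s), K_S + address.encode())
    return {"policy": policy, "CT_CI": ct_ci, "CT_NCI": ct_nci}

def keygen(mk: dict, cert_l_attrs):
    # S106 key generation: SK1 keeps the user's blinding z; SK_u (handed to the EC)
    # holds k_a^-1 * z per attribute, from which the EC can recover neither z nor k_a
    z = secrets.randbelow(P - 1) + 1
    sk_u = {a: pow(mk[a], P - 2, P) * z % P for a in cert_l_attrs if a in mk}
    return {"z": z}, sk_u

def edge_partial_decrypt(ct, sk_u):
    # EC step: evaluates only the leaf nodes it holds keys for and interpolates;
    # the intermediate result PT_CI equals s*z, so the EC never learns s
    threshold, _ = ct["policy"]
    pts = [(x, c * sk_u[a] % P) for a, (x, c) in ct["CT_CI"].items() if a in sk_u]
    if len(pts) < threshold:
        return None                                        # policy not satisfied
    return _lagrange_at_zero(pts[:threshold])

def user_final_decrypt(ct, sk1, pt_ci, storage):
    # user step: unblind with z, recover K_S and the address, then decrypt M
    s = pt_ci * pow(sk1["z"], P - 2, P) % P
    plain = _xor_stream(_kdf(s), ct["CT_NCI"])
    K_S, address = plain[:32], plain[32:].decode()
    return _xor_stream(K_S, storage[address])
```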
When the access type is intra-domain access, the trusted center TC of the domain where the data user is located generates an attribute key SK2 from the attribute certificate Cert(R), and the data user decrypts the ciphertext CT stored in the intra-domain data access block chain DA_BC with the attribute key SK2 to obtain the symmetric key K_S and the plaintext of the data storage address.
In this embodiment, a data owner registers with the trusted center TC in its domain using its attribute information and obtains public and private key information; each domain administrator sets up a cross-domain node in the edge cloud center EC of its domain, constructs the inter-domain identity authentication block chain IA_BC and sets up the cross-domain service; the data owner encrypts the shared data M with the symmetric key K_S, uploads it to the edge cloud center EC and obtains the data storage address returned by the edge cloud center EC; the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the ciphertext to the data access block chain DA_BC in the domain of the data owner; the inter-domain identity authentication block chain IA_BC authenticates the data user using the attribute information and public and private key information of the data user and issues a cross-domain certificate Cert(L); and the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M from them. Aimed at the security requirements of trust domains in the edge computing environment, the invention implements user access through the intra-domain block chain, completes cross-domain certificate issuance and user identity authentication through the inter-domain block chain, records the user's access behaviour and the authentication and authorization results on the tamper-proof block chain, and thereby realizes decentralized, transparent and traceable cross-domain access control.
Embodiment 2
Corresponding to embodiment 1, this embodiment provides a block chain-based cross-domain access control system in an edge computing environment. The system comprises a trusted center TC, an edge cloud center EC, an inter-domain identity authentication block chain IA_BC and a data access block chain DA_BC;
a data owner registers with the trusted center TC in its domain using its attribute information and obtains public and private key information;
each domain administrator sets up a cross-domain node in the edge cloud center EC of its domain, constructs the inter-domain identity authentication block chain IA_BC and sets up the cross-domain service;
the data owner encrypts the shared data M with the symmetric key K_S, uploads it to the edge cloud center EC and obtains the data storage address returned by the edge cloud center EC;
the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the ciphertext to the data access block chain DA_BC in the domain where the data owner is located;
the inter-domain identity authentication block chain IA_BC authenticates the data user using the attribute information and public and private key information of the data user and issues a cross-domain certificate Cert(L);
the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M according to the symmetric key K_S and the data storage address of the target domain.
For the working principle and process of the system proposed in this embodiment, refer to the description in embodiment 1; they are not repeated here.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A block chain-based cross-domain access control method in an edge computing environment, the method comprising:
a data owner registers with a trusted center TC in its domain using its attribute information and obtains public and private key information;
each domain administrator sets up a cross-domain node in an edge cloud center EC of its domain, constructs an inter-domain identity authentication block chain IA_BC and sets up a cross-domain service;
the data owner encrypts the shared data M with a symmetric key K_S, uploads it to the edge cloud center EC and obtains a data storage address returned by the edge cloud center EC;
the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the ciphertext to a data access block chain DA_BC in the domain where the data owner is located;
the inter-domain identity authentication block chain IA_BC authenticates a data user using the attribute information and public and private key information of the data user and issues a cross-domain certificate Cert(L);
the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M according to the symmetric key K_S and the data storage address of the target domain.
2. The method according to claim 1, wherein the process in which the data owner registers with the trusted center TC in its domain using its attribute information and obtains public and private key information comprises:
the data owner sends the owner attributes to the trusted center TC in its domain and sends a registration request to the trusted center TC;
the trusted center TC generates a public key PK and a private key MK according to the owner attributes of the data owner and returns the public key PK to the data owner.
3. The method of claim 2, wherein the process in which each domain administrator sets up a cross-domain node in the edge cloud center EC of its domain, constructs the inter-domain identity authentication block chain IA_BC and sets up the cross-domain service comprises:
each domain administrator sets up the cross-domain node of its domain;
the inter-domain identity authentication block chain IA_BC is constructed between the edge cloud centers EC of the domains, with the cross-domain node of each domain acting as an inter-domain block chain node;
the attribute mapping between domains and the smart contracts of the cross-domain identity authentication service are set up to complete the establishment of the cross-domain service.
4. The method of claim 3, wherein the process in which the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the ciphertext to the data access block chain DA_BC in the domain of the data owner comprises:
the data owner performs the non-compute-intensive part of the encryption of the symmetric key K_S and the data storage address to generate a ciphertext CT_NCI;
the edge cloud center EC performs the compute-intensive part of the encryption of the symmetric key K_S and the data storage address to generate a ciphertext CT_CI and returns the ciphertext CT_CI to the data owner;
the data owner generates a ciphertext CT from the ciphertext CT_NCI and the ciphertext CT_CI and uploads the ciphertext CT to the data access block chain DA_BC in the domain of the data owner.
5. The method of claim 4, wherein the process in which the inter-domain identity authentication block chain IA_BC authenticates the data user using the attribute information and public and private key information of the data user and issues the cross-domain certificate Cert(L) comprises:
the data user sends its user attributes and public and private key information to a certificate authority CA;
the certificate authority CA issues an attribute certificate Cert(R) according to the user attributes and public and private key information of the data user;
the data user uses the attribute certificate Cert(R) to send a cross-domain request to the edge cloud center EC in its domain, the cross-domain request containing target domain information;
the edge cloud center EC determines the access type from the target domain information;
when the access type is inter-domain access, the inter-domain identity authentication block chain IA_BC verifies the validity of the attribute certificate Cert(R);
after the validity of the attribute certificate Cert(R) is successfully verified, the inter-domain identity authentication block chain IA_BC performs attribute conversion between the domain where the data user is located and the target domain according to the attribute mapping between the domains, and generates the cross-domain certificate Cert(L).
6. The method according to claim 5, wherein, when the validity check of the attribute certificate Cert(R) fails, the inter-domain identity authentication block chain IA_BC sends an indication of illegal operation to the data user.
7. The method according to claim 5, wherein the process in which the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M according to the symmetric key K_S and the data storage address of the target domain comprises:
the trusted center TC of the target domain generates the attribute keys SK_r and SK_v of the data user from the cross-domain certificate Cert(L), and the edge cloud center EC of the target domain generates the attribute key SK_u of the data user from the cross-domain certificate Cert(L);
the trusted center TC of the target domain obtains an attribute key SK1 from the attribute keys SK_r, SK_v and SK_u and sends the attribute key SK1 to the data user;
the inter-domain identity authentication block chain IA_BC sends a data access request to the data access block chain DA_BC of the target domain through the edge cloud center EC of the target domain;
according to the data access request, the data access block chain DA_BC sends the ciphertext CT of the symmetric key K_S and the data storage address to the data user;
the data user decrypts the ciphertext CT with the attribute key SK1 to obtain the symmetric key K_S of the target domain and the plaintext of the data storage address;
the ciphertext of the shared data M is obtained from the data storage address of the target domain and decrypted with the symmetric key K_S of the target domain to obtain the plaintext of the shared data M.
8. The method according to claim 7, wherein the process in which the data user decrypts the ciphertext CT with the attribute key SK1 to obtain the symmetric key K_S of the target domain and the plaintext of the data storage address comprises:
the edge cloud center EC of the domain where the data user is located decrypts the ciphertext CT with the attribute key SK_u to obtain an intermediate ciphertext PT_CI;
the data user decrypts the intermediate ciphertext PT_CI with the attribute key SK1 to obtain the symmetric key K_S of the target domain and the plaintext of the data storage address.
9. The method according to claim 7, wherein, when the access type is intra-domain access, the trusted center TC of the domain where the data user is located generates an attribute key SK2 from the attribute certificate Cert(R), and the data user decrypts the ciphertext CT stored in the intra-domain data access block chain DA_BC with the attribute key SK2 to obtain the symmetric key K_S and the plaintext of the data storage address.
10. A block chain-based cross-domain access control system in an edge computing environment, the system comprising a trusted center TC, an edge cloud center EC, an inter-domain identity authentication block chain IA_BC and a data access block chain DA_BC;
a data owner registers with the trusted center TC in its domain using its attribute information and obtains public and private key information;
each domain administrator sets up a cross-domain node in the edge cloud center EC of its domain, constructs the inter-domain identity authentication block chain IA_BC and sets up a cross-domain service;
the data owner encrypts the shared data M with a symmetric key K_S, uploads it to the edge cloud center EC and obtains a data storage address returned by the edge cloud center EC;
the data owner and the edge cloud center EC jointly encrypt the symmetric key K_S and the data storage address and upload the ciphertext to the data access block chain DA_BC in the domain where the data owner is located;
the inter-domain identity authentication block chain IA_BC authenticates a data user using the attribute information and public and private key information of the data user and issues a cross-domain certificate Cert(L);
the data user accesses the data access block chain DA_BC in the target domain through the cross-domain certificate Cert(L), obtains the symmetric key K_S and the data storage address of the target domain, and obtains the plaintext of the shared data M according to the symmetric key K_S and the data storage address of the target domain.
CN202210559425.0A 2022-05-23 2022-05-23 Block chain-based cross-domain access control method and system in edge computing environment Pending CN114866328A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210559425.0A CN114866328A (en) 2022-05-23 2022-05-23 Block chain-based cross-domain access control method and system in edge computing environment

Publications (1)

Publication Number Publication Date
CN114866328A true CN114866328A (en) 2022-08-05

Family

ID=82638363

Country Status (1)

Country Link
CN (1) CN114866328A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115396229A (en) * 2022-09-01 2022-11-25 西安电子科技大学 Cross-domain resource isolation sharing system based on block chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933033A (en) * 2019-10-27 2020-03-27 西安电子科技大学 Cross-domain access control method for multiple Internet of things domains in smart city environment
CN112532591A (en) * 2020-11-06 2021-03-19 西安电子科技大学 Cross-domain access control method, system, storage medium, computer equipment and terminal
CN113364735A (en) * 2021-05-01 2021-09-07 西安电子科技大学 Data cross-link access control method, system, equipment and terminal under multi-link scene
CN113507370A (en) * 2021-06-24 2021-10-15 西南林业大学 Forestry Internet of things equipment authorization authentication access control method based on block chain
CN113676447A (en) * 2021-07-12 2021-11-19 海南大学 Block chain-based scientific and technological service platform cross-domain identity authentication scheme

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination