CN114978578A - Data unauthorized access control method and device based on attribute key derivation - Google Patents

Data unauthorized access control method and device based on attribute key derivation Download PDF

Info

Publication number
CN114978578A
CN114978578A CN202210360031.2A CN202210360031A CN114978578A CN 114978578 A CN114978578 A CN 114978578A CN 202210360031 A CN202210360031 A CN 202210360031A CN 114978578 A CN114978578 A CN 114978578A
Authority
CN
China
Prior art keywords
key
access control
department
node
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210360031.2A
Other languages
Chinese (zh)
Other versions
CN114978578B (en
Inventor
李�荣
张华�
周国浩
韩昊轩
丁旋
王延昭
唐华云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Bond Jinke Information Technology Co ltd
Tsinghua University
Original Assignee
China Bond Jinke Information Technology Co ltd
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Bond Jinke Information Technology Co ltd, Tsinghua University filed Critical China Bond Jinke Information Technology Co ltd
Priority to CN202210360031.2A priority Critical patent/CN114978578B/en
Publication of CN114978578A publication Critical patent/CN114978578A/en
Application granted granted Critical
Publication of CN114978578B publication Critical patent/CN114978578B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data unauthorized access control method and a device based on attribute key derivation, wherein the method comprises the following steps: sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system; if the current organization node is the organization root node, generating a department key of the next department node according to the organization key, the access control parameter of the next department node and the access control parameter of the current organization node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user. The method can realize the unauthorized access control of the data, prevent the risk of data leakage on the chain caused by the redundant authority or the unauthorized access of the user and the like, and improve the safety of the data on the chain.

Description

Data unauthorized access control method and device based on attribute key derivation
Technical Field
The invention relates to the field of data security, in particular to a data unauthorized access control method and device based on attribute key derivation.
Background
In the financial field, after the financial data is linked, the monitoring organization can directly access the data by means of the block chain to improve the monitoring efficiency. The safe and credible characteristic of the block chain enables the block chain to have a wide application scene in the financial industry, but some sensitive private data are not suitable for being disclosed to all people. That is, specific data can only be accessed by a person having access rights. The financial industry has high requirements on data privacy protection, data rights and interests guarantee and the like, and therefore fine-grained access control needs to be carried out on data.
By using attribute encryption, a fine-grained data security access control mechanism can be realized, field-level authorization of private data is realized, and for example, private data fields such as effective support price can be accessed only by a user with specific authorization. And selective disclosure of data is achieved so that the data encrypted on the chain can be made available to a user with a specified authority. On the basis of attribute encryption, a mechanism for effectively controlling data unauthorized is still needed to realize authority control, reduce redundant authority and prevent the problem of data leakage on a link caused by unauthorized.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a data unauthorized access control method and device based on attribute key derivation, which respectively realize key derivation schemes of KP-ABE and CP-ABE so as to adapt to more application scenes.
The invention provides a data unauthorized access control method based on attribute key derivation, which comprises the following steps: sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system; if the mechanism root node is the mechanism root node, generating a department key of the next department node according to the mechanism key, the access control parameter of the next department node and the access control parameter of the current mechanism node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
According to the data unauthorized access control method based on attribute key derivation provided by the invention, if the current node is a department node, the key of the next department is generated according to the department key of the current department, the access control parameter of the current department and the access control parameter of the next department.
According to the data unauthorized access control method based on attribute key derivation provided by the invention, the key attribute comprises the key validity time, and the method further comprises the following steps: if the current node is a mechanism root node or an intermediate department node, after the key validity time of the subordinate node is detected to be overtime, the subordinate department key is regenerated and sent to the subordinate department node; and if the user private key of the belonging user is detected to be overtime, regenerating the user private key and sending the user private key to the user terminal.
According to the data unauthorized access control method based on attribute key derivation, provided by the invention, if the data unauthorized access control method is a CP-ABE encryption mode, the access control parameters are attribute sets, and if the data unauthorized access control method is a KP-ABE encryption mode, the access control parameters are access strategy parameters.
The invention provides a data unauthorized access control method based on attribute key derivation, which comprises the following steps: receiving all mechanism access control parameters sent by any node newly added to the mechanism; generating an organization key according to all access control parameters of the organization by combining public parameters of the blockchain system and a master key of the blockchain system; sending the mechanism key to a mechanism root node newly added to the mechanism, so that the mechanism root node generates a department key of a lower department node according to the mechanism key, the access control parameter of the lower department node and the access control parameter of the current mechanism node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
According to the data unauthorized access control method based on attribute key derivation provided by the invention, if the effective time of the mechanism key is detected to be overtime, the mechanism key is regenerated according to all access control parameters which are sent by the mechanism most recently and by combining the public parameters of the blockchain system and the master key of the blockchain system, and the updated mechanism key is sent to the mechanism root node.
The invention also provides a data unauthorized access control device based on attribute key derivation, which comprises: the system comprises a sending module, a receiving module and a sending module, wherein the sending module is used for sending all access control parameters of a mechanism, and the access control parameters of the mechanism are used for generating a mechanism key by a blockchain network according to an access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system; the processing module is used for generating a department key of a lower department node according to the organization key, the access control parameter of the lower department node and the access control parameter of the current organization node if the organization node is the organization root node;
and after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The invention also provides a data unauthorized access control device based on attribute key derivation, which comprises: the receiving module is used for receiving all mechanism access control parameters sent by any node newly added to the mechanism; the processing module is used for generating an organization key according to all access control parameters of the organization by combining public parameters of the blockchain system and a master key of the blockchain system; the sending module is used for sending the mechanism key to a mechanism root node of a newly added mechanism for the mechanism root node, and generating a department key of a lower department node according to the mechanism key, an access control parameter of the lower department node and an access control parameter of a current mechanism node; and after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the data unauthorized access control method based on attribute key derivation.
The present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method for attribute key derivation-based data unauthorized access control as described in any of the above.
The present invention also provides a computer program product comprising a computer program which, when executed by a processor, implements a method for controlling unauthorized access to data based on attribute key derivation as described in any of the above.
According to the data unauthorized access control method and device based on attribute key derivation, the attribute set corresponding to the private key is strictly decreased, the access control parameters (such as attributes) in attribute encryption correspond to the access strategy, when the access control parameters corresponding to the private key are reduced, the satisfied access structure is reduced, so that the user authority is ensured to be smaller than the mechanism authority, the unauthorized access control of the data is finally realized, the risk of data leakage on a chain caused by user redundancy authority or unauthorized and the like is prevented, and the safety of the data on the chain is improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a data unauthorized access control method based on attribute key derivation according to the present invention;
fig. 2 is a second schematic flowchart of the data unauthorized access control method based on attribute key derivation according to the present invention;
FIG. 3 is a schematic diagram of access policy in KP-ABE key provided by the present invention;
FIG. 4 is a schematic diagram of an access tree with restrictions added to KP-ABE keys provided by the present invention;
FIG. 5 is a schematic diagram of a KP-ABE key source access tree provided by the present invention;
FIG. 6 is a schematic diagram of a KP-ABE key trapdoor threshold access tree provided by the present invention;
FIG. 7 is a schematic diagram of a KP-ABE key pruning subtree provided by the present invention;
FIG. 8 is a schematic diagram of a KP-ABE key addition sub-tree provided by the present invention;
FIG. 9 is a schematic structural diagram of a data unauthorized access control device derived based on an attribute key according to the present invention;
fig. 10 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The access authority control is carried out by using attribute-based encryption, and the issue of distributing the secret key is well processed to prevent unauthorized access, because the attribute owned by the user determines the access authority of the user. In CP-ABE, the user's attributes are directly embedded in the key; for KP-ABE, the key stores access tree, which can decide which data the user can access, so that the access tree can be regarded as a special attribute to describe the whole process uniformly.
The method and apparatus for controlling unauthorized access to data based on attribute key derivation according to the present invention will be described with reference to fig. 1-10. Fig. 1 is a schematic flow chart of a data unauthorized access control method based on attribute key derivation according to the present invention, and as shown in fig. 1, the data unauthorized access control method based on attribute key derivation according to the present invention includes:
101. and sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining the public parameters of the blockchain system and the master key of the blockchain system.
The embodiment of the invention can be applied to attribute encryption modes such as CP-ABE, KP-ABE and the like. The overall flow of multi-level access control is shown in fig. 2, and the core problem to be solved by multi-level access control is key hierarchical derivation. The invention adopts a hierarchical structure of 'organization key center → middle department of organization → user'.
An organization key center: for each company, there is an organization key center, and the organization root node may be a node of the organization key center. When a company or an organization applies for adding a block chain, an organization key is generated by the block chain system according to access control parameters (in a CP-ABE encryption mode, the access control parameters are attribute information) of the organizations such as the company or the organization, so that the access rights of different organizations are different.
The middle department of the organization: for the inside of the organization, it can be more finely divided hierarchically, such as "company → department → user", and each key of the lower hierarchy is assigned by the upper level. The user: the user is the lowest level of the hierarchical architecture, and the key of the user is distributed by the direct department.
In 101, all access control parameters of an organization may be sent to the blockchain network by any node of the organization, or by a root node of the organization, to indicate that the organization needs to join the blockchain network. Alternatively, the request information for joining the blockchain network may be additionally transmitted, and all the access control parameters of the mechanism may be simultaneously transmitted. The access control parameter is a parameter corresponding to which data can be accessed by a mechanism, and in a CP-ABE encryption mode, the access control parameter is attribute information.
Taking CP-ABE encryption mode as an example, after receiving a request of a newly-added mechanism needing to join the network, the block chain network collects S according to the attribute of the mechanism org Public parameter PK of the block chain network and system master key MK of the block chain network, and output mechanism master key:
SK org ←OrgKeyGen(MK,PK,S org )
wherein S is org Set of attributes representing an organization, SK org Indicating the organization key to which the organization corresponds.
102. And if the current node is the organization root node, generating a department key of the next department node according to the organization key, the access control parameter of the next department node and the access control parameter of the current organization node.
And after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
And the internal hierarchy of the organization is divided, the hierarchy is divided in the organization, the access authority is reduced step by step, and even if the organization is under the same organization, the access authority is different. Part of the (n-1) (n is a positive integer, and the organization root node can be regarded as a department of the 0 th layer)The gate executes the algorithm, and can generate the key of the n-th layer department, and the input of the algorithm is the key SK of the n-1-th layer department n-1 Attribute set S n-1 And attribute set S of nth layer department n The output is the secret key SK of the nth layer department n
SK n ←MidKeyGen(SK n-1 ,S n-1 ,S n )
SK n Key, S, representing the current department n Set of attributes, S, representing the current department n-1 Set of attributes, SK, representing superior departments n-1 Key representing superior department, satisfies
Figure BDA0003583456350000071
When the user terminal applies for joining the block chain, the user directly belongs to the organization to execute, input the attribute set of the user, output the private key of the user, and send to the user:
SK user ←UserKeyGen(SK org ,S org ,S user )
S user representing a set of attributes of a user, satisfy
Figure BDA0003583456350000072
SK user Key representing a user, S org Set of attributes, SK, representing the department of the user org A department key representing the department of the user.
The invention adopts a hierarchical structure of 'organization key center → middle department of organization → user'. For each organization, the organization key center is the topmost key organization, only one, and the middle departments of the organization can have multiple layers, and the users are the last layer. The core method is hierarchical attribute encryption, when a key center of a certain hierarchy distributes keys for the next hierarchy, a private key of the current hierarchy and an attribute set of the next hierarchy are input, and the attribute contained in the attribute set must be contained in the attribute used when the current private key is generated, and is output as the private key of the next-level department.
According to the data unauthorized access control method based on attribute key derivation, provided by the invention, the attribute set corresponding to the private key is strictly decreased, the access control parameters (such as attributes) in attribute encryption correspond to the access strategy, and when the access control parameters corresponding to the private key are reduced, the satisfied access structure is reduced, so that the user authority is ensured to be smaller than the mechanism authority, the unauthorized access control of the data is finally realized, the risk of data leakage on a chain caused by user redundancy authority or unauthorized and the like is prevented, and the safety of the data on the chain is improved.
In one embodiment, if the current node is a department node, the key of the next department is generated according to the department key of the current department, the access control parameter of the current department and the access control parameter of the next department.
Specifically, if the current terminal node is a terminal node in the department, such as a layer n-1 department, the current terminal node is based on the key SK of the current department, i.e., the layer n-1 department n-1 And a current department attribute set S n-1 Attribute set S of nth level department n Generating a key SK for a subordinate department, i.e., an nth-level department n . The generation of the private key of the user can be seen in the above embodiments. The invention reduces the access authority level by dividing the hierarchy in the organization, even if the organization under the same organization has different access authority.
In one embodiment, the key attribute includes a key validity time, and the method further includes: if the current node is a mechanism root node or an intermediate department node, after the key validity time of the subordinate node is detected to be overtime, the subordinate department key is regenerated and sent to the subordinate department node; and if the overtime of the private key of the user is detected, regenerating the private key of the user and sending the private key to the user terminal.
Specifically, the key validity time is used for re-distribution of keys that expire after the validity time is exceeded. For example, the KP-ABE derived key can also be updated with its validity time, all keys including the organization key and the department key can be set with validity time, and the key validity time is redistributed by the upper level after the key validity time expires. Wherein the validity time of the derived key does not exceed the validity time of the superior key. Namely, the current node is an organization root node, and after detecting that the validity time of the department key of the lower department node is overtime, the latest department key of the lower department node is generated according to the latest organization key, the access control parameter of the lower department node and the access control parameter of the current organization node. And if the current node is a department node, after detecting that the valid time of the department key of the current department node is overtime, generating the key of the current department according to the latest department key of the superior department, the access control parameter of the superior department and the access control parameter of the current department. If the current node is a department node, and after detecting that the valid time of the user private key of the current department user is overtime, generating the latest user private key according to the latest department key of the current department, the access control parameter of the current department and the access control parameter of the user, and sending the latest user private key to the user.
In one embodiment, if the CP-ABE encryption mode is used, the access control parameter is an attribute set, and if the CP-ABE encryption mode is used, the access control parameter is an access policy parameter. The above embodiment has been described by taking the CP-ABE encryption method as an example, and the KP-ABE encryption method is taken as an example and is described with reference to the scheme of the above embodiment.
In the KP-ABE key derivation scheme, the access rights of a user are determined by the access policy embedded in the key. In contrast to CP-ABE, embedded in KP-ABE keys is an access policy, so the keys should be derived by adding access restrictions. Fig. 3 shows that a user can access data with "ID ═ 1, level > 3" or "ID ═ 3", the access policy can be regarded as an N-ary tree, the leaf nodes represent attributes, the non-leaf nodes can be regarded as a trapdoor, and the trapdoor is valid only when the child nodes meet the access requirements.
In the non-leaf node shown in FIG. 3, "2/2" indicates that the node has two child nodes that meet the requirement only if both children meet the requirement; similarly, "1/2" indicates that the current node can satisfy the requirement as long as one child node satisfies the requirement, and the user has the right to access the data only when the access requirement of the root node is satisfied.
It can be seen that when the restriction condition of the access tree is increased, the authority of the user is correspondingly reduced.
As shown in fig. 4, we add a condition of "level > 2" to the access policy shown in fig. 3, and the user changes from being able to access data with "ID-3" to being able to access only data with "ID-3" and "level > 2". By adding the restriction conditions of the access tree, the access rights of the user can be reduced.
The procedure of KP-ABE key derivation based on the above embodiment is as follows:
the key derivation scheme of KP-ABE is illustrated by way of example in fig. 5. Fig. 5 shows the access policy embedded by the original key, fig. 6 and 7 show two different derived keys, the white boxes in italics identify the differences between the derived and original keys. Leaf nodes represent attributes, represented by circles; the non-leaf nodes represent threshold requirements, represented by rectangles.
The derived key represented in fig. 6 has no truncated attributes relative to the original key, but adds a threshold requirement for a non-leaf node, changed from "1/2" to "2/2", which modification allows the access requirement to be satisfied by all child nodes only if the nodes satisfy the access requirement.
The key represented in figure 7 has a partial subtree deleted compared to the original key, but at the same time the threshold requirements of the parent of the deleted part have been modified from "1/2" to "1/1", in such a way that the access policy changes from requiring only any one child node to meet the requirements to a certain child node that must meet the requirements, i.e. the access policy becomes more restrictive, and the right to derive the key is smaller compared to the original key.
The key shown in fig. 8 is added with an access sub-tree compared with the original key, and the threshold of the parent node of the root node of the sub-tree is modified from "1/1" to "2/2", only when the original child nodes of the new sub-tree and the parent node of the new sub-tree are both satisfied, the parent node of the new sub-tree can satisfy the access requirement, so that the access policy of the new key is stricter than that of the original key. The KP-ABE newly-added subtrees realize key derivation, and key finite period or version limitation can be added to the derived keys to realize fine-grained access control.
The procedure for KP-ABE key derivation is as follows: and (4) initializing the system, and setting a security parameter lambda of the master key center by a system administrator.
An initialization algorithm Setup () that may be run by a system administrator, inputs security parameters, outputs system public parameters PK and system master key MK:
(PK,MK)←Setup(λ)
λ represents an implicit security parameter, PK, MK will be used for subsequent intermediary key generation.
And the organization master key generation algorithm is executed by a system administrator. Inputting mechanism access policy P when new company or organization applies for joining block chain org Public parameter PK and system master key MK, export authority master key:
SK org ←OrgKeyGen(PK,MK,P org )
P org representing an access policy, SK, of an organization org Representing the key to which the organization corresponds.
The internal hierarchy of the organization is divided, the hierarchy is divided in the organization, the access authority is reduced step by step, and even if the organization is under the same organization, the access authority is different; the department at the n-1 layer executes the algorithm, and a key of the n-1 layer department can be generated, and the input of the algorithm is the key SK of the n-1 layer department n-1 Access policy P n-1 And access policy P of nth layer department n The output is the secret key SK of the nth layer department n
SK n ←MidKeyGen(SK n-1 ,P n-1 ,P n )
SK n Key, P, representing the current institution n Access policy, p, indicating the current institution n-1 Represents the access policy of the upper level organization and satisfies
Figure BDA0003583456350000111
The user private key generation algorithm is executed by a user direct mechanism when a user applies to join the block chain, inputs the access strategy of the user, outputs the user private key and sends the user private key to the user:
SK user ←UserKeyGen(SK org ,p org ,p Iser )
S user representing the access policy of the user, satisfy
Figure BDA0003583456350000112
SK user Representing the user's key.
In the invention, the access authority of the user corresponds to the attribute owned by the user, and the attribute is embedded into the private key, so that the problem of unauthorized access control of data is converted into a key derivation problem. Flexible and safe data unauthorized access control is realized through hierarchical step-by-step key derivation. The scheme is characterized in that:
the security is realized, the key mechanism at the upper stage distributes keys for the key mechanism at the lower stage, the attribute set corresponding to the keys is gradually decreased, and the corresponding data access authority is also gradually decreased, so that the authority of the user cannot exceed the organization to which the user belongs, and the unauthorized access can be prevented.
The mechanism is flexible, flexible hierarchical division can be performed inside the mechanism, the attribute is the core of attribute-based encryption, different access authorities can be given to users by combining different attribute sets, and therefore flexible fine-grained authority access control is achieved.
The invention also provides a data unauthorized access control method based on attribute key derivation, which comprises the following steps: receiving all mechanism access control parameters sent by any node newly added to the mechanism; generating an organization key according to all access control parameters of the organization by combining public parameters of the blockchain system and a master key of the blockchain system; sending the mechanism key to a mechanism root node newly added to the mechanism, so that the mechanism root node generates a department key of a lower department node according to the mechanism key, the access control parameter of the lower department node and the access control parameter of the current mechanism node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The embodiment of the invention takes the existing node in the block chain network as an execution main body, receives all access control parameters of the newly added mechanism node, and can also receive a request message from the mechanism. The existing node generates an organization key according to all access control parameters of the organization and by combining public parameters of the blockchain system and a master key of the blockchain system. Wherein the implementation can be based on a consensus mechanism. For other specific steps, reference may be made to the above embodiment in which a node in a mechanism is taken as an execution subject, and details are not described here.
In the above embodiment, before receiving all the access control parameters of the mechanism sent by any node newly joining the mechanism, the method further includes: and determining the public parameter and the master key according to the security parameter of the blockchain network.
Namely, for the blockchain system, the input security parameter λ, the output system public parameter PK and the system master key MK:
(PK,MK)←Setup(λ)
λ represents an implicit security parameter, PK, MK will be used for subsequent authority key generation, and the subsequent steps can be seen in the above embodiments with authority nodes as the execution subject.
In the above embodiment, if it is detected that the valid time of the mechanism key is overtime, the mechanism key is regenerated according to all the access control parameters that are newly sent by the mechanism, in combination with the public parameter of the blockchain system and the master key of the blockchain system, and the updated mechanism key is sent to the mechanism root node.
Specifically, after the organization key expires, the blockchain network generates a new organization key according to the latest access control parameter set of the organization, by combining the public parameters of the blockchain system and the master key of the blockchain system, and sends the new organization key to the organization root node. And the organization root node distributes the key to the lower department according to the latest organization key. By the method, the safety of the secret key is further guaranteed.
The following describes the data unauthorized access control device based on attribute key derivation according to the present invention, and the data unauthorized access control device based on attribute key derivation described below and the data unauthorized access control method based on attribute key derivation described above may be referred to in correspondence with each other.
Fig. 9 is a schematic structural diagram of a data unauthorized access control device derived based on an attribute key according to the present invention, and as shown in fig. 9, the data unauthorized access control device derived based on the attribute key includes: a sending module 901 and a processing module 902. The sending module 901 is configured to send all access control parameters of an organization, where the access control parameters of the organization are used for generating an organization key by the blockchain network according to the access control parameter set of the organization in combination with a public parameter of the blockchain system and a master key of the blockchain system; if the processing module 902 is an organization root node, a department key of a next department node is generated according to the organization key, an access control parameter of the next department node and an access control parameter of a current organization node; and after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The invention also provides a data unauthorized access control device based on attribute key derivation, which comprises: the receiving module is used for receiving all mechanism access control parameters sent by any node newly added to the mechanism; the processing module is used for generating an organization key according to all access control parameters of the organization by combining public parameters of the blockchain system and a master key of the blockchain system; the sending module is used for sending the mechanism key to a mechanism root node of a newly added mechanism for the mechanism root node, and generating a department key of a lower department node according to the mechanism key, an access control parameter of the lower department node and an access control parameter of a current mechanism node; and after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The device embodiment provided in the embodiments of the present invention is for implementing the above method embodiments, and for details of the process and the details, reference is made to the above method embodiments, which are not described herein again.
The data unauthorized access control device derived based on the attribute key provided by the embodiment of the present invention has the same implementation principle and technical effect as the data unauthorized access control method derived based on the attribute key, and for the sake of brief description, reference may be made to the corresponding contents in the data unauthorized access control method derived based on the attribute key, where the embodiment of the data unauthorized access control device derived based on the attribute key is not mentioned in part.
Fig. 10 is a schematic structural diagram of an electronic device provided in the present invention, and as shown in fig. 10, the electronic device may include: a processor (processor)1001, a communication Interface (communication Interface)1002, a memory (memory)1003 and a communication bus 1004, wherein the processor 1001, the communication Interface 1002 and the memory 1003 complete communication with each other through the communication bus 1004. Processor 1001 may call logic instructions in memory 1003 to perform a data override access control method based on attribute key derivation, the method comprising: sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system; if the mechanism root node is the mechanism root node, generating a department key of the next department node according to the mechanism key, the access control parameter of the next department node and the access control parameter of the current mechanism node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
In addition, the logic instructions in the memory 1003 may be implemented in the form of software functional units and may be stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention further provides a computer program product, the computer program product including a computer program, the computer program being stored on a non-transitory computer-readable storage medium, wherein when the computer program is executed by a processor, the computer is capable of executing the method for controlling unauthorized access to data based on derivation of an attribute key, the method including: sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system; if the mechanism root node is the mechanism root node, generating a department key of the next department node according to the mechanism key, the access control parameter of the next department node and the access control parameter of the current mechanism node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method for controlling unauthorized access to data based on derivation of attribute keys provided by the methods described above, the method comprising: sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system; if the mechanism root node is the mechanism root node, generating a department key of the next department node according to the mechanism key, the access control parameter of the next department node and the access control parameter of the current mechanism node; and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A data unauthorized access control method based on attribute key derivation is characterized by comprising the following steps:
sending all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system;
if the current node is an organization root node, generating a department key of a next department node according to the organization key, the access control parameter of the next department node and the access control parameter of the current organization node;
and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
2. The data unauthorized access control method based on attribute key derivation according to claim 1, wherein if the current node is a department node, a key of a lower department is generated based on a department key of the current department, an access control parameter of the current department, and an access control parameter of the lower department.
3. The method of claim 2, wherein the key attribute includes a key validity time, the method further comprising:
if the current node is a mechanism root node or an intermediate department node, after the key validity time of the subordinate node is detected to be overtime, the subordinate department key is regenerated and sent to the subordinate department node;
and if the user private key of the belonging user is detected to be overtime, regenerating the user private key and sending the user private key to the user terminal.
4. The method according to claim 1, wherein the access control parameter is an attribute set in case of a CP-ABE encryption scheme, and the access control parameter is an access policy parameter in case of a KP-ABE encryption scheme.
5. A data unauthorized access control method based on attribute key derivation is characterized by comprising the following steps:
receiving all mechanism access control parameters sent by any node newly added to the mechanism;
generating an organization key according to all access control parameters of the organization by combining public parameters of the blockchain system and a master key of the blockchain system;
sending the mechanism key to a mechanism root node newly added to the mechanism, so that the mechanism root node generates a department key of a next department node according to the mechanism key, an access control parameter of the next department node and an access control parameter of a current mechanism node;
and after receiving a request for adding the current department user terminal into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
6. The attribute key derivation-based data unauthorized access control method according to claim 1, further comprising:
and if the effective time of the mechanism key is detected to be overtime, the mechanism key is regenerated according to all the access control parameters which are sent by the mechanism latest and by combining the public parameters of the blockchain system and the master key of the blockchain system, and the updated mechanism key is sent to the mechanism root node.
7. An attribute key derivation-based data unauthorized access control device, comprising:
the system comprises a sending module, a receiving module and a sending module, wherein the sending module is used for sending all access control parameters of a mechanism, and the access control parameters of the mechanism are used for generating a mechanism key by a blockchain network according to an access control parameter set of the mechanism by combining public parameters of a blockchain system and a master key of the blockchain system;
the processing module is used for generating a department key of a lower department node according to the organization key, the access control parameter of the lower department node and the access control parameter of the current organization node if the organization root node is the organization root node;
and after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
8. An attribute key derivation-based data unauthorized access control device, comprising:
the receiving module is used for receiving all mechanism access control parameters sent by any node newly added to the mechanism;
the processing module is used for generating an organization key according to all access control parameters of the organization by combining public parameters of the blockchain system and a master key of the blockchain system;
the sending module is used for sending the mechanism key to a mechanism root node of a newly added mechanism for the mechanism root node, and generating a department key of a lower department node according to the mechanism key, an access control parameter of the lower department node and an access control parameter of a current mechanism node;
and after receiving a request for adding the current department user into the block chain, generating a user private key according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the attribute key derivation-based data unauthorized access control method according to any one of claims 1 to 6 when executing the program.
10. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method for attribute key derivation-based data unauthorized access control as recited in any one of claims 1 to 6.
CN202210360031.2A 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation Active CN114978578B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210360031.2A CN114978578B (en) 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210360031.2A CN114978578B (en) 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation

Publications (2)

Publication Number Publication Date
CN114978578A true CN114978578A (en) 2022-08-30
CN114978578B CN114978578B (en) 2023-09-19

Family

ID=82977839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210360031.2A Active CN114978578B (en) 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation

Country Status (1)

Country Link
CN (1) CN114978578B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
WO2016197769A1 (en) * 2015-06-12 2016-12-15 深圳大学 Cloud storage ciphertext access control system based on table attributes
WO2016197770A1 (en) * 2015-06-12 2016-12-15 深圳大学 Access control system and access control method thereof for cloud storage service platform
KR20190012969A (en) * 2017-07-31 2019-02-11 서강대학교산학협력단 Data access management system based on blockchain and method thereof
CN110113156A (en) * 2019-04-30 2019-08-09 福建师范大学 A kind of traceable layering authorizes ciphertext policy ABE base authentication method more
CN111371561A (en) * 2020-02-27 2020-07-03 华信咨询设计研究院有限公司 Alliance block chain data access control method based on CP-ABE algorithm
US20200404023A1 (en) * 2017-11-09 2020-12-24 University Of Science & Technology Beijing Method and system for cryptographic attribute-based access control supporting dynamic rules
CN112187454A (en) * 2020-09-14 2021-01-05 国网浙江省电力有限公司信息通信分公司 Key management method and system based on block chain
US20210297268A1 (en) * 2020-03-19 2021-09-23 Jinan University Method and system for secure blockchain-based vehicular digital forensics
CN113595735A (en) * 2021-07-12 2021-11-02 中债金科信息技术有限公司 Supervised privacy protection block chain crossing system based on CP-ABE
US20210344485A1 (en) * 2020-05-01 2021-11-04 Microsoft Technology Licensing, Llc Label-based double key encryption
CN114050915A (en) * 2021-10-25 2022-02-15 安徽中科晶格技术有限公司 Fine-grained permission access synchronization method, device and equipment under isolated network

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
WO2016197769A1 (en) * 2015-06-12 2016-12-15 深圳大学 Cloud storage ciphertext access control system based on table attributes
WO2016197770A1 (en) * 2015-06-12 2016-12-15 深圳大学 Access control system and access control method thereof for cloud storage service platform
KR20190012969A (en) * 2017-07-31 2019-02-11 서강대학교산학협력단 Data access management system based on blockchain and method thereof
US20200404023A1 (en) * 2017-11-09 2020-12-24 University Of Science & Technology Beijing Method and system for cryptographic attribute-based access control supporting dynamic rules
CN110113156A (en) * 2019-04-30 2019-08-09 福建师范大学 A kind of traceable layering authorizes ciphertext policy ABE base authentication method more
CN111371561A (en) * 2020-02-27 2020-07-03 华信咨询设计研究院有限公司 Alliance block chain data access control method based on CP-ABE algorithm
US20210297268A1 (en) * 2020-03-19 2021-09-23 Jinan University Method and system for secure blockchain-based vehicular digital forensics
US20210344485A1 (en) * 2020-05-01 2021-11-04 Microsoft Technology Licensing, Llc Label-based double key encryption
CN112187454A (en) * 2020-09-14 2021-01-05 国网浙江省电力有限公司信息通信分公司 Key management method and system based on block chain
CN113595735A (en) * 2021-07-12 2021-11-02 中债金科信息技术有限公司 Supervised privacy protection block chain crossing system based on CP-ABE
CN114050915A (en) * 2021-10-25 2022-02-15 安徽中科晶格技术有限公司 Fine-grained permission access synchronization method, device and equipment under isolated network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
TAERIM LEE; HO-SE MOON: "Data encryption method using CP-ABE with symmetric key algorithm in blockchain network", 2021 INTERNATIONAL CONFERENCE ON INFORMATION AND COMMUNICATION TECHNOLOGY CONVERGENCE (ICTC) *
WEN-MIN LI,XUE-LEI LI: "flexible CP-ABE based access control on encrypted data for mobile users in hybrid cloud system", SPRINGER *
宋开波;罗军;孙金涛;: "基于CP-ABE算法的云存储数据保护机制", 华中科技大学学报(自然科学版), no. 1 *
邱云翔;张红霞;曹琪;章建聪;陈兴蜀;金泓键;: "基于CP-ABE算法的区块链数据访问控制方案", 网络与信息安全学报, no. 03 *

Also Published As

Publication number Publication date
CN114978578B (en) 2023-09-19

Similar Documents

Publication Publication Date Title
Megouache et al. Ensuring user authentication and data integrity in multi-cloud environment
Tan et al. A blockchain-based access control framework for cyber-physical-social system big data
Huang et al. Survey on securing data storage in the cloud
CN115701301A (en) Integration of blockchains, administrative group permissions, and access in an enterprise environment
US9680649B2 (en) Policy-based key sharing
CN110933093A (en) Block chain data sharing platform and method based on differential privacy protection technology
JP2012523050A (en) Providing access to data items using access graphs
CN109039734B (en) Distributed access control model and access method
CN110635904B (en) Remote attestation method and system for software-defined Internet of things node
Aruna et al. Medical healthcare system with hybrid block based predictive models for quality preserving in medical images using machine learning techniques
CN116680241A (en) Electronic government affair data safe sharing method based on blockchain
CN113949541B (en) DDS (direct digital synthesizer) secure communication middleware design method based on attribute strategy
CN114143072A (en) CP-ABE-based attribute revocation optimization method and system
CN107659567A (en) The ciphertext access control method and system of fine granularity lightweight based on public key cryptosyst
Atallah et al. Key management for non-tree access hierarchies
CN116938521A (en) Distributed digital identity trusted authentication method based on hierarchical storage
CN114978578B (en) Data unauthorized access control method and device based on attribute key derivation
Frikken et al. Key allocation schemes for private social networks
CN112398861B (en) Encryption system and method for sensitive data in web configuration system
Uddin et al. Blockchain and IFPS based Secure System for Managing e-FIR
Gupta et al. Hybrid Multi-User Based Cloud Data Security for Medical Decision Learning Patterns
CN112968904B (en) Block chain data protection method and system
Sellami et al. A verifiable data integrity scheme for distributed data sharing in fog computing architecture
CN112906069B (en) Trusted computing method for blockchain registration management process
CN116155619B (en) Data processing method, data request terminal, data possession terminal and data processing device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant