CN114978578B - Data unauthorized access control method and device based on attribute key derivation - Google Patents

Data unauthorized access control method and device based on attribute key derivation Download PDF

Info

Publication number
CN114978578B
CN114978578B CN202210360031.2A CN202210360031A CN114978578B CN 114978578 B CN114978578 B CN 114978578B CN 202210360031 A CN202210360031 A CN 202210360031A CN 114978578 B CN114978578 B CN 114978578B
Authority
CN
China
Prior art keywords
key
department
node
access control
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210360031.2A
Other languages
Chinese (zh)
Other versions
CN114978578A (en
Inventor
李�荣
张华�
周国浩
韩昊轩
丁旋
王延昭
唐华云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Bond Jinke Information Technology Co ltd
Tsinghua University
Original Assignee
China Bond Jinke Information Technology Co ltd
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Bond Jinke Information Technology Co ltd, Tsinghua University filed Critical China Bond Jinke Information Technology Co ltd
Priority to CN202210360031.2A priority Critical patent/CN114978578B/en
Publication of CN114978578A publication Critical patent/CN114978578A/en
Application granted granted Critical
Publication of CN114978578B publication Critical patent/CN114978578B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data override access control method and device based on attribute key derivation, wherein the method comprises the following steps: transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system; if the node is the organization root node, generating a department key of the lower-level department node according to the organization key, the access control parameter of the lower-level department node and the access control parameter of the current organization node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user. The method can realize the unauthorized access control of the data, prevent the risk of leakage of the data on the chain caused by redundant rights or unauthorized rights of users and the like, and improve the safety of the data on the chain.

Description

Data unauthorized access control method and device based on attribute key derivation
Technical Field
The invention relates to the field of data security, in particular to a data unauthorized access control method and device based on attribute key derivation.
Background
In the financial field, when financial data is up-linked, the supervisory authorities can access the data directly by means of blockchain to improve the supervisory efficiency. The characteristics of block chain security and credibility lead the block chain to have wide application scenes in the financial industry, but certain sensitive privacy data are not suitable for being disclosed to all people, taking the financial industry as an example, after the company data are linked, the confidential data of the company should be qualified to be accessed only by people with management authority of the company. That is, certain data is only accessible to persons having access rights. The finance industry has extremely high requirements on data privacy protection, data rights and interests protection and the like, and for this purpose, fine-grained access control on data is needed.
By using attribute encryption, a fine-grained data security access control mechanism can be realized, field-level authorization of private data is realized, and only specific authorized users can access private data fields such as effective support prices. And enabling selective disclosure of data so that encrypted data on the chain can be opened to a designated authority user. On the basis of attribute encryption, a mechanism for effectively controlling data override is still needed to realize authority control, reduce redundant authority and prevent on-chain data leakage caused by override.
Disclosure of Invention
Aiming at the problems existing in the prior art, the invention provides a data override access control method and device based on attribute key derivation, which respectively realize key derivation schemes of KP-ABE and CP-ABE so as to adapt to more application scenes.
The invention provides a data override access control method based on attribute key derivation, which comprises the following steps: transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system; if the node is the organization root node, generating a department key of the lower-level department node according to the organization key, the access control parameter of the lower-level department node and the access control parameter of the current organization node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
According to the data override access control method based on attribute key derivation, if the current node is a department node, a key of a lower department is generated according to a department key of the current department, access control parameters of the current department and access control parameters of the lower department.
According to the data override access control method based on attribute key derivation, the key attribute comprises key valid time, and the method further comprises: if the current node is a mechanism root node or a middle department node, after detecting that the key effective time of the lower node is overtime, regenerating a lower department key and sending the lower department key to the lower department node; if the user private key of the user is detected to be overtime, the user private key is regenerated and sent to the user terminal.
According to the data override access control method based on the attribute key derivation, if the access control parameter is the attribute set and the access control parameter is the access policy parameter if the access control parameter is the KP-ABE encryption mode.
The invention provides a data override access control method based on attribute key derivation, which comprises the following steps: receiving all access control parameters of a mechanism sent by any node of a new joining mechanism; generating an organization key according to all access control parameters of the organization and combining public parameters of a blockchain system and a master key of the blockchain system; the mechanism key is sent to a mechanism root node of a new joining mechanism, so that the mechanism root node generates a department key of a lower-level department node according to the mechanism key, the access control parameter of the lower-level department node and the access control parameter of the current mechanism node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
According to the data override access control method based on attribute key derivation, if the valid time of the mechanism key is detected to be overtime, the mechanism key is regenerated according to all the latest transmitted access control parameters of the mechanism by combining the public parameters of the blockchain system and the master key of the blockchain system, and the updated mechanism key is transmitted to the mechanism root node.
The invention also provides a data override access control device based on attribute key derivation, comprising: the system comprises a sending module, a mechanism key generation module and a control module, wherein the sending module is used for sending all access control parameters of the mechanism, and the access control parameters of the mechanism are used for a blockchain network to generate the mechanism key according to an access control parameter set of the mechanism and combining public parameters of a blockchain system and a master key of the blockchain system; the processing module generates a department key of the lower department node according to the organization key, the access control parameter of the lower department node and the access control parameter of the current organization node if the organization key is the organization root node;
the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The invention also provides a data override access control device based on attribute key derivation, comprising: the receiving module is used for receiving all access control parameters of the mechanism sent by any node of the new joining mechanism; the processing module is used for generating an organization key according to all access control parameters of the organization and combining public parameters of the blockchain system and a master key of the blockchain system; the sending module is used for sending the mechanism key to a mechanism root node of a new joining mechanism for the mechanism root node, and generating a department key of a lower-level department node according to the mechanism key, the access control parameter of the lower-level department node and the access control parameter of the current mechanism node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor realizes the data override access control method based on the attribute key derivation according to any one of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a data override access control method based on attribute key derivation as described in any of the above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements a data override access control method based on attribute key derivation as described in any one of the above.
According to the attribute key derivation-based data override access control method and device, the attribute set corresponding to the private key is strictly decremented, the access control parameters (such as attributes) in attribute encryption correspond to the access policy, when the access control parameters corresponding to the private key are reduced, the access structure satisfied by the access control parameters is necessarily reduced, so that the user permission is ensured to be smaller than the mechanism permission, the override access control of the data is finally realized, the risk of on-chain data leakage caused by redundant permission or override of the user is prevented, and the safety of the on-chain data is improved.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a data override access control method based on attribute key derivation provided by the invention;
FIG. 2 is a second flow chart of the attribute key derivation-based data override access control method provided by the invention;
FIG. 3 is a schematic diagram of access policies in KP-ABE keys provided by the invention;
FIG. 4 is a schematic diagram of an access tree with restrictions added to KP-ABE keys provided by the present invention;
FIG. 5 is a schematic diagram of a KP-ABE key source access tree provided by the invention;
FIG. 6 is a schematic diagram of a KP-ABE key plus trapdoor threshold access tree provided by the present invention;
FIG. 7 is a schematic diagram of a KP-ABE key pruning sub-tree provided by the present invention;
FIG. 8 is a schematic diagram of a KP-ABE key addition subtree provided by the present invention;
FIG. 9 is a schematic diagram of a structure of an attribute key derivation-based data unauthorized access control device according to the present invention;
fig. 10 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The access right control is performed by using attribute-based encryption, and the problem of distributing the secret key is solved in order to prevent unauthorized access, because the attribute owned by the user determines the access right owned by the user. In CP-ABE, the user's attributes are directly key-embedded; for KP-ABE, stored in the key is an access tree that can determine which data a user can access, so that the access tree can be considered as a special attribute to describe the overall process uniformly.
The attribute key derivation-based data override access control method and apparatus of the present invention are described below with reference to fig. 1 to 10. Fig. 1 is a schematic flow chart of a data override access control method based on attribute key derivation, and as shown in fig. 1, the invention provides a data override access control method based on attribute key derivation, including:
101. and transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system.
The embodiment of the invention can be applied to the attribute encryption modes such as CP-ABE, KP-ABE and the like. The overall flow of multi-level rights access control is shown in fig. 2, and the core problem to be solved by multi-level access control is key hierarchical derivation. The invention adopts a layered structure of 'mechanism key center- & gt mechanism middle department- & gt user'.
The institution key center: for each company, there is an organization key center, and the organization root node may be a node of the organization key center. When a company or organization applies for joining a blockchain, an organization key is generated by a blockchain system according to access control parameters (in a CP-ABE encryption mode, the access control parameters are attribute information) of organizations such as the company or organization, so that the access rights owned by different organizations are different.
The middle department of the mechanism: for the organization's interior, it may be hierarchically divided into finer granularity, e.g. "company→department→user", with each lower-level key being served by the upper level responsible. The user: the user is the lowest level of the hierarchical architecture, with its keys being responsible for dispatch by its immediate affiliate.
At 101, all access control parameters for an organization may be sent to the blockchain network by any node of the organization, or by the root node of the organization, to indicate that the organization needs to join the blockchain network. Alternatively, the request information to join the blockchain network may be additionally transmitted, while all access control parameters of the organization are transmitted. The access control parameters are parameters corresponding to which data can be accessed by the mechanism, and in the CP-ABE encryption mode, the access control parameters are attribute information.
Taking a CP-ABE encryption mode as an example, after the blockchain network receives a request of adding an organization into the network, S is collected according to the attribute of the organization org Public parameters PK of the blockchain network and system master key MK of the blockchain network, and output mechanism master key:
SK org ←OrgKeyGen(MK,PK,S org )
wherein S is org Representing a set of attributes for a mechanism, SK org Representing the institution key corresponding to the institution.
102. And if the current node is the organization root node, generating a department key of the lower-level department node according to the organization key, the access control parameter of the lower-level department node and the access control parameter of the current organization node.
The department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
Hierarchical division within an organization, where the hierarchy is divided within an organization, reducing access privileges step by step, even for groups under the same organizationThe access rights of the fabrics may also be different. The department of the n-1 (n is a positive integer, the organization root node can be regarded as the department of the 0 th layer) executes the algorithm, the key of the n-1 th layer department can be generated, and the algorithm is input as the key SK of the n-1 th layer department n-1 Attribute set S n-1 And attribute set S of nth layer department n The key SK outputted as the nth layer department n
SK n ←MidKeyGen(SK n-1 ,S n-1 ,S n )
SK n Key representing current department, S n Representing the attribute set of the current department, S n-1 Attribute collection representing superior departments, SK n-1 Key representing superior department, satisfy
When the user terminal applies for joining the blockchain, the user generic mechanism executes the method, inputs the attribute set of the user, outputs the private key of the user and distributes the private key to the user:
SK user ←UserKeyGen(SK org ,S org ,S user )
S user representing a set of attributes of a user, satisfyingSK user Representing the user' S key, S org Set of attributes representing the departments of a user, SK org A department key representing the department of the user.
The invention adopts a layered structure of 'mechanism key center- & gt mechanism middle department- & gt user'. For each organization, the organization key center is the topmost key organization, only one, the middle departments of the organization can have multiple layers, and the user is the last layer. The key center of a certain level is used for distributing keys for the next level, the keys are input as a private key of the current level and a property set of the next level, the property contained in the property set must be contained in the property used for generating the current private key, and the property set is output as a private key of the next level department.
According to the attribute key derivation-based data override access control method provided by the invention, the attribute set corresponding to the private key is strictly decremented, the access control parameters (such as attributes) correspond to the access policy in attribute encryption, and when the access control parameters corresponding to the private key are reduced, the access structure satisfied by the access policy is necessarily reduced, so that the user authority is ensured to be smaller than the authority, the override access control of the data is finally realized, the risk of on-link data leakage caused by redundant authority or override of the user is prevented, and the safety of the on-link data is improved.
In one embodiment, if the current node is a department node, a key of a lower department is generated according to a department key of the current department, an access control parameter of the current department, and an access control parameter of the lower department.
Specifically, if the current terminal node is a terminal node in the department, such as the n-1 layer department, the key SK of the current department, i.e. the n-1 layer department, is used n-1 And current department attribute set S n-1 Attribute set S of nth layer department n Generating keys SK of lower departments, i.e. n-th departments n . The generation of the user private key can be seen from the above embodiments. According to the invention, the access rights are reduced step by dividing the hierarchy in the organization, and even the organization under the same organization has different access rights.
In one embodiment, the key attribute includes a key validity time, and the method further includes: if the current node is a mechanism root node or a middle department node, after detecting that the key effective time of the lower node is overtime, regenerating a lower department key and sending the lower department key to the lower department node; if the user private key is detected to be overtime, the user private key is regenerated and sent to the user terminal.
Specifically, the key validity time is used for re-distribution of the key that fails after the key exceeds the validity time. For example, the validity time of the KP-ABE derivative key can be updated, and all keys including the institution key and the department key can be set to the validity time, and the key is redistributed by the upper level after the expiration of the validity time. Wherein the validity time of the derivative key does not exceed the validity time of the superior key. The current node is the organization root node, and after the fact that the effective time of the department key of the lower-level department node is overtime is detected, the latest department key of the lower-level department node is generated according to the latest organization key, the access control parameters of the lower-level department node and the access control parameters of the current organization node. If the current node is a department node, after the fact that the valid time of the department key of the current department node is overtime is detected, the key of the current department is generated according to the latest department key of the superior department, the access control parameter of the superior department and the access control parameter of the current department. If the current node is a department node, after the timeout of the effective time of the user private key of the current department user is detected, generating the latest user private key according to the latest department key of the current department, the access control parameter of the current department and the access control parameter of the user, and sending the latest user private key to the user.
In one embodiment, the access control parameter is an attribute set if it is a CP-ABE encryption scheme, and the access control parameter is an access policy parameter if it is a KP-ABE encryption scheme. The above embodiment is described by taking the CP-ABE encryption scheme as an example, and the KP-ABE encryption scheme is described by taking the KP-ABE encryption scheme as an example.
In the KP-ABE key derivation scheme, the access rights of the user are determined by the access policy embedded in the key. Embedded in the KP-ABE key is an access policy, compared to CP-ABE, so keys should be derived by adding access restrictions. Fig. 3 shows that a user may access data of "id=1, level >3" or "id=3", the access policy may be regarded as an N-ary tree, the leaf nodes represent attributes, and the non-leaf nodes may be regarded as a trapdoor, which is valid only if its child nodes meet the access requirement.
In the non-leaf nodes shown in FIG. 3, "2/2" means that the node has two child nodes, and the node satisfies the requirement only if both children satisfy the requirement; similarly, "1/2" means that as long as one child node meets the requirement, the current node can meet the requirement, and only when the access requirement of the root node is met, the user has permission to access the data.
It is thus known that when increasing the constraints of the access tree, the rights of the user are correspondingly reduced.
As shown in fig. 4, we add the condition of "level >2" to the access policy represented in fig. 3, and the user changes from having access to data of "id=3" to having access to data of only "id=3" and "level > 2". By increasing the constraints of the access tree, the access rights of the user can be reduced.
The flow of KP-ABE key derivation based on the above embodiment is as follows:
the key derivation scheme of KP-ABE is illustrated by way of example in fig. 5. Fig. 5 shows the access policy in which the original key is embedded, fig. 6, 7 show two different derivative keys, the white box italics identifying the differences between the derivative key and the original key. Leaf nodes represent attributes, represented by circles; non-leaf nodes represent threshold requirements, represented by rectangles.
The derived key represented in fig. 6 has no pruning attribute relative to the original key, but adds a threshold requirement for a non-leaf node, instead of "1/2" to "2/2", which allows all child nodes to meet the access requirement only if they meet the access requirement.
The key represented in fig. 7 has a part of subtrees deleted compared to the original key, but at the same time the threshold requirement of the parent node of the deleted part is modified from "1/2" to "1/1", in such a way that the access policy changes from requiring only any one child node to requiring a particular one, i.e. the access policy becomes more stringent, the rights to deriving the key is smaller than the original key.
The key shown in fig. 8 is added with an access subtree compared with the original key, and the threshold value of the parent node of the root node of the subtree is modified from 1/1 to 2/2, so that the parent node of the new added subtree can meet the access requirement only when the original child nodes of the new added subtree and the parent node of the new added subtree are both met, and the access strategy of the new key is stricter than that of the original key. The KP-ABE newly added subtree realizes key derivation, and a key finite period or version limit can be added to the derived key to realize fine-grained access control.
The KP-ABE key derivation flow is as follows: the system is initialized and the security parameter lambda of the master key center can be set by a system administrator.
An initialization algorithm Setup (), which can be run by a system administrator, inputs security parameters, outputs system public parameters PK and system master key MK:
(PK,MK)←Setup(λ)
λ represents an implicit security parameter, PK, MK will be used for subsequent intermediary key generation.
The institution master key generation algorithm is executed by a system administrator. When a new company or organization applies for joining a blockchain, access policy P of an organization is entered org Public parameters PK and system master key MK, export institution master key:
SK org ←OrgKeyGen(PK,MK,P org )
P org representing access policies, SK, of an organization org Representing the key corresponding to the organization.
The method comprises the steps of dividing the hierarchy in the mechanism, and gradually reducing the access rights, wherein the access rights are different even if the organization is under the same mechanism; the n-1 layer department executes the algorithm to generate the key of the n-layer department, and the algorithm is input as the key SK of the n-1 layer department n-1 Access policy P n-1 And access policy P for the nth layer department n The key SK outputted as the nth layer department n
SK n ←MidKeyGen(SK n-1 ,P n-1 ,P n )
SK n Representing the key of the current institution, P n Representing access policy of current institution, p n-1 Represents the access policy of the upper-level organization and satisfies
The user private key generation algorithm is executed by the user affiliated mechanism when the user applies to join the blockchain, inputs the access strategy of the user, outputs the user private key and distributes the user private key to the user:
SK user ←UserKeyGen(SK org ,p org ,p Iser )
S user representing the access policy of the user, satisfyingSK user Representing the user's key.
In the invention, the access authority of the user corresponds to the attribute owned by the user, the attribute is embedded into the private key, and the problem of data unauthorized access control is converted into a key derivation problem. Flexible and safe data unauthorized access control is realized through hierarchical step-by-step key derivation. The scheme is characterized in that:
the security, the key institution of the last level distributes the secret key for the key institution of the next level, and the attribute set that the secret key corresponds to is progressively decreased, and the corresponding data access authority that has also is progressively decreased, and this design makes all authorities of user must not surpass its affiliated organization, can prevent the emergence of unauthorized access.
The flexibility is realized, flexible hierarchical division can be performed in the mechanism, the attribute is the core of attribute-based encryption, and different access rights can be given to a user by combining different attribute sets, so that flexible fine-grained rights access control is realized.
The invention also provides a data override access control method based on attribute key derivation, comprising the following steps: receiving all access control parameters of a mechanism sent by any node of a new joining mechanism; generating an organization key according to all access control parameters of the organization and combining public parameters of a blockchain system and a master key of the blockchain system; the mechanism key is sent to a mechanism root node of a new joining mechanism, so that the mechanism root node generates a department key of a lower-level department node according to the mechanism key, the access control parameter of the lower-level department node and the access control parameter of the current mechanism node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The embodiment of the invention takes the existing nodes in the blockchain network as an execution main body, and receives all access control parameters of the nodes of the new joining mechanism, and can also receive request messages from the mechanism. The existing node generates an organization key according to all access control parameters of the organization and by combining common parameters of the blockchain system and a master key of the blockchain system. Wherein it may be implemented based on a consensus mechanism. Other specific steps may be referred to the above embodiments using nodes in the mechanism as execution bodies, and will not be described herein.
In the above embodiment, before receiving all the access control parameters of the mechanism sent by any node of the newly added mechanism, the method further includes: and determining the public parameter and the master key according to the security parameters of the blockchain network.
Namely, for the blockchain system, a security parameter lambda is input, and a system public parameter PK and a system master key MK are output:
(PK,MK)←Setup(λ)
λ represents an implicit security parameter, PK, MK will be used for subsequent mechanism key generation, see the above-described embodiment with mechanism nodes as the execution subject.
In the above embodiment, if the validity time of the mechanism key is detected to be overtime, the mechanism key is regenerated according to all the access control parameters which are sent by the mechanism latest and combined with the public parameters of the blockchain system and the master key of the blockchain system, and the updated mechanism key is sent to the mechanism root node.
Specifically, after the establishment key expires, the blockchain network generates a new establishment key according to the latest access control parameter set of the establishment, by combining the public parameters of the blockchain system and the master key of the blockchain system, and sends the new establishment key to the establishment root node. The organization root node performs key dispatch to the lower departments according to the latest organization key. By the method, the security of the secret key is further ensured.
The data override access control device based on the attribute key derivation provided by the invention is described below, and the data override access control device based on the attribute key derivation described below and the data override access control method based on the attribute key derivation described above can be referred to correspondingly.
Fig. 9 is a schematic structural diagram of an attribute key derivation-based data unauthorized access control device according to the present invention, and as shown in fig. 9, the attribute key derivation-based data unauthorized access control device includes: a transmitting module 901 and a processing module 902. The sending module 901 is configured to send all access control parameters of an organization, where the access control parameters of the organization are used by a blockchain network to generate an organization key according to an access control parameter set of the organization, and combine public parameters of the blockchain system and a master key of the blockchain system; if the processing module 902 is a mechanism root node, generating a department key of a lower-level department node according to the mechanism key, the access control parameter of the lower-level department node and the access control parameter of the current mechanism node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The invention also provides a data override access control device based on attribute key derivation, comprising: the receiving module is used for receiving all access control parameters of the mechanism sent by any node of the new joining mechanism; the processing module is used for generating an organization key according to all access control parameters of the organization and combining public parameters of the blockchain system and a master key of the blockchain system; the sending module is used for sending the mechanism key to a mechanism root node of a new joining mechanism for the mechanism root node, and generating a department key of a lower-level department node according to the mechanism key, the access control parameter of the lower-level department node and the access control parameter of the current mechanism node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The embodiment of the device provided by the embodiment of the present invention is for implementing the above embodiments of the method, and specific flow and details refer to the above embodiments of the method, which are not repeated herein.
The implementation principle and the generated technical effects of the data override access control device based on the attribute key derivation provided by the embodiment of the invention are the same as those of the data override access control method based on the attribute key derivation, and for brief description, the corresponding content in the data override access control method based on the attribute key derivation can be referred to where the embodiment of the data override access control device based on the attribute key derivation is not mentioned.
Fig. 10 is a schematic structural diagram of an electronic device according to the present invention, and as shown in fig. 10, the electronic device may include: a processor 1001, a communication interface (Communications Interface) 1002, a memory 1003, and a communication bus 1004, wherein the processor 1001, the communication interface 1002, and the memory 1003 perform communication with each other through the communication bus 1004. The processor 1001 may call logic instructions in the memory 1003 to perform a data override access control method based on attribute key derivation, the method comprising: transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system; if the node is the organization root node, generating a department key of the lower-level department node according to the organization key, the access control parameter of the lower-level department node and the access control parameter of the current organization node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
Further, the logic instructions in the memory 1003 described above may be implemented in the form of software functional units and sold or used as a separate product, and may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, the computer program product including a computer program, the computer program being storable on a non-transitory computer readable storage medium, the computer program, when executed by a processor, being capable of executing the attribute key derivation-based data override access control method provided by the above methods, the method comprising: transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system; if the node is the organization root node, generating a department key of the lower-level department node according to the organization key, the access control parameter of the lower-level department node and the access control parameter of the current organization node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the attribute key derivation based data override access control method provided by the above methods, the method comprising: transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system; if the node is the organization root node, generating a department key of the lower-level department node according to the organization key, the access control parameter of the lower-level department node and the access control parameter of the current organization node; the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A data override access control method based on attribute key derivation, comprising:
transmitting all access control parameters of the mechanism, wherein the access control parameters of the mechanism are used for generating a mechanism key by the blockchain network according to the access control parameter set of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system;
if the current node is the organization root node, generating a department key of a lower department node of the current node according to the organization key, the access control parameter of the lower department node of the current node and the access control parameter of the current organization node;
the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user;
if the current node is a department node, generating a key of a lower department of the current node according to a department key of the current department, an access control parameter of the current department and an access control parameter of a lower department of the current node;
the access control parameters corresponding to the secret key are gradually decreased, the secret key attribute comprises the secret key effective time, and the method further comprises the following steps:
if the current node is a mechanism root node or a middle department node, after detecting that the key effective time of the lower node is overtime, regenerating a lower department key and sending the lower department key to the lower department node;
if the user private key of the user is detected to be overtime, the user private key is regenerated and sent to the user terminal.
2. The method according to claim 1, wherein the access control parameter is an attribute set if the access control parameter is a CP-ABE encryption scheme, and the access control parameter is an access policy parameter if the access control parameter is a KP-ABE encryption scheme.
3. A data override access control method based on attribute key derivation, comprising:
receiving all access control parameters of a mechanism sent by any node of a new joining mechanism;
generating an organization key according to all access control parameters of the organization and combining public parameters of a blockchain system and a master key of the blockchain system;
the mechanism key is sent to a mechanism root node of a new joining mechanism, so that the mechanism root node generates a department key of a lower-level department node of a current mechanism node according to the mechanism key, the access control parameter of the lower-level department node of the current mechanism node and the access control parameter of the current mechanism node;
the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user terminal, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user;
if the current node is a department node, generating a key of a lower department of the current node according to a department key of the current department, an access control parameter of the current department and an access control parameter of a lower department of the current node;
the access control parameters corresponding to the secret key are gradually decreased, the secret key attribute comprises the secret key effective time, and the method further comprises the following steps:
if the current node is a mechanism root node or a middle department node, after detecting that the key effective time of the lower node is overtime, regenerating a lower department key and sending the lower department key to the lower department node;
if the user private key of the user is detected to be overtime, the user private key is regenerated and sent to the user terminal.
4. The attribute key derivation based data override access control method of claim 3, further comprising:
if the valid time of the mechanism key is detected to be overtime, the mechanism key is regenerated according to all the latest transmitted access control parameters of the mechanism and combining the public parameters of the blockchain system and the master key of the blockchain system, and the updated mechanism key is transmitted to the mechanism root node.
5. A data unauthorized access control device based on attribute key derivation, comprising:
the system comprises a sending module, a mechanism key generation module and a control module, wherein the sending module is used for sending all access control parameters of the mechanism, and the access control parameters of the mechanism are used for a blockchain network to generate the mechanism key according to an access control parameter set of the mechanism and combining public parameters of a blockchain system and a master key of the blockchain system;
the processing module is used for generating a department key of a lower department node of the current node according to the organization key, the access control parameter of the lower department node of the current node and the access control parameter of the current organization node if the current node is the organization root node;
the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user;
if the current node is a department node, generating a key of a lower department of the current node according to a department key of the current department, an access control parameter of the current department and an access control parameter of a lower department of the current node;
the access control parameters corresponding to the secret key are gradually decreased, the secret key attribute comprises the secret key effective time, and the method further comprises the following steps:
if the current node is a mechanism root node or a middle department node, after detecting that the key effective time of the lower node is overtime, regenerating a lower department key and sending the lower department key to the lower department node;
if the user private key of the user is detected to be overtime, the user private key is regenerated and sent to the user terminal.
6. A data unauthorized access control device based on attribute key derivation, comprising:
the receiving module is used for receiving all access control parameters of the mechanism sent by any node of the new joining mechanism;
the processing module is used for generating an organization key according to all access control parameters of the organization and combining public parameters of the blockchain system and a master key of the blockchain system;
the sending module is used for sending the mechanism key to a mechanism root node of a new joining mechanism for the mechanism root node, and generating a department key of a lower department node of the current mechanism node according to the mechanism key, the access control parameter of the lower department node of the current mechanism node and the access control parameter of the current mechanism node;
the department key is used for the affiliated department node, and after receiving the request of joining the blockchain from the current department user, the user private key is generated according to the access control parameter of the current department, the department key of the current department and the access control parameter of the user;
if the current node is a department node, generating a key of a lower department of the current node according to a department key of the current department, an access control parameter of the current department and an access control parameter of a lower department of the current node;
the access control parameters corresponding to the secret key are gradually decreased, the secret key attribute comprises the secret key effective time, and the method further comprises the following steps:
if the current node is a mechanism root node or a middle department node, after detecting that the key effective time of the lower node is overtime, regenerating a lower department key and sending the lower department key to the lower department node;
if the user private key of the user is detected to be overtime, the user private key is regenerated and sent to the user terminal.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the attribute key derivation-based data override access control method of any one of claims 1 to 4 when the program is executed by the processor.
8. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the attribute key derivation-based data override access control method of any one of claims 1 to 4.
CN202210360031.2A 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation Active CN114978578B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210360031.2A CN114978578B (en) 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210360031.2A CN114978578B (en) 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation

Publications (2)

Publication Number Publication Date
CN114978578A CN114978578A (en) 2022-08-30
CN114978578B true CN114978578B (en) 2023-09-19

Family

ID=82977839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210360031.2A Active CN114978578B (en) 2022-04-06 2022-04-06 Data unauthorized access control method and device based on attribute key derivation

Country Status (1)

Country Link
CN (1) CN114978578B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
WO2016197769A1 (en) * 2015-06-12 2016-12-15 深圳大学 Cloud storage ciphertext access control system based on table attributes
WO2016197770A1 (en) * 2015-06-12 2016-12-15 深圳大学 Access control system and access control method thereof for cloud storage service platform
KR20190012969A (en) * 2017-07-31 2019-02-11 서강대학교산학협력단 Data access management system based on blockchain and method thereof
CN110113156A (en) * 2019-04-30 2019-08-09 福建师范大学 A kind of traceable layering authorizes ciphertext policy ABE base authentication method more
CN111371561A (en) * 2020-02-27 2020-07-03 华信咨询设计研究院有限公司 Alliance block chain data access control method based on CP-ABE algorithm
CN112187454A (en) * 2020-09-14 2021-01-05 国网浙江省电力有限公司信息通信分公司 Key management method and system based on block chain
CN113595735A (en) * 2021-07-12 2021-11-02 中债金科信息技术有限公司 Supervised privacy protection block chain crossing system based on CP-ABE
CN114050915A (en) * 2021-10-25 2022-02-15 安徽中科晶格技术有限公司 Fine-grained permission access synchronization method, device and equipment under isolated network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107864139B (en) * 2017-11-09 2020-05-12 北京科技大学 Cryptographic attribute base access control method and system based on dynamic rules
US11223487B2 (en) * 2020-03-19 2022-01-11 Jinan University Method and system for secure blockchain-based vehicular digital forensics
US11303432B2 (en) * 2020-05-01 2022-04-12 Microsoft Technology Licensing, Llc Label-based double key encryption

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
WO2016197769A1 (en) * 2015-06-12 2016-12-15 深圳大学 Cloud storage ciphertext access control system based on table attributes
WO2016197770A1 (en) * 2015-06-12 2016-12-15 深圳大学 Access control system and access control method thereof for cloud storage service platform
KR20190012969A (en) * 2017-07-31 2019-02-11 서강대학교산학협력단 Data access management system based on blockchain and method thereof
CN110113156A (en) * 2019-04-30 2019-08-09 福建师范大学 A kind of traceable layering authorizes ciphertext policy ABE base authentication method more
CN111371561A (en) * 2020-02-27 2020-07-03 华信咨询设计研究院有限公司 Alliance block chain data access control method based on CP-ABE algorithm
CN112187454A (en) * 2020-09-14 2021-01-05 国网浙江省电力有限公司信息通信分公司 Key management method and system based on block chain
CN113595735A (en) * 2021-07-12 2021-11-02 中债金科信息技术有限公司 Supervised privacy protection block chain crossing system based on CP-ABE
CN114050915A (en) * 2021-10-25 2022-02-15 安徽中科晶格技术有限公司 Fine-grained permission access synchronization method, device and equipment under isolated network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
flexible CP-ABE based access control on encrypted data for mobile users in hybrid cloud system;wen-min li,xue-lei li;Springer;全文 *
Taerim Lee ; Ho-Se Moon.Data encryption method using CP-ABE with symmetric key algorithm in blockchain network.2021 International Conference on Information and Communication Technology Convergence (ICTC).2021,全文. *
基于CP-ABE算法的云存储数据保护机制;宋开波;罗军;孙金涛;;华中科技大学学报(自然科学版)(第S1期);全文 *
基于CP-ABE算法的区块链数据访问控制方案;邱云翔;张红霞;曹琪;章建聪;陈兴蜀;金泓键;;网络与信息安全学报(第03期);全文 *

Also Published As

Publication number Publication date
CN114978578A (en) 2022-08-30

Similar Documents

Publication Publication Date Title
Gayathri et al. Securing e-health records using keyless signature infrastructure blockchain technology in the cloud
Zhou et al. Trust enhanced cryptographic role-based access control for secure cloud data storage
US9286481B2 (en) System and method for secure and distributed physical access control using smart cards
CN112543105B (en) Complete access control method based on roles under intelligent contract
Samanthula et al. An efficient and secure data sharing framework using homomorphic encryption in the cloud
Nakamura et al. Capability-based access control for the internet of things: An ethereum blockchain-based scheme
CN110933093A (en) Block chain data sharing platform and method based on differential privacy protection technology
US9680649B2 (en) Policy-based key sharing
CN113645195B (en) Cloud medical record ciphertext access control system and method based on CP-ABE and SM4
CN110635904A (en) Remote attestation method and system for software-defined Internet of things node
Aruna et al. Medical healthcare system with hybrid block based predictive models for quality preserving in medical images using machine learning techniques
CN113949541B (en) DDS (direct digital synthesizer) secure communication middleware design method based on attribute strategy
Almuzaini et al. Key Aggregation Cryptosystem and Double Encryption Method for Cloud‐Based Intelligent Machine Learning Techniques‐Based Health Monitoring Systems
CN107659567A (en) The ciphertext access control method and system of fine granularity lightweight based on public key cryptosyst
CN114978578B (en) Data unauthorized access control method and device based on attribute key derivation
CN113055164A (en) Cipher text strategy attribute encryption algorithm based on state cipher
CN110912703B (en) Network security-based multi-level key management method, device and system
Chatterjee et al. An efficient fine grained access control scheme based on attributes for enterprise class applications
Dadhania et al. Access control mechanism in Internet of Things using blockchain technology: a review
US10305906B1 (en) Access heartbeat for a hardware security module
Frikken et al. Key allocation schemes for private social networks
CN111130761B (en) Digital right identity identification method and system
Athena et al. TBAC: tree-based access control approach for secure access of PHR in cloud
Saravanakumar et al. Hybrid Cloud Security by Revocable KUNodes-Storage with Identity-Based Encryption.
CN116155619B (en) Data processing method, data request terminal, data possession terminal and data processing device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant