CN115499141A - Data encryption method and device based on attributes - Google Patents
- Publication number
- CN115499141A (CN202110672273.0A)
- Authority
- CN
- China
- Prior art keywords
- data
- attribute
- target
- parameter
- information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides an attribute-based data encryption method and device. The method comprises the following steps: acquiring a public key parameter and a master key parameter generated based on attribute information of a user; determining a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer, where the target matrix is generated in advance based on the attribute sets of all users; encrypting the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data. With the disclosed method, the authenticity of the ciphertext is ensured by hiding the access policy through obfuscation and adding the signature to the ciphertext, and the risk of data being maliciously tampered with during transmission is avoided.
Description
Technical Field
The invention relates to the technical field of internet communication, in particular to a data encryption method and device based on attributes. In addition, the invention also relates to a data decryption method and device based on the attribute, an electronic device and a processor readable storage medium.
Background
In recent years, with the rapid development of internet technology, more and more business processes are carried out over the internet, and ensuring the security of users' personal information has become a major problem. To address this, the prior art generally adopts newer public key data encryption methods, which fall into two main types. One type is identity-based encryption (IBE), which uses an identity (ID) as the public key for encrypting data; its disadvantage is that the ID contains personal information of users, which poses a great threat to user privacy, and the method is not well suited to one-to-many data transmission. The other type is attribute-based encryption (ABE), which uses a plurality of attributes of a user to produce a private key by formulating an access policy and gives the user more detailed access control over the data, so that data can be shared one-to-many and at fine granularity. However, because the data is encrypted with the user's attributes, an attacker may infer personal information of the user from the ciphertext, which may leak that information. The most common attribute-based encryption method that protects user privacy is ciphertext-policy attribute-based encryption with a hidden access policy (HP-CP-ABE). HP-CP-ABE hides the access policy in attribute-based encryption through obfuscation, so that an attacker cannot learn the recipient's information from the ciphertext, and even a legitimate user cannot learn other information in the access policy, thereby protecting user privacy.
Attribute-based broadcast encryption (ABBE) has the advantages of both broadcast encryption (BE) and ABE, and allows a data owner to establish an access policy and a broadcast set. Only users who belong to the broadcast set and satisfy the access policy can decrypt successfully. ABBE can provide users with flexible access control over data, but has two major problems: the receiver set and the access policy both contain a large amount of user personal information, and if this information is not protected it may be leaked, which also increases the risk that the data is cracked; and the data is at risk of being maliciously tampered with during transmission, so the authenticity of the ciphertext cannot be guaranteed. How to design a more secure data encryption scheme has therefore become an important research issue in the field.
Disclosure of Invention
Therefore, the invention provides an attribute-based data encryption method and device, aiming to solve the problems of significant limitations and poor security in prior-art data encryption schemes.
In a first aspect, the present invention provides an attribute-based data encryption method, including:
acquiring a public key parameter and a master key parameter generated based on attribute information of a user;
determining a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users;
encrypting the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data.
In one embodiment, each row of the target matrix corresponds to attribute information of one user.
In one embodiment, the attribute-based data encryption method further includes: sending the target ciphertext data to a data user receiving end through a corresponding cloud server.
In a second aspect, the present invention further provides an attribute-based data decryption method, including:
acquiring target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information;
performing authority verification based on the tag information and, if the verification is passed, acquiring a target private key parameter and a broadcast header parameter which are determined based on the label of the user and the attribute information of the user, and acquiring a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter;
decrypting the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
In one embodiment, the attribute-based data decryption method further includes: determining in advance the private key parameters required for decryption based on the attribute information of all users, the selected corresponding second random values and the public key parameters;
the public key parameters are generated based on attribute information of different users, and the private key parameters comprise the target private key parameters.
In one embodiment, the tag information is obtained based on a preset hash function and a selected random integer.
In a third aspect, the present invention further provides an attribute-based data encryption apparatus, including:
a public parameter acquiring unit for acquiring a public key parameter and a master key parameter generated based on the attribute information of the user;
an encryption information determining unit, configured to determine a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value, and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users;
a data encryption processing unit, configured to encrypt the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data, and to write the signature information into the ciphertext data to obtain corresponding target ciphertext data.
In one embodiment, each row of the target matrix corresponds to attribute information of one user.
In one embodiment, the attribute-based data encryption apparatus further includes: a ciphertext data sending unit, configured to send the target ciphertext data to a data user receiving end through a corresponding cloud server.
In a fourth aspect, the present invention further provides an attribute-based data decryption apparatus, including:
a ciphertext data acquisition unit, configured to acquire target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information;
a decryption information determining unit, configured to perform authority verification based on the tag information and, if the verification passes, acquire a target private key parameter and a broadcast header parameter determined based on the label of the user and the attribute information of the user, and acquire a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter;
a data decryption processing unit, configured to decrypt the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
In one embodiment, the attribute-based data decryption apparatus further includes: a private key parameter determining unit, configured to determine in advance the private key parameters required for decryption based on the attribute information of all users, the selected corresponding second random values and the public key parameters;
the public key parameters are generated respectively based on attribute information of different users, and the private key parameters comprise the target private key parameters.
In one embodiment, the tag information is obtained based on a preset hash function and a selected random integer.
In a fifth aspect, the present invention further provides an electronic device, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method for attribute-based data encryption or the method for attribute-based data decryption as claimed in any one of the preceding claims when executing the program.
In a sixth aspect, the present invention also provides a processor-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the attribute-based data encryption method or the attribute-based data decryption method as described in any one of the above.
With the attribute-based data encryption method, the authenticity of the ciphertext is ensured by hiding the access policy through obfuscation and adding the signature information to the ciphertext; the personal information of the user is protected and effectively prevented from being leaked, and the risk of data being maliciously tampered with during transmission is avoided.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic flowchart of an attribute-based data encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic view of a complete flow chart of a data encryption method based on attributes according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an attribute-based data encryption apparatus according to an embodiment of the present invention;
Fig. 4 is a second flowchart illustrating a method for attribute-based data decryption according to an embodiment of the present invention;
Fig. 5 is a second schematic structural diagram of an attribute-based data decryption apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments of the present invention, belong to the protection scope of the present invention.
The application provides an attribute-based data encryption method that protects user privacy (HP-CP-ABBE). The method combines the ABBE technology and the HP-CP-ABE technology; the authenticity of the ciphertext is ensured by hiding the access policy and the broadcast set through obfuscation and adding signature information to the ciphertext.
The following describes an embodiment of the attribute-based data encryption method according to the present invention in detail. As shown in fig. 1, which is a schematic flow chart of a data encryption method based on attributes according to an embodiment of the present invention, a specific implementation process includes the following steps:
Step 101: acquiring a public key parameter and a master key parameter generated based on the user attribute information.
As shown in Fig. 2, the system initialization of the authority center must be performed before this step. Specifically, the system initialization process includes: running the group generator to generate $\Omega = (N = p_1 p_2 p_3, G, G_T, e)$; then for any selecting g, α, and for arbitrary user attribute information selecting ; then selecting a random generator $g_3$ of the group ; and, based on the user attribute information and the random generators from the groups, calculating according to a preset algorithm to obtain: $A_0 = g \cdot R_0$, $A_1 = g^{a}$, $A_2 = g^{\tau}$ and . The public key parameter PK and the master key parameter MK are given by (1) and (2), respectively:
where $G$ is a composite-order group of order $N = p_1 p_2 p_3$; $p_1$, $p_2$, $p_3$ are prime numbers; $U$ is a set of positive integers; is a prime-order group of order $p_i$; $e$ is the generator of $G$.
In this step, the user attribute information includes information such as a user name and a gender.
Step 102: determining a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and a corresponding target matrix; and determining signature information based on a preset hash function and the selected random integer.
The target matrix is generated in advance based on the attribute sets of all users, and each row of the target matrix corresponds to the attribute information of one user. The public parameter is the public key parameter. The first symmetric encryption key and the broadcast header parameter are used for encrypting data related to the access policy, and the tag information is written into the encrypted ciphertext to ensure the authenticity of the ciphertext.
Specifically, using the target matrix generated from the attribute sets of all users, the data owner side first determines a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and the corresponding target matrix, then determines signature information based on a preset hash function and the selected random integer, and finally writes the signature information into the encrypted ciphertext.
In a practical embodiment, the data encryption process specifically includes: selecting a vector and a random integer , and calculating $\lambda_x = A_x \cdot v$ according to a preset algorithm, where $A_x$ denotes the x-th row of the target matrix $A$. Further, selecting the first random values $R_{x,1}$, $R_{x,2}$, $R_{3,3}$, $R_{3,4}$, and calculating according to a preset algorithm to obtain: $K = e(g,g)^{\alpha s}$. The first symmetric encryption key parameter K and the broadcast header parameter Hdr are given by (3) and (4), respectively:
$K = e(g,g)^{\alpha s}$, (3)
In the implementation process, a secure hash function is selected, then a random integer is selected. Based on the hash function and the selected random integer, the following are calculated according to a preset algorithm: $\Upsilon = e(g,\Theta)^{\delta}$, $\Psi = H(M)^{H(\gamma)}$, $\Omega = g^{\delta} (K_s)^{\Psi}$. The signature information $\mathrm{Sign} = \langle \Theta, \Psi, \Omega \rangle$ is then obtained.
Step 103: encrypting the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data.
In the embodiment of the present invention, after the first symmetric encryption key, the broadcast header parameter and the signature information are obtained through the above algorithm, the formulated access policy may be encrypted based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data, and the signature information is written into the ciphertext data to obtain corresponding target ciphertext data, thereby implementing data encryption.
In a specific implementation process, after obtaining the target ciphertext data, the data owner side may further send the target ciphertext data to a data user receiving end (i.e., the data user side) through a corresponding cloud server.
In addition, the verification of the access policy can also be implemented based on the following equations (5)-(7):
If $(A', \rho') = (A, \rho)$, then $\rho(x)' = \rho(x)$ and $\sum_{x \in I} \mu'_x \lambda_x = s$, where $A$, $A'$ are the access policy matrices and $\rho$, $\rho'$ are the mappings, so there is:
If $(A', \rho') \neq (A, \rho)$, then $\rho(x)' \neq \rho(x)$, and there is therefore:
As can be seen from the above equations, by the Diffie-Hellman assumption only a random value can be obtained, and the attacker cannot obtain any user personal information about the access policy, whether $(A', \rho') = (A, \rho)$ or $(A', \rho') \neq (A, \rho)$.
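The share computation λ_x = A_x·v from the encryption step and the reconstruction identity Σ μ_x λ_x = s used in the access policy check can be worked through on plain integers, as an added Python example that is not code from the patent. Assumptions: a prime modulus stands in for the composite order N, the first entry of v is the secret s, shares are integers rather than exponents of group elements, and the three-row matrix and attribute names are constructed for illustration.

```python
import secrets

# Assumption: a prime modulus replaces the patent's composite order N = p1*p2*p3,
# so every non-zero element is invertible and plain Gaussian elimination works.
P = 2**61 - 1

# Constructed access matrix A for the policy (doctor AND cardiology) OR auditor.
# RHO maps each row index x to the attribute it represents (the mapping rho).
A = [[1, 1],    # row 0 -> doctor
     [0, -1],   # row 1 -> cardiology
     [1, 0]]    # row 2 -> auditor
RHO = {0: "doctor", 1: "cardiology", 2: "auditor"}


def share(matrix, s, p=P):
    """Compute lambda_x = A_x . v for every row, with v = (s, r_2, ..., r_n)."""
    n = len(matrix[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def reconstruction_coeffs(matrix, rows, p=P):
    """Find mu with sum_{x in rows} mu_x * A_x = (1, 0, ..., 0) mod p.

    Returns {row_index: mu_x}, or None when the rows do not span the target,
    i.e. the attribute set does not satisfy the policy.
    """
    n, k = len(matrix[0]), len(rows)
    # One equation per matrix column; the last entry of each row is the target.
    m = [[matrix[x][c] % p for x in rows] + [1 if c == 0 else 0]
         for c in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [(val * inv) % p for val in m[r]]
        for i in range(n):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    # A zero coefficient row with a non-zero target means no solution exists.
    if any(m[i][k] for i in range(r, n)):
        return None
    mu = [0] * k
    for i, c in enumerate(pivots):
        mu[c] = m[i][k]
    return dict(zip(rows, mu))


def reconstruct(shares, mu, p=P):
    """Recover s = sum_x mu_x * lambda_x from the shares of an authorized set."""
    return sum(coeff * shares[x] for x, coeff in mu.items()) % p


def recover_for_attributes(attrs, shares, matrix=A, rho=RHO, p=P):
    """Return s if the attribute set satisfies the policy, else None."""
    rows = [x for x, name in rho.items() if name in attrs]
    mu = reconstruction_coeffs(matrix, rows, p) if rows else None
    return None if mu is None else reconstruct(shares, mu, p)


if __name__ == "__main__":
    secret = 123456789  # constructed sample value for s
    lam = share(A, secret)
    for attrs in ({"doctor", "cardiology"}, {"auditor"}, {"doctor"}):
        print(sorted(attrs), recover_for_attributes(attrs, lam))
```

In the scheme itself the shares appear only in the exponents of ciphertext components, so reconstruction yields a group element rather than s directly; the linear algebra is the same.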
Further, verification of the broadcast set may also be achieved based on the following formula algorithms (8) - (9). Because of the following equation:
$e(C_3, A_0) = e\left(\prod_{j \in S} u_j,\, g\right)^{s} \cdot e(R_0, R_{3,3})$, (9)
then there isThe Diffie-Hellman assumption is not satisfied, so an attacker cannot obtain any user personal information about the broadcast set (receiver set), indicating that the data encryption security of the present invention is higher through the above authentication process.
With the attribute-based data encryption method, ABBE is combined with HP-CP-ABE so that the access policy and the broadcast set in ABBE are hidden and user information is prevented from being leaked. A ciphertext signature is added to ABBE, which guarantees the authenticity of the ciphertext in ABBE. The authenticity of the ciphertext is ensured by hiding the access policy through obfuscation and adding the signature information to the ciphertext, so that the personal information of the user is protected and effectively prevented from being leaked, and the risk of data being maliciously tampered with during transmission is avoided.
Corresponding to the data encryption method based on the attributes, the invention also provides a data encryption device based on the attributes. Since the embodiment of the apparatus is similar to the above method embodiment, the description is simple, and for the relevant points, reference may be made to the description of the above method embodiment, and the embodiment of the attribute-based data encryption apparatus described below is only illustrative. Fig. 3 is a schematic structural diagram of an attribute-based data encryption apparatus according to an embodiment of the present invention.
The invention relates to an attribute-based data encryption device, which specifically comprises the following parts:
a public parameter acquiring unit 301 configured to acquire a public key parameter and a master key parameter generated based on attribute information of a user.
An encryption information determining unit 302, configured to determine a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value, and a corresponding target matrix; and determining signature information based on a preset hash function and the selected random integer.
Wherein the target matrix is generated in advance based on the attribute sets of all the users.
The data encryption processing unit 303 is configured to encrypt the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data.
With the attribute-based data encryption device, ABBE is combined with HP-CP-ABE so that the access policy and the broadcast set in ABBE are hidden and user information is prevented from being leaked. A ciphertext signature is added to ABBE, which guarantees the authenticity of the ciphertext in ABBE. The authenticity of the ciphertext is ensured by hiding the access policy through obfuscation and adding the signature information to the ciphertext, so that the personal information of the user is protected and effectively prevented from being leaked, and the risk of data being maliciously tampered with during transmission is avoided.
Correspondingly, the invention also provides a data decryption method based on the attribute. Fig. 4 is a second flowchart of the attribute-based data decryption method according to the embodiment of the present invention.
Step 401: acquiring target ciphertext data to be decrypted; the target ciphertext data may include corresponding tag information.
Before executing the step, the private key parameters are generated in advance based on the attribute information of all the users, the selected corresponding second random values and the public key parameters, and the private key parameters required for decryption are determined. Wherein the public key parameters are generated based on the attribute information of different users, respectively.
The generation process of the private key parameter specifically includes: randomly selecting an integer , then calculating according to a preset algorithm to obtain: . Further, a second random value is selected, and a signature key is calculated according to a preset algorithm: and the ciphertext verification key $K_v = g^{\gamma}$. Further, the private key parameters of the user are obtained as follows:
where $Z_N = \{0, 1, 2, \ldots, N-1\}$ is the residue set, each integer represents a residue class of $Z_N$, and $a$, $\theta$, $\tau$ are any positive integers.
Step 402: performing authority verification based on the tag information and, if the verification is passed, acquiring a target private key parameter and a broadcast header parameter determined based on the label of the user and the attribute information of the user, and acquiring a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter.
The tag information is obtained based on a preset hash function and a selected random integer. The private key parameter includes the target private key parameter.
Step 403: decrypting the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
Corresponding to the attribute-based data decryption method, the invention also provides an attribute-based data decryption device. Since the embodiment of the apparatus is similar to the above method embodiment, the description is simple, and please refer to the description of the above method embodiment, and the following embodiments of the attribute-based data decryption apparatus are only exemplary. Fig. 5 is a schematic structural diagram of a second attribute-based data decryption apparatus according to an embodiment of the present invention.
A ciphertext data obtaining unit 501, configured to obtain target ciphertext data to be decrypted; the target ciphertext data may include corresponding tag information.
A decryption information determining unit 502, configured to perform permission verification based on the tag information, and if the verification is passed, obtain a target private key parameter and a broadcast header parameter determined based on a tag of the user and attribute information of the user, and obtain a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter.
The data decryption processing unit 503 is configured to decrypt the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
With the attribute-based data decryption method and device provided by the embodiment of the invention, the authenticity of the ciphertext is ensured by hiding the access policy through obfuscation and adding the signature information to the ciphertext; the personal information of the user is protected and effectively prevented from being leaked, and the risk of data being maliciously tampered with during transmission is avoided.
Corresponding to the data encryption method based on the attributes, the invention also provides electronic equipment. Since the embodiment of the electronic device is similar to the above method embodiment, the description is simple, and please refer to the description of the above method embodiment, and the electronic device described below is only schematic. Fig. 6 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. The electronic device may include: a processor (processor) 601, a memory (memory) 602 and a communication bus 603, wherein the processor 601 and the memory 602 communicate with each other through the communication bus 603 and communicate with the outside through the communication interface 604. Processor 601 may invoke logic instructions in memory 602 to perform an attribute-based data encryption method comprising: acquiring a public key parameter and a master key parameter generated based on attribute information of a user; determining a first symmetric encryption key and a broadcast head parameter for data encryption based on the main key parameter, the public key parameter, the selected first random value and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users; encrypting the formulated access strategy based on the first symmetric encryption key and the broadcast head parameters to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data. 
Or executing an attribute-based data decryption method, the attribute-based data decryption method comprising: acquiring target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information; performing authority verification based on the label information, if the verification is passed, acquiring a target private key parameter and a broadcast header parameter which are determined based on the label of the user and the attribute information of the user, and acquiring a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter; and decrypting the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
Furthermore, the logic instructions in the memory 602 may be implemented as software functional units and, when sold or used as independent products, stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a memory chip, a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In another aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program stored on a processor-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the attribute-based data encryption method provided by the above method embodiments, where the attribute-based data encryption method includes: acquiring a public key parameter and a master key parameter generated based on attribute information of a user; determining a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and the corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users; encrypting the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data.
Or execute an attribute-based data decryption method comprising: acquiring target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information; performing permission verification based on the tag information, and if the verification is passed, acquiring a target private key parameter and a broadcast header parameter determined based on the tag of the user and the attribute information of the user, and acquiring a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter; and decrypting the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
In yet another aspect, an embodiment of the present invention further provides a processor-readable storage medium storing a computer program which, when executed by a processor, performs the attribute-based data encryption method provided in the foregoing embodiments, where the attribute-based data encryption method includes: acquiring a public key parameter and a master key parameter generated based on attribute information of a user; determining a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users; encrypting the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data. Or performs an attribute-based data decryption method comprising: acquiring target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information; performing permission verification based on the tag information, and if the verification is passed, acquiring a target private key parameter and a broadcast header parameter determined based on the tag of the user and the attribute information of the user, and acquiring a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter; and decrypting the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
The processor-readable storage medium can be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), solid state disks (SSDs)), etc.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and can of course also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or in the part that contributes over the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An attribute-based data encryption method, comprising:
acquiring a public key parameter and a master key parameter generated based on attribute information of a user;
determining a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users;
encrypting the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data; and writing the signature information into the ciphertext data to obtain corresponding target ciphertext data.
2. The method of claim 1, wherein each row of the target matrix corresponds to attribute information of one user.
3. The attribute-based data encryption method of claim 1, further comprising: sending the target ciphertext data to a data user receiving end through a corresponding cloud server.
4. An attribute-based data decryption method, comprising:
acquiring target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information;
performing permission verification based on the tag information, and if the verification is passed, acquiring a target private key parameter and a broadcast header parameter determined based on the tag of the user and the attribute information of the user, and acquiring a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter;
and decrypting the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
5. The attribute-based data decryption method of claim 4, further comprising: determining in advance the private key parameters required for decryption based on the attribute information of all users, the selected corresponding second random values and the public key parameters;
the public key parameters are generated respectively based on attribute information of different users, and the private key parameters comprise the target private key parameters.
6. The attribute-based data decryption method of claim 4, wherein the tag information is obtained based on a preset hash function and a selected random integer.
7. An attribute-based data encryption apparatus, comprising:
a public parameter acquiring unit for acquiring a public key parameter and a master key parameter generated based on the attribute information of the user;
an encryption information determining unit, configured to determine a first symmetric encryption key and a broadcast header parameter for data encryption based on the master key parameter, the public key parameter, the selected first random value, and a corresponding target matrix; determining signature information based on a preset hash function and the selected random integer; the target matrix is generated in advance based on attribute sets of all users;
a data encryption processing unit, configured to encrypt the formulated access policy based on the first symmetric encryption key and the broadcast header parameter to obtain corresponding ciphertext data, and to write the signature information into the ciphertext data to obtain corresponding target ciphertext data.
8. An attribute-based data decryption apparatus, comprising:
a ciphertext data acquisition unit, configured to acquire target ciphertext data to be decrypted; the target ciphertext data comprises corresponding tag information;
a decryption information determining unit, configured to perform permission verification based on the tag information, and if the verification is passed, acquire a target private key parameter and a broadcast header parameter determined based on the tag of the user and the attribute information of the user, and acquire a corresponding second symmetric encryption key according to the target private key parameter and the broadcast header parameter;
a data decryption processing unit, configured to decrypt the target ciphertext data based on the second symmetric encryption key to obtain decrypted target data.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps are implemented when the processor executes the program.
10. A processor-readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor implements the steps of the attribute-based data encryption method of any one of claims 1 to 3 or the attribute-based data decryption method of any one of claims 4 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110672273.0A CN115499141A (en) | 2021-06-17 | 2021-06-17 | Data encryption method and device based on attributes |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115499141A true CN115499141A (en) | 2022-12-20 |
Family
ID=84465031
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110672273.0A Pending CN115499141A (en) | 2021-06-17 | 2021-06-17 | Data encryption method and device based on attributes |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115499141A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116756761A (en) * | 2023-08-22 | 2023-09-15 | 广东南方电信规划咨询设计院有限公司 | Method and device for encrypting data |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105049207A (en) * | 2015-05-11 | 2015-11-11 | 电子科技大学 | ID-based broadcast encryption scheme containing customized information |
CN105376213A (en) * | 2015-08-04 | 2016-03-02 | 电子科技大学 | Identity-based broadcast encryption scheme |
CN107508667A (en) * | 2017-07-10 | 2017-12-22 | 中国人民解放军信息工程大学 | Ciphertext policy ABE base encryption method and its device of the fix duty without key escrow can be disclosed |
CN112260829A (en) * | 2020-10-19 | 2021-01-22 | 浙江工商大学 | Multi-authorization-based CP-ABE method for supporting mobile equipment under hybrid cloud |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116756761A (en) * | 2023-08-22 | 2023-09-15 | 广东南方电信规划咨询设计院有限公司 | Method and device for encrypting data |
CN116756761B (en) * | 2023-08-22 | 2024-01-12 | 广东南方电信规划咨询设计院有限公司 | Method and device for encrypting data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||