CN115720175A - Data sharing system and method for large data volume and organization - Google Patents


Publication number: CN115720175A
Application number: CN202211523243.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 兰勇, 高志康, 张贺, 张思博
Current assignee: Xinhuaxin Technology Co ltd
Original assignee: Xinhuaxin Technology Co ltd
Prior art keywords: group, encryption, chain, data, proxy
Classification: Storage Device Security

Abstract

The invention discloses a data sharing system for large data volumes and organizations, comprising an algorithm library, a service client, an encryption algorithm server, a cloud storage encryption storage service and a blockchain. The algorithm library comprises a data signature library, a proxy re-encryption library and a group signature library, and provides algorithm functions to the service client and the encryption algorithm server. By combining blockchain, digital envelope and cloud storage technologies, the system stores large volumes of data securely and efficiently and reduces network transmission requirements while meeting requirements such as tamper resistance, non-repudiation and traceability; data stored and transmitted on the chain and in the cloud is encrypted, which effectively protects data privacy and security.

Description

Data sharing system and method for large data volume and organization
Technical Field
The invention relates to the technical field of data encryption, and in particular to a data sharing system and method for large data volumes and organizations.
Background
With the rapid development of network information technology, the efficiency and security of data sharing have become problems that must be faced.
To keep data secure, most organizations and users adopt digital envelope technology: the information to be transmitted is encrypted with the receiver's public key, the tamper-resistant and traceable nature of blockchain data guarantees its authenticity, the data is delivered securely to the receiver, and the receiver decrypts it with its own private key. As technology develops, however, data volumes keep growing, and the excessive volume of encrypted data being transmitted sharply increases the transmission pressure between nodes, lowers consensus efficiency, lengthens block production time, and so on.
Many organizations and users therefore choose proxy re-encryption: large volumes of data are encrypted and uploaded to a cloud server for storage, and the cloud server directly converts the ciphertext key into one that the target user can decrypt, without being able to obtain any plaintext information in the process. However, the re-encryption is performed entirely by the cloud server, so the process can be tampered with and cannot be traced, and the data has no absolute guarantee of authenticity. Moreover, when the receiver is a group organization, encryption and transmission still have to be performed multiple times, which wastes considerable resources in actual business.
The problem that current data sharing urgently needs to solve is therefore how to share large volumes of data credibly and efficiently, and to remain efficient when the receiver is a group organization, while protecting users' information security and privacy.
Disclosure of Invention
The invention aims to solve the above problems by providing a data sharing system for large data volumes and organizations.
The technical solution of the invention is a data sharing system for large data volumes and organizations, comprising an algorithm library, a service client, an encryption algorithm server, a cloud storage encryption storage service and a blockchain;
the algorithm library comprises a data signature library, a proxy re-encryption library and a group signature library, which provide algorithm functions to the service client and the encryption algorithm server;
the service client simulates a business client, i.e. the service a user uses in actual business;
the main data held by the service client comprise the service data to be transmitted in the business, a symmetric key, a group member private key, a chain user private key and the shared target group proxy user;
the encryption algorithm server relies on the algorithm library to provide the service client with group management and transmission encryption functions; its main functions are group member management (for managing the group organization), group signature verification, group proxy user management, proxy re-encryption and asymmetric decryption;
the cloud storage encryption storage service stores large volumes of data in encrypted form and, while providing storage, returns the hash value of the stored data;
the smart contracts on the blockchain comprise a PKI contract, a group signature contract and a proxy re-encryption contract.
An on-chain smart contract method for the data sharing system for large data volumes and organizations comprises the following:
PKIManager smart contract:
create group: puts a group on the chain and manages the on-chain information of the group and its group proxy user;
updateGPK: updates the group public key; provides on-chain updating of the group public key, mainly for the case where the group public key changes after the group membership changes;
getProxyPK: gets the proxy user public key; returns the group proxy user's public key for a given group name, for use by off-chain functions;
groupsigpprecompiled group signature precompiled contract:
group signature verification: verifies a group signature; the on-chain group signature verification method;
proxyrencryptcompiled proxy re-encryption precompiled contract:
proxyReEncrpt: re-encryption; the on-chain proxy re-encryption method;
DataSharer data sharing contract:
setCipherText: sets the ciphertext; uploads the cloud storage address;
authorization: after the caller's identity is verified by group signature verification, performs proxy re-encryption to generate the authorization key;
getCipherText: gets the ciphertext; returns the ciphertext's cloud storage address and the authorization key.
A blockchain privacy encryption protection method based on group signature and proxy re-encryption comprises the following steps:
step one, group initialization:
the group owner of group A calls the encryption algorithm server through the service client to create a group AA and a group proxy user AA;
the encryption algorithm server generates a chain user AA from this information and calls the on-chain PKI smart contract to manage the mapping between the public key of GroupA's proxy user AA and GroupA;
a member of group A calls the encryption algorithm server through the service client to join the group organization;
group B completes the same three steps as group A;
step two, encrypted information sharing:
the local service client of a group A member symmetrically encrypts the plaintext m to be transmitted with a symmetric encryption key, generating the ciphertext c1;
the group A member's local service client uploads the shared data ciphertext c1 to the cloud storage IPFS and obtains a storage address;
the group A member's local service client calls the on-chain data contract to upload the storage address of the cloud-stored data to the chain;
the group A member's local service client calls the encryption algorithm server to generate the re-encryption base message c2 and the proxy re-encryption authorization key Kaa-BB for the data-receiving group B, where c2 is generated by asymmetrically encrypting the symmetric encryption key with the chain user public key pkAA of group A's group proxy user AA, Kaa-BB is generated from the chain user private key skAA of group A's group proxy user AA and the chain user public key pkBB of the target group B's group proxy user BB, and pkBB is obtained by the encryption algorithm server calling the on-chain PKI smart contract;
the group A member's local service client calls the on-chain data contract to perform on-chain encryption authorization and associate it with the cloud-stored shared data on the chain; the chain verifies the contract caller's identity by group signature verification, performs proxy re-encryption once the caller is confirmed to be a member of group A, and generates the on-chain authorization key c3 for the target group B's proxy user from the proxy re-encryption authorization key Kaa-BB and the re-encryption base message c2;
the local service client of a group B member calls the on-chain data contract to obtain the on-chain authorization key c3 and the address of the cloud-stored shared data;
the group B member's local service client calls the encryption algorithm server to perform asymmetric decryption with the private key skBB of group B's proxy user and the on-chain authorization key c3, obtaining the symmetric encryption key;
the group B member's local service client fetches the shared data ciphertext c1 from the cloud storage shared data address;
and the group B member's local service client symmetrically decrypts the shared data ciphertext c1 with the symmetric encryption key, finally obtaining the plaintext m.
The data sharing system for large data volumes and organizations built according to the technical solution of the invention integrates blockchain, smart contract, group signature, proxy re-encryption and cloud storage technologies, and aims to solve the problems of existing network data sharing schemes: insecure data, lack of traceability, susceptibility to tampering, low efficiency, high transmission pressure, complex authorization operations, and so on.
In the general fusion scheme, group signature and proxy re-encryption are used together, which removes the need for repeated encryption computation and repeated authorization when the recipient is a group, and unifies the management models for group authorization and single-user authorization. The concept of an on-chain group proxy user is introduced to avoid the algorithmic incompatibility between the group signature key system and proxy re-encryption. This role is virtual: it is not a real user and cannot initiate any on-chain operation by itself. On-chain operations are initiated by real users with their own digital signature and group signature, so blockchain properties such as traceability are preserved. The chain public and private keys and the user information of the group proxy users are managed in the encryption algorithm server with the group as the organizational unit, and each group has its own encryption algorithm server, which ensures physical isolation of the group proxy users and the security of data transmission.
In the group signature and proxy re-encryption fusion scheme, group signature and smart contract technologies are used together, which addresses the complexity and centralization of traditional PKI (public key infrastructure): the associated public keys can be managed algorithmically in a decentralized way. Users authorize and manage the storage of the group, the group public key and the group proxy user public key in the on-chain smart contract with their digital signature and group signature, so that subsequent business needs such as data sharing can be managed on the basis of each identity's chain account.
In the general fusion scheme, blockchain, digital envelope and cloud storage technologies are used together, giving secure and efficient storage of large data volumes and reducing network transmission requirements while meeting requirements such as tamper resistance, non-repudiation and traceability. Data stored and transmitted both on the chain and in the cloud is encrypted, which effectively protects data privacy and security.
Drawings
FIG. 1 is a schematic diagram of the data sharing system for large data volumes and organizations according to the invention;
FIG. 2 shows the blockchain privacy protection scheme, based on group signature and proxy re-encryption, of the data sharing system for large data volumes and organizations according to the invention;
FIG. 3 shows the smart contract relationships of the blockchain privacy protection scheme, based on group signature and proxy re-encryption, of the data sharing system for large data volumes and organizations according to the invention.
Detailed Description
The invention is described in detail below with reference to the accompanying drawings; FIGS. 1-3 show a data sharing system for large data volumes and organizations;
in this embodiment, the service structure of the scheme (FIG. 1) defines the on-chain and off-chain service structure and the role relationships of the services;
the algorithm library is the basic off-chain algorithm library on which the invention depends; it comprises a data signature library, a proxy re-encryption library and a group signature library, and provides algorithm functions to the service client and the encryption algorithm server.
The service client simulates a business client, i.e. the service a user uses in actual business. The main data it holds are: the service data to be transmitted in the business; a symmetric key, used for symmetric encryption of the transmission; a group member private key, used for group identity identification and group signature verification; a chain user private key, used for blockchain user identity identification and for initiating contract calls, i.e. transactions; and the shared target group proxy user, used to obtain the target group's proxy public key information on the chain for data transmission.
The encryption algorithm server relies on the algorithm library to provide the service client with group management and transmission encryption functions. Its main functions are: group member management, for managing the group organization; group signature verification, for verifying the identity of group members; group proxy user management, for creating and managing the group's identity on the blockchain and the relationship between the group and its group proxy user; proxy re-encryption, for generating the proxy re-encryption key on the server side; and asymmetric decryption, for decrypting to obtain the plaintext symmetric encryption key.
The cloud storage encryption storage service stores large volumes of data in encrypted form and, while providing storage, returns the hash value of the stored data. This embodiment uses IPFS (the InterPlanetary File System); practical implementations are not limited to this storage scheme, and the approach applies to a wide range of cloud storage schemes.
Smart contracts on the blockchain:
1. PKI contract: manages the group public key and the public key information of the group proxy user;
2. group signature contract: a functional precompiled contract for group signature verification;
3. proxy re-encryption contract: a functional precompiled contract for proxy re-encryption;
2. the overall implementation is divided into two major stages (FIG. 2);
a blockchain privacy encryption protection method based on group signature and proxy re-encryption;
step one, group initialization;
1. the group owner of group A calls the encryption algorithm server through the service client to create a group AA and a group proxy user AA;
2. the encryption algorithm server generates a chain user AA from this information and calls the on-chain PKI smart contract to manage the mapping between the public key of GroupA's proxy user AA and GroupA;
3. a member of group A calls the encryption algorithm server through the service client to join the group organization;
4. group B completes the same 3 steps as group A;
step two, encrypted information sharing;
1. the local service client of a group A member symmetrically encrypts the plaintext m to be transmitted with a symmetric encryption key, generating the ciphertext c1;
2. the group A member's local service client uploads the shared data ciphertext c1 to the cloud storage IPFS and obtains a storage address;
3. the group A member's local service client calls the on-chain data contract to upload the storage address of the cloud-stored data to the chain;
4. the group A member's local service client calls the encryption algorithm server to generate the re-encryption base message c2 and the proxy re-encryption authorization key Kaa-BB for the data-receiving group B, where c2 is generated by asymmetrically encrypting the symmetric encryption key with the chain user public key pkAA of group A's group proxy user AA, Kaa-BB is generated from the chain user private key skAA of group A's group proxy user AA and the chain user public key pkBB of the target group B's group proxy user BB, and pkBB is obtained by the encryption algorithm server calling the on-chain PKI smart contract;
5. the group A member's local service client calls the on-chain data contract to perform on-chain encryption authorization and associate it with the cloud-stored shared data on the chain; the chain verifies the contract caller's identity by group signature verification, performs proxy re-encryption once the caller is confirmed to be a member of group A, and generates the on-chain authorization key c3 for the target group B's proxy user from the proxy re-encryption authorization key Kaa-BB and the re-encryption base message c2;
6. the local service client of a group B member calls the on-chain data contract to obtain the on-chain authorization key c3 and the address of the cloud-stored shared data;
7. the group B member's local service client calls the encryption algorithm server to perform asymmetric decryption with the private key skBB of group B's proxy user and the on-chain authorization key c3, obtaining the symmetric encryption key;
8. the group B member's local service client fetches the shared data ciphertext c1 from the cloud storage shared data address;
9. the group B member's local service client symmetrically decrypts the shared data ciphertext c1 with the symmetric encryption key, finally obtaining the plaintext m;
3. the on-chain smart contract methods and their relationships are as follows (FIG. 3);
A. PKIManager smart contract:
1. create group: puts a group on the chain and manages the on-chain information of the group and its group proxy user;
2. updateGPK: updates the group public key; provides on-chain updating of the group public key, mainly for the case where the group public key changes after the group membership changes;
3. getProxyPK: gets the proxy user public key; returns the group proxy user's public key for a given group name, for use by off-chain functions;
B. groupsigpprecompiled group signature precompiled contract:
1. group signature verification: verifies a group signature; the on-chain group signature verification method;
C. proxyrencryptcompiled proxy re-encryption precompiled contract:
1. proxyReEncrpt: re-encryption; the on-chain proxy re-encryption method;
D. DataSharer data sharing contract:
1. setCipherText: sets the ciphertext; uploads the cloud storage address;
2. authorization: after the caller's identity is verified by group signature verification, performs proxy re-encryption to generate the authorization key;
3. getCipherText: gets the ciphertext; returns the ciphertext's cloud storage address and the authorization key.
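The step-two key flow (c1, c2, Kaa-BB, c3) and the DataSharer calls listed above, as an added Python model that is not code from the patent. Assumptions: the patent names no concrete algorithms, so the proxy re-encryption here is a toy additive key-splitting construction modulo the prime 2**255 - 19, the symmetric cipher is a SHA-256 keystream stand-in, group signature verification is reduced to a boolean, and every function and class name is hypothetical.

```python
import hashlib
import secrets

# Assumption: toy parameters so the example runs on the standard library alone.
P = 2**255 - 19      # prime modulus
G = 2                # base element
ORDER = P - 1        # exponents reduce modulo P - 1 (Fermat's little theorem)

def _h(*parts):
    """SHA-256 over length-prefixed parts; ints are encoded as 32 bytes."""
    h = hashlib.sha256()
    for part in parts:
        data = part.to_bytes(32, "big") if isinstance(part, int) else part
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_xor(key, data):
    """Stand-in symmetric cipher (encrypts and decrypts): SHA-256 keystream."""
    stream = b"".join(_h(key, i) for i in range((len(data) + 31) // 32))
    return _xor(data, stream)

def keygen():
    sk = secrets.randbelow(ORDER - 2) + 1
    return sk, pow(G, sk, P)

def wrap_key(pk_aa, k):
    """c2: the 32-byte symmetric key k encrypted under pkAA (hashed ElGamal)."""
    e = secrets.randbelow(ORDER - 2) + 1
    return pow(G, e, P), _xor(k, _h(pow(pk_aa, e, P)))

def rekey(sk_aa, pk_bb):
    """Kaa-BB: built from skAA and pkBB only. skAA is split as share + d,
    where d is a Diffie-Hellman value that only the holder of skBB can redo."""
    x, big_x = keygen()
    d = int.from_bytes(_h(big_x, pk_bb, pow(pk_bb, x, P)), "big")
    return (sk_aa - d) % ORDER, big_x

def reencrypt(rk, c2):
    """c3: computed by the chain from Kaa-BB and c2 without learning k."""
    share, big_x = rk
    point, wrapped = c2
    return point, pow(point, share, P), big_x, wrapped

def unwrap_key(sk_bb, c3):
    """Recover k from c3 with skBB."""
    point, partial, big_x, wrapped = c3
    pk_bb = pow(G, sk_bb, P)
    d = int.from_bytes(_h(big_x, pk_bb, pow(big_x, sk_bb, P)), "big")
    return _xor(wrapped, _h(partial * pow(point, d, P) % P))

class DataSharerModel:
    """In-memory stand-in for the on-chain data sharing contract."""

    def __init__(self):
        self.address = None
        self.c3 = None

    def set_cipher_text(self, address):
        self.address = address

    def authorize(self, group_sig_ok, rk, c2):
        # Assumption: group signature verification is reduced to a boolean.
        if not group_sig_ok:
            raise PermissionError("caller is not a verified member of group A")
        self.c3 = reencrypt(rk, c2)

    def get_cipher_text(self):
        return self.address, self.c3

def share(m, group_sig_ok=True):
    """Run step two end to end; returns what group B recovers plus k and c3."""
    sk_aa, pk_aa = keygen()              # group A proxy user AA
    sk_bb, pk_bb = keygen()              # group B proxy user BB
    storage, chain = {}, DataSharerModel()
    # Group A member: steps 1-5
    k = secrets.token_bytes(32)
    c1 = stream_xor(k, m)
    address = hashlib.sha256(c1).hexdigest()   # hash-derived storage address
    storage[address] = c1
    chain.set_cipher_text(address)
    c2 = wrap_key(pk_aa, k)
    chain.authorize(group_sig_ok, rekey(sk_aa, pk_bb), c2)
    # Group B member: steps 6-9
    address_b, c3 = chain.get_cipher_text()
    k_b = unwrap_key(sk_bb, c3)
    return {"m": stream_xor(k_b, storage[address_b]), "k": k, "c3": c3}
```

In this model the contract state holds only the storage address and c3, and unwrapping c3 with any private key other than skBB yields a value that is not the symmetric key.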
The technical solutions described above represent only the preferred technical solutions of the invention; modifications that those skilled in the art may make to some parts of them embody the principles of the invention and fall within its protection scope.

Claims (3)

1. A data sharing system for large data volumes and organizations, characterized by comprising an algorithm library, a service client, an encryption algorithm server, a cloud storage encryption storage service and a blockchain;
the algorithm library comprises a data signature library, a proxy re-encryption library and a group signature library, which provide algorithm functions to the service client and the encryption algorithm server;
the service client simulates a business client, i.e. the service a user uses in actual business;
the main data held by the service client comprise the service data to be transmitted in the business, a symmetric key, a group member private key, a chain user private key and the shared target group proxy user;
the encryption algorithm server relies on the algorithm library to provide the service client with group management and transmission encryption functions; its main functions are group member management (for managing the group organization), group signature verification, group proxy user management, proxy re-encryption and asymmetric decryption;
the cloud storage encryption storage service stores large volumes of data in encrypted form and, while providing storage, returns the hash value of the stored data;
the smart contracts on the blockchain comprise a PKI contract, a group signature contract and a proxy re-encryption contract.
2. An on-chain smart contract method for a data sharing system for large data volumes and organizations, comprising the following:
PKIManager smart contract:
create group: puts a group on the chain and manages the on-chain information of the group and its group proxy user;
updateGPK: updates the group public key; provides on-chain updating of the group public key, mainly for the case where the group public key changes after the group membership changes;
getProxyPK: gets the proxy user public key; returns the group proxy user's public key for a given group name, for use by off-chain functions;
groupsigpprecompiled group signature precompiled contract:
group pSigVerify: verifies a group signature; the on-chain group signature verification method;
proxyrencryptcompiled proxy re-encryption precompiled contract:
proxyReEncrpt: re-encryption; the on-chain proxy re-encryption method;
DataSharer data sharing contract:
setCipherText: sets the ciphertext; uploads the cloud storage address;
authorization: after the caller's identity is verified by group signature verification, performs proxy re-encryption to generate the authorization key;
getCipherText: gets the ciphertext; returns the ciphertext's cloud storage address and the authorization key.
3. A blockchain privacy encryption protection method based on group signature and proxy re-encryption, characterized by comprising the following steps:
step one, group initialization:
the group owner of group A calls the encryption algorithm server through the service client to create a group AA and a group proxy user AA;
the encryption algorithm server generates a chain user AA from this information and calls the on-chain PKI smart contract to manage the mapping between the public key of GroupA's proxy user AA and GroupA;
a member of group A calls the encryption algorithm server through the service client to join the group organization;
group B completes the same 3 steps as group A;
step two, encrypted information sharing:
the local service client of a group A member symmetrically encrypts the plaintext m to be transmitted with a symmetric encryption key, generating the ciphertext c1;
the group A member's local service client uploads the shared data ciphertext c1 to the cloud storage IPFS and obtains a storage address;
the group A member's local service client calls the on-chain data contract to upload the storage address of the cloud-stored data to the chain;
the group A member's local service client calls the encryption algorithm server to generate the re-encryption base message c2 and the proxy re-encryption authorization key Kaa-BB for the data-receiving group B, where c2 is generated by asymmetrically encrypting the symmetric encryption key with the chain user public key pkAA of group A's group proxy user AA, Kaa-BB is generated from the chain user private key skAA of group A's group proxy user AA and the chain user public key pkBB of the target group B's group proxy user BB, and pkBB is obtained by the encryption algorithm server calling the on-chain PKI smart contract;
the group A member's local service client calls the on-chain data contract to perform on-chain encryption authorization and associate it with the cloud-stored shared data on the chain; the chain verifies the contract caller's identity by group signature verification, performs proxy re-encryption once the caller is confirmed to be a member of group A, and generates the on-chain authorization key c3 for the target group B's proxy user from the proxy re-encryption authorization key Kaa-BB and the re-encryption base message c2;
the local service client of a group B member calls the on-chain data contract to obtain the on-chain authorization key c3 and the address of the cloud-stored shared data;
the group B member's local service client calls the encryption algorithm server to perform asymmetric decryption with the private key skBB of group B's proxy user and the on-chain authorization key c3, obtaining the symmetric encryption key;
the group B member's local service client fetches the shared data ciphertext c1 from the cloud storage shared data address;
and the group B member's local service client symmetrically decrypts the shared data ciphertext c1 with the symmetric encryption key, finally obtaining the plaintext m.

Priority and publication data

Application number: CN202211523243.4A
Priority date: 2022-12-01
Filing date: 2022-12-01
Publication number: CN115720175A (publication date 2023-02-28)
Status: Pending
Family ID: 85257100
Country: CN

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination