CN115941221A - Access control method based on block chain in mobile edge cloud cooperation - Google Patents
Publication number: CN115941221A (application CN202111086224.5A)
Authority: CN (China)
Prior art keywords: terminal member, attribute, edge server, access, resource
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Abstract
The invention provides a block chain-based access control method for mobile edge cloud cooperation, comprising the following steps: initialize the protocol parameters of the mobile edge network domain, generate the master key and public key of the edge cloud cooperative system and the public/private key pairs of the cloud server, the edge servers and the terminal members; register the identity of each terminal member to obtain its attribute authority parameters and write them into the block chain; after successful registration, a resource provider shares data and sets the attribute set and access control strategy for accessing the resource; a resource accessor accesses resources in its own domain and, if the domain lacks the required resource, applies to its local edge server for a signature and accesses the resource across domains once it holds the signature. Because the method authenticates identity with hidden attributes, attributes are not leaked in transit and personal privacy information is protected more effectively and safely; combining the protocol with block chain technology ensures its resistance to collusion attacks and makes access control more flexible, efficient and practical.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a block chain-based access control method in mobile edge cloud coordination.
Background
The rapid development of 5G, big data and artificial intelligence in recent years has pushed cloud computing to its peak. Cloud computing brings companies and enterprises benefits in computing power, scale, interoperability and centralization, but as it has grown, the large-scale increase in edge nodes and data volume has amplified its shortcomings, so edge cloud collaboration has become a new technology wave: combining edge computing with cloud computing can provide high-capacity, high-bandwidth, low-latency data sharing for many scenarios. However, resource sharing in this setting involves complex and varied resource types, frequent resource access and large transfer volumes, which seriously challenge the privacy and data security of terminal members.
Secure access control over data is one of the key technologies for guaranteeing safe data sharing among terminal members: it limits, through specified conditions, the range or sensitivity of the data a data acquirer can obtain, ensures that a user accesses data only within its legitimate rights, and prohibits unauthorized operations. In the edge cloud collaborative environment, access control remains an important technology for ensuring safe data access. However, in existing access control technology the identity authentication process of a terminal member is complicated and inefficient, user authority is difficult to update in time, and data is easily tampered with during sharing, so existing methods adapt poorly to the mobile edge cloud coordination scenario. The block chain-based access control protocol for the mobile edge cloud collaborative scenario proposed here provides block chain-based access control for secure data sharing, and protects the privacy information of terminal users through identity authentication based on hidden attributes. At the same time, dynamic, fine-grained and cross-domain access control is realized using the traceable, provable and authenticable characteristics of the block chain, which makes the identity authentication process lighter and more reliable. In addition, the scheme combines identity authentication with attribute authentication into a double authentication mechanism, improving the security of data access control.
At present, no research on block chain-based access control protocols in the mobile edge cloud collaborative scenario has appeared; a series of challenging problems remain to be solved, and work on cross-domain access control and related aspects is unprecedented.
Disclosure of Invention
Aiming at the technical problems that privacy of terminal members is easy to leak, the efficiency of an authentication process is low and cross-domain access control is difficult to realize in the access control process of the existing access control method, the invention provides the block chain-based access control method in mobile edge cloud cooperation.
In order to achieve the purpose, the technical scheme of the invention is realized as follows: an access control method based on a block chain in mobile edge cloud cooperation comprises the following steps:
step one, initializing access control protocol parameters in a side cloud coordination system: generating public/private key pairs of a cloud server CS, each edge server and each terminal member;
step two, distributing the attribute authority of the terminal member:
a) The CS broadcasts all attributes of the access system resource and attribute serial numbers thereof to each terminal member;
b) The terminal member calculates intermediate parameters required by registration according to the attribute of the terminal member, and sends the intermediate parameters to the cloud server CS;
c) After receiving the messages sent by each terminal member, the cloud server CS verifies the validity of the parameters and the validity of the identity of each terminal member, if the verification is passed, the cloud server CS determines the number of the terminal member attributes and calculates the attribute authority parameters and the signature, and then sends the public key, the signature and the attribute authority parameters of the cloud server CS to each terminal member;
d) After receiving a message sent by a cloud server CS, each terminal member calculates an attribute authority, then the identity of the cloud server CS and the correctness of the attribute authority are verified, if the verification is passed, each terminal member obtains an attribute authority corresponding to the attribute and an attribute authority parameter set, and the distribution of the attribute authority of each terminal member is successful;
e) The cloud server CS calculates encryption parameters and sends the encryption parameters to each edge server, and each edge server receives the encryption parameters and then calculates to obtain an attribute authority set of all attributes;
f) The cloud server CS partitions the system into different security domains according to the IP addresses of the edge servers and mobile terminals, establishes a block chain for each security domain and writes the public information of each terminal member of the domain into its block chain; each edge server runs the block chain program of its local domain and can obtain the block information of any terminal member it manages;
step three, storage of shared resources:
g) The resource sharer sets an attribute set and an access control strategy of the resource, and encrypts the shared resource by using the access control strategy to obtain a ciphertext; the resource sharer uploads the own public key and the information of the shared resource to the local edge server, and the local edge server writes the message into the block chain after receiving the message and simultaneously stores the message into a list of a federation data index database;
step four, access control of shared resources within the domain and of shared resources outside the domain.
Further, the method for controlling access to the shared resources in the domain includes:
h) The resource demander calculates the access parameters and the access signatures required by the access resources and sends the access parameters, the access signatures and the access authority information to a local edge server;
i) After receiving the message of the resource demander, the local edge server verifies the validity of the parameters, the identity of the resource demander and the attribute authority parameters;
j) After the verification is passed, the local edge server searches resources according to keywords provided by the resource demander, compares the access rights of the resources and the resource demander, and calculates request parameters and request signatures and sends the request parameters and the request signatures to the resource demander after finding the target resources;
k) After receiving the message of the local edge server, the resource demander verifies the request parameters and the identity of the local edge server, and if the verification is passed, the resource demander obtains the shared resource.
Further, the method for controlling access to shared resources outside the domain comprises the following steps:
l) the resource demander calculates the access parameters and signature required to access the resource and sends the access parameters, the access signature, the demander's access authority and the keyword information to a local edge server;
m) after receiving the message of the resource demander, the local edge server verifies the validity of the access parameters, the identity of the terminal member and the attribute authority parameters;
n) after the verification is passed, the local edge server searches resources corresponding to the keywords, the access authority of the resources and the edge server outside the domain to which the resources belong, then calculates a request signature and sends the request signature and the address of the edge server outside the domain to the resource demander;
o) after receiving the message of the local edge server, the resource demander calculates the parameter of the request signature and verifies the validity of the message, and after the verification is passed, the resource demander sends the parameter information of the resource request to the edge server outside the domain;
p) after receiving the resource request parameter message of the resource demander, the edge server outside the domain verifies the request parameter, the identity of the resource demander, the request signature of the local edge server of the resource demander and the attribute authority parameter of the resource demander;
q) after the verification is passed, the edge server outside the domain provides a link of the shared resource to the resource demander.
Further, in the first step, the method for generating the public/private key pair of the cloud server CS, each edge server, and each terminal member includes:
Generate the system master key $MSK$ and public key $PK$ with the master key generation function. Input the system public key $PK$, the master key $MSK$, the identity […] of terminal member $u_{i,t}$ and the attribute set […] selected by $u_{i,t}$ into the key generation function, which outputs the private key […] of the terminal member; the public key […] is then computed from it, and the public/private key pair of the terminal member is […].
The cloud server CS selects a random positive integer $SK_{CS}$ (from the set of integers of order $q$ defined below) as its private key and computes the public key $PK_{CS} = SK_{CS}\, g_1$; the public/private key pair of the cloud server CS is $(PK_{CS}, SK_{CS})$.
Each edge server $E_i$ randomly selects a positive integer […] as its private key and computes its public key […].
Here $g_1$ is a generator of the additive group $G_1$, […] denotes the set of integers of order $q$, $q$ is the order of $G_1$, $1 \le i \le N$, $1 \le t \le n$, $n$ is the number of terminal members in a domain and $N$ is the number of edge servers in the system.
Further, the method for distributing the attribute authority of the terminal member in the second step includes:
(1) The cloud server CS broadcasts all attributes of the access-system resources together with their sequence numbers, $\{(A_1, S_1), (A_2, S_2), \dots, (A_R, S_R)\}$, to each terminal member, where $A_v$ is the $v$-th attribute for accessing system resources, $S_v$ is the sequence number of $A_v$, $1 \le v \le R$, $R \in N^*$ is the number of attributes in the network and $N^*$ denotes the positive integers.
(2) The terminal member $u_{i,t}$ owning the attribute sequence set […] randomly selects a positive integer $\gamma_{i,t} \ne 1$ and computes the intermediate parameters $o_{i,t} = \gamma_{i,t}\, g_1$, $\theta_{i,t,1} = \gamma_{i,t} H_1(a_{i,t,1})\, g_1$, $\theta_{i,t,2} = \gamma_{i,t} H_1(a_{i,t,2})\, g_1$, …, $\theta_{i,t,r} = \gamma_{i,t} H_1(a_{i,t,r})\, g_1$, $\beta_{i,t} = \gamma_{i,t}\, PK_{CS}$, $\eta_{i,t} = […]$ and $\phi_{i,t} = H_2(\beta_{i,t})$; $u_{i,t}$ then sends the message […] to the cloud server CS. Here $a_{i,t,v}$ is the $v$-th attribute of $u_{i,t}$, with $a_{i,t,k} < a_{i,t,k+1}$ for $1 \le k < r$, and $r$ is the number of attributes of $u_{i,t}$; $\theta_{i,t,1}, \theta_{i,t,2}, \dots, \theta_{i,t,r}$, $\eta_{i,t}$, $\beta_{i,t}$, $\phi_{i,t}$ and $o_{i,t}$ are the intermediate parameters $u_{i,t}$ needs for registration; $g_1$ is a generator of the additive group $G_1$, $1 \le i \le N$, $1 \le t \le n$, $n$ is the number of terminal members in the domain and $N$ the number of edge servers in the system; $PK_{CS}$ is the public key of the cloud server CS, […] is the private key of $u_{i,t}$ and […] its public key; $H_1(\cdot)$ and $H_2(\cdot)$ are hash functions and $\|$ is the concatenation symbol.
(3) After receiving the message […] sent by $u_{i,t}$, the cloud server CS computes the hash value $\beta'_{i,t} = H_2(\beta_{i,t})$ and verifies the equations $\beta'_{i,t} = \phi_{i,t}$ and […]. If they hold, the CS computes the intermediate parameters […] and […], and compares […] with $\theta_{i,t,k}$ to determine which attributes $u_{i,t}$ holds. Then, for each attribute $a_{i,t,k}$ of $u_{i,t}$, the CS randomly selects a positive integer $t_{i,t,k}$ […], computes the attribute authority parameter $\chi_{i,t,k} = t_{i,t,k}\, o_{i,t}$ corresponding to $a_{i,t,k}$ and the signature $\delta_{i,t} = […]$, and sends the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \dots, \chi_{i,t,r})\}$ to the registered terminal member $u_{i,t}$. Here $\chi_{i,t,k}$ is the attribute authority parameter of the $k$-th attribute of $u_{i,t}$, $SK_{CS}$ is the private key of the cloud server CS, $\delta_{i,t}$ is the signature $u_{i,t}$ needs for registration and $e(\cdot)$ is a computable bilinear map.
(4) After receiving the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \dots, \chi_{i,t,r})\}$ from the cloud server CS, $u_{i,t}$ computes the attribute authority of each attribute, $T_{i,t,1} = \gamma_{i,t}^{-1} \chi_{i,t,1} = t_{i,t,1}\, g_1$, $T_{i,t,2} = \gamma_{i,t}^{-1} \chi_{i,t,2} = t_{i,t,2}\, g_1$, …, $T_{i,t,r} = \gamma_{i,t}^{-1} \chi_{i,t,r} = t_{i,t,r}\, g_1$, and the intermediate parameter $\mu_{i,t} = H_2(T_{i,t,1} \| T_{i,t,2} \| \dots \| T_{i,t,r})$; $u_{i,t}$ then verifies the equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\, g_1, g_1)$. If it holds, $u_{i,t}$ is registered successfully and obtains the attribute authority $T_{i,t,k}$ corresponding to each of its attributes $a_{i,t,k}$ and the attribute authority parameter set $\pi_{i,t} = \{\chi_{i,t,1}, \chi_{i,t,2}, \dots, \chi_{i,t,r}\}$. Here $T_{i,t,1}, T_{i,t,2}, \dots, T_{i,t,r}$ are the attribute authorities of $u_{i,t}$ and $\mu_{i,t}$ is the intermediate variable needed to verify the identity of the cloud server CS.
(5) Using the positive integers it selected, the cloud server CS computes for each edge server $E_i$ the encryption parameter […] and sends it to $E_i$; after receiving it, each edge server $E_i$ computes the attribute authority […] and thereby obtains the attribute authority set of all attributes $Eaw_{t,k} = \{T_{i,t,1}, T_{i,t,2}, \dots, T_{i,t,R}\}$, where […] is the public key of $E_i$ and […] its private key.
(6) The cloud server CS partitions the system into different security domains according to the IP addresses of the edge servers and terminal members, establishes a block chain for each security domain and writes the public information of every terminal member of the domain into that chain. When a terminal member $u_{i,t}$ of edge server $E_i$ registers successfully, the CS writes a new block, consisting of the public key […] of the terminal member, the attribute authority parameter set $\pi_{i,t}$ and the public key […] of edge server $E_i$, to the block chain; the information blocks of all terminal members of a security domain form the block chain of that domain.
(7) Edge server $E_i$ runs the block chain program of its own domain and can obtain the block information […] of any terminal member $u_{i,t}$ it governs.
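The following is an added illustration of the hidden-attribute registration of steps b) to d) and (2) to (4), not code from the patent. It works in the multiplicative group of integers modulo the Mersenne prime $2^{127}-1$, so the patent's scalar multiplication $k\, g_1$ appears as `pow(G, k, P)`; the attribute dictionary, the hash-to-scalar `h1`, the second check in `cs_issue` (that $SK_{CS}\, o_{i,t}$ equals $\beta_{i,t}$), and the use of a Schnorr signature over $\mu_{i,t}$ in place of the pairing-based $\delta_{i,t}$ (the standard library has no bilinear map) are all assumptions made here. What it shows is the mechanism the text describes: the member sends only blinded attributes, the CS recovers which dictionary attributes are held by matching $H_1(A_v)\, o_{i,t}$ against the $\theta$ values, issues $\chi_k = t_k\, o_{i,t}$, and the member unblinds to $T_k = \gamma^{-1} \chi_k = t_k\, g_1$ without $\gamma$ ever leaving the member.

```python
# Added illustration of steps (2)-(4); NOT the patent's own code.
# Group: integers mod P (P prime), so the patent's k*g_1 is pow(G, k, P).
import hashlib
import math
import secrets

P = 2**127 - 1        # Mersenne prime M127; the multiplicative group has order P-1
ORDER = P - 1         # the patent's scalars live modulo the group order
G = 3                 # fixed base element standing in for the generator g_1

# Step (1): attribute dictionary broadcast by the CS (constructed); serial number = index.
ATTRIBUTES = ["doctor", "nurse", "admin", "researcher", "patient"]


def h1(attr: str) -> int:
    """H_1 (assumed): attribute string -> non-zero scalar."""
    return int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % (ORDER - 1) + 1


def h2(*parts) -> str:
    """H_2 (assumed) over the '||'-concatenation of its arguments."""
    return hashlib.sha256("||".join(str(x) for x in parts).encode()).hexdigest()


def random_scalar(invertible: bool = False) -> int:
    k = secrets.randbelow(ORDER - 2) + 2                # 2 .. ORDER-1, so never 1
    while invertible and math.gcd(k, ORDER) != 1:       # gamma needs an inverse mod ORDER
        k = secrets.randbelow(ORDER - 2) + 2
    return k


def keygen():
    """Cloud server key pair: SK_CS random, PK_CS = SK_CS * g_1."""
    sk = random_scalar()
    return sk, pow(G, sk, P)


def member_request(attrs, pk_cs):
    """Step (2): blind the held attributes with gamma; returns gamma and the message."""
    gamma = random_scalar(invertible=True)
    held = sorted(attrs, key=ATTRIBUTES.index)                 # a_{i,t,k} < a_{i,t,k+1}
    o = pow(G, gamma, P)                                       # o = gamma * g_1
    theta = [pow(G, gamma * h1(a) % ORDER, P) for a in held]   # gamma * H_1(a) * g_1
    beta = pow(pk_cs, gamma, P)                                # beta = gamma * PK_CS
    return gamma, {"o": o, "theta": theta, "beta": beta, "phi": h2(beta)}


def schnorr_sign(sk, pk, msg):
    """Stand-in for the pairing signature delta of step (3): Schnorr in this group."""
    r = random_scalar()
    R = pow(G, r, P)
    c = int(h2(R, pk, msg), 16) % ORDER
    return R, (r + c * sk) % ORDER


def schnorr_verify(pk, msg, sig):
    R, s = sig
    c = int(h2(R, pk, msg), 16) % ORDER
    return pow(G, s, P) == R * pow(pk, c, P) % P


def cs_issue(msg, sk_cs, pk_cs):
    """Step (3): check the request, recover the held attributes, issue chi_k."""
    if h2(msg["beta"]) != msg["phi"]:
        raise ValueError("phi does not match beta")
    if pow(msg["o"], sk_cs, P) != msg["beta"]:      # assumed check: SK_CS * o == beta
        raise ValueError("beta is not consistent with o")
    # Compare H_1(A_v) * o with the blinded thetas to learn which attributes are held.
    held = [a for a in ATTRIBUTES if pow(msg["o"], h1(a), P) in msg["theta"]]
    if len(held) != len(msg["theta"]):
        raise ValueError("a blinded attribute is not in the attribute dictionary")
    t = [random_scalar() for _ in held]
    chi = [pow(msg["o"], tk, P) for tk in t]              # chi_k = t_k * o
    authorities = [pow(G, tk, P) for tk in t]             # T_k = t_k * g_1, CS side
    delta = schnorr_sign(sk_cs, pk_cs, h2(*authorities))  # signature over mu
    return {"pk_cs": pk_cs, "delta": delta, "chi": chi}, held, authorities


def member_finish(gamma, reply):
    """Step (4): unblind T_k = gamma^-1 * chi_k and verify the CS signature over mu."""
    inv = pow(gamma, -1, ORDER)
    authorities = [pow(c, inv, P) for c in reply["chi"]]
    if not schnorr_verify(reply["pk_cs"], h2(*authorities), reply["delta"]):
        raise ValueError("cloud server signature rejected")
    return authorities, reply["chi"]                      # (T_k values, pi_{i,t})


def run_registration(attrs):
    """Full exchange; 'match' is True when the member's unblinded T_k equal the CS's."""
    sk_cs, pk_cs = keygen()
    gamma, msg = member_request(attrs, pk_cs)
    reply, held, t_cs = cs_issue(msg, sk_cs, pk_cs)
    t_member, pi = member_finish(gamma, reply)
    return {"held": held, "match": t_member == t_cs, "pi": pi}


def tampered_request_rejected():
    """Failure mode: a modified phi is caught before any authority parameter is issued."""
    sk_cs, pk_cs = keygen()
    _, msg = member_request(["nurse"], pk_cs)
    msg["phi"] = h2("not the real beta")
    try:
        cs_issue(msg, sk_cs, pk_cs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_registration(["researcher", "doctor"]))
```

The CS learns the member's attributes only through the matching step, so the attribute strings never travel on the wire; an attribute that is not in the broadcast dictionary produces a $\theta$ that matches nothing and the request is rejected.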
Further, the method for storing the shared resource in the third step is as follows:
1) Terminal member $u_{i,j}$ sets, according to the security level of the shared resource $m_{i,j}$, the attribute set […] and the access control policy […] for accessing $m_{i,j}$; the attribute authority set corresponding to the attribute set is […] and the attribute authority parameter set corresponding to that authority set is […]. Here $attr_{i,j,m}$ is the $m$-th attribute of the shared resource $m_{i,j}$, $T_{i,j,m}$ is the attribute authority corresponding to $attr_{i,j,m}$, $\chi_{i,j,m}$ is the attribute authority parameter of $T_{i,j,m}$, $1 \le j \le n$ and $n$ is the number of terminal members in the domain.
2) Terminal member $u_{i,j}$ encrypts the shared resource $m_{i,j}$ with the attribute authorities in the attribute authority set […] and the access control policy […], obtaining the ciphertext data […]; $u_{i,j}$ then uploads the message […], composed of its public key […], the ciphertext data […], the attribute authority parameter set […], the keywords of $m_{i,j}$ and the access control policy […], to the local edge server $E_i$.
3) After receiving the message […], the local edge server $E_i$ writes it into the block chain: $E_i$ writes each shared resource as a block to the local data-sharing block chain and at the same time stores […] in the federation data index database list $d_{all}$, where […] is the access address of the local edge server $E_i$.
Further, the method for controlling access to the intra-domain shared resource comprises:
s1: resource demander u i,t Computing hash valuesAnd access signaturesThe access authority information of the user and the keyword information of the access resourceSent to the local edge server E i (ii) a Wherein it is present>Indicating terminal member u i,t Is based on the private key of>Is a terminal member u i,t The public key of (2); pi i,t Representing a set of attribute rights parameters, o i,t Indicating terminal member u i,t Registering the calculated intermediate parameters; and t is not less than 1 but not equal to j is not more than n;Is a hash function, | | is a concatenation symbol, H 3 :{0,1} * →G 1 As a hash function, g 1 Is an addition group G 1 A generator of (2);
s2: local edge server E i Receiving informationThereafter, a hash value is calculatedAnd verifies the hash value->Whether equal, if the hash values are equal, then the equation is calculated and validated>If the equation is established, verifying the attribute authority parameter set pi i,t Message on a blockchain platform with cloud server CS->Whether the attribute authority parameters in (1) are consistent or not; chi shape t,r Is attribute authority parameter;
s3: if terminal member u i,t After authentication, the local edge server E i According to terminal member u i,t The provided keyword keywords search data resources and according to the access authority of the searched data resources and the terminal member u i,t Selecting a terminal member u according to the comparison result of the access authority i,t Shared resources with access rightsSourceLocal edge server E i Selecting a random number>Computing intermediate request parametersAnd request signatureAnd combines the information>Send to terminal member u i,t (ii) a Wherein +>For edge server E i Is greater than or equal to>As an edge server E i The private key of (1);
s4: terminal member u i,t Receiving informationThereafter, two equations are calculated and verifiedAnd &>Whether the result is true or not; if both equations hold, terminal member u i,t Calculate ciphertext data->And through its attribute rights and access control policy->Decrypting to obtain plaintext information; gamma ray i,t Is a terminal member u i,t A randomly selected positive integer. />
Further, the method for controlling access to the inter-domain shared resources comprises:
S11: The resource demander $u_{i,t}$ computes the hash value […] and the access signature […], and sends […], containing its access authority information, the keywords of the data to be accessed and related information, to the local edge server $E_i$. Here $1 \le t \ne j \le n$, $H_3: \{0,1\}^* \to G_1$ is a hash function, $g_1$ is a generator of the additive group $G_1$ and $H_2(\cdot)$ is a hash function.
S12: After receiving […], the local edge server $E_i$ computes the hash value […] and checks whether […] are equal; if they are, it computes and verifies the equation […]; if the equation holds, it checks whether the attribute authority parameter set $\pi_{i,t}$ is consistent with the attribute authority parameters in the message […] recorded by the cloud server CS on the block chain platform.
S13: If the terminal member $u_{i,t}$ passes authentication, the local edge server $E_i$ searches the federation index database list $d_{all}$ for the shared resources corresponding to the keyword provided by $u_{i,t}$ and for their access authorities; suppose the shared resource $u_{i,t}$ needs belongs to the out-of-domain edge server $E_t$. $u_{i,t}$ asks the edge server $E_i$ of its own domain to sign the message it sends; $E_i$ computes the request signature […] and delivers the request signature […] together with the IP address […] of the out-of-domain edge server $E_t$ to $u_{i,t}$.
S14: After receiving the message […] sent by the local edge server $E_i$, the terminal member $u_{i,t}$ computes the intermediate parameter […] and verifies whether […] holds; if it does, $u_{i,t}$ contacts the out-of-domain edge server $E_t$ at the IP address […] and sends the message […] to $E_t$.
S15: After receiving the message […], the out-of-domain edge server $E_t$ checks by the hash value […] whether the hash value of the message […] is correct, and by computing the equation […] verifies the signature of the edge server $E_i$; if both equations hold, $E_t$ checks whether the attribute authority parameter set $\pi_{i,t}$ is consistent with the attribute authority parameters in the message […] recorded by the cloud server CS on the block chain platform.
S16: If the terminal member $u_{i,t}$ passes verification and its access authority matches the access authority of the relevant resource managed by the out-of-domain edge server $E_t$ in its domain, $E_t$ provides the link to the corresponding ciphertext resource.
The equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\, g_1, g_1)$ of step (4) is verified as follows:
Compared with the prior art, the invention has the following beneficial effects:
1) Privacy protection of the mobile terminal: in the edge cloud collaborative wireless network environment the privacy of the mobile terminal leaks easily; the access control technology based on hidden attributes achieves resource access control while preventing the attribute and identity information of terminal members from leaking.
2) Cross-domain access control: the application background of an edge cloud protocol is complex, and the terminal members sharing resources may be distributed over different security domains.
3) Dynamic access control: a mobile terminal may frequently join or quit the application system, and the resource access authority of a terminal member that quits must be updated in time; block chain technology is used to update and dynamically track authority.
4) Fine-grained access control: the resource access authority of a terminal member is a combination of its attribute authorities, and different combinations within the same authority set yield multiple resource access authorities, giving fine-grained access authority settings.
5) The block chain-based access control writes each user's attributes into the block chain, and the tamper-resistance of the block chain ensures that no two terminal users can combine their attributes to access the data resources of an unauthorized terminal user.
The method makes information resource sharing in the edge cloud collaborative scenario more flexible, efficient and practical, and has important research significance and commercial application value.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of the present invention.
Fig. 2 is a schematic diagram of hierarchical group key negotiation in embodiment 1 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.
Under the complex mobile edge cloud collaborative environment, information-security communication between mobile terminals in the network faces problems of confidentiality, integrity and leakage resistance of the data resources involved; in addition, a mobile terminal can access the internet anytime and anywhere, which makes the set of participants in the communication environment complex and random. Against this background, the invention provides a block chain-based access control protocol for mobile edge cloud collaboration, shown in fig. 1, that realizes secure access control over shared data in the edge collaboration environment. First, the cloud server and the edge servers in the edge cloud coordination system each randomly select a positive integer as private key and compute their public key with a generator of the additive group, while a terminal member generates its private key from its identity and attribute set through the key generation function and computes its public key with the generator. Second, the cloud server CS broadcasts the attributes and their serial numbers to every terminal member; the terminal member computes the parameters and signatures needed for identity verification from its attributes; the CS verifies the identity and attributes of the terminal member and, if verification passes, distributes attribute authorities to it.
Then the terminal member sets the attribute set and access control strategy of its resource, encrypts the resource with the attribute authorities and the access policy to obtain ciphertext data, and uploads the ciphertext together with the attribute authority parameter set, the access policy, the keywords and related information to the local edge server. A terminal member may apply to the local edge server to access resources according to its attribute authority; if the local edge server does not hold the resource the member needs, the member first applies to the local edge server for a signature and, once it holds the signature, applies to the inter-domain server to access the resource. While the system is running, a terminal member may apply to join or to add access authority, and may also have authority revoked or quit the system; the cloud server dynamically updates the access authority of terminal members.
1. Theoretical basic knowledge and associated definitions to which the invention relates
1.1 bilinear mapping problem
Definition 1. Bilinear map: let $G_1$ be an additive group on an elliptic curve and $G_2$ a multiplicative group on an elliptic curve, both of the same large prime order $q$, where […] is a security parameter, $g_1$ is a generator of $G_1$ and $G_1 = \langle g_1 \rangle$. The discrete logarithm problem in $G_1$ and $G_2$ is hard, and $e: G_1 \times G_1 \to G_2$ is a bilinear map that can be computed efficiently. The bilinear map $e$ satisfies the following properties:
Property 1. Bilinearity: for any two elements $\mu, \nu \in G_1$ and any two positive integers $a, b$ […], the equation $e(a\mu, b\nu) = e(\mu, \nu)^{ab}$ holds, where […] denotes the set of integers of order $q$.
Property 2. Non-degeneracy: there exist generators $\omega, \rho \in G_1$ such that $e(\omega, \rho) \ne 1$.
Property 3. Computability: for generators $\omega, \rho \in G_1$ there is an efficient algorithm that computes $e(\omega, \rho)$.
Corollary 1. For all generators $\rho_1, \rho_2, \omega \in G_1$, $e(\rho_1 + \rho_2, \omega) = e(\rho_1, \omega)\, e(\rho_2, \omega)$.
1.2 computational complexity problem
Definition 1 (Discrete Logarithm Problem, DLP). For any two points $Y, Q \in G_1$ with $Y = aQ$, where $a \in \mathbb{Z}_q^*$ and $a < q$: given $a$ and $Q$, the point $Y$ is easy to compute, but given the points $Y$ and $Q$, $a$ cannot be computed in polynomial time.
Definition 2 (Diffie-Hellman inverse problem, ICDH). Given $g_1$, $a g_1$ and $ab g_1$ for parameters $a, b \in \mathbb{Z}_q^*$, compute $(ab\,a^{-1})\, g_1$.
Embodiment 1
In a complex data sharing environment, a terminal member must authenticate its identity before attribute authority is distributed, but during authentication in a mobile edge cloud collaborative network environment the member's private information is easily leaked. For security, the terminal member must protect its personal privacy while authenticating. During data sharing, the confidentiality, integrity and leakage resistance of the shared information must also be guaranteed, and only terminal members satisfying the access policy may obtain the shared resource. In view of this application background, the invention provides a blockchain-based access control method in the mobile edge cloud collaborative scene, as shown in fig. 1, with the following steps:
(1) The edge cloud coordination system is initialized first, generating the public/private key pairs of the cloud server CS, the edge servers and the terminal members.
(2) Attribute authority is distributed to the terminal members of the edge cloud cooperative system: before data sharing, a terminal member first performs hidden-attribute identity authentication, which authenticates the member's identity while guaranteeing that its private information is not leaked; after successful authentication, attribute authority is distributed to the legitimate terminal member.
(3) Secure resource storage: the terminal member sets the attribute set and access control strategy of a resource according to its security level, encrypts the resource with the attribute authority and the access control strategy to obtain ciphertext data, and uploads the ciphertext to the local edge server.
(4) Intra-domain resource access control: the terminal member applies to the local server for the target resource according to its attribute authority.
(5) Inter-domain resource access control: if the target resource does not exist in the domain, the terminal member first applies to the local edge server for a request signature, and then applies to the edge server in the other domain for access to the target resource with the request signature and its attribute authority parameters. The access control schematic of the entire edge cloud coordination system is shown in fig. 2; the specific steps are as follows:
Step one: initializing the access control protocol parameters in the edge cloud coordination system, generating the public/private key pairs of the cloud server CS, each edge server and each terminal member.
Assume that each edge server and the terminal members it administers form a security domain. The edge cloud cooperative system has $N$ domains $D_i$ ($1 \le i \le N$) with $n$ terminal members per domain; domain $D_i$ consists of the edge server $E_i$ ($1 \le i \le N$) and the set $U_i = \{u_{i,1}, u_{i,2}, \ldots, u_{i,n}\}$ of terminal members it administers. The identities of the terminal members of $D_i$ form an identity set whose $t$-th element is the identity of terminal member $u_{i,t}$, $1 \le t \le n$.
According to the requirements of system resource access, the cloud server defines all attributes used to access system resources and, ordered by the importance of the attribute authority, defines the attribute sequence $Aseq = A_1 | A_2 | \ldots | A_R$ for all attributes; this sequence corresponds to the attribute set $Aset = \{A_1, A_2, \ldots, A_j, A_{j+1}, \ldots, A_R\}$, where $A_j < A_{j+1}$ ($j < R$) and $R \in \mathbb{N}^*$ is the number of attributes needed to access all system resources. Each terminal member $u_{i,t}$ ($1 \le t \le n$) has an attribute set and a corresponding attribute sequence of $r \in \mathbb{N}^*$ attributes, $r \le R$, with $a_{i,t,r-1} < a_{i,t,r}$, where $u_{i,t}$ denotes a terminal member in the domain administered by the $i$-th edge server $E_i$ of the edge cloud cooperative system and $a_{i,t,r}$ denotes the $r$-th attribute belonging to terminal device $u_{i,t}$.
The method for generating the public/private key pair by the cloud server CS, each edge server and each terminal member comprises the following steps:
Given a security parameter $\lambda$, the edge cloud protocol system uses the master key generation function $Setup(1^\lambda)$ to generate the system master key $MSK$ and public key $PK$. The key of a terminal member of the edge cloud cooperative system is generated by inputting the system public key $PK$, the master key $MSK$, the identity information of terminal member $u_{i,t}$ and its attribute set into the key generation function, which outputs the private key of the terminal member; the corresponding public key is then computed.
The cloud server CS selects a random positive integer $SK_{CS} \in \mathbb{Z}_q^*$ as its private key and computes the public key $PK_{CS} = SK_{CS}\, g_1$.
Each edge server $E_i$ of the edge cloud protocol system randomly selects a positive integer as its private key and computes its public key. The common parameters of the system are published, where $g_1$ is a generator of the additive group $G_1$, $\mathbb{Z}_q^*$ denotes the set of integers of order $q$, $q$ is the order of the additive group $G_1$, $1 \le i \le N$, $1 \le t \le n$, $n$ is the number of terminal members in a domain, $N$ is the number of edge servers in the system, $Gen()$ denotes the key generation algorithm, the private key, public key and identity of terminal member $u_{i,t}$ are as generated above, and three hash functions are defined.
Step two: and distributing the attribute authority of the terminal member.
To prevent unauthorized terminal members from participating in resource sharing, only terminal members holding authority are allowed to participate in encrypted information storage and information resource access. The invention adopts hidden-attribute identity authentication: the terminal members in the domain are authenticated before resource sharing, which excludes other unauthorized users. Each terminal member then interacts with the cloud server CS to generate the attribute authority corresponding to each of its attributes.
Hidden-attribute identity authentication provides the function of traditional identity authentication while protecting personal privacy; access is matched according to attribute authority, so that terminal members with different attribute authorities access data of different sensitivity and leakage of sensitive information is prevented. The specific method for distributing the attribute authority of a terminal member comprises the following steps:
(1) The cloud server CS broadcasts all attributes used to access system resources together with their serial numbers, $\{(A_1, S_1), (A_2, S_2), \ldots, (A_R, S_R)\}$, to each terminal member, where $A_v$ is the $v$-th attribute used to access system resources, $S_v$ is the serial number of attribute $A_v$, $1 \le v \le R$, and $R \in \mathbb{N}^*$ is the number of network attributes, $\mathbb{N}^*$ denoting the positive integers.
(2) Terminal member $u_{i,t}$, which owns an attribute sequence set, randomly selects a positive integer $\gamma_{i,t} \neq 1$ and computes the intermediate parameters $o_{i,t} = \gamma_{i,t}\, g_1$, $\theta_{i,t,1} = \gamma_{i,t} H_1(a_{i,t,1})\, g_1$, $\theta_{i,t,2} = \gamma_{i,t} H_1(a_{i,t,2})\, g_1$, $\ldots$, $\theta_{i,t,r} = \gamma_{i,t} H_1(a_{i,t,r})\, g_1$, $\beta_{i,t} = \gamma_{i,t}\, PK_{CS}$, $\eta_{i,t}$ and $\phi_{i,t} = H_2(\beta_{i,t})$; terminal member $u_{i,t}$ then sends its registration message to the cloud server CS. Here $a_{i,t,k} < a_{i,t,k+1}$; $\theta_{i,t,1}, \theta_{i,t,2}, \ldots, \theta_{i,t,r}$, $\eta_{i,t}$, $\beta_{i,t}$, $\phi_{i,t}$ and $o_{i,t}$ are the intermediate parameters terminal member $u_{i,t}$ needs for registration, $o_{i,t}$ being used for later authentication of the terminal member; $g_1$ is a generator of the additive group $G_1$; $1 \le t \le n$, $1 \le k < r$, $r$ is the number of attributes of terminal member $u_{i,t}$, $a_{i,t,v}$ is the $v$-th attribute of terminal member $u_{i,t}$, the private key of $u_{i,t}$ is as generated in step one, $H_1$ and $H_2$ are hash functions and $\|$ is the concatenation symbol.
(3) After receiving the message from terminal member $u_{i,t}$, the cloud server CS computes the hash value $\beta'_{i,t} = H_2(\beta_{i,t})$ and verifies the corresponding equation. If the equation does not hold, terminal member $u_{i,t}$ is illegal and identity registration fails; if it holds, the identity of terminal member $u_{i,t}$ is legal. The cloud server CS then computes an intermediate parameter and compares it with $\theta_{i,t,k}$ ($1 \le k \le r$); equality of the values reveals which attributes terminal member $u_{i,t}$ possesses. Next, for each attribute $a_{i,t,k}$ of terminal member $u_{i,t}$, the cloud server CS randomly selects a positive integer $t_{i,t,k}$, computes the attribute authority parameter $\chi_{i,t,k} = t_{i,t,k}\, o_{i,t}$ corresponding to attribute $a_{i,t,k}$ and the signature $\delta_{i,t}$, and sends the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \ldots, \chi_{i,t,r})\}$ to the registered terminal member $u_{i,t}$. Here $\chi_{i,t,k}$ is the attribute authority parameter of the $k$-th attribute of terminal member $u_{i,t}$, $\delta_{i,t}$ is the signature terminal member $u_{i,t}$ needs for registration, and $e(\cdot)$ is a computable bilinear mapping function.
(4) After receiving the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \ldots, \chi_{i,t,r})\}$ from the cloud server CS, terminal member $u_{i,t}$ computes the attribute authority of each attribute, $T_{i,t,1} = \gamma_{i,t}^{-1} \chi_{i,t,1} = t_{i,t,1}\, g_1$, $T_{i,t,2} = \gamma_{i,t}^{-1} \chi_{i,t,2} = t_{i,t,2}\, g_1$, $\ldots$, $T_{i,t,r} = \gamma_{i,t}^{-1} \chi_{i,t,r} = t_{i,t,r}\, g_1$, and the intermediate parameter $\mu_{i,t} = H_2(T_{i,t,1} \| T_{i,t,2} \| \ldots \| T_{i,t,r})$. Terminal member $u_{i,t}$ then verifies whether the equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\, g_1, g_1)$ holds, which checks the identity of the cloud server CS and the correctness of the attribute authority $T_{i,t,k}$ corresponding to attribute $a_{i,t,k}$. If the equation does not hold, the identity of the cloud server CS is illegal and terminal member $u_{i,t}$ registers again. If it holds, terminal member $u_{i,t}$ obtains the attribute authority $T_{i,t,k}$ corresponding to each of its attributes $a_{i,t,k}$ and the attribute authority parameter set $\pi_{i,t} = \{\chi_{i,t,1}, \chi_{i,t,2}, \ldots, \chi_{i,t,r}\}$. At this point each terminal member $u_{i,t}$ has registered successfully and acquired the attribute authority corresponding to each of its attributes; $T_{i,t,1}, T_{i,t,2}, \ldots, T_{i,t,r}$ denote the attribute authorities of terminal member $u_{i,t}$ and $\mu_{i,t}$ the intermediate variable needed to verify the identity of the cloud server CS.
The equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\, g_1, g_1)$ is verified as follows:
(5) The cloud server CS uses the positive integers it selected previously to compute, for each edge server $E_i$, an encryption parameter, which it sends to edge server $E_i$. After receiving the encryption parameter, each edge server $E_i$ computes the attribute authority, so that edge server $E_i$ obtains the attribute authority of all attributes in the edge cloud cooperative system, that is, the attribute authority set of all system attributes $Eaw_{t,k} = \{T_{i,t,1}, T_{i,t,2}, \ldots, T_{i,t,R}\}$; the computation uses the public key and the private key of edge server $E_i$.
(6) The cloud server CS divides the system into different security domains according to the IP addresses of the edge servers and terminal members, establishes a blockchain for each security domain, and writes the public information of each terminal member of the security domain into the blockchain. When a terminal member $u_{i,t}$ of edge server $E_i$ has registered successfully, the cloud server CS writes the information consisting of the public key of the terminal member, its attribute permission parameter set $\pi_{i,t}$ and the public key of edge server $E_i$ into a new block of the blockchain; the information blocks of all terminal members of a security domain form the blockchain of that security domain.
(7) Edge server $E_i$ runs the blockchain program of the local domain to obtain the block information of any terminal member $u_{i,t}$ it administers.
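The hidden-attribute registration exchange of steps (1) to (4) above, as an added example that is not code from the patent: the terminal member blinds its attribute hashes with $\gamma$, the cloud server recovers which catalogue attributes were claimed by matching $H_1(A_v)\, o$ against the $\theta$ values and issues $\chi_k = t_k\, o$, and the member unblinds $T_k = \gamma^{-1}\chi_k = t_k\, g_1$. It assumes a prime-order subgroup modulo a safe prime in place of the elliptic-curve group, SHA-256 for $H_1$ and $H_2$, a registration message of $\{o, \theta_1, \ldots, \theta_r, \phi\}$ with the check $H_2(SK_{CS}\, o) = \phi$ standing in for the elided verification equation, and it omits the pairing-based signature $\delta$.

```python
"""Hidden-attribute registration, step two (1)-(4). Added example, not the
patent's code. Assumptions: the additive group G_1 is modelled by the order-q
subgroup of quadratic residues mod a safe prime p, so "scalar * point" is
pow(base, scalar, p) and "point + point" is multiplication mod p; H_1 and H_2
are SHA-256 based; the message format and the phi check are assumed."""
import hashlib
import secrets


def _is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (first twelve prime bases)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_from(start: int) -> tuple:
    """First safe prime p = 2q + 1 with prime q >= start; returns (p, q)."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime_from(1 << 62)  # toy parameters: q prime, as on the page
G1 = 4                            # 2^2 is a quadratic residue, so it has order q


def h1(attr: str) -> int:
    """H_1: attribute string -> Z_q^* (never 0, so no theta degenerates)."""
    return int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % (Q - 1) + 1


def h2(*elems: int) -> str:
    """H_2 over the canonical 16-byte encoding of group elements."""
    return hashlib.sha256(b"".join(e.to_bytes(16, "big") for e in elems)).hexdigest()


def keygen() -> tuple:
    """Private key SK in Z_q^*, public key PK = SK * g_1 (here pow(G1, SK, P))."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G1, sk, P)


def member_register(attrs: list, pk_cs: int) -> tuple:
    """Step (2): blind the sorted attribute list with gamma != 1."""
    attrs = sorted(attrs)                        # page requires a_k < a_{k+1}
    gamma = secrets.randbelow(Q - 2) + 2
    o = pow(G1, gamma, P)                        # o = gamma * g_1
    theta = [pow(G1, gamma * h1(a) % Q, P) for a in attrs]  # gamma*H_1(a)*g_1
    beta = pow(pk_cs, gamma, P)                  # beta = gamma * PK_CS
    return gamma, {"o": o, "theta": theta, "phi": h2(beta)}


def cs_issue(msg: dict, sk_cs: int, catalogue: list):
    """Step (3): verify, recover claimed attributes by matching, issue chi_k.
    Returns None on rejection, else the matched attributes, chi_k and t_k."""
    beta_prime = pow(msg["o"], sk_cs, P)         # SK_CS * o = gamma * PK_CS
    if h2(beta_prime) != msg["phi"]:             # assumed stand-in check
        return None
    # H_1(A_v) * o equals theta_k exactly when attribute k is catalogue entry A_v
    theta_index = {th: k for k, th in enumerate(msg["theta"])}
    matched = {}
    for attr in catalogue:
        cand = pow(msg["o"], h1(attr), P)
        if cand in theta_index:
            matched[theta_index[cand]] = attr
    if len(matched) != len(msg["theta"]):
        return None                              # a claimed attribute is unknown
    chi, t_vals = {}, {}
    for k in matched:
        t_vals[k] = secrets.randbelow(Q - 1) + 1
        chi[k] = pow(msg["o"], t_vals[k], P)     # chi_k = t_k * o
    return {"attrs": matched, "chi": chi, "t": t_vals}


def member_unblind(gamma: int, chi: dict) -> dict:
    """Step (4): T_k = gamma^{-1} * chi_k = t_k * g_1."""
    inv = pow(gamma, -1, Q)
    return {k: pow(c, inv, P) for k, c in chi.items()}
```

Note that the matching in `cs_issue` uses only `o` and the broadcast catalogue, so `gamma` hides the attribute list only from parties that do not hold that catalogue; the page's registration message formula is elided, so the message contents here are an assumption.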
Step three: secure shared resource storage:
The resource sharer sets the attribute set and access control strategy of the shared resource, encrypts the shared resource with the access control strategy to obtain a ciphertext, and uploads its public key and the related information of the shared resource to the local edge server; after receiving the message, the local edge server writes it into the blockchain and simultaneously stores it in the database list of the alliance data index. The process is as follows:
(1) Terminal member $u_{i,j}$ first sets, according to the security level of the shared resource $m_{i,j}$, the attribute set and the access control policy for accessing the shared resource $m_{i,j}$, the attribute permission set corresponding to that attribute set, and the attribute authority parameter set corresponding to that attribute permission set, where $attr_{i,j,m}$ denotes the $m$-th attribute of the shared resource $m_{i,j}$, $T_{i,j,m}$ the attribute authority corresponding to attribute $attr_{i,j,m}$, $\chi_{i,j,m}$ the attribute authority parameter of $T_{i,j,m}$, $1 \le j \le n$, and $n$ is the number of terminal members in the domain;
(2) Terminal member $u_{i,j}$ encrypts the shared resource $m_{i,j}$ with the attribute authorities of the attribute authority set and the access control policy to obtain the ciphertext data; terminal member $u_{i,j}$ then uploads the message composed of its public key, the ciphertext data, the attribute authority parameter set for accessing the shared resource, the keywords of the shared resource $m_{i,j}$ and the access control policy to the local edge server $E_i$, $1 \le i \le N$, where $N$ is the number of edge servers in the system.
(3) After receiving the message, the local edge server $E_i$ writes it into the blockchain: edge server $E_i$ writes each shared resource as a block into the local data sharing blockchain and simultaneously stores the index record in the federation data index database list $d_{all}$, together with the access address of edge server $E_i$.
Step four: access control of intra-domain shared resources:
If the required shared resource is located on the local edge server, the terminal member applies to the local edge server for access to the target shared resource using its attribute authority; the specific steps are as follows:
(1) The resource demander $u_{i,t}$ ($1 \le t \le n$, $t \ne j$) computes a hash value and an access signature, and sends the information needed to request the resource to the local edge server $E_i$, where $\pi_{i,t}$ is its attribute authority parameter set and $o_{i,t}$ the intermediate variable needed to request the resource.
(2) After receiving the information, the local edge server $E_i$ computes the hash value and checks whether it equals the received one. If they are not equal, the information has been tampered with or the identity of $u_{i,t}$ is invalid, and edge server $E_i$ denies service. If they are equal, $E_i$ computes and verifies the signature equation; if that equation holds, it checks whether the attribute authority parameter set $\pi_{i,t}$ is consistent with the attribute authority parameters in the message recorded by the cloud server CS on the blockchain platform. If the equation does not hold, edge server $E_i$ sends insufficient-attribute-authority information to terminal member $u_{i,t}$.
(3) If terminal member $u_{i,t}$ passes authentication, the local edge server $E_i$ searches the relevant data resources according to the keywords provided by $u_{i,t}$, compares the access authority of the found data resources with the access rights of terminal member $u_{i,t}$, and selects the shared resources that $u_{i,t}$ has the right to access. Local edge server $E_i$ then selects a random number, computes an intermediate request parameter and a request signature, and sends the combined information to terminal member $u_{i,t}$.
(4) After receiving the information, terminal member $u_{i,t}$ computes and verifies two equations. If both hold, terminal member $u_{i,t}$ computes the ciphertext data and decrypts it with its attribute authority and the access control policy to obtain the plaintext. If the two equations do not hold, terminal member $u_{i,t}$ discards the information and applies for the resource again.
Step five: access control of inter-domain shared resources:
If the target resource is located on an edge server in another domain, the terminal member applies to the local edge server for a signature using its attribute authority parameters and, after obtaining the signature, applies to the edge server in the other domain for access to the shared resource. The process is as follows:
(1) The resource demander $u_{i,t}$ ($1 \le t \le n$, $t \ne j$) computes a hash value as the access parameter together with an access signature, and sends these with its access authority information, the keywords of the data to be accessed and related information to the local edge server $E_i$, where $H_2(\cdot)$ is a hash function.
(2) After receiving the information, the local edge server $E_i$ computes the hash value and checks whether it equals the received one. If they are not equal, the information has been tampered with or the identity of terminal member $u_{i,t}$ is invalid, and edge server $E_i$ denies service. If they are equal, $E_i$ computes and verifies the signature equation; if it holds, $E_i$ checks whether the attribute authority parameter set $\pi_{i,t}$ is consistent with the attribute authority parameters in the message recorded by the cloud server CS on the blockchain platform. If the equation does not hold, edge server $E_i$ sends insufficient-attribute-authority information to terminal member $u_{i,t}$.
(3) If terminal member $u_{i,t}$ passes authentication, the local edge server $E_i$ searches the federation index database list $d_{all}$ for the shared resource corresponding to the keywords provided by $u_{i,t}$ and its access authority; suppose the shared resource matching the requirement of terminal member $u_{i,t}$ belongs to the edge server $E_t$ outside the domain. The edge server $E_i$ of the local domain signs the message sent by terminal member $u_{i,t}$: $E_i$ computes the request signature and delivers the request signature together with the IP address of the out-of-domain edge server $E_t$ to terminal member $u_{i,t}$.
(4) After receiving the message from the local edge server $E_i$, terminal member $u_{i,t}$ computes the intermediate parameter and verifies whether the corresponding equation holds. If it does not hold, terminal member $u_{i,t}$ discards the information and applies for access to the resource again. If it holds, terminal member $u_{i,t}$ accesses the out-of-domain edge server $E_t$ via the IP address and sends the request message to it.
(5) After receiving the message, the out-of-domain edge server $E_t$ verifies that the hash value of the message is correct, and evaluates the signature equation to verify that the request signature of edge server $E_i$ is correct. If the equation does not hold, the out-of-domain edge server $E_t$ denies service. If both equations hold, the out-of-domain edge server $E_t$ checks whether the attribute authority parameter set $\pi_{i,t}$ is consistent with the attribute weight parameters in the message recorded by the cloud server CS on the blockchain platform.
(6) If terminal member $u_{i,t}$ is verified and its access rights match the access rights of the related resources in the domain administered by the out-of-domain edge server $E_t$, the corresponding ciphertext resource link is provided.
The method comprises the following steps: initializing the protocol parameters in the mobile edge network domain, generating the master key and public key of the edge cloud cooperative system and the public/private key pairs of the cloud server, the edge servers and the terminal members; the terminal member registers its identity and obtains attribute authority; after successful registration, the resource provider shares data and sets the attribute set and access control strategy for accessing the resource; a resource accessor accesses resources within the domain and, if the domain lacks the required resource, applies for a signature at the local edge server and accesses the resource across domains after obtaining the signature; the cloud server synchronously updates information such as the attribute authority parameters of the terminal members. The invention adopts hidden-attribute identity authentication technology to conceal the attributes of an entity behind parameters, so that the attributes are not leaked during transmission, which protects personal privacy information more effectively and securely.
Embodiment 2 is a blockchain-based access control protocol in the mobile edge cloud collaborative scenario, as shown in fig. 1; a specific embodiment is provided to illustrate the content and implementation method of the present invention. The details introduced in this embodiment are not intended to limit the scope of the claims but to aid understanding of the specific implementation of the invention. Those skilled in the art will understand that various modifications, changes or substitutions to the steps of the preferred embodiment are possible without departing from the spirit and scope of the invention and its appended claims. Therefore, the present invention should not be limited to the disclosure of the preferred embodiments and the accompanying drawings.
In this embodiment, for convenience of illustration, it is assumed that each edge server and the terminals it governs form a security domain, and that the edge cloud coordination system has 5 domains $D_i$ ($1 \le i \le 5$) with 10 terminal members per domain; domain $D_i$ consists of the edge server $E_i$ ($1 \le i \le 5$) and the set $U_i = \{u_{i,1}, u_{i,2}, \ldots, u_{i,10}\}$ of terminal members it administers. The identities of the terminal members of the domain form an identity set. According to the requirements of system resource access, the cloud server defines all attributes used to access system resources and, ordered by the importance of the authority, defines the attribute sequence $Aseq = A_1 | A_2 | A_3$ for all attributes; this attribute sequence corresponds to the attribute set $Aset = \{A_1, A_2, A_3\}$, where $A_j < A_{j+1}$ ($j < 3$). Each terminal device $u_{i,t}$ ($1 \le t \le 10$) has a sequenced attribute set and a corresponding attribute sequence. The method comprises the following steps:
Step one: initializing the access control protocol parameters in the edge cloud coordination system, generating the public/private key pairs of the cloud server CS, each edge server and each terminal member.
Assume that each edge server and the terminal members it administers form a security domain. The edge cloud cooperative system has 5 domains $D_i$ ($1 \le i \le 5$) with 10 terminal members per domain; domain $D_i$ consists of the edge server $E_i$ ($1 \le i \le 5$) and the set $U_i = \{u_{i,1}, u_{i,2}, \ldots, u_{i,10}\}$ of terminal members it administers. The identities of the terminal members of the domain form an identity set. According to the requirements of system resource access, the cloud server defines all attributes used to access system resources and, ordered by the importance of the authority, defines the attribute sequence $Aseq = A_1 | A_2 | A_3$ for all attributes; this attribute sequence corresponds to the attribute set $Aset = \{A_1, A_2, A_3\}$, where $A_j < A_{j+1}$ ($j < 3$). Each terminal member $u_{i,t}$ ($1 \le t \le 10$) has a sequenced attribute set and a corresponding attribute sequence, where $u_{i,t}$ denotes a terminal member belonging to the $i$-th edge server of the edge cloud coordination system, $t$ indicates that terminal member $u_{i,t}$ is the $t$-th terminal of the domain administered by edge server $E_i$, and $r$ indicates that attribute $a_{t,r}$ is the $r$-th attribute of terminal member $u_{i,t}$.
The method for generating the public/private key pair by the cloud server CS, each edge server and each terminal member comprises the following steps:
The key of a terminal member of the edge cloud cooperative system is generated by inputting the system public key $PK$, the master key $MSK$, the identity information of terminal member $u_{i,t}$ and its attribute set into the key generation function, which outputs the private key of the terminal member; the corresponding public key is then computed. The cloud server CS selects a random positive integer $SK_{CS}$ as its private key and computes the public key $PK_{CS} = SK_{CS}\, g_1$; each edge server $E_i$ of the system randomly selects a positive integer as its private key and computes its public key. The common parameters of the system are published, where $g_1$ is a generator of the additive group $G_1$, $\mathbb{Z}_q^*$ denotes the set of integers of order $q$, $q$ is the order of the additive group $G_1$, $1 \le i \le 5$, $1 \le t \le 10$, 10 is the number of terminal members in the domain, 5 is the number of edge servers in the system, the private key, public key and identity of terminal member $u_{i,t}$ are as generated above, three hash functions are defined, and $\{0,1\}^*$ denotes the set of binary strings of arbitrary length.
Step two: and distributing the attribute authority.
To prevent unauthorized terminal members from participating in resource sharing, only terminal members holding authority are allowed to participate in encrypted information storage and information resource access. The invention adopts hidden-attribute identity authentication: the terminal members in the domain are authenticated before resource sharing, which excludes other unauthorized users. Each terminal member then interacts with the cloud server CS to generate the attribute authority corresponding to each of its attributes.
Hidden-attribute identity authentication provides the function of traditional identity authentication while protecting personal privacy; access is matched according to attribute authority, so that terminal members with different attribute authorities access data of different sensitivity and leakage of sensitive information is prevented. The specific method for distributing the attribute authority of a terminal member comprises the following steps:
(1) The cloud server broadcasts all attributes used to access system resources and their serial numbers, $\{(A_1, S_1), (A_2, S_2), (A_3, S_3)\}$, to each terminal member, where $A_v$ ($1 \le v \le 3$) is the $v$-th attribute used to access system resources, $S_v$ is the serial number of attribute $A_v$, and 3 is the number of network attributes.
(2) Mobile terminal member $u_{i,t}$ ($1 \le t \le 10$), which owns an attribute sequence set, randomly selects a positive integer $\gamma_{i,t} \neq 1$ and computes the intermediate parameters $o_{i,t} = \gamma_{i,t}\, g_1$, $\theta_{i,t,1} = \gamma_{i,t} H_1(a_{i,t,1})\, g_1$, $\theta_{i,t,2} = \gamma_{i,t} H_1(a_{i,t,2})\, g_1$, $\theta_{i,t,3} = \gamma_{i,t} H_1(a_{i,t,3})\, g_1$, $\beta_{i,t} = \gamma_{i,t}\, PK_{CS}$, $\eta_{i,t}$ and $\phi_{i,t} = H_2(\beta_{i,t})$; terminal member $u_{i,t}$ then sends its registration message to the cloud server CS. Here $a_{i,t,j} < a_{i,t,j+1}$ ($1 \le j < 3$); $\theta_{i,t,1}, \theta_{i,t,2}, \theta_{i,t,3}$, $\eta_{i,t}$, $\beta_{i,t}$, $\phi_{i,t}$ and $o_{i,t}$ are the intermediate variables terminal member $u_{i,t}$ needs for registration; $g_1$ is a generator of the additive group $G_1$; $a_{i,t,v}$ is the $v$-th attribute of terminal member $u_{i,t}$; the private key of $u_{i,t}$ is as generated in step one; $H_1(\cdot)$ is a hash function and $\|$ is the concatenation symbol.
(3) After receiving the message from terminal member $u_{i,t}$, the cloud server CS computes the hash value $\beta'_{i,t} = H_2(\beta_{i,t})$ and verifies whether $\beta'_{i,t} = \phi_{i,t}$ and the accompanying equation hold. If so, the cloud server CS computes the intermediate parameters and compares them with $\theta_{i,t,k}$ ($1 \le k \le 3$); equality of the values reveals which attributes terminal member $u_{i,t}$ possesses. Then, for each attribute $a_{i,t,k}$ ($1 \le k \le 3$) of terminal member $u_{i,t}$, the cloud server CS randomly selects a positive integer $t_{i,t,k}$, computes the authority parameter $\chi_{i,t,k} = t_{i,t,k}\, o_{i,t}$ corresponding to attribute $a_{i,t,k}$ and the signature $\delta_{i,t}$, and sends the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \chi_{i,t,3})\}$ to the registered terminal member $u_{i,t}$. Here $\chi_{i,t,k}$ is the attribute authority parameter of the $k$-th attribute of terminal member $u_{i,t}$, $\delta_{i,t}$ is the signature terminal member $u_{i,t}$ needs for registration, $e(\cdot)$ is a computable bilinear mapping function and $H_2(\cdot)$ is a hash function.
(4) After receiving the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \chi_{i,t,3})\}$ from the cloud server CS, terminal member $u_{i,t}$ ($1 \le t \le 10$) computes the attribute authority of each attribute, $T_{i,t,1} = \gamma_{i,t}^{-1} \chi_{i,t,1} = t_{i,t,1}\, g_1$, $T_{i,t,2} = \gamma_{i,t}^{-1} \chi_{i,t,2} = t_{i,t,2}\, g_1$, $T_{i,t,3} = \gamma_{i,t}^{-1} \chi_{i,t,3} = t_{i,t,3}\, g_1$, and the parameter $\mu_{i,t} = H_2(T_{i,t,1} \| T_{i,t,2} \| T_{i,t,3})$. Terminal member $u_{i,t}$ then verifies whether the equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\, g_1, g_1)$ holds, which confirms the identity of the cloud server CS and the correctness of the attribute authority $T_{i,t,k}$ ($1 \le k \le 3$) corresponding to attribute $a_{i,t,k}$ ($1 \le k \le 3$). If the equation holds, terminal member $u_{i,t}$ obtains the attribute authority $T_{i,t,k}$ ($1 \le k \le 3$) corresponding to each of its attributes $a_{i,t,k}$ ($1 \le k \le 3$) and the permission parameter set $\pi_{i,t} = \{\chi_{i,t,1}, \chi_{i,t,2}, \chi_{i,t,3}\}$. At this point each mobile terminal $u_{i,t}$ has registered successfully and acquired the attribute authority corresponding to each of its attributes; $T_{i,t,1}, T_{i,t,2}, T_{i,t,3}$ denote the attribute authorities of terminal member $u_{i,t}$, $\mu_{i,t}$ the intermediate variable required to verify the identity of the cloud server CS, and $e(\cdot)$ a computable bilinear mapping function;
wherein equation e (δ) i,t ,PK CS )=e(μ i,t g 1 ,g 1 ) The verification method comprises the following steps:
(5) The cloud server CS uses all previously selected positive integers thereofFor each edge server E t (t is more than or equal to 1 and less than or equal to N) calculating an encryption parameter>And the encrypted parameter is->Sent to each edge server E t Each edge server E t Receive and answer>Thereafter, the attribute authority is calculated>Then E t The attribute authority of all attributes in the edge cloud cooperative system, namely E t Attribute authority set Eaw capable of acquiring all attributes of system t,k ={T i,t,1 ,T i,t,2 ,T i,t,3 }. Wherein it is present>As an edge server E t Is greater than or equal to>As an edge server E t The private key of (1). t represents any edge server between 1-N. />
(6) The cloud server CS is divided into different security domains according to the IP of the edge server and the mobile terminal members. And establishing a block chain for each security domain, and writing the public information of each terminal member of the security domain into the block chain. When the edge server E i A terminal member u of i,t (t is more than or equal to 1 and less than or equal to 10) after successful registration, the cloud server CS transmits the public key information of the terminal memberPermission parameter information pi i,t And edge server E i Is based on public key information->And writing a new block in the block chain, wherein the information blocks of all terminal members of a security domain form the block chain of the security domain.
(7) Edge server E i Running the block chain program of the local domain can acquire any terminal member u governed by the block chain program i,t (1. Ltoreq. T. Ltoreq.10) block information
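The registration exchange of steps (2) to (5), traced in code. This is an added example, not code from the patent or its applicant: it models the bilinear group over $\mathbb{Z}_q$ with $g_1 = 1$ so that every equation the page states can be checked, at the cost of all security (discrete logarithms are trivial there). Four items the page leaves unspecified are filled with assumptions, each marked in the code: the pairing check on the registration message ($e(o_{i,t}, PK_{CS}) = e(\beta_{i,t}, g_1)$), the attribute-matching parameter ($H_1(A_v)\,o_{i,t}$, compared with $\theta_{i,t,k}$), the form of $\delta_{i,t}$ ($\mu_{i,t} SK_{CS}^{-1} g_1$, the value that satisfies the step (4) equation), and the edge-server encryption parameter ($t_{i,t,k} PK_E$, unblinded with $SK_E^{-1}$). The attribute names and all key values are constructed for the demonstration.

```python
"""Toy trace of attribute-authority distribution, steps (2)-(5) of step two.

The bilinear group is modelled over Z_q with g_1 = 1: k*g_1 is k mod q and
e(P, R) = P*R mod q, so e(aP, bR) = ab*e(P, R).  Every equation of the page can
be checked in this model, but it has no security (discrete logs are trivial).
"""
import hashlib
import secrets

Q = 2**127 - 1   # prime group order; an element k*g_1 of G_1 is stored as k mod Q
G1 = 1           # generator g_1

def smul(k, P):  # scalar multiplication k*P
    return (k * P) % Q

def pair(P, R):  # bilinear map e(P, R), written additively in Z_q
    return (P * R) % Q

def inv(k):      # k^{-1} mod Q
    return pow(k, -1, Q)

def rand_zq():   # random element of Z_q^* other than 1
    return secrets.randbelow(Q - 2) + 2

def hash_zq(tag, *parts):
    """H_1 / H_2 of the page, modelled as domain-separated SHA-256 reduced into Z_q^*."""
    h = hashlib.sha256(tag.encode())
    for p in parts:
        h.update(repr(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q or 1

def H1(attr):
    return hash_zq("H1", attr)

def H2(*parts):
    return hash_zq("H2", *parts)

SYSTEM_ATTRS = ["doctor", "nurse", "admin", "auditor"]  # constructed; broadcast by CS in step (1)

def keygen():
    """Key pair (SK, PK = SK g_1); used for CS and, with the same shape, for an edge server."""
    sk = rand_zq()
    return sk, smul(sk, G1)

def member_request(attrs, pk_cs):
    """Step (2): u_{i,t} blinds its attributes with gamma and sends o, theta_k, beta, phi."""
    gamma = rand_zq()
    beta = smul(gamma, pk_cs)                                       # beta = gamma PK_CS
    msg = {"o": smul(gamma, G1),                                    # o = gamma g_1
           "theta": [smul(gamma * H1(a) % Q, G1) for a in attrs],   # theta_k = gamma H_1(a_k) g_1
           "beta": beta, "phi": H2(beta)}                           # phi = H_2(beta)
    return gamma, msg

def cs_issue(sk_cs, pk_cs, msg):
    """Step (3): check the request, recover the attributes, issue chi_k and delta."""
    if H2(msg["beta"]) != msg["phi"]:
        raise ValueError("hash check failed")
    # Assumed pairing check: e(o, PK_CS) = e(beta, g_1) holds iff o and beta use the same gamma.
    if pair(msg["o"], pk_cs) != pair(msg["beta"], G1):
        raise ValueError("pairing check failed")
    # Assumed matching parameter: H_1(A_v) o = gamma H_1(A_v) g_1, which equals theta_k
    # exactly for the broadcast attribute A_v the member holds (hidden-attribute check).
    attrs = []
    for theta in msg["theta"]:
        hits = [a for a in SYSTEM_ATTRS if smul(H1(a), msg["o"]) == theta]
        if len(hits) != 1:
            raise ValueError("attribute not in the broadcast set")
        attrs.append(hits[0])
    t_vals = [rand_zq() for _ in attrs]
    chi = [smul(t, msg["o"]) for t in t_vals]   # chi_k = t_k o = t_k gamma g_1
    T = [smul(t, G1) for t in t_vals]           # T_k = t_k g_1, what the member will unblind
    mu = H2(*T)
    delta = smul(mu * inv(sk_cs) % Q, G1)       # assumed: delta = mu SK_CS^{-1} g_1
    return {"pk_cs": pk_cs, "delta": delta, "chi": chi}, attrs, t_vals

def member_finalize(gamma, resp):
    """Step (4): unblind chi_k, rebuild mu and check e(delta, PK_CS) = e(mu g_1, g_1)."""
    T = [smul(inv(gamma), c) for c in resp["chi"]]   # T_k = gamma^{-1} chi_k = t_k g_1
    mu = H2(*T)
    if pair(resp["delta"], resp["pk_cs"]) != pair(smul(mu, G1), G1):
        raise ValueError("cloud server signature failed")
    return T, resp["chi"]                            # attribute authorities and Pi_{i,t}

def cs_edge_params(t_vals, pk_edge):
    """Step (5), assumed form: each t_k blinded under the edge server's PK_E = SK_E g_1."""
    return [smul(t, pk_edge) for t in t_vals]

def edge_recover(sk_edge, params):
    return [smul(inv(sk_edge), c) for c in params]   # SK_E^{-1} (t_k SK_E g_1) = T_k

def demo():
    sk_cs, pk_cs = keygen()
    sk_e, pk_e = keygen()
    gamma, req = member_request(["doctor", "auditor"], pk_cs)
    resp, attrs, t_vals = cs_issue(sk_cs, pk_cs, req)
    T, pi = member_finalize(gamma, resp)
    T_edge = edge_recover(sk_e, cs_edge_params(t_vals, pk_e))
    other = rand_zq()                                # another member trying to unblind Pi_{i,t}
    reused = [smul(inv(other), c) for c in pi]
    return {"attrs": attrs, "member_T": T, "edge_T": T_edge, "reuse_works": reused == T}

if __name__ == "__main__":
    print(demo())
```

The `reuse_works` field of `demo()` shows why $\Pi_{i,t}$ is of no use to another member: each $\chi_{i,t,k}$ carries the registrant's $\gamma_{i,t}$, so unblinding it with a different $\gamma$ does not give $T_{i,t,k}$, the recomputed $\mu$ differs, and the $\delta_{i,t}$ check fails. A registration that claims an attribute outside the broadcast set, or whose $\phi_{i,t}$ has been altered, is rejected by `cs_issue` before any parameter is issued.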
Step three: and (4) safe resource storage:
the resource sharer sets an attribute set and an access control strategy of the shared resource, encrypts the shared resource by using the access control strategy to obtain a ciphertext, uploads a public key and resource related information of the resource sharer to the local edge server, and the local edge server writes the message into the block chain after receiving the message and simultaneously stores the message into a database list of the alliance data index. The process is as follows:
(1) Terminal member u i,j First according to the shared resource m i,j Setting a security level of access to the shared resource m i,j Property set ofAnd an access control policy ≧ which accesses the shared resource>Attribute setThe corresponding set of attribute rights is ≦ ≦>The attribute authority parameter set corresponding to the attribute authority set is combined as ^ er>Wherein +>Represents a resource m i,j M attribute of (2), T i,j,m Denotes attr i,j,m And (4) corresponding attribute authority.
(2) Terminal member u i,j Using attribute rights collectionsAttribute authority and access control policy in>Encrypting a shared resource m i,j And obtains the ciphertext data->Then terminal member u i,j Combining public key information>Ciphertext data->A minimum set of permissions to access the data +>Data m i,j Key words of (4), access control policy->Upload to local edge Server E i 。
(3) Local edge server E i Receiving a messageThe message is written to the blockchain. Local edge server E i Each shared data is written as a block into the local data shared block chain. And simultaneously message>Store to the federation data index database list d all In which>For edge server E i The access address of (2).
Step four: the method for controlling the access of resources in the domain comprises the following steps: if the target resource is located in the local edge server, the terminal member can apply for accessing the resource from the local edge server by using the attribute authority of the terminal member, and the specific steps are as follows:
(1) Resource demander u i,t (1 ≦ t ≠ j ≦ 10) calculating hash valueAnd signature>Then the information such as the access authority information of the user and the key word of the access data is compared>Sent to the local edge server E i (ii) a Wherein, pi i,t Representing a set of rights parameters.
(2) Local edge server E i Receiving informationThereafter, a hash value is calculatedAnd verifies whether or not it is present>If not, the local edge server E i Deny service and, if the equation holds, calculate and validate the equation>If the equation is established, verifying the permission parameter set pi i,t Based on the CS block chain platform of the cloud service platform>Whether the right parameters in (2) are consistent.
(3) If terminal member u i,t After authentication, the local edge server E i According to terminal member u i,t The provided data keywords search related data resources, and access authority of the searched resources and terminal members u i,t By comparing access rights of the terminal member u i,t Resource with access rightsLocal edge server E i Selecting a random number->Calculating intermediate parametersAnd signaturesAnd pick up the information>Send to terminal member u i,t 。
(4) Terminal member u i,t Receiving informationThereafter, two equations are calculated and verifiedAnd &>If it is true. If both equations hold, terminal member u i,t Calculate ciphertext data->And through its attribute authority and access control policyAnd decrypting to obtain plaintext information.
step five: the method for controlling the inter-domain resource access comprises the following steps: if the target resource is located in the inter-domain edge server, the terminal member can apply for signature to the local edge server by using the attribute authority of the terminal member, and the terminal member applies for accessing the resource to the inter-domain edge server after obtaining the signature, and the process is as follows:
(1) Resource demander u i,t (t ≠ j ≦ 1 ≦ 10) calculating hash valueAnd signature>And information such as access authority information and key words of the access data is combined>Sent to the local edge server E i (ii) a Wherein H 2 (. Cndot.) is a hash function.
(2) Local edge server E i Receiving informationThen, a hash value is calculatedAnd verifies whether or not it is present>Whether or not to be equal. If the equality is not true, the local edge server E i Deny service and, if the equation holds, calculate and validate the equation>If the equation is established, verifying the permission parameter set pi i,t On the cloud server CS block chain platformWhether the attribute authority parameters in (1) are consistent.
(3) If terminal member u i,t If the authentication is passed, the local edge server E i According to terminal member u i,t Database list d of data keyword in alliance index provided all Searching the data resource corresponding to the key word and the access authority, and assuming to accord with the terminal member u i,t The out-of-domain edge server to which the required data resource belongs is E t . Terminal member u i,t Local edge server E i Signing the message it sends, local edge server E i Computing signaturesAnd will->And out-of-domain edge server E t Ip address of>Is transmitted to the terminalEnd member u i,t 。
(4) Terminal member u i,t Receive local edge server E i Transmitted messageThen, the parameters are calculatedAnd verifies whether or not it is present>Whether or not this is true. If so, the terminal member u i,t According to>To access out-of-domain edge servers E t And send the messageSent to out-of-domain edge server E t 。
(5) Out-of-domain edge server E t Receiving a messageThen, pass +>AuthenticationWhether the hash value of (1) is correct or not, and by calculating the equationIf true, to verify the local edge server E i Is correct. If both equations hold, out-of-domain edge server E t Validating a set of permission parameters pi i,t Based on the CS block chain platform of the cloud service platform>If the attribute weight parameters in the domain are consistent, if the equality is not satisfied, the domain outer edge server E t And returning prompt information of insufficient attribute authority.
(6) If terminal member u i,t Verified and its access rights conform to the edge server E outside the domain t And managing the access right of the related resources in the domain, and providing corresponding cipher text resource links.
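The ledger-side checks of steps three to five, as an added example (not the patent's own code). It models the per-domain block chain, the federation index $d_{all}$ and the three decisions an edge server makes on a request: the $H_2$ hash check, the comparison of the presented $\Pi_{i,t}$ with the member's chain record, and the comparison of a resource's minimum permission set with the requester's parameters, on both the in-domain path and the cross-domain path. The pairing-based signatures of the page are not modelled, since their formulas are not given on this page; in their place the local edge server records its referral as a block on the home-domain chain, which the out-of-domain server reads back. Domain names, keys, addresses, keywords and permission labels are all constructed.

```python
"""Per-domain block chain, federation index d_all, and the edge-server authorisation checks
of steps three to five.  Signatures are replaced by an on-chain referral record (see lead-in).
"""
import hashlib
import json

def h2(*parts):
    """H_2 of the page, modelled as SHA-256 over the '|'-joined string forms of its inputs."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

class DomainChain:
    """Append-only hash chain for one security domain."""
    def __init__(self, domain):
        self.domain, self.blocks = domain, []

    def append(self, record):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "record": record,
                            "hash": h2(prev, json.dumps(record, sort_keys=True))})

    def verify_links(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or h2(prev, json.dumps(b["record"], sort_keys=True)) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def find(self, **match):
        """Latest record carrying all the given field values, or None."""
        for b in reversed(self.blocks):
            if all(b["record"].get(k) == v for k, v in match.items()):
                return b["record"]
        return None

    def resources(self, keyword, pi):
        """Ciphertext ids of local resources whose minimum permission set is covered by pi."""
        return [b["record"]["ct"] for b in self.blocks
                if b["record"]["type"] == "resource" and keyword in b["record"]["keywords"]
                and set(b["record"]["min_perms"]) <= set(pi)]

class Federation:
    """The cloud server's set of domain chains plus the federation data index d_all."""
    def __init__(self):
        self.chains, self.index = {}, []

    def chain(self, domain):
        return self.chains.setdefault(domain, DomainChain(domain))

    def register_member(self, domain, pk, pi, edge_pk):          # step two (6)
        self.chain(domain).append({"type": "member", "pk": pk, "pi": sorted(pi), "edge_pk": edge_pk})

    def share_resource(self, domain, owner_pk, ct, keywords, min_perms, edge_addr):   # step three
        rec = {"type": "resource", "domain": domain, "owner": owner_pk, "ct": ct,
               "keywords": sorted(keywords), "min_perms": sorted(min_perms), "edge": edge_addr}
        self.chain(domain).append(rec)
        self.index.append(rec)

def make_request(pk, pi, keyword):
    pi = sorted(pi)
    return {"pk": pk, "pi": pi, "keyword": keyword, "phi": h2(pk, pi, keyword)}

def check_requester(fed, domain, req):
    """Hash check, then the presented permission set must equal the requester's chain record."""
    if h2(req["pk"], req["pi"], req["keyword"]) != req["phi"]:
        return "hash mismatch"
    rec = fed.chain(domain).find(type="member", pk=req["pk"])
    if rec is None:
        return "not registered in this domain"
    if rec["pi"] != sorted(req["pi"]):
        return "permission parameters differ from chain"
    return "ok"

def local_access(fed, domain, req):                  # step four
    status = check_requester(fed, domain, req)
    if status != "ok":
        return status, []
    hits = fed.chain(domain).resources(req["keyword"], req["pi"])
    return ("ok" if hits else "insufficient attribute authority"), hits

def local_referral(fed, domain, req):                # step five (1)-(3), local edge server side
    status = check_requester(fed, domain, req)
    if status != "ok":
        return status, None
    remote = [r for r in fed.index if req["keyword"] in r["keywords"] and r["domain"] != domain]
    if not remote:
        return "no out-of-domain resource", None
    referral = {"type": "referral", "requester": req["pk"], "pi": req["pi"],
                "keyword": req["keyword"], "target": remote[0]["domain"], "phi": req["phi"]}
    fed.chain(domain).append(referral)               # stands in for E_i's signature
    return "ok", dict(referral, edge=remote[0]["edge"])

def remote_access(fed, home, referral):              # step five (5)-(6), out-of-domain server side
    req = {k: referral[k] for k in ("pi", "keyword", "phi")}
    req["pk"] = referral["requester"]
    status = check_requester(fed, home, req)         # requester is checked against its home chain
    if status != "ok":
        return status, []
    if fed.chain(home).find(type="referral", requester=req["pk"], keyword=req["keyword"],
                            target=referral["target"]) is None:
        return "no referral from home edge server", []
    hits = fed.chain(referral["target"]).resources(req["keyword"], req["pi"])
    return ("ok" if hits else "insufficient attribute authority"), hits

def build_demo():
    fed = Federation()
    fed.register_member("d1", "pkA", ["chi:doctor", "chi:nurse"], "pkE1")
    fed.register_member("d1", "pkB", ["chi:admin"], "pkE1")
    fed.share_resource("d1", "pkB", "ct-1", ["ehr"], ["chi:doctor"], "10.0.1.1")
    fed.share_resource("d2", "pkC", "ct-2", ["ehr"], ["chi:doctor", "chi:admin"], "10.0.2.1")
    fed.share_resource("d2", "pkC", "ct-3", ["ehr"], ["chi:doctor"], "10.0.2.1")
    return fed

if __name__ == "__main__":
    fed = build_demo()
    print(local_access(fed, "d1", make_request("pkA", ["chi:doctor", "chi:nurse"], "ehr")))
    ok, ref = local_referral(fed, "d1", make_request("pkA", ["chi:doctor", "chi:nurse"], "ehr"))
    print(remote_access(fed, "d1", ref))
```

The exact-equality comparison against the chain record is what stops two members from pooling parameters: a request carrying the union of their $\Pi$ sets matches neither record and is refused before any keyword search. The out-of-domain server checks the requester against the requester's home chain rather than its own, which is the cross-domain reading of step (5), and it refuses a referral that the home chain does not carry even when the requester's own record is in order.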
The method is built on hidden-attribute authentication and is proposed with the decisional bilinear Diffie-Hellman (DBDH) problem as its security assumption. Hidden-attribute identity authentication protects personal privacy during the identity authentication that precedes resource sharing, and during the distribution of attribute authorities each terminal member is not only authenticated but also receives the attribute authority for each of its attributes. Access control is block-chain based: the attributes of every user are written to the block chain, and because the chain cannot be tampered with, no two terminal users can combine their attributes to access a data resource that neither of them is authorized for. The method further supports cross-domain access control, offering a workable scheme for cooperation between different security domains, which makes resource sharing in an edge cloud cooperative environment more flexible, efficient and practical, and which has research significance and commercial application value.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the scope of the present invention, which is intended to cover any modifications, equivalents, improvements, etc. within the spirit and scope of the present invention.
Claims (10)
1. An access control method based on a block chain in mobile edge cloud cooperation is characterized by comprising the following steps:
step one, initializing the access control protocol parameters in the edge cloud coordination system: generating the public/private key pairs of the cloud server CS, each edge server and each terminal member;
step two, distributing the attribute authority of the terminal member:
a) The method comprises the steps that a cloud server CS broadcasts all attributes of access system resources and attribute serial numbers thereof to each terminal member;
b) The terminal member calculates intermediate parameters required by registration according to the attribute of the terminal member, and sends the intermediate parameters to the cloud server CS;
c) After receiving the messages sent by each terminal member, the cloud server CS verifies the validity of the parameters and the validity of the identity of each terminal member, if the verification is passed, the cloud server CS determines the number of the terminal member attributes and calculates the attribute authority parameters and the signature, and then sends the public key, the signature and the attribute authority parameters of the cloud server CS to each terminal member;
d) After receiving a message sent by a cloud server CS, each terminal member calculates an attribute authority, then the identity of the cloud server CS and the correctness of the attribute authority are verified, if the verification is passed, each terminal member obtains an attribute authority corresponding to the attribute and an attribute authority parameter set, and the distribution of the attribute authority of each terminal member is successful;
e) The cloud server CS calculates encryption parameters and sends the encryption parameters to each edge server, and each edge server receives the encryption parameters and then calculates to obtain an attribute authority set of all attributes;
f) The cloud server CS is divided into different security domains according to the IP of the edge server and the mobile terminal, a block chain is established for each security domain, the public information of each terminal member of the security domain is written into the block chain, the edge server runs a block chain program of the local domain, and the block information of any managed terminal member can be acquired;
step three, storage of shared resources:
g) The resource sharer sets an attribute set and an access control strategy of the resource, and encrypts the shared resource by using the access control strategy to obtain a ciphertext; the resource sharer uploads the own public key and the information of the shared resource to the local edge server, and the local edge server writes the message into the block chain after receiving the message and simultaneously stores the message into a list of the alliance data index database;
step four: access control of shared resources within a domain and access control of shared resources outside the domain.
2. The method for controlling access based on the block chain in the mobile edge cloud coordination according to claim 1, wherein the method for controlling access to the shared resources in the domain comprises:
h) The resource demander calculates the access parameters and the access signatures required by the access resources and sends the access parameters, the access signatures and the access authority information to a local edge server;
i) After receiving the message of the resource demander, the local edge server verifies the validity of the parameters, the identity of the resource demander and the attribute authority parameters;
j) After the verification is passed, the local edge server searches resources according to the keywords provided by the resource demander, compares the access rights of the resources and the resource demander, and calculates request parameters and request signatures and sends the request parameters and the request signatures to the resource demander after finding the target resources;
k) After receiving the message of the local edge server, the resource demander verifies the request parameters and the identity of the local edge server, and if the verification is passed, the resource demander obtains the shared resource.
3. The method for block chain-based access control in mobile edge cloud coordination according to claim 2, wherein the method for access control of the shared resources outside the domain is:
l) the resource demander calculates the access parameters and the signature required to access the resource, and sends the access parameters, the access signature, its own access authority and the keyword information to a local edge server;
m) after receiving the message of the resource demander, the local edge server verifies the validity of the access parameters, the identity of the terminal member and the attribute authority parameters;
n) after the verification is passed, the local edge server searches resources corresponding to the keywords, the access authority of the resources and the edge server outside the domain to which the resources belong, then calculates a request signature and sends the request signature and the address of the edge server outside the domain to the resource demander;
o) after receiving the message of the local edge server, the resource demander calculates the parameter of the request signature and verifies the validity of the message, and after the verification is passed, the resource demander sends the resource request parameter information to the edge server outside the domain;
p) after receiving the resource request parameter message of the resource demander, the edge server outside the domain verifies the request parameter, the identity of the resource demander, the request signature of the local edge server of the resource demander and the attribute authority parameter of the resource demander;
q) after the verification is passed, the edge server outside the domain provides a link to the shared resource to the resource demander.
4. The method for controlling access based on the block chain in the mobile edge cloud collaboration as claimed in claim 1 or 3, wherein the public/private key pairs of the cloud server CS, each edge server and each terminal member are generated in step one as follows:
a master key MSK and a public key PK of the system are generated with a master-key generation function; with the system public key PK, the master key MSK, the identity of terminal member $u_{i,t}$ and the attribute set of $u_{i,t}$ as input, a key generation function outputs the private key of $u_{i,t}$, from which its public key is computed, giving the public/private key pair of the terminal member;
the cloud server CS selects a random positive integer $SK_{CS} \in \mathbb{Z}_q^*$ as its private key and computes the public key $PK_{CS} = SK_{CS}\,g_1$, so the public/private key pair of the cloud server CS is $(PK_{CS}, SK_{CS})$;
each edge server $E_i$ selects a random positive integer in $\mathbb{Z}_q^*$ as its private key and computes its public key;
wherein $g_1$ is a generator of the additive group $G_1$, $\mathbb{Z}_q^*$ is the set of integers modulo $q$, $q$ being the order of $G_1$, $1 \le i \le N$, $1 \le t \le n$, $n$ is the number of terminal members in a domain and $N$ is the number of edge servers in the system.
5. The access control method based on the block chain in the mobile edge cloud collaboration as claimed in claim 1, wherein the attribute authorities of the terminal members are distributed in step two as follows:
(1) The cloud server CS broadcasts all attributes for accessing system resources and their sequence numbers, $\{(A_1, S_1), (A_2, S_2), \ldots, (A_R, S_R)\}$, to every terminal member; wherein $A_v$ is the $v$-th attribute for accessing system resources, $S_v$ is the sequence number of $A_v$, $1 \le v \le R$, and $R \in \mathbb{N}^*$ is the number of attributes in the network, $\mathbb{N}^*$ denoting the positive integers;
(2) Terminal member $u_{i,t}$, holding its set of attribute sequence numbers, randomly selects a positive integer $\gamma_{i,t} \in \mathbb{Z}_q^*$ and computes the intermediate parameters $o_{i,t} = \gamma_{i,t}\,g_1$, $\theta_{i,t,1} = \gamma_{i,t} H_1(a_{i,t,1})\,g_1$, $\theta_{i,t,2} = \gamma_{i,t} H_1(a_{i,t,2})\,g_1$, $\ldots$, $\theta_{i,t,r} = \gamma_{i,t} H_1(a_{i,t,r})\,g_1$, $\beta_{i,t} = \gamma_{i,t}\,PK_{CS}$, $\eta_{i,t}$ and $\phi_{i,t} = H_2(\beta_{i,t})$, and sends its registration message to the cloud server CS; wherein $a_{i,t,v}$ is the $v$-th attribute of $u_{i,t}$, with $a_{i,t,k} < a_{i,t,k+1}$ for $1 \le k < r$, $r$ is the number of attributes of $u_{i,t}$, the positive integer $\gamma_{i,t} \ne 1$, and $\theta_{i,t,1}, \theta_{i,t,2}, \ldots, \theta_{i,t,r}$, $\eta_{i,t}$, $\beta_{i,t}$, $\phi_{i,t}$ and $o_{i,t}$ are the intermediate parameters $u_{i,t}$ needs for registration; $g_1$ is a generator of the additive group $G_1$, $1 \le i \le N$, $1 \le t \le n$, $n$ is the number of terminal members in a domain and $N$ is the number of edge servers in the system; $PK_{CS}$ is the public key of the cloud server CS, and $u_{i,t}$ holds a private key and a public key; $H_1$ and $H_2$ are hash functions and $\|$ is the concatenation symbol;
(3) After receiving the message from terminal member $u_{i,t}$, the cloud server CS computes the hash value $\beta'_{i,t} = H_2(\beta_{i,t})$ and verifies that $\beta'_{i,t} = \phi_{i,t}$ and the pairing equation on the received parameters hold; if they hold, CS computes intermediate parameters and compares them with $\theta_{i,t,k}$ to determine which attributes $u_{i,t}$ holds; then, for each attribute $a_{i,t,k}$ of $u_{i,t}$, CS randomly selects a positive integer $t_{i,t,k} \in \mathbb{Z}_q^*$, computes the attribute authority parameter $\chi_{i,t,k} = t_{i,t,k}\,o_{i,t}$ and the signature $\delta_{i,t}$, and sends the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \ldots, \chi_{i,t,r})\}$ to the registering terminal member $u_{i,t}$; wherein $\chi_{i,t,k}$ is the attribute authority parameter of the $k$-th attribute of $u_{i,t}$, $SK_{CS}$ is the private key of the cloud server CS, $\delta_{i,t}$ is the signature $u_{i,t}$ needs for registration, and $e(\cdot,\cdot)$ is a computable bilinear map;
(4) After receiving the message $\{PK_{CS}, \delta_{i,t}, (\chi_{i,t,1}, \chi_{i,t,2}, \ldots, \chi_{i,t,r})\}$ from the cloud server CS, terminal member $u_{i,t}$ computes the attribute authority of each attribute, $T_{i,t,1} = \gamma_{i,t}^{-1}\chi_{i,t,1} = t_{i,t,1}\,g_1$, $T_{i,t,2} = \gamma_{i,t}^{-1}\chi_{i,t,2} = t_{i,t,2}\,g_1$, $\ldots$, $T_{i,t,r} = \gamma_{i,t}^{-1}\chi_{i,t,r} = t_{i,t,r}\,g_1$, and the intermediate parameter $\mu_{i,t} = H_2(T_{i,t,1} \| T_{i,t,2} \| \ldots \| T_{i,t,r})$; terminal member $u_{i,t}$ verifies the equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\,g_1, g_1)$, and if it holds, $u_{i,t}$ is successfully registered and obtains the attribute authority $T_{i,t,k}$ of each attribute $a_{i,t,k}$ together with the attribute authority parameter set $\Pi_{i,t} = \{\chi_{i,t,1}, \chi_{i,t,2}, \ldots, \chi_{i,t,r}\}$; wherein $T_{i,t,1}, T_{i,t,2}, \ldots, T_{i,t,r}$ are the attribute authorities of $u_{i,t}$ and $\mu_{i,t}$ is the intermediate variable used to verify the identity of the cloud server CS;
(5) Using the positive integers $t_{i,t,k}$ it selected, the cloud server CS computes an encryption parameter for each edge server $E_i$ and sends it to $E_i$; after receiving the encryption parameter, each edge server $E_i$ computes the attribute authorities from it and thus obtains the attribute authority set of all attributes, $Eaw_{t,k} = \{T_{i,t,1}, T_{i,t,2}, \ldots, T_{i,t,R}\}$; wherein edge server $E_i$ holds a public key and a private key;
(6) The cloud server CS partitions the system into security domains according to the IP addresses of the edge servers and terminal members, establishes a block chain for each security domain, and writes the public information of each terminal member of the domain into the block chain; when a terminal member $u_{i,t}$ of edge server $E_i$ has registered successfully, the cloud server CS writes the public key of the terminal member, its attribute permission parameter set $\Pi_{i,t}$ and the public key of edge server $E_i$ into a new block of the block chain, and the information blocks of all terminal members of a security domain form the block chain of that domain;
6. The method for controlling access based on block chains in mobile edge cloud collaboration as claimed in claim 5, wherein the shared resources are stored in step three as follows:
1) Terminal member $u_{i,j}$ sets, according to the security level of the shared resource $m_{i,j}$, the attribute set required to access $m_{i,j}$ and the access control policy for it; the attribute set has a corresponding attribute authority set, and that set has a corresponding attribute authority parameter set; wherein $attr_{i,j,m}$ is the $m$-th attribute of the shared resource $m_{i,j}$, $T_{i,j,m}$ is the attribute authority corresponding to $attr_{i,j,m}$, $\chi_{i,j,m}$ is the attribute authority parameter of $T_{i,j,m}$, $1 \le j \le n$, and $n$ is the number of terminal members in the domain;
2) Terminal member $u_{i,j}$ encrypts the shared resource $m_{i,j}$ with the attribute authorities of that set and the access control policy, obtaining the ciphertext data; it then uploads the message composed of its public key, the ciphertext data, the attribute authority parameter set, the keywords of the shared resource $m_{i,j}$ and the access control policy to the local edge server $E_i$;
3) After receiving the message, the local edge server $E_i$ writes it into the block chain; edge server $E_i$ writes each shared resource as a block into the local data-sharing block chain and at the same time stores the message in the federation data index database list $d_{all}$; wherein the entry also carries the access address of the local edge server $E_i$.
7. The method for controlling access based on block chains in mobile edge cloud collaboration according to claim 6, wherein the access control of shared resources in the domain is as follows:
S1: Resource demander $u_{i,t}$ computes a hash value and an access signature and sends them, together with its own access authority information and the keyword information of the resource it wants, to the local edge server $E_i$; wherein $u_{i,t}$ holds a private key and a public key, $\Pi_{i,t}$ is its attribute authority parameter set, $o_{i,t}$ is the intermediate parameter computed by $u_{i,t}$ at registration, $1 \le t \ne j \le n$, $H_2$ is a hash function, $\|$ is the concatenation symbol, $H_3 : \{0,1\}^* \to G_1$ is a hash function, and $g_1$ is a generator of the additive group $G_1$;
S2: After receiving the message, the local edge server $E_i$ computes the hash value and checks whether it equals the received one; if the hash values are equal, it computes and verifies the signature equation, and if the equation holds, it verifies that the attribute authority parameter set $\Pi_{i,t}$ is consistent with the attribute authority parameters in the message recorded for $u_{i,t}$ on the block chain platform of the cloud server CS; $\chi_{t,r}$ denotes an attribute authority parameter;
S3: If terminal member $u_{i,t}$ passes verification, the local edge server $E_i$ searches data resources by the keywords provided by $u_{i,t}$ and, comparing the access authority of each resource found with that of $u_{i,t}$, selects the shared resources $u_{i,t}$ is entitled to access; $E_i$ chooses a random number, computes an intermediate request parameter and a request signature, and sends the resulting message to $u_{i,t}$; wherein edge server $E_i$ holds a public key and a private key;
S4: After receiving the message, terminal member $u_{i,t}$ computes and verifies two equations; if both hold, $u_{i,t}$ recovers the ciphertext data and decrypts it with its attribute authorities and the access control policy to obtain the plaintext; $\gamma_{i,t}$ is the random positive integer chosen by $u_{i,t}$.
8. The method for controlling access based on a block chain in mobile edge cloud collaboration according to claim 6 or 7, wherein the access control of inter-domain shared resources is as follows:
S11: Resource demander $u_{i,t}$ computes a hash value and an access signature and sends them, together with its own access authority information and the keywords of the data it wants, to the local edge server $E_i$; wherein $1 \le t \ne j \le n$, $H_3 : \{0,1\}^* \to G_1$ is a hash function, $g_1$ is a generator of the additive group $G_1$, and $H_2(\cdot)$ is a hash function;
S12: After receiving the message, the local edge server $E_i$ computes the hash value and checks whether it equals the received one; if equal, it computes and verifies the signature equation, and if the equation holds, it verifies that the attribute authority parameter set $\Pi_{i,t}$ is consistent with the attribute authority parameters recorded for $u_{i,t}$ on the block chain platform of the cloud server CS;
S13: If terminal member $u_{i,t}$ passes verification, the local edge server $E_i$ searches the federation index database list $d_{all}$ for the shared resources matching the keywords provided by $u_{i,t}$ and their access authority; suppose the out-of-domain edge server holding the shared resource that fits $u_{i,t}$ is $E_t$; the local edge server $E_i$ signs the message sent by $u_{i,t}$, computing a request signature, and delivers the request signature together with the IP address of the out-of-domain edge server $E_t$ to $u_{i,t}$;
S14: After receiving the message from the local edge server $E_i$, terminal member $u_{i,t}$ computes the intermediate parameter and checks that the signature equation holds; if so, $u_{i,t}$ uses the IP address to reach the out-of-domain edge server $E_t$ and sends its access message to $E_t$;
S15: After receiving the message, the out-of-domain edge server $E_t$ checks the hash value of the message and, by computing the signature equation, verifies the signature of the local edge server $E_i$; if both equations hold, $E_t$ verifies that the attribute authority parameter set $\Pi_{i,t}$ is consistent with the attribute authority parameters in the message recorded for $u_{i,t}$ on the block chain platform of the cloud server CS;
S16: If terminal member $u_{i,t}$ passes verification and its access authority satisfies the access requirements of the relevant resource managed by the out-of-domain edge server $E_t$, $E_t$ provides the link to the corresponding ciphertext resource.
9. The method for controlling access based on block chain in mobile edge cloud collaboration as claimed in claim 7, wherein the equation in step (3) is verified as follows:
and the equation $e(\delta_{i,t}, PK_{CS}) = e(\mu_{i,t}\,g_1, g_1)$ in step (4) is verified as follows:
10. The method for block chain-based access control in mobile edge cloud collaboration as claimed in claim 8, wherein the equation in step S12 is verified as follows:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111086224.5A CN115941221A (en) | 2021-09-16 | 2021-09-16 | Access control method based on block chain in mobile edge cloud cooperation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111086224.5A CN115941221A (en) | 2021-09-16 | 2021-09-16 | Access control method based on block chain in mobile edge cloud cooperation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115941221A true CN115941221A (en) | 2023-04-07 |
Family
ID=86549400
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111086224.5A Pending CN115941221A (en) | 2021-09-16 | 2021-09-16 | Access control method based on block chain in mobile edge cloud cooperation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115941221A (en) |
Legal Events
- 2021-09-16: application CN202111086224.5A filed (CN); status Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116800435A (en) * | 2023-08-21 | 2023-09-22 | 成都信息工程大学 | Access control method, system and storage medium based on zero knowledge proof and cross-chain |
CN116800435B (en) * | 2023-08-21 | 2023-12-19 | 成都信息工程大学 | Access control method, system and storage medium based on zero knowledge proof and cross-chain |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Guo et al. | Blockchain meets edge computing: A distributed and trusted authentication system | |
CN111639361B (en) | Block chain key management method, multi-person common signature method and electronic device | |
CN113489733B (en) | Content center network privacy protection method based on block chain | |
Zhang et al. | SMAKA: Secure many-to-many authentication and key agreement scheme for vehicular networks | |
Ma et al. | Redactable blockchain in decentralized setting | |
CN112165472B (en) | Internet of things data security sharing method based on privacy protection | |
JP4639084B2 (en) | Encryption method and encryption apparatus for secure authentication | |
CN111563261A (en) | Privacy protection multi-party computing method and system based on trusted execution environment | |
CN110912897B (en) | Book resource access control method based on ciphertext attribute authentication and threshold function | |
CN112383550B (en) | Dynamic authority access control method based on privacy protection | |
CN113360943B (en) | Block chain privacy data protection method and device | |
CN113761582A (en) | Group signature based method and system for protecting privacy of block chain transaction under supervision | |
Yan et al. | Integrity audit of shared cloud data with identity tracking | |
CN115065679B (en) | Electronic health record sharing model, method, system and medium based on blockchain | |
CN113346993B (en) | Layered dynamic group key negotiation method based on privacy protection | |
CN111447058B (en) | Book resource access control method based on Chinese remainder theorem | |
CN114244838B (en) | Encryption method and system, decryption method, device and equipment for block chain data | |
CN115834067A (en) | Ciphertext data sharing method in edge cloud collaborative scene | |
CN116318663A (en) | Multi-strategy safe ciphertext data sharing method based on privacy protection | |
CN115883102B (en) | Cross-domain identity authentication method and system based on identity credibility and electronic equipment | |
CN115242388B (en) | Group key negotiation method based on dynamic attribute authority | |
Wang et al. | Achieving fine-grained and flexible access control on blockchain-based data sharing for the Internet of Things | |
CN117040800A (en) | Personal archive management scheme based on alliance chain and non-certificate searchable encryption | |
Long et al. | Blockchain-Based Anonymous Authentication and Key Management for Internet of Things With Chebyshev Chaotic Maps | |
CN117714065A (en) | Efficient alliance chain privacy protection method and system based on group signature and Bulletproofs | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||