CN116055050B - End-to-end stream data encryption method and system based on cryptography access control - Google Patents
End-to-end stream data encryption method and system based on cryptography access control Download PDFInfo
- Publication number
- CN116055050B CN116055050B CN202310330568.9A CN202310330568A CN116055050B CN 116055050 B CN116055050 B CN 116055050B CN 202310330568 A CN202310330568 A CN 202310330568A CN 116055050 B CN116055050 B CN 116055050B
- Authority
- CN
- China
- Prior art keywords
- privacy
- stream data
- conversion
- token
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
- H04L9/0836—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The embodiment of the invention provides an end-to-end stream data encryption method and system based on cryptography access control. Generating a derivative key by a data producer, encrypting stream data to obtain encrypted stream data, and sending the encrypted stream data and the derivative key to a server; the privacy management module generates a privacy conversion token and sends the privacy conversion token to the server; the server collects the privacy conversion token and the encrypted stream data and sends the privacy conversion token and the encrypted stream data to the privacy conversion module together; the privacy conversion module aggregates the encrypted stream data through a privacy conversion function and performs privacy conversion on the privacy conversion token; and pairing the privacy conversion token after privacy conversion with the aggregated encrypted stream data to generate privacy conforming data. In this way, data conversion based on multi-stream data aggregation privacy control can be realized, and instant transmission and processing of a large amount of stream data are ensured, so that the privacy of user data is not violated when the user data is normally acquired and used.
Description
Technical Field
The present invention relates generally to the field of network security, and more particularly to an end-to-end stream data encryption method and system based on cryptographic access control.
Background
With the continuous change of mobile terminal equipment, mass data and intelligent application are filling up the physical space on which people live at unprecedented speed, wherein the time series data has huge duty ratio, the time series data is more and more popular in a wide system in different fields, more and more equipment and service collection detailed time series data are stored in a cloud server, and the information technology is gradually and widely applied to various fields such as medical treatment, transportation, finance, network supervision and the like. Distributed parallel processing and virtualization technologies based on cloud computing can store, compute, and transmit massive data.
However, the physical data generated by the terminal device typically relates to personal privacy. If private data is uploaded to the cloud data center, a large amount of bandwidth is occupied, and the risk of privacy disclosure of users is increased. In the network information transmission process, the personal privacy safety problem is also more and more prominent, and the information safety problem is not only related to personal privacy, but also is closely related to national confidentiality and social stability development. The network security flow data access control technology plays an important role in maintaining network security, and is beneficial to the healthy and stable development of computer networks.
In the past, the traditional safety protection technology has certain limitations due to the characteristics of low information authority, low visualization degree and the like, and has poor timeliness, so that a great deal of time is required in the transmission process of information data, and the requirements of high efficiency and rapidness of a modern network cannot be met. Secondly, in the actual detection process, the information data also changes, so that the actual accuracy of the detection result is greatly affected and gradually reduced. At present, although technologies for network security privacy have greatly advanced, the network security privacy framework is still mainly focused on informing users and the stage of user consent, but this is not the best solution. Erroneous practices of data usage and sharing in systems based on user consent remain commonplace.
Aiming at the problems, a stream data encryption algorithm based on symmetrical homomorphic encryption and a stream data-oriented cryptography access control mechanism are generally adopted to meet the related scalability and low-delay requirements of time series workload, realize real-time analysis of a large amount of encrypted data and protect the privacy of network stream data.
In existing data processing systems, automatic enforcement of privacy policies is achieved by using information flow control (Information Flow Control, IFC) to monitor and restrict information through systems that vary in how and where IFC rules are implemented in programs, but generally rely on trusted services or trusted hardware to achieve privacy protection. The IFC system in Riverbed groups users with similar privacy policies into separately running containers, enforcing user-defined privacy policies through information flow techniques. A trusted data processing library is introduced in the Ancile, and data conversion conforming to the privacy policy requirements is only issued to the application program, so that conversion conforming to the privacy preferences of the user is enforced on the data generated by the application program. In the multitverse database, the global privacy policy makes users believe that it can execute the privacy policy correctly by disclosing only materialized views of the database to each user in the application. Qapla allows privacy-compliant servers to associate a set of privacy policies with a database schema that is enforced by a trusted reference monitor.
While secure syndication protocols have been used in the design of various privacy systems, they are primarily intended to allow a data service party to access only syndicated data, not individual data, when accessing user data. But these systems often require that the production of data be actively involved in these secure aggregation protocols and that data be kept localized and broad privacy conversions are not supported; there are also systems that combine a look-up privacy technique (i.e., by adding noise to the input) with a secure aggregation protocol to perform the task of privacy data.
In summary, there are three key issues to be resolved:
first, in the current user privacy control model, privacy control is implemented and performed by a data manager having full access control authority to plaintext data, but even trusted data managers can be damaged by intrusion or leak the privacy data due to external interests due to frequent privacy data leak events issued by CNCERT/CC. Moreover, even if these trusted data managers do not actively leak private data, it is difficult to ensure that the private data of the user can be used in a processing manner agreed to by the user.
Secondly, the data service side usually prescribes the data using mode of the user by self-drafting privacy policy unilaterally, and no method is available for realizing the privacy data preference of the user, if the user refuses the privacy scheme of the data service side, the user will be refused to use the service.
Finally, in existing private data solutions, most are temporary solutions, not an integral part of the entire data processing system.
Disclosure of Invention
According to an embodiment of the invention, an end-to-end stream data encryption scheme based on cryptographic access control is provided.
In a first aspect of the invention, an end-to-end stream data encryption method based on cryptographic access control is provided. The method comprises the following steps:
generating a derivative key by a data producer, encrypting stream data according to the derivative key to obtain encrypted stream data, and sending the encrypted stream data and the derivative key to a server;
the privacy management module generates a privacy conversion token and sends the privacy conversion token to a server;
the server collects the privacy conversion token and the encrypted stream data and sends the privacy conversion token and the encrypted stream data to a privacy conversion module together;
the privacy conversion module is used for responding to a stream data inquiry request and aggregating the encrypted stream data through a privacy conversion function to obtain aggregated encrypted stream data; performing privacy conversion on the privacy conversion token to obtain a privacy conversion token after privacy conversion; and matching the privacy conversion token after privacy conversion with the aggregate encrypted stream data to generate privacy conforming data.
Further, the data producer generates a derivative key, encrypts stream data according to the derivative key to obtain encrypted stream data, and includes:
constructing a key derivation tree;
each leaf node in the key derivation tree represents a time period, and each time period is mapped into a derivation key;
and encrypting the stream data by using the derivative key to generate encrypted stream data.
Further, the key derivation tree is a balanced binary tree, and is constructed from the root node to the child node from top to bottom; wherein the root node represents a master key; the child node is generated by a pseudo-random generator through a hash function; each leaf node represents a time period as input to a key derivation function; the key derivation function is used for calculating a derived key.
Further, the privacy management module generates a privacy conversion token comprising:
acquiring a subkey corresponding to each piece of stream data from the master key;
and encrypting the stream data and the corresponding subkey, and generating a privacy conversion token through the subkey.
Further, the aggregating the encrypted stream data by a privacy transfer function includes:
If the encrypted stream data is single stream data of a single data producer, ciphertext aggregation is carried out on the encrypted stream data through a first privacy conversion function;
if the encrypted stream data is multi-stream data of a single data producer, ciphertext aggregation is carried out on the encrypted stream data through a second privacy conversion function;
if the encrypted stream data is from a plurality of data producers, noise is added to the encrypted stream data by a third privacy transfer function.
Further, the privacy conversion module responds to the stream data query request to perform privacy conversion on the privacy conversion token, and the privacy conversion module comprises:
judging whether the privacy conversion token is a required privacy conversion token according to the query stream data request, if so, continuing to judge whether the privacy conversion token needs to be aggregated, otherwise, discarding the privacy conversion token;
if the privacy conversion tokens need to be aggregated, the privacy conversion tokens are aggregated to obtain aggregated privacy conversion tokens, and privacy conversion is carried out on the aggregated privacy conversion tokens; otherwise, privacy conversion is carried out on the privacy conversion token.
Further, the privacy conversion includes:
if the privacy conversion token is a single-stream conversion token, calculating the privacy conversion token after privacy conversion;
If the privacy conversion token is a multi-stream conversion token, calculating the privacy conversion token after privacy conversion through the aggregation window key;
if the privacy conversion token is a multi-user conversion token, the privacy conversion token after privacy conversion is obtained by adding noise to the privacy conversion token.
In a second aspect of the invention, an end-to-end stream data encryption system based on cryptographic access control is provided. The system comprises:
the data producer is used for generating a derivative key, encrypting stream data according to the derivative key to obtain encrypted stream data, and sending the encrypted stream data and the derivative key to the server;
the privacy management module is used for generating a privacy conversion token and sending the privacy conversion token to the server;
the server is used for collecting the privacy conversion token and the encrypted stream data and sending the privacy conversion token and the encrypted stream data to the privacy conversion module together;
the privacy conversion module is used for responding to the stream data inquiry request, and aggregating the encrypted stream data through a privacy conversion function to obtain aggregated encrypted stream data; performing privacy conversion on the privacy conversion token to obtain a privacy conversion token after privacy conversion; and matching the privacy conversion token after privacy conversion with the aggregate encrypted stream data to generate privacy conforming data.
In a third aspect of the invention, an electronic device is provided. At least one processor of the electronic device; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the first aspect of the invention.
In a fourth aspect of the invention, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of the first aspect of the invention.
It should be understood that the description in this summary is not intended to limit the critical or essential features of the embodiments of the invention, nor is it intended to limit the scope of the invention. Other features of the present invention will become apparent from the description that follows.
The scheme realizes the data conversion based on the multi-stream data aggregation privacy control, can form high-efficiency communication between privacy conversion modules, constructs a privacy conversion token by sharing and canceling random numbers, constructs a stream data privacy protection system with a user as a center based on cryptography, and ensures the instant transmission and processing of a large amount of stream data; the method and the system have the advantages that the user privacy is complied with, an interface which is easy to call is provided for a network security research organization, and the user data can be ensured to be normally acquired and used without violating the privacy.
Drawings
The above and other features, advantages and aspects of embodiments of the present invention will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, wherein like or similar reference numerals denote like or similar elements, in which:
FIG. 1 illustrates a flow chart of an end-to-end stream data encryption method based on cryptographic access control in accordance with an embodiment of the invention;
FIG. 2 shows a schematic diagram of the structure of a key derivation tree according to an embodiment of the present invention;
FIG. 3 illustrates a flow chart of a privacy conversion module execution process according to an embodiment of the present invention;
FIG. 4 shows a block diagram of an end-to-end stream data encryption system based on cryptographic access control in accordance with an embodiment of the present invention;
FIG. 5 shows a block diagram of an exemplary electronic device capable of implementing embodiments of the invention;
wherein 500 is an electronic device, 501 is a computing unit, 502 is a ROM, 503 is a RAM, 504 is a bus, 505 is an I/O interface, 506 is an input unit, 507 is an output unit, 508 is a storage unit, 509 is a communication unit.
Description of the embodiments
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Existing encrypted data processing systems can perform server-side computation on encrypted data using homomorphic encryption schemes, which typically combine efficient partial homomorphic encryption schemes with specialized client-side encoding to support a broader set of queries. However, the conventional common encryption scheme cannot support selective decryption of data, and privacy conversion can only be performed across multiple users through a multiparty computing protocol, and the protocols require a data producer to participate in computation and are often limited to specific functions, so that the method adopts a mode of sharing homomorphic secrets for decoupling encryption and privacy conversion, meets the requirement of privacy conversion, and realizes decoupling of encryption and privacy conversion.
Fig. 1 shows a flow chart of an end-to-end stream data encryption method based on cryptographic access control according to an embodiment of the invention.
The method comprises the following steps:
s101, a data producer generates a derivative key, encrypts stream data according to the derivative key to obtain encrypted stream data, and sends the encrypted stream data and the derivative key to a server.
In this embodiment, the data producer is responsible for generating master keys and encrypting the generated stream data and providing privacy preferences. The data producer registers in the system, starts to produce data after logging in, encrypts the data according to the derivative key of the data producer, generates encrypted stream data and sends the encrypted stream data to the server.
In this embodiment, the server refers to a kafka server.
In this embodiment, the data producer generates a derivative key according to the encryption access control algorithm, and encrypts stream data according to the derivative key to obtain encrypted stream data.
The encryption access control algorithm realizes access of streaming data with different granularities under different strategies. To limit access to each data consumer's time frame and meet the data stream's fine-grained requirements, and to limit the granularity of time at which they can retrieve or query data, e.g., every hour, every minute, etc. To achieve such fine-grained access control and allow the data owner to perform access to its data in an encrypted manner, keys may be derived from a hierarchical tree key derivation structure.
First, a key derivation tree is constructed.
Each leaf node in the key derivation tree is then represented as a time period, and each time period is mapped to a derivative key.
Specifically, as shown in fig. 2, the key derivation tree is a balanced binary tree, and is constructed from the root node to the child node from top to bottom; wherein the root node represents a master key; the child node is generated by a pseudo-random generator through a hash function; each leaf node represents a time period as input to a key derivation function; the key derivation function is used for calculating a derived key.
As an implementation of this embodiment, the key derivation is based on a key derivation tree, i.e., a balanced binary tree, where each node contains a unique pseudorandom string. The leaf nodes represent inputs to a Key Derivation Function (KDF) for computing the derivative key { k 0 , k 1 , k 2 , k 3 ,k 4 , k 5 … …. The key derivation tree is built from top to bottom with a secret random seed (master key) as the root. The child nodes are generated by a pseudo-random generator (Prg) that takes as input the parent string. Prg is from leftG of side child node 0 (x) And G of right child node 1 (x) Composition, where x is the parent node. This procedure is applied recursively until the desired depth h in the tree is reached. A large h is chosen so that the derivative key is almost unlimited. Especially considering the case where the high frequency stream is to be divided into blocks, e.g. one block per second. The pseudo-random generator (Prg) may be passed through a hash function
、/>
To realize the method. The number of keys thus meets the requirements of high granularity and limited access time ranges.
The specific construction process is as follows:
the depth of the selected tree is h, the root node is x, the child nodes are generated by a pseudo-random generator (Prg), and the left node calculation method is a hash function
The right node calculation method is->
. This process is iterated until the tree depth h is reached. Each leaf node represents a time period, the size of which is set by the policy manager. Map each time period to a derivative key, denoted { k } 0 , k 1 , k 2 , k 3 ,k 4 , k 5 ,……}。
It is worth noting that when k needs to be shared 0 ~k 3 When stream data between them is found k 0 , k 3 Is higher node k of (a) 0123 Only need to share k 0123 Keys of a node without sharing k 0 ~ k 3 Is used for the key(s).
After generating the derivative key, encrypting the stream data by using the derivative key to generate encrypted stream data. For example, using derivative key { k 0 , k 1 , k 2 , k 3 ,k 4 , k 5 … … the stream data is encrypted.
Given the unidirectional nature of the pseudo-random generator (Prg), it is computationally infeasible to compute a parent, sibling, node. Thus, the data users cannot calculate any keys outside the segment for which they are granted access.
The highest granularity of query and access control is defined by the block size father. So long as the boundary key is accessible
And->
The aggregate can be decrypted but the individual ciphertext cannot be decrypted. Where the level must be a multiple of the block size and the segments at a given level cannot overlap. For example, if the data owner is to share { k with the data user 0 、k 3 、k 6 ,. { k } 1 、k 4 、k 7 …, then the data consumer can access (k 0 ,k 1 ) Data in between, which is not allowed. In addition, if the data owner wishes to limit access to a granularity of 3 times the block size, the data owner will only share { k with the data user 0 、k 3 、k 6 ,...}. The data user may then decrypt the aggregated ciphertext at a granularity of 3 times (i.e., 3 father) or less (e.g., 6 father), but may not access finer granularity blocks due to the lack of an internal key.
In this embodiment, an interface is provided for the network security research platform, so that data generated by a data producer at the user side is homomorphically encrypted through a master key of the user, and uploaded to an Apach Kafka stream data processing pipeline through Netty, and meanwhile, the master key of the user is stored in a server of the trusted third party system for managing the master key and privacy of the user.
S102, the privacy management module generates a privacy conversion token and sends the privacy conversion token to a server.
In this embodiment, the privacy management module generates a privacy conversion token, including:
firstly, a sub-key corresponding to each stream data is obtained from a main key;
the stream data is then encrypted with a corresponding subkey by which a privacy conversion token is generated. The encrypted stream data and subkeys may be considered as additional shares of the message. Each additional share
Is divided into key->
And ciphertext->
Two parts, i.e.)>
Since encryption and decryption are both linear operations, this scheme supports linear aggregation by independently computing the sub-keys and functions on the encrypted message.
Finally, a conversion token is generated by the subkey
. Specifically, the->
. The server may use the conversion token +.>
By calculating->
To represent the output of the conversion function F>
. Thus, the privacy conversion module possessing the streaming data master key can authorize F by deriving the necessary key and performing the conversion thereon, thereby generating a matched conversion token +.>
。
As an implementation manner of this embodiment, the privacy management module may generate a privacy policy according to the privacy rights set by the data producer, and finally generate the privacy conversion token.
The privacy policy generation rule is: i, not sharing own data; II, sharing own data without limit; III, sharing own data when aggregating with other users; and IV, only sharing the generalization view of the data or the desensitized sensitive data, namely sharing the data but limiting the sensitive information deduced from the data. Privacy preferences are converted into a particular annotation stream by mapping them into a pattern language. The annotation stream contains privacy options, as well as values for metadata attributes and additional information about the stream. The user can customize privacy preference, and the user can authorize the service side to safely access the original data or the data conforming to the privacy. And privacy-conforming conversion is carried out on the data by forcing, and the generated conversion view conforms to the user-defined privacy policy.
S103, the server collects the privacy conversion token and the encrypted stream data and sends the privacy conversion token and the encrypted stream data to a privacy conversion module.
S104, the privacy conversion module responds to the stream data inquiring request and aggregates the encrypted stream data through a privacy conversion function to obtain aggregated encrypted stream data; performing privacy conversion on the privacy conversion token to obtain a privacy conversion token after privacy conversion; and matching the privacy conversion token after privacy conversion with the aggregate encrypted stream data to generate privacy conforming data.
In this embodiment, as shown in fig. 3, S104 may be specifically divided into the following three processes:
s301, the privacy conversion module responds to a stream data inquiring request, and the encrypted stream data are aggregated through a privacy conversion function to obtain aggregated encrypted stream data.
In this embodiment, it is necessary to determine different sources of encrypted stream data, including, in particular, single stream data from a single data producer, multi-stream data from a single data producer, and multi-stream data from multiple data producers, to select different aggregation modes. The following polymerization modes for different situations specifically include:
if the encrypted stream data is single stream data of a single data producer, passing through a first privacy transfer function
And performing ciphertext aggregation on the encrypted stream data. Said first privacy transfer function->
Allowing ciphertext aggregation operation to be performed in stream data of the same user; />
Wherein w represents the window size,
representing the ciphertext of the stream data.
If the encrypted stream data is multi-stream data of a single data producer, then passing through a second privacy transfer function
And performing ciphertext aggregation on the encrypted stream data. Second privacy transfer function->
And supporting the ciphertext aggregation of the multi-stream data from the same user.
If the encrypted stream data is from multiple data producers, then passing through a third privacy transfer function
Noise is added to the encrypted stream data. Third privacy transfer function->
The disturbance is supported by adding noise to the stream aggregated by multiple users.
S302, the privacy conversion module responds to the stream data query request to carry out privacy conversion on the privacy conversion token, and the privacy conversion token after privacy conversion is obtained.
In this embodiment, the privacy conversion module, in response to a request for querying stream data, performs privacy conversion on the privacy conversion token, including:
judging whether the privacy conversion token is a required privacy conversion token according to the query stream data request, if so, continuing to judge whether the privacy conversion token needs aggregation, otherwise, discarding the privacy conversion token. If the privacy conversion tokens need to be aggregated, the privacy conversion tokens are aggregated to obtain aggregated privacy conversion tokens, and privacy conversion is carried out on the aggregated privacy conversion tokens; otherwise, privacy conversion is carried out on the privacy conversion token.
In this embodiment, the privacy conversion process also corresponds to the three cases in the foregoing embodiment, where the privacy conversion token is a single-stream conversion token, a multi-stream conversion token, and a multi-user conversion token, and specifically includes:
case 1: if the privacy conversion token is a single-stream conversion token, calculating the privacy conversion token after privacy conversion, namely calculating the privacy conversion token after privacy conversion through the privacy conversion module
Where w is the window size.
The system aggregates from windows to reduce time resolution, and the server calculates a specified time window
To->
Wherein w is the window size and the form of the server-shared window aggregate result ciphertext after the data producer submits a message on each window is ∈ ->
. The privacy conversion module may calculate the privacy conversion token for this window +.>
The key is +.>
,/>
. This transition token can be used to decrypt window aggregations if and only if the server aggregates the correct windows, where the key is the window encoding range.
Case 2: if the privacy conversion token is a multi-stream conversion token, calculating the privacy conversion token after privacy conversion through the aggregation window key.
Specifically, in multi-stream aggregation, the server aggregates one fixed window 
To->
Let S be the aggregate of streams in the aggregate +.>
There is a window sharing->
Wherein
. Thus, the aggregate for all streams in S is equal to the sum of all window aggregates and all window shared keys. The privacy conversion module can calculate privacy after privacy conversion through aggregating window keysConversion token
。
Case 3: if the privacy conversion token is a multi-user conversion token, the privacy conversion token after privacy conversion is obtained by adding noise to the privacy conversion token
Wherein->
Is noise.
Differential privacy provides a limitation to the leakage of private information in aggregated statistics, and the most common technique to achieve different degrees of private information distribution is to add carefully calibrated noise. Noise is added to the decryption key, allowing noise to be added to previously encrypted data without regard to noise, which means that the same data can be reused for encrypted storage and facilitates one or more different private privacy transformations.
And S303, pairing the privacy conversion token subjected to the privacy conversion with the aggregated encrypted stream data to generate privacy conforming data.
In this embodiment, by providing an interface to the third party data consumer, when the third party data consumer obtains the data of the data producer, a specific privacy conversion token can be generated according to a specified privacy aggregation mode and uploaded to the Apach Kafka server, and then the privacy conversion module combines the encrypted data and the conversion token to obtain the data conforming to the privacy policy, and the third party data consumer obtains the data conforming to the privacy by calling the provided interface.
In some embodiments, privacy-compliant data may also be presented through the visualization front-end.
According to the embodiment of the invention, based on the data conversion of the multi-stream data aggregation privacy control, high-efficiency communication can be formed between the privacy conversion modules, the privacy conversion token is constructed by sharing the canceling random number, the system constructs a stream data privacy protection system with a user as a center based on cryptography, and the instant transmission and processing of a large amount of stream data are ensured. In practical application, while observing user privacy, the network security research organization is provided with an interface easy to call, so that the user data can be normally acquired and used without invading the privacy, and the network data is analyzed by combining a machine learning algorithm, thereby having an important role in maintaining network security.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are alternative embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
The foregoing description of the embodiments of the method further describes the embodiments of the present invention through system embodiments.
The overall architecture of the system is divided into a privacy plane and a data plane.
In this embodiment, the present system refers to the portion of the data stream passing through the streaming platform as the data plane, which is solely responsible for receiving, storing or processing encrypted data received from the data producer, compatible with existing data pipes, allowing the source data to write the encrypted data stream to the existing remote stream processing pipe.
In this embodiment, the portion responsible for privacy management and conversion is referred to as a privacy plane, and this plane enables the cloud server to extract data information conforming to privacy from the encrypted data stream through the privacy conversion module, that is, all privacy-related operations are performed on a privacy plane outside the data plane, so as to achieve separation of the two. In the process of executing privacy conversion, a privacy conversion module of a trusted third party privacy management platform manages privacy policies of users, and the privacy conversion module combines encrypted data of a privacy conversion token through interaction with a policy manager and the privacy conversion module to obtain a data view conforming to privacy. The system network security research organization provides an easy-to-use interface, which can simply use the privacy conversion algorithm to obtain the data conforming to the user privacy.
As shown in fig. 4, the system 400 includes:
the data producer 410 is configured to generate a derivative key, encrypt stream data according to the derivative key, obtain encrypted stream data, and send the encrypted stream data and the derivative key to a server.
In this embodiment, the data producer is configured to generate a master key and encrypt the generated stream data and provide privacy preferences.
The privacy management module 420 is configured to generate a privacy conversion token, and send the privacy conversion token to a server.
In this embodiment, the privacy management module 420 is configured to generate a privacy conversion token, record the master key and privacy preferences at the same time, and forward the encrypted data while it is sending the privacy conversion token as appropriate.
And the server 430 is configured to collect the privacy conversion token and the encrypted stream data, and send the privacy conversion token and the encrypted stream data to the privacy conversion module together.
The privacy conversion module 440 is configured to aggregate the encrypted stream data through a privacy conversion function in response to a request for inquiring stream data, so as to obtain aggregated encrypted stream data; performing privacy conversion on the privacy conversion token to obtain a privacy conversion token after privacy conversion; and matching the privacy conversion token after privacy conversion with the aggregate encrypted stream data to generate privacy conforming data.
In this embodiment, the system constructs a privacy model centered on the user, so that the user can customize their privacy preferences, and the user can authorize the service side to safely access the original data or the data conforming to the privacy. Meanwhile, the system forces the data to be converted according with privacy, and ensures that the generated conversion view accords with the privacy policy defined by the user.
In this embodiment, the system separates data encryption from privacy conversion, so that the system can be compatible with a data processing pipeline in an existing system and meet performance requirements of the data processing pipeline, and can also support a wide range of existing privacy conversion methods, so that a data producer can disregard the privacy conversion, and does not need to use different encryption modes for data according to different privacy policies.
In this embodiment, in the present system, the privacy management module is responsible for providing the server with the encrypted privacy conversion token for privacy conversion, but since some privacy policies require data to be aggregated across different users, generating these tokens for decrypting the aggregated data requires interaction between multiple privacy conversion modules, i.e., federal approximation control. The system can form efficient communication between the privacy conversion modules through federal privacy control, and can construct the privacy conversion token through sharing the cancellation random number.
The system provides a simple interface for a network security research institution, and enforces privacy conversion through a homomorphic encryption mode to provide a data view conforming to privacy.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the technical scheme of the invention, the acquisition, storage, application and the like of the related user personal information all conform to the regulations of related laws and regulations, and the public sequence is not violated.
According to an embodiment of the present invention, the present invention also provides an electronic device and a readable storage medium.
Fig. 5 shows a schematic block diagram of an electronic device 500 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
The device 500 comprises a computing unit 501 that may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 502 or loaded from a storage unit 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the device 500 can also be stored. The computing unit 501, ROM 502, and RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Various components in the device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, etc.; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508 such as a magnetic disk, an optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 501 performs the respective methods and processes described above, for example, the methods S101 to S104. For example, in some embodiments, methods S101-S104 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into RAM 503 and executed by the computing unit 501, one or more steps of the methods S101-S104 described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the methods S101-S104 in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present invention may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (7)
1. An end-to-end stream data encryption method based on cryptographic access control, comprising:
generating a derivative key by a data producer, encrypting stream data according to the derivative key to obtain encrypted stream data, and sending the encrypted stream data and the derivative key to a server;
the privacy management module generates a privacy conversion token and sends the privacy conversion token to a server;
The server collects the privacy conversion token and the encrypted stream data and sends the privacy conversion token and the encrypted stream data to a privacy conversion module together;
the privacy conversion module is used for responding to a stream data inquiry request and aggregating the encrypted stream data through a privacy conversion function to obtain aggregated encrypted stream data; performing privacy conversion on the privacy conversion token to obtain a privacy conversion token after privacy conversion; pairing the privacy conversion token after privacy conversion with the aggregate encrypted stream data to generate privacy conforming data;
the data producer generates a derivative key, encrypts stream data according to the derivative key to obtain encrypted stream data, and comprises:
constructing a key derivation tree;
each leaf node in the key derivation tree represents a time period, and each time period is mapped into a derivation key;
encrypting stream data by using the derivative key to generate encrypted stream data;
the key derivation tree is a balanced binary tree and is built from the root node to the child node from top to bottom; wherein the root node represents a master key; the child node is generated by a pseudo-random generator through a hash function; each leaf node represents a time period as input to a key derivation function; the key derivation function is used for calculating a derived key;
The privacy management module generates a privacy conversion token comprising:
obtaining a derivative key corresponding to each stream data from the master key;
and encrypting the stream data and the corresponding derivative key, and generating a privacy conversion token through the derivative key.
2. The method of claim 1, wherein the aggregating the encrypted stream data by a privacy transfer function comprises:
if the encrypted stream data is single stream data of a single data producer, ciphertext aggregation is carried out on the encrypted stream data through a first privacy conversion function;
if the encrypted stream data is multi-stream data of a single data producer, ciphertext aggregation is carried out on the encrypted stream data through a second privacy conversion function;
if the encrypted stream data is from a plurality of data producers, noise is added to the encrypted stream data by a third privacy transfer function.
3. The method of claim 2, wherein privacy converting the privacy conversion token comprises:
judging whether the privacy conversion token is a required privacy conversion token according to the query stream data request, if so, continuing to judge whether the privacy conversion token needs to be aggregated, otherwise, discarding the privacy conversion token;
If the privacy conversion tokens need to be aggregated, the privacy conversion tokens are aggregated to obtain aggregated privacy conversion tokens, and privacy conversion is carried out on the aggregated privacy conversion tokens; otherwise, privacy conversion is carried out on the privacy conversion token.
4. A method according to claim 3, wherein the privacy conversion comprises:
if the privacy conversion token is a single-stream conversion token, calculating the privacy conversion token after privacy conversion;
if the privacy conversion token is a multi-stream conversion token, calculating the privacy conversion token after privacy conversion through the aggregation window key;
if the privacy conversion token is a multi-user conversion token, the privacy conversion token after privacy conversion is obtained by adding noise to the privacy conversion token.
5. An end-to-end stream data encryption system based on cryptographic access control, comprising:
the data producer is used for generating a derivative key, encrypting stream data according to the derivative key to obtain encrypted stream data, and sending the encrypted stream data and the derivative key to the server;
the privacy management module is used for generating a privacy conversion token and sending the privacy conversion token to the server;
The server is used for collecting the privacy conversion token and the encrypted stream data and sending the privacy conversion token and the encrypted stream data to the privacy conversion module together;
the privacy conversion module is used for responding to the stream data inquiry request, and aggregating the encrypted stream data through a privacy conversion function to obtain aggregated encrypted stream data; performing privacy conversion on the privacy conversion token to obtain a privacy conversion token after privacy conversion; pairing the privacy conversion token after privacy conversion with the aggregate encrypted stream data to generate privacy conforming data;
the data producer generates a derivative key, encrypts stream data according to the derivative key to obtain encrypted stream data, and comprises:
constructing a key derivation tree;
each leaf node in the key derivation tree represents a time period, and each time period is mapped into a derivation key;
encrypting stream data by using the derivative key to generate encrypted stream data;
the key derivation tree is a balanced binary tree and is built from the root node to the child node from top to bottom; wherein the root node represents a master key; the child node is generated by a pseudo-random generator through a hash function; each leaf node represents a time period as input to a key derivation function; the key derivation function is used for calculating a derived key;
The privacy management module generates a privacy conversion token comprising:
obtaining a derivative key corresponding to each stream data from the master key;
and encrypting the stream data and the corresponding derivative key, and generating a privacy conversion token through the derivative key.
6. An electronic device comprising at least one processor; and
a memory communicatively coupled to the at least one processor; it is characterized in that the method comprises the steps of,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-4.
7. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310330568.9A CN116055050B (en) | 2023-03-31 | 2023-03-31 | End-to-end stream data encryption method and system based on cryptography access control |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310330568.9A CN116055050B (en) | 2023-03-31 | 2023-03-31 | End-to-end stream data encryption method and system based on cryptography access control |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116055050A CN116055050A (en) | 2023-05-02 |
| CN116055050B true CN116055050B (en) | 2023-06-13 |
Family
ID=86133533
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310330568.9A Active CN116055050B (en) | 2023-03-31 | 2023-03-31 | End-to-end stream data encryption method and system based on cryptography access control |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116055050B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114491578A (en) * | 2021-12-24 | 2022-05-13 | 电子科技大学 | Security data aggregation method for privacy calculation |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109495426B (en) * | 2017-09-12 | 2021-08-17 | 腾讯科技(深圳)有限公司 | Data access method and device and electronic equipment |
| CN109684855B (en) * | 2018-12-17 | 2020-07-10 | 电子科技大学 | Joint deep learning training method based on privacy protection technology |
| US11741254B2 (en) * | 2020-04-08 | 2023-08-29 | International Business Machines Corporation | Privacy centric data security in a cloud environment |
| WO2023012105A1 (en) * | 2021-08-03 | 2023-02-09 | Sony Group Corporation | Apparatus and method for privacy control, device, cloud server, apparatus and method for local privacy control |
| CN114553416A (en) * | 2022-03-18 | 2022-05-27 | 北京友普信息技术有限公司 | Data encryption processing method for signature verification of application program interface |
-
2023
- 2023-03-31 CN CN202310330568.9A patent/CN116055050B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114491578A (en) * | 2021-12-24 | 2022-05-13 | 电子科技大学 | Security data aggregation method for privacy calculation |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116055050A (en) | 2023-05-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Xiong et al. | Attribute-based privacy-preserving data sharing for dynamic groups in cloud computing | |
| Li et al. | A lightweight secure data sharing scheme for mobile cloud computing | |
| Zhou et al. | Efficient and secure data storage operations for mobile cloud computing | |
| US10673614B2 (en) | Secret search system, management device, secret search method and computer readable medium | |
| WO2022105505A1 (en) | Data processing method and apparatus applied to blockchain system | |
| CN109361510B (en) | Information processing method supporting overflow detection and large integer operation and application | |
| Shen et al. | Multi-security-level cloud storage system based on improved proxy re-encryption | |
| CN104079574A (en) | User privacy protection method based on attribute and homomorphism mixed encryption under cloud environment | |
| KR101615137B1 (en) | Data access method based on attributed | |
| Murugesan et al. | Analysis on homomorphic technique for data security in fog computing | |
| CN113411323B (en) | Medical record data access control system and method based on attribute encryption | |
| Li et al. | An efficient blind filter: Location privacy protection and the access control in FinTech | |
| Fan et al. | PPMCK: Privacy-preserving multi-party computing for K-means clustering | |
| Shen et al. | Keyword search with access control over encrypted cloud data | |
| WO2021098152A1 (en) | Blockchain-based data processing method, device, and computer apparatus | |
| Liu et al. | Secure IoT data outsourcing with aggregate statistics and fine-grained access control | |
| Hong et al. | A fine-grained attribute based data retrieval with proxy re-encryption scheme for data outsourcing systems | |
| Tong et al. | Privacy-preserving Boolean range query with temporal access control in mobile computing | |
| Wang et al. | Preserving scheme for user’s confidential information in smart grid based on digital watermark and asymmetric encryption | |
| Zhou et al. | Threshold key management scheme for blockchain-based intelligent transportation systems | |
| Alabdulatif et al. | Privacy-preserving data clustering in cloud computing based on fully homomorphic encryption | |
| Yan et al. | Traceable and weighted attribute-based encryption scheme in the cloud environment | |
| Kibiwott et al. | Privacy Preservation for eHealth Big Data in Cloud Accessed Using Resource-Constrained Devices: Survey. | |
| CN116055050B (en) | End-to-end stream data encryption method and system based on cryptography access control | |
| Al-Sabri et al. | Building a cloud storage encryption (cse) architecture for enhancing cloud security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |