CN116599771B - Data hierarchical protection transmission method and device, storage medium and terminal - Google Patents
Data hierarchical protection transmission method and device, storage medium and terminal Download PDFInfo
- Publication number
- CN116599771B CN116599771B CN202310861062.0A CN202310861062A CN116599771B CN 116599771 B CN116599771 B CN 116599771B CN 202310861062 A CN202310861062 A CN 202310861062A CN 116599771 B CN116599771 B CN 116599771B
- Authority
- CN
- China
- Prior art keywords
- ciphertext
- data
- encryption
- private key
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 55
- 230000005540 biological transmission Effects 0.000 title claims abstract description 54
- 238000012795 verification Methods 0.000 claims abstract description 35
- 238000004422 calculation algorithm Methods 0.000 claims description 14
- 238000004590 computer program Methods 0.000 claims description 11
- 238000005070 sampling Methods 0.000 claims description 5
- 238000004891 communication Methods 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 238000012545 processing Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 239000004973 liquid crystal related substance Substances 0.000 description 2
- 239000011159 matrix material Substances 0.000 description 2
- 241000764238 Isis Species 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 239000013598 vector Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The invention discloses a data hierarchical protection transmission method and device, a storage medium and a terminal, wherein the method comprises the following steps: receiving an initial encryption ciphertext sent by a data sending end; matching the primary encryption ciphertext based on the search trapdoor to obtain the class to which the ciphertext belongs; decrypting and verifying the primary encryption ciphertext based on the center private key, receiving the primary encryption ciphertext after verification is successful, and rejecting the primary encryption ciphertext after verification is failed; generating a re-encryption key based on the receiving end identity and the center private key, and re-encrypting the primary encryption ciphertext based on the re-encryption key to obtain a re-encryption ciphertext; and sending the re-encrypted ciphertext to a data receiving end corresponding to the class to which the ciphertext belongs. The invention prevents ciphertext from being stolen and prevents malicious attackers from stealing data; rights define access control capability, re-encrypt ciphertext data meeting the conditions and send the encrypted ciphertext data to a corresponding data receiving end; the file distribution error is prevented, and the data received by different data receiving ends are different and cannot be decrypted mutually.
Description
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a data hierarchical protection transmission method and apparatus, a storage medium, and a terminal.
Background
With the current telemedicine system, the problem of data transmission efficiency is continuously improved, but the problems of data security and patient privacy are not solved well, and in addition, how to reduce the influence of a password scheme on the original system in a low-delay and high-efficiency medical communication system is a problem to be considered.
The data transmission process of the current telemedicine system has the following problems: the encryption process is simple, and the ciphertext is easy to be stolen after the output transmission process is attacked maliciously; after the central transfer server receives the encrypted ciphertext, the data receiving departments cannot be well screened, and the situation that information is missed to be sent and misplaced exists, so that information between the departments is disordered; the encryption process is simple, so that the receiving end can realize decryption sometimes even if the received encrypted ciphertext does not belong to the department to which the receiving end belongs, and information leakage is caused.
Disclosure of Invention
The invention aims to solve the technical problems that the encrypted data is easy to steal in the data transmission process of the current medical system, the information is missed and misplaced in the process of transferring the encrypted data, so that the information between departments is disordered, and the encryption process is too simple, so that the information between different departments is revealed.
In order to solve the technical problems, the invention provides a data hierarchical protection transmission method, which comprises the following steps:
receiving an initial encryption ciphertext sent by a data sending end;
matching the primary encryption ciphertext based on a search trapdoor to obtain the class to which the ciphertext belongs;
decrypting and verifying the primary encryption ciphertext based on a central private key, receiving the primary encryption ciphertext after verification is successful, and returning the primary encryption ciphertext after verification is failed;
generating a re-encryption key based on the receiving end identity and the central private key, and re-encrypting the primary encryption ciphertext based on the re-encryption key to obtain a re-encryption ciphertext;
and sending the re-encrypted ciphertext to a data receiving end corresponding to the class to which the ciphertext belongs.
Preferably, the primary encryption ciphertext encryption mode is:
signing the plaintext to be encrypted based on the sending private key to generate a plaintext signature pair;
acquiring an initial encryption ciphertext based on the plaintext signature pair and a target keyword;
the target keyword is a keyword corresponding to the data category to which the plaintext to be encrypted belongs.
Preferably, the step of obtaining the class to which the ciphertext belongs includes the steps of:
acquiring keywords corresponding to each type of data category, and generating a search trapdoor corresponding to each type of data category based on the keywords corresponding to each type of data category, the main public key and the central private key;
and matching the primary encryption ciphertext with the search trapdoor corresponding to each type of data category respectively to obtain the category of the ciphertext of the primary encryption ciphertext.
Preferably, after receiving the re-encrypted ciphertext, the data receiving end corresponding to the class to which the ciphertext belongs decrypts and verifies the re-encrypted ciphertext based on the receiving key, receives the re-encrypted ciphertext after verification is successful, and refutes the re-encrypted ciphertext after verification fails.
Preferably, the decrypting the preset encrypted ciphertext based on the preset private key includes:
decrypting the preset encrypted ciphertext based on the preset private key to obtain a decrypted file;
verifying the signature pair in the preset encryption ciphertext based on the decryption file, if verification is successful, indicating that the preset encryption ciphertext is not tampered, otherwise, indicating that the preset encryption ciphertext is tampered;
when the preset private key is a central private key, the preset encrypted ciphertext is an initial encrypted ciphertext;
and when the preset private key is a receiving private key, the preset encrypted ciphertext is a re-encrypted ciphertext.
Preferably, the step of generating a re-encryption key based on the receiving end identity and the central private key, and re-encrypting the primary encrypted ciphertext based on the re-encryption key, includes:
generating a re-encryption key based on the receiving end identity and the central private key;
and re-encrypting the ciphertext segment of the primary encrypted ciphertext based on the re-encryption key to obtain a re-encrypted ciphertext.
Preferably, the target private key generation process includes:
acquiring a target private key through a primary image sampling algorithm based on the target end identity;
when the target terminal is a data sending terminal, the target private key is a sending private key;
when the target terminal is a central server, the target private key is a central private key;
when the target terminal is a data receiving terminal, the target private key is a receiving private key.
In order to solve the technical problem, the invention also provides a data hierarchical protection transmission device, which comprises a primary encryption module, a category search module, a decryption verification module, a re-encryption module and a data transmission module;
the primary encryption module is used for receiving primary encryption ciphertext sent by the data sending end;
the category searching module is used for matching the primary encryption ciphertext based on a searching trapdoor to acquire the category to which the ciphertext belongs;
the decryption verification module is used for carrying out decryption verification on the primary encryption ciphertext based on a central private key, receiving the primary encryption ciphertext after verification is successful, and returning the primary encryption ciphertext after verification is failed;
the re-encryption module is used for generating a re-encryption key based on the central private key, re-encrypting the primary encryption ciphertext based on the re-encryption key, and obtaining a re-encryption ciphertext;
the data sending module is used for sending the re-encrypted ciphertext to a data receiving end corresponding to the class to which the ciphertext belongs.
In order to solve the above technical problem, the present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the data hierarchical protection transmission method.
In order to solve the technical problem, the present invention further provides a terminal, including: the device comprises a processor and a memory, wherein the memory is in communication connection with the processor;
the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory so as to enable the terminal to execute the data hierarchical protection transmission method.
One or more embodiments of the above-described solution may have the following advantages or benefits compared to the prior art:
by applying the data hierarchical protection transmission method provided by the embodiment of the invention, the plaintext is encrypted based on the keyword, and the searchable primary encrypted ciphertext is generated; searching the primary encrypted ciphertext through a searching trapdoor to determine an encrypted ciphertext receiving end; the central server performs overall planning on the data receiving end, and re-encrypts the data receiving end based on the personal authority and the central private key of the data receiving end; the ciphertext is prevented from being stolen, and data transmission in a secret state form is prevented from being stolen by a malicious attacker in the whole process of data sharing; the authority defines access control capability, and for a central server, the central server has the capability of decrypting all data, allocates the authority to a data receiving end, re-encrypts ciphertext data meeting the conditions and sends the encrypted ciphertext data to a corresponding data receiving end to define access control authority; the file distribution errors are prevented, the authority defines that the data received by different data receiving ends are different, the data cannot be decrypted mutually, namely the file distribution errors occur, and the data receiving ends which are wrongly transmitted cannot decrypt to obtain the data.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention, without limitation to the invention. In the drawings:
fig. 1 is a flow chart illustrating a data hierarchical protection transmission method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of data transmission between terminals in accordance with the first embodiment of the present invention;
FIG. 3 is a schematic diagram of a data hierarchical protection transmission device according to an embodiment of the present invention;
fig. 4 shows a schematic structural diagram of a fourth terminal according to an embodiment of the present invention.
Detailed Description
The following will describe embodiments of the present invention in detail with reference to the drawings and examples, thereby solving the technical problems by applying technical means to the present invention, and realizing the technical effects can be fully understood and implemented accordingly. It should be noted that, as long as no conflict is formed, each embodiment of the present invention and each feature of each embodiment may be combined with each other, and the formed technical solutions are all within the protection scope of the present invention.
First, the definition of the following concepts is explained:
telemedicine system: the on-line diagnosis and treatment system built in the hospital is used for realizing the comprehensive management system between different hospital areas and different departments.
The system user: the identity of the system user is the authentication doctor of the hospital, and the medical information and data of the patient can be inquired and exchanged in real time through the medical system in the hospital.
Private key generation center (PKG): and generating a corresponding public and private key pair by using a user identity identifier, such as an identity card ID of a doctor in the system, and sending the user identity identifier to the user.
Hash function: the bit string of random length can be output as a fixed length and satisfies unidirectionality, uniqueness, discreteness, and collision resistance.
Example 1
In order to solve the technical problems in the prior art, the embodiment of the invention provides a data hierarchical protection transmission method.
The data hierarchical protection transmission method is applied to a telemedicine system and used for realizing data transmission of all data ends in the telemedicine system. FIG. 2 is a schematic diagram of data transmission between terminals in accordance with the first embodiment of the present invention; referring to fig. 2, in the process of data transmission, the telemedicine system needs to implement a data transmission process from a data transmitting end to a central server to a data receiving end; a plurality of data transmitters and a plurality of data receivers may be included in the telemedicine system.
Firstly, data initialization is realized in a private key generation center, then the private key of each data terminal is generated, and the private key category of each data terminal comprises a sending private key, a center private key and a receiving private key.
The data initialization process specifically comprises the following steps:
the method comprises the following steps: the input system safety parameters arePositive integer,WhereinPrimes, orderWherein;
And two,: system generation of uniformly random circular polynomial matrixAlgorithm generated by trapdoor->As matrix A 0 Generating trapdoor matrix->;
And thirdly,: randomly selecting m matrices with uniform random distribution;
Fourth, it is: hash algorithm for selecting anti-collision attack, ;
Fifth, it is: algorithm output master public keyMain private Key->。
The private key (transmission private key) generation process of the data transmitting terminal S is as follows:
s1: by data sender S identityExpressed as a string of 0,1 bits of arbitrary length, let;
S2: calculation of;
S3: running a primary image sampling algorithmThen;
S4: the algorithm outputs S as the private key。
The private key (central private key) generation process of the central server R is as follows:
r1: by central server R identityLet->;
R2: calculation of;
R3: running a primary image sampling algorithmThen;
R4: the algorithm outputs the private key of the central server R as。
The private key (receiving private key) generation process of the data receiving terminal t is as follows:
t1: by data receiving end t identityLet->;
t2: calculation of;
t3: running a primary image sampling algorithmThen->;
t4: the algorithm outputs the private key of the data receiving end t as。
The data hierarchical protection transmission method is realized in a central server. Fig. 1 is a flow chart illustrating a data hierarchical protection transmission method according to an embodiment of the invention; referring to fig. 1, the data hierarchical protection transmission method according to the embodiment of the invention includes the following steps.
Step S101, receiving an initial encryption ciphertext sent by a data sending end.
Specifically, the data to be transmitted of the data transmitting end is set as a plaintext to be encrypted, the data transmitting end needs to encrypt the plaintext to be encrypted first to obtain an initial encrypted ciphertext, and then the initial encrypted ciphertext is transmitted to the central server. The central server can receive the primary encryption ciphertext of all the data sending ends.
Assuming that one department data of a hospital is one data category, a plurality of departments correspond to a plurality of data categories. And setting corresponding keywords for each department (each class of data category) by taking the name of the department or other set values as keywords. And introducing a keyword in the initial encryption ciphertext generation process to obtain the initial encryption ciphertext with the function of searching the secret key.
The primary encryption ciphertext is specifically obtained by the following steps: setting a target keyword as a keyword corresponding to a data category to which the plaintext to be encrypted belongs, and signing the plaintext to be encrypted based on a sending private key to generate a plaintext signature pair; and then acquiring an initial encryption ciphertext based on the plaintext signature pair and the target keyword.
The primary encryption ciphertext obtaining process comprises the following specific steps:
s1011: the algorithm randomly selects short polynomial vectors;
S1012: from plaintext to be encryptedCalculation of,Generating a plaintext signature pair of plaintext to be encrypted;
S1013: to support keyword searching, keywords are setAnd orderCalculate->;
Computing encrypted messages,,,/>Wherein,/>And->Obeying error distribution;
s1014: the algorithm outputs a searchable signed message pair (i.e., primary encrypted ciphertext)。
Step S102, the primary encryption ciphertext is matched based on the search trapdoor, and the class of the ciphertext is obtained.
Specifically, since each type of data category has a keyword corresponding to the data category, the keyword corresponding to each type of data category is acquired, and the search trapdoor corresponding to each type of data category is generated based on the keyword corresponding to each type of data category, the main public key and the central private key.
The search trapdoor acquisition process includes:
s102: obtaining a master public key,/>Private key of central server +.>;
S1022: calculation ofBy the following constitutionSatisfy->Outputting search trapdoor。
The search trapdoors corresponding to all the data categories are obtained through the mode.
And respectively matching the primary encryption ciphertext with the search trapdoor corresponding to each type of data category to obtain the category of the ciphertext of the primary encryption ciphertext. The classification mode of the class to which the ciphertext belongs is consistent with the classification mode of the data class, for example, assuming that department data of an A department of a hospital is the A data class, based on the primary encrypted ciphertext acquired by the keyword corresponding to the A data class, the type to which the ciphertext acquired by searching trapdoor matching also corresponds to the A department, and the A department is a data receiving end corresponding to the type to which the ciphertext belongs. The matching process of the searching trapdoor and the primary encryption ciphertext is as follows:
calculation ofDue toIs negligible, let->If->ThenOtherwise->Obtain->If->The matching is successful.
And step S103, performing decryption verification on the primary encryption ciphertext based on the center private key, receiving the primary encryption ciphertext after verification is successful, and refusing the primary encryption ciphertext after verification is failed.
Specifically, decrypting the primary encrypted ciphertext based on a central private key to obtain a decrypted file; and verifying the signature pair in the primary encryption text based on the decryption file, wherein if verification is successful, the primary encryption text is not tampered, otherwise, the primary encryption text is tampered.
The central server has decryption authority, and the specific decryption algorithm is as follows:wherein->If->,/>ThenOtherwise->Obtain->;
And then verifyIf so, accepting the plaintext, otherwise, refusing.
Step S104, a re-encryption key is generated based on the receiving end identity and the center private key, and the primary encryption ciphertext is re-encrypted based on the re-encryption key to obtain a re-encryption ciphertext.
Specifically, a re-encryption key is generated based on the receiving end identity and the central private key; and re-encrypting the ciphertext segment of the primary encrypted ciphertext based on the re-encryption key to obtain a re-encrypted ciphertext.
The re-encryption key acquisition process is as follows:,wherein->Obeying the error distribution.
The re-encryption ciphertext obtaining process comprises the following steps: obtaining ciphertext segment of primary encrypted ciphertext by central server RUse of the re-encryption key->And (3) calculating:,,wherein;
Finally, outputting authorization ciphertext。
Step S105, the re-encrypted ciphertext is sent to a data receiving end corresponding to the class to which the ciphertext belongs.
Specifically, the re-encrypted ciphertext is sent to a data receiving end corresponding to the class to which the ciphertext belongs. After receiving the re-encrypted ciphertext, the data receiving end corresponding to the class to which the ciphertext belongs decrypts and verifies the re-encrypted ciphertext based on the receiving key, receives the re-encrypted ciphertext after verification is successful, and rejects the re-encrypted ciphertext after verification fails. The security and pertinence of the data transmission of the central server are ensured, and the data is ensured to be transmitted to the corresponding data receiving end only. Even if the central server transmits the encrypted data to the erroneous data receiving end, the data receiving end cannot decrypt the encrypted data.
The receiving server decrypts the re-encrypted ciphertext, which comprises the following steps:
the receiving server receivesAfter that, calculateWherein->If (if)Then->Otherwise->,/>;
VerificationIf so, accepting the plaintext, otherwise, refusing.
Wherein, the liquid crystal display device comprises a liquid crystal display device,the specific calculation process of (2) is as follows:
wherein->Due to->Therefore, it isIs negligible.
VerificationThe process is as follows:
therefore, it is。
The specific application scene of the data hierarchical protection transmission method of the invention is as follows:
in a remote consultation in a medical scenario, in order to ensure data security and tamper resistance, a doctor S firstly signs plaintext information of a patient and encrypts the information to obtain an initial encrypted ciphertext, and then sends the initial encrypted ciphertext to a main doctor header (a central server R) of a receiver.
After the main doctor Leader receives the data, the primary encryption ciphertext is searched to distinguish patient data of different departments, and meanwhile, the private key of the main doctor Leader can be utilized to decrypt the ciphertext and verify the validity of the signature, so that the data is ensured not to be tampered.
The main doctor lead distributes the medical data of the patient to the department doctors under jurisdiction according to the different departments, in order to improve the efficiency of ciphertext forwarding, the process is based on the principle of using proxy re-encryption, the main doctor lead only needs to encrypt the corresponding department ciphertext again by using a re-encryption key, generates a new ciphertext, and sends the new ciphertext to the department doctor t, the department doctor can decrypt the received ciphertext by using the private key of the department doctor t and verify the legality of the data, if the received ciphertext cannot be decrypted, the main doctor lead sends wrong data, and the department doctor t cannot decrypt the ciphertexts of other department doctors.
The process can realize subdivision and limitation of hierarchical encryption and decryption rights, and after ciphertext search is completed, the main doctor can encrypt ciphertext and decrypt ciphertext again at the same time, so that time cost of data transmission is saved.
The process finishes the data sharing from the data sending end S to the Leader, and after the Leader receives a plurality of pieces of data sent by the data sending end S, the Leader can quickly search out corresponding nodes and distribute the data to the child nodes according to the authority.
According to the data hierarchical protection transmission method provided by the embodiment of the invention, plaintext is encrypted based on keywords, and a searchable primary encrypted ciphertext is generated; searching the primary encrypted ciphertext through a searching trapdoor to determine an encrypted ciphertext receiving end; the central server performs overall planning on the data receiving end, and re-encrypts the data receiving end based on the personal authority and the central private key of the data receiving end; the ciphertext is prevented from being stolen, and data transmission in a secret state form is prevented from being stolen by a malicious attacker in the whole process of data sharing; the authority defines access control capability, and for a central server, the central server has the capability of decrypting all data, allocates the authority to a data receiving end, re-encrypts ciphertext data meeting the conditions and sends the encrypted ciphertext data to a corresponding data receiving end to define access control authority; the file distribution errors are prevented, the authority defines that the data received by different data receiving ends are different, the data cannot be decrypted mutually, namely the file distribution errors occur, and the data receiving ends which are wrongly transmitted cannot decrypt to obtain the data.
Example two
In order to solve the technical problems in the prior art, the embodiment of the invention provides a data grading protection transmission device.
FIG. 3 is a schematic diagram of a data hierarchical protection transmission device according to an embodiment of the present invention; referring to fig. 3, the data hierarchical protection transmission device according to the embodiment of the invention includes a primary encryption module, a category search module, a decryption verification module, a re-encryption module and a data transmission module.
The primary encryption module is used for receiving primary encryption ciphertext sent by the data sending end.
The category search module is used for matching the primary encryption ciphertext based on the search trapdoor to acquire the category to which the ciphertext belongs.
The decryption verification module is used for carrying out decryption verification on the primary encryption ciphertext based on the center private key, and accepting the primary encryption ciphertext after verification is successful and rejecting the primary encryption ciphertext after verification is failed.
The re-encryption module is used for generating a re-encryption key based on the central private key, re-encrypting the primary encryption ciphertext based on the re-encryption key, and obtaining the re-encryption ciphertext.
The data sending module is used for sending the re-encrypted ciphertext to a data receiving end corresponding to the class to which the ciphertext belongs.
The data grading protection transmission device provided by the embodiment of the invention encrypts the plaintext based on the keyword to generate the searchable primary encrypted ciphertext; searching the primary encrypted ciphertext through a searching trapdoor to determine an encrypted ciphertext receiving end; the central server performs overall planning on the data receiving end, and re-encrypts the data receiving end based on the personal authority and the central private key of the data receiving end; the ciphertext is prevented from being stolen, and data transmission in a secret state form is prevented from being stolen by a malicious attacker in the whole process of data sharing; the authority defines access control capability, and for a central server, the central server has the capability of decrypting all data, allocates the authority to a data receiving end, re-encrypts ciphertext data meeting the conditions and sends the encrypted ciphertext data to a corresponding data receiving end to define access control authority; the file distribution errors are prevented, the authority defines that the data received by different data receiving ends are different, the data cannot be decrypted mutually, namely the file distribution errors occur, and the data receiving ends which are wrongly transmitted cannot decrypt to obtain the data.
Example III
To solve the above-mentioned technical problems in the prior art, an embodiment of the present invention further provides a storage medium storing a computer program, where the computer program can implement all the steps in the data hierarchical protection transmission method described in the first embodiment when executed by a processor.
The specific steps of the data hierarchical protection transmission method and the beneficial effects obtained by applying the readable storage medium provided by the embodiment of the invention are the same as those of the first embodiment, and are not described in detail herein.
It should be noted that: the storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Example IV
In order to solve the technical problems in the prior art, the embodiment of the invention also provides a terminal.
Fig. 4 shows a schematic diagram of a fourth terminal structure according to an embodiment of the present invention, and referring to fig. 4, the terminal of the present embodiment includes a processor and a memory that are connected to each other; the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory, so that the terminal can realize all the steps in the data hierarchical protection transmission method in the first embodiment when executing the computer program.
The specific steps of the data hierarchical protection transmission method and the beneficial effects obtained by the terminal provided by the embodiment of the invention are the same as those of the first embodiment, and are not repeated here.
It should be noted that the memory may include a random access memory (Random Access Memory, abbreviated as RAM) and may further include a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory. The same processor may be a general processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; but also digital signal processors (Digital Signal Processing, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field programmable gate arrays (Field Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
Although the embodiments of the present invention are disclosed above, the embodiments are only used for the convenience of understanding the present invention, and are not intended to limit the present invention. Any person skilled in the art can make any modification and variation in form and detail without departing from the spirit and scope of the present disclosure, but the scope of the present disclosure is still subject to the scope of the present disclosure as defined by the appended claims.
Claims (9)
1. A data hierarchical protection transmission method, comprising:
receiving an initial encryption ciphertext sent by a data sending end;
matching the primary encryption ciphertext based on a search trapdoor to obtain the class to which the ciphertext belongs;
decrypting and verifying the primary encryption ciphertext based on a central private key, receiving the primary encryption ciphertext after verification is successful, and returning the primary encryption ciphertext after verification is failed;
generating a re-encryption key based on the receiving end identity and the central private key, and re-encrypting the primary encryption ciphertext based on the re-encryption key to obtain a re-encryption ciphertext;
the re-encrypted ciphertext is sent to a data receiving end corresponding to the class to which the ciphertext belongs;
the primary encryption ciphertext is matched based on a search trapdoor, and the step of obtaining the class to which the ciphertext belongs comprises the following steps:
acquiring keywords corresponding to each type of data category, and generating a search trapdoor corresponding to each type of data category based on the keywords corresponding to each type of data category, the main public key and the central private key;
and matching the primary encryption ciphertext with the search trapdoor corresponding to each type of data category respectively to obtain the category of the ciphertext of the primary encryption ciphertext.
2. The transmission method according to claim 1, wherein the primary encryption ciphertext is encrypted by:
signing the plaintext to be encrypted based on the sending private key to generate a plaintext signature pair;
acquiring an initial encryption ciphertext based on the plaintext signature pair and a target keyword;
the target keyword is a keyword corresponding to the data category to which the plaintext to be encrypted belongs.
3. The transmission method according to claim 1, wherein after receiving the re-encrypted ciphertext, the data receiving end corresponding to the class to which the ciphertext belongs decrypts and verifies the re-encrypted ciphertext based on the receiving key, receives the re-encrypted ciphertext after verification is successful, and refutes the re-encrypted ciphertext after verification fails.
4. The transmission method according to claim 3, wherein decrypting the preset encrypted ciphertext based on the preset private key comprises:
decrypting the preset encrypted ciphertext based on the preset private key to obtain a decrypted file;
verifying the signature pair in the preset encryption ciphertext based on the decryption file, if verification is successful, indicating that the preset encryption ciphertext is not tampered, otherwise, indicating that the preset encryption ciphertext is tampered;
when the preset private key is a central private key, the preset encrypted ciphertext is an initial encrypted ciphertext;
and when the preset private key is a receiving private key, the preset encrypted ciphertext is a re-encrypted ciphertext.
5. The transmission method according to claim 1, wherein the step of generating a re-encryption key based on the receiving end identification and the center private key, re-encrypting the primary encrypted ciphertext based on the re-encryption key, and obtaining the re-encrypted ciphertext includes:
generating a re-encryption key based on the receiving end identity and the central private key;
and re-encrypting the ciphertext segment of the primary encrypted ciphertext based on the re-encryption key to obtain a re-encrypted ciphertext.
6. The transmission method according to any one of claims 1 to 5, wherein the target private key generation process includes:
acquiring a target private key through a primary image sampling algorithm based on the target end identity;
when the target terminal is a data sending terminal, the target private key is a sending private key;
when the target terminal is a central server, the target private key is a central private key;
when the target terminal is a data receiving terminal, the target private key is a receiving private key.
7. The data grading protection transmission device is characterized by comprising a primary encryption module, a category search module, a decryption verification module, a re-encryption module and a data transmission module;
the primary encryption module is used for receiving primary encryption ciphertext sent by the data sending end;
the category searching module is used for matching the primary encryption ciphertext based on a searching trapdoor to acquire the category to which the ciphertext belongs;
the decryption verification module is used for carrying out decryption verification on the primary encryption ciphertext based on a central private key, receiving the primary encryption ciphertext after verification is successful, and returning the primary encryption ciphertext after verification is failed;
the re-encryption module is used for generating a re-encryption key based on the central private key, re-encrypting the primary encryption ciphertext based on the re-encryption key, and obtaining a re-encryption ciphertext;
the data sending module is used for sending the re-encrypted ciphertext to a data receiving end corresponding to the class to which the ciphertext belongs;
the primary encryption ciphertext is matched based on a search trapdoor, and the step of obtaining the class to which the ciphertext belongs comprises the following steps:
acquiring keywords corresponding to each type of data category, and generating a search trapdoor corresponding to each type of data category based on the keywords corresponding to each type of data category, the main public key and the central private key;
and matching the primary encryption ciphertext with the search trapdoor corresponding to each type of data category respectively to obtain the category of the ciphertext of the primary encryption ciphertext.
8. A storage medium having stored thereon a computer program, which when executed by a processor implements the data hierarchical protection transmission method of any one of claims 1 to 6.
9. A terminal, comprising: the device comprises a processor and a memory, wherein the memory is in communication connection with the processor;
the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory, so that the terminal executes the data hierarchical protection transmission method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310861062.0A CN116599771B (en) | 2023-07-14 | 2023-07-14 | Data hierarchical protection transmission method and device, storage medium and terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310861062.0A CN116599771B (en) | 2023-07-14 | 2023-07-14 | Data hierarchical protection transmission method and device, storage medium and terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116599771A CN116599771A (en) | 2023-08-15 |
| CN116599771B true CN116599771B (en) | 2023-09-22 |
Family
ID=87608391
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310861062.0A Active CN116599771B (en) | 2023-07-14 | 2023-07-14 | Data hierarchical protection transmission method and device, storage medium and terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116599771B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107104982A (en) * | 2017-05-26 | 2017-08-29 | 福州大学 | Have traitor tracing function in mobile electron medical treatment can search for encryption system |
| CN113761229A (en) * | 2021-08-25 | 2021-12-07 | 浪潮电子信息产业股份有限公司 | Encrypted mail searching method, searching system and related components |
| CN114598472A (en) * | 2022-03-04 | 2022-06-07 | 浙江科技学院 | Conditional-hidden searchable agent re-encryption method based on block chain and storage medium |
| CN115021993A (en) * | 2022-05-27 | 2022-09-06 | 山东大学 | Verifiable public key searchable encryption system and method |
| CN115412259A (en) * | 2022-08-30 | 2022-11-29 | 东南大学 | Searchable proxy signcryption method and product of cloud health system based on block chain |
| CN116344013A (en) * | 2023-05-30 | 2023-06-27 | 浙江云针信息科技有限公司 | Medical data management method and system |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| IN2014CH00681A (en) * | 2014-02-13 | 2015-08-14 | Infosys Ltd | |
| CN111447192B (en) * | 2020-03-23 | 2022-05-10 | 齐鲁工业大学 | Lightweight attribute base signcryption method for cloud and mist assisted Internet of things |
| CN113014563B (en) * | 2021-02-10 | 2022-03-25 | 华中科技大学 | Method and system for guaranteeing integrity of searchable public key encryption retrieval |
-
2023
- 2023-07-14 CN CN202310861062.0A patent/CN116599771B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107104982A (en) * | 2017-05-26 | 2017-08-29 | 福州大学 | Have traitor tracing function in mobile electron medical treatment can search for encryption system |
| CN113761229A (en) * | 2021-08-25 | 2021-12-07 | 浪潮电子信息产业股份有限公司 | Encrypted mail searching method, searching system and related components |
| CN114598472A (en) * | 2022-03-04 | 2022-06-07 | 浙江科技学院 | Conditional-hidden searchable agent re-encryption method based on block chain and storage medium |
| CN115021993A (en) * | 2022-05-27 | 2022-09-06 | 山东大学 | Verifiable public key searchable encryption system and method |
| CN115412259A (en) * | 2022-08-30 | 2022-11-29 | 东南大学 | Searchable proxy signcryption method and product of cloud health system based on block chain |
| CN116344013A (en) * | 2023-05-30 | 2023-06-27 | 浙江云针信息科技有限公司 | Medical data management method and system |
Non-Patent Citations (2)
| Title |
|---|
| Applying Extended Chebyshev Polynomials to Construct a Trap-Door One-Way Function in Real Field;Jianli Yang、等;《2009 First International Conference on Information Science and Engineering》;全文 * |
| 基于联盟链的可搜索加密电子病历数据共享方案;牛淑芬;刘文科;陈俐霞;王彩芬;杜小妮;;通信学报(08);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116599771A (en) | 2023-08-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5562687B2 (en) | Securing communications sent by a first user to a second user | |
| US9191198B2 (en) | Method and device using one-time pad data | |
| US8683209B2 (en) | Method and apparatus for pseudonym generation and authentication | |
| CN101800738B (en) | Realization system and method for safely visiting and storing intranet data by mobile equipment | |
| US20230254129A1 (en) | Key management for multi-party computation | |
| US20120087495A1 (en) | Method for generating an encryption/decryption key | |
| JP2023500570A (en) | Digital signature generation using cold wallet | |
| US11374910B2 (en) | Method and apparatus for effecting a data-based activity | |
| CN108809633B (en) | Identity authentication method, device and system | |
| JP2020530726A (en) | NFC tag authentication to remote servers with applications that protect supply chain asset management | |
| JP2016158189A (en) | Change direction with key control system and change direction with key control method | |
| CN111970114B (en) | File encryption method, system, server and storage medium | |
| WO2018002856A1 (en) | Systems and methods for authenticating communications using a single message exchange and symmetric key | |
| CN112187798A (en) | Bidirectional access control method and system applied to cloud-side data sharing | |
| CN111769938A (en) | Key management system and data verification system of block chain sensor | |
| US11637817B2 (en) | Method and apparatus for effecting a data-based activity | |
| Fatahi et al. | High-efficient arbitrated quantum signature scheme based on cluster states | |
| CN110383755A (en) | The network equipment and trusted third party's equipment | |
| CN116599771B (en) | Data hierarchical protection transmission method and device, storage medium and terminal | |
| US11570008B2 (en) | Pseudonym credential configuration method and apparatus | |
| KR101793528B1 (en) | Certificateless public key encryption system and receiving terminal | |
| US20210028933A1 (en) | Key ladder generating a device public key | |
| Fasila et al. | Fast and Efficient Security Scheme for Blockchain-Based IoT Networks. | |
| KR20170001633A (en) | Tokenization-based encryption key managemnent sytem and method | |
| CN112398818B (en) | Software activation method and related device thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |