CN116827581A - Attribute encrypted cloud file sharing method based on double private key strategy - Google Patents
Attribute encrypted cloud file sharing method based on double private key strategy Download PDFInfo
- Publication number
- CN116827581A CN116827581A CN202310022175.1A CN202310022175A CN116827581A CN 116827581 A CN116827581 A CN 116827581A CN 202310022175 A CN202310022175 A CN 202310022175A CN 116827581 A CN116827581 A CN 116827581A
- Authority
- CN
- China
- Prior art keywords
- file
- key
- ciphertext
- encrypted
- enc
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 30
- 238000005516 engineering process Methods 0.000 claims abstract description 16
- 101100065246 Mus musculus Enc1 gene Proteins 0.000 claims description 11
- 101150040334 KLHL25 gene Proteins 0.000 claims description 3
- 230000008569 process Effects 0.000 description 4
- 238000011217 control strategy Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000009977 dual effect Effects 0.000 description 1
- 230000008570 general process Effects 0.000 description 1
- 230000011218 segmentation Effects 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to an attribute encryption cloud file sharing method based on a double private key strategy. The method comprises the steps of selecting a symmetric key, encrypting a file to be shared by adopting a symmetric encryption technology to obtain a file ciphertext, acquiring public keys of n target users by a public key infrastructure system, and encrypting the symmetric encryption key by using the public key of each user to obtain an encrypted symmetric key; splicing the file ciphertext and the encrypted key to obtain a spliced encrypted file, and formulating an access structure according to the attribute set of the target user; and the access structure encrypts the spliced encrypted file to obtain a final ciphertext file, and then uploads the final ciphertext file to the cloud server. When one file is safely shared to a plurality of target users, only the final ciphertext file is needed to be uploaded, so that the management complexity of the cloud server on the user file is simplified, and the sharing party adopts fine-grained access control on the target users of the file to be shared, thereby having both safety and efficiency.
Description
Technical Field
The invention belongs to the technical field of cloud service and cryptography, and relates to an attribute encryption cloud file sharing method based on a double private key strategy.
Background
Along with the gradual enhancement of personal information security consciousness, people pay more and more attention to file confidentiality during personal file sharing, and various cloud file sharing technologies are rapidly developed. The cloud file sharing technology generally consists of encryption technology and cloud service technology.
The existing cloud file sharing method with higher security is that a data owner encrypts a file by a symmetric encryption technology, encrypts a symmetric key by a public key of a data user, then sends the encrypted file and the encrypted key to the data user together, decrypts the encrypted key by the data user by using a private key of the data user, and decrypts the encrypted file by the symmetric key obtained by decryption. However, the sharing method is a point-to-point sharing method, in a one-time sharing process, only a file can be shared to one data user, if the file needs to be shared to a plurality of data users, the symmetric key needs to be encrypted for a plurality of times, and the encrypted key is transmitted for a plurality of times, so that the sharing process is complicated, and the file management is also troublesome due to the encrypted keys.
In view of the above problems, a cloud file sharing technology of attribute encryption is generated. The attribute encryption can hide the access control strategy in the ciphertext, one encrypted file is decrypted by different users with different attributes and private keys, and different access control strategies are adopted for different users, so that the file sharing is more flexible, and the access control is finer. The classical attribute encryption method is used for cloud file sharing, and the general process is as follows:
1) Initializing: a trusted third party performs system initialization to generate public parameters PK and a master key MK;
2) And (3) key generation: the trusted third party generates a user private key SK according to the attribute set S of the user and the master key MK;
3) Encryption: when a data owner wants to send an encrypted message, firstly requesting a trusted third party for a public parameter PK, then formulating an access structure AA, encrypting the message M through the public parameter PK and the access structure AA to obtain a ciphertext CT, and sending the ciphertext CT to a data user;
4) Decryption: when a data user wants to decrypt the ciphertext, firstly requesting a public parameter PK and a user private key SK from a trusted third party, then using the public parameter PK and the user private key SK to attempt to decrypt the ciphertext CT, and obtaining a message M if the result is successful, otherwise prompting failure.
However, there is an obvious potential safety hazard in applying the attribute encryption technology in the cloud environment, namely, the user generally uses own attribute as a public key, and the private key needs to be generated and maintained by a trusted third party. In a cloud environment, private keys are generally generated and managed by a cloud service provider, but the cloud service provider is not a trusted third party and is easy to attack, so that the private keys of all users are stolen, and a large security risk exists.
Disclosure of Invention
Aiming at the problems encountered in the existing cloud file sharing method, the invention provides a cloud file sharing method based on attribute encryption of a double private key strategy.
The method comprises the following steps: preparing a cloud server, wherein attribute encryption software based on a ciphertext policy is required to be deployed and installed, for example Advanced Crypto Software Collection, and the attribute encryption technology based on the ciphertext policy is a general technology in the field of privacy data protection. Public key infrastructure PKI can be built by itself, and can also subscribe to purchase services from public key infrastructure manufacturers for direct use. Respectively referred to as public key PubKey and private key PriKey. Data owner DO wants to share file F to multiple data consumers DU 1 ~DU n When in use, firstly, a symmetric key K is selected, and a symmetric encryption technology is adopted to encrypt a file to be shared to obtain a file ciphertext F enc Then the public key PubKey of n data users is obtained through public key infrastructure DU1 ~PubKey DUn Encrypting the symmetric key K by using the public key of each user one by one to obtain an encrypted symmetric key K enc1 ~K encn Then fixed-length splicing is carried out to obtain an encrypted key K enc Then the file ciphertext F enc And an encrypted key K enc Splicing to obtain spliced encrypted file FK enc Obtaining public parameters PK from a key distribution center KDC, formulating an access structure AA according to an attribute set of a data user, and combining the public parameters PK and the access structure AA to splice the encrypted file FK through an attribute encryption (CP-ABE) technology based on a ciphertext policy enc Encryption to obtain final ciphertext file F final Then the final ciphertext file F final Uploading to a cloud file server.
When one file is safely shared to a plurality of data users, only the final ciphertext file is needed to be uploaded, so that the management complexity of the cloud server on the user file is simplified, and the sharing party adopts fine-grained access control on the data users of the file to be shared, thereby having safety and efficiency.
The method comprises the following specific implementation steps:
and (1) deploying attribute encryption software based on ciphertext policies on a cloud server, and distributing a key distribution center KDC and a public key infrastructure PKI of a user private key. Initializing attribute encryption software based on a ciphertext strategy to obtain public parameters PK and a master key MK, and initializing a public key infrastructure.
And (2) deploying attribute encryption software, symmetric encryption software and asymmetric encryption software based on the ciphertext strategies on a local host of the user. The public key PubKey and the private key Prkey of the user are obtained through the public key infrastructure, and the private key SK of the user is obtained through the key distribution center.
Step (3), the data owner DO selects a file F to be shared, selects a symmetric key K, encrypts the file through symmetric encryption software to obtain a file ciphertext F enc . Acquiring n target data consumer DUs from public key infrastructure 1 ~DU n Public key PubKey of (a) DU1 ~PubKey DUn Public key PubKey for polling DU1 ~PubKey DUn Encrypting the symmetric key K correspondingly obtains the encrypted symmetric K enc1 ~K encn Then fixed-length splicing is carried out to obtain an encrypted key K enc =K enc1 |K enc2 |……|K encn Then the file ciphertext F enc And an encrypted key K enc Splicing to obtain spliced encrypted file FK enc =F enc |K enc Acquiring public parameters PK from a key distribution center, and formulating an access structure AA= { DU meeting all target data user attributes 1 |DU 2 |……|DU n Spliced encrypted file FK by attribute encryption software based on ciphertext strategy enc Encryption to obtain final ciphertextPart F final . And finally uploading the final ciphertext file to a cloud server.
Step (4), the data user DU downloads the final ciphertext file F from the cloud file server final And obtains the public parameter PK from the key distribution center. Final key ciphertext F through public parameter PK and user private key SK final Decrypting, if the target data is not the target data user, the decryption fails, otherwise, the spliced encrypted file FK is obtained enc . For spliced encrypted file FK enc Dividing to obtain file ciphertext F enc And an encrypted key K enc Dividing the encrypted key into fixed lengths to obtain an encrypted symmetric key K enc1 ~K encn The encrypted symmetric key K is polled through the private key Prike enci And (1) decrypting the data to obtain a symmetric key K, and if the symmetric key K cannot be obtained after polling is finished, prompting decryption failure. Finally, the file ciphertext F is obtained through the symmetric key K enc Decrypting to obtain the file F shared by the sharing party.
The invention provides a novel cloud file sharing method, which combines the characteristics of symmetric encryption technology, asymmetric encryption technology and attribute encryption based on ciphertext strategies to form a public key infrastructure-based cloud file sharing method of a PKI private key and an attribute private key. The method not only supports fine-grained access control, but also enables the user to have own private key, and the PKI private key well avoids the safety problem of user private key leakage caused by attribute private key leakage and attribute encrypted master key leakage when the key distribution center is attacked in the cloud file sharing process. In addition, only one file needs to be uploaded to the cloud server in the one-time cloud file sharing process, so that the management difficulty of the cloud server on the file is reduced.
Drawings
FIG. 1 is a flow chart of an overall embodiment of the present invention;
FIG. 2 is a schematic diagram of a method for sharing files by a data owner according to the present invention;
fig. 3 is a schematic diagram of a method for acquiring files by a data user according to the present invention.
Detailed Description
The technical scheme of the present invention will be described in detail with reference to the accompanying drawings.
As shown in fig. 1, the cloud file sharing method based on attribute encryption of the dual private key policy specifically includes the following steps:
and (1) deploying attribute encryption software based on ciphertext policies on a cloud server, and distributing a key distribution center KDC and a public key infrastructure PKI of a user private key. Initializing attribute encryption software based on a ciphertext strategy to obtain public parameters PK and a master key MK, and initializing a public key infrastructure.
And (2) deploying attribute encryption software, symmetric encryption software and asymmetric encryption software based on the ciphertext strategies on a local host of the user. The public key PubKey and the private key Prkey of the user are obtained through the public key infrastructure, and the private key SK of the user is obtained through the key distribution center.
Step (3), as shown in fig. 2, the data owner DO wants to encrypt one file F and share the file F to a plurality of data users DU at a time 1 ~DU n The specific steps are as follows: firstly, a data owner DO selects a file F to be shared, selects a symmetric key K, encrypts the file F through symmetric encryption software to obtain a file ciphertext F enc . Obtaining n data consumer DUs from public key infrastructure 1 ~DU n Public key PubKey of (a) DU1 ~PubKey DUn Public key PubKey for DO polling of data owners DU1 ~PubKey DUn Encrypting the symmetric key K correspondingly obtains the encrypted symmetric key K enc1 ~K encn Then fixed-length splicing is carried out to obtain an encrypted key K enc =K enc1 |K enc2 |……|K encn Then the file ciphertext F enc And an encrypted key K enc Splicing to obtain spliced encrypted file FK enc =F enc |K enc . Reproducing access structure aa= { DU satisfying all target data consumer attributes 1 |DU 2 |……|DU n Acquiring public parameters PK from a key distribution center, and encrypting the spliced encrypted file FK by attribute encryption software based on ciphertext strategies enc Encryption to obtain final ciphertext file F final . FinallyAnd uploading the final ciphertext file to a cloud file server.
Step (4), as shown in fig. 3, the specific steps of the data user obtaining an encrypted file and decrypting to obtain an original file are as follows: first, the final ciphertext file F is downloaded from the cloud file server final The public parameters PK are then obtained by the key distribution center. Final key ciphertext F through public parameter PK and user private key SK final Decrypting, if the data is not the data user DU of the DO selection area of the data owner, the decrypting fails, outputting errors and ending the acquisition; otherwise, obtaining the spliced encrypted file FK enc . For spliced encrypted file FK enc Dividing to obtain file ciphertext F enc And an encrypted key K enc For the encrypted key K enc Fixed-length segmentation to obtain encrypted symmetric key K enc1 ~K encn The encrypted symmetric key K is polled through the private key Prike enci And (1) decrypting the data to obtain a symmetric key K, and if the symmetric key K cannot be obtained after polling is finished, prompting decryption failure, outputting errors and finishing obtaining. Finally, the file ciphertext F is obtained through the symmetric key K enc Decrypting to obtain the file F shared by the sharing party.
Claims (2)
1. A cloud file sharing method based on attribute encryption of a double private key strategy is characterized by comprising the following steps: the method comprises the following steps:
firstly, selecting a symmetric key K, and encrypting a file F to be shared by adopting a symmetric encryption technology to obtain a file ciphertext F enc Then obtaining public keys PubKey of n target users through public key infrastructure system 1 ~PubKey n Encrypting the symmetric encryption key by using the public key of each user one by one to obtain K enc1 ~K encn Then fixed-length splicing is carried out to obtain an encrypted symmetric key K enc Then the file ciphertext and the encrypted key are spliced to obtain the spliced encrypted file FK enc And an access structure AA is formulated according to the attribute set of the target user, and the spliced encrypted file is encrypted by combining the formulated access structure AA through the attribute encryption CP-ABE technology based on the ciphertext policy to obtain a final ciphertext file F final However, it isThen final ciphertext file F final Uploading to a cloud server for deploying and installing attribute encryption software based on the ciphertext strategies.
2. The cloud file sharing method based on attribute encryption of the double private key strategy as claimed in claim 1, wherein: the method specifically comprises the following steps:
deploying attribute encryption software based on ciphertext policies on a cloud server, and generating a key management center and a public key infrastructure system for managing private keys of users; initializing attribute encryption software based on a ciphertext strategy to obtain public parameters PK and a master key MK, and initializing a public key infrastructure system;
step (2), the user deploys attribute encryption software, symmetric encryption software and asymmetric encryption software based on ciphertext policies on the local host; acquiring a public key PubKey and a private key Prkey of the user through a public key infrastructure, and acquiring a private key SK of the user through a key management center;
step (3), the sharing party selects a file F to be shared, selects a symmetric key K, and encrypts the file through symmetric encryption software to obtain a file ciphertext F enc The method comprises the steps of carrying out a first treatment on the surface of the Acquisition of n target receiver DUs from public key infrastructure 1 ~DU n Public key PubKey of (a) 1 ~PubKey n Encrypting the symmetric key with each public key correspondingly yields K enc1 ~K encn Then fixed-length splicing is carried out to obtain an encrypted symmetric key K enc =K enc1 |K enc2 |……|K encn Then the file ciphertext and the encrypted key are spliced to obtain the spliced encrypted file FK enc =F enc |K enc Public parameters PK are obtained from a key management center KDC, and an access structure AA= { DU meeting all target receiver attributes is formulated 1 |DU 2 |……|DU n Encryption of the spliced encrypted file by attribute encryption software based on ciphertext policies to obtain a final ciphertext file F final The method comprises the steps of carrying out a first treatment on the surface of the Finally, uploading the final ciphertext file to a cloud server;
step (4), the receiver downloads the final ciphertext file F from the cloud server final And a public parameter PK; final key ciphertext F through public parameter PK and user private key SK final Decrypting, if the target receiving party is not the target receiving party, the decryption fails, otherwise, the spliced encrypted file FK is obtained enc The method comprises the steps of carrying out a first treatment on the surface of the For spliced encrypted file FK enc Dividing to obtain file ciphertext F enc And an encrypted symmetric key K enc Cutting the encrypted symmetric key to obtain K enc1 ~K encn K is polled through a private key Prikey enci (1 is equal to or more than i is equal to or less than n) to decrypt so as to obtain a symmetric encryption key K, and if the symmetric key K cannot be obtained after polling is finished, prompting decryption failure; finally, the file ciphertext F is obtained through the symmetric key K enc And decrypting to obtain the file F shared by the sharing party.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310022175.1A CN116827581A (en) | 2023-01-06 | 2023-01-06 | Attribute encrypted cloud file sharing method based on double private key strategy |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310022175.1A CN116827581A (en) | 2023-01-06 | 2023-01-06 | Attribute encrypted cloud file sharing method based on double private key strategy |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116827581A true CN116827581A (en) | 2023-09-29 |
Family
ID=88117323
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310022175.1A Pending CN116827581A (en) | 2023-01-06 | 2023-01-06 | Attribute encrypted cloud file sharing method based on double private key strategy |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116827581A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118051937A (en) * | 2024-04-16 | 2024-05-17 | 天清数安(天津)科技有限公司 | Data security destroying method based on data encryption and overwriting |
-
2023
- 2023-01-06 CN CN202310022175.1A patent/CN116827581A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118051937A (en) * | 2024-04-16 | 2024-05-17 | 天清数安(天津)科技有限公司 | Data security destroying method based on data encryption and overwriting |
| CN118051937B (en) * | 2024-04-16 | 2024-06-21 | 天清数安(天津)科技有限公司 | Data security destroying method based on data encryption and overwriting |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5944893B2 (en) | Re-encryption device and program | |
| CN113193953B (en) | Multi-authority attribute-based encryption method based on block chain | |
| US9197410B2 (en) | Key management system | |
| US9426131B2 (en) | Server apparatus and program to re-encrypt ciphertext data | |
| Xu et al. | Dynamic user revocation and key refreshing for attribute-based encryption in cloud storage | |
| US20060179478A1 (en) | Method of controlling content access and method of obtaining content key using the same | |
| CN103731432A (en) | Multi-user supported searchable encryption system and method | |
| JP6313074B2 (en) | Data management device, system, data sharing device, and program | |
| JP2003501877A (en) | Method and apparatus for secure distribution of public / private key pairs | |
| WO2020143131A1 (en) | Revocable cloud data security sharing method | |
| CN113411323B (en) | Medical record data access control system and method based on attribute encryption | |
| WO2014083784A1 (en) | Cryptosystem, data storage system, and device and method therefor | |
| CN104735070A (en) | Universal data sharing method for heterogeneous encryption clouds | |
| CN113098849A (en) | Access control method based on attribute and identity encryption, terminal and storage medium | |
| US20050033963A1 (en) | Method and system for authentication, data communication, storage and retrieval in a distributed key cryptography system | |
| CN116827581A (en) | Attribute encrypted cloud file sharing method based on double private key strategy | |
| KR20150081168A (en) | Identity- based broadcast method from lattices | |
| US9473471B2 (en) | Method, apparatus and system for performing proxy transformation | |
| US20220407690A1 (en) | Key ladder generating a device public key | |
| WO2016078382A1 (en) | Hsm enciphered message synchronization implementation method, apparatus and system | |
| CN107769915B (en) | Data encryption and decryption system and method with fine-grained user control | |
| CN113783898B (en) | Renewable hybrid encryption method | |
| CN114362924A (en) | CP-ABE-based system and method for supporting flexible revocation and verifiable ciphertext authorization | |
| CN118282778A (en) | Key management method, data transmission method and system for computing nodes in multi-computing base | |
| CN117040819A (en) | Efficient outsourcing decryption access control method based on mobile cloud |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |