CN116933296B - Open format document OFD access control method and device - Google Patents


Publication number
CN116933296B
Authority
CN
China
Prior art keywords
ofd
user
ofd file
target
file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311191652.3A
Other languages
Chinese (zh)
Other versions
CN116933296A (en)
Inventor
蔡佳杰
张治�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fuxin Kunpeng Beijing Information Technology Co ltd
Original Assignee
Fuxin Kunpeng Beijing Information Technology Co ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides an open format document (OFD) access control method and device and relates to the technical field of data security. The method comprises the following steps: a first device encrypts at least one primitive object in an OFD file of a first user to generate a target primitive object and a target OFD file; the first device uploads the target OFD file to a distributed storage network and obtains the storage address of the target OFD file in the distributed storage network; the first device submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to a smart contract deployed on a blockchain; the smart contract is used for verifying the attribute set submitted by a second user based on the maintained OFD file address and access policy set data list, and for controlling the second user's access to the OFD file. The method of the invention achieves accurate and effective access control over the OFD file.

Description

Open format document OFD access control method and device
Technical Field
The invention relates to the technical field of data security, in particular to an open format document OFD access control method and device.
Background
An Open Format Document (OFD) is a file storage format developed independently in China, with fully independent intellectual property rights. It is used to unify electronic document formats and to make electronic documents convenient to store, read and edit.
In the related art, there is still no effective method for precisely controlling the access rights of an OFD document, so accessing and storing OFD documents carries significant security risks. How to precisely control the access rights of an OFD document, and thereby improve its security, is therefore a technical problem that those skilled in the art need to solve.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides an open format document OFD access control method and device.
Specifically, the embodiment of the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides an access control method for an open format document OFD, including:
a first device encrypts at least one primitive object in an OFD file of a first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file;
the first device uploads the target OFD file to a distributed storage network and obtains the storage address of the target OFD file in the distributed storage network;
the first device submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to a smart contract deployed on a blockchain; the access policy set of the OFD file indicates the access policy of each primitive object in the OFD file; the smart contract is used for verifying the attribute set submitted by a second user based on the maintained OFD file address and access policy set data list, and for controlling the second user's access to the OFD file.
Further, the first device encrypts at least one primitive object in the OFD file to generate a target primitive object and a target OFD file, including:
the first device encrypts at least one primitive object in the OFD file using the ciphertext-policy attribute-based encryption algorithm CP-ABE to generate the target primitive object and the target OFD file.
Further, the smart contract is for at least one of:
assigning an attribute set to each user;
determining an address list of at least one target OFD file corresponding to the second user according to the maintained OFD file address and access policy set data list and the attribute set of the second user; the target OFD file is a target OFD file to which the second user has access rights; the second user is a user of the target OFD file;
verifying the attribute set submitted by the second user according to the maintained OFD file address and access policy set data list, and generating a decrypted OFD file according to the storage address, in the distributed storage network, of the target OFD file that the second user has submitted and wants to access.
Further, verifying the attribute set submitted by the second user includes:
the smart contract encrypts the access policy set of the OFD file using the homomorphic encryption algorithm to obtain an access policy ciphertext;
the smart contract encrypts the attribute set of the second user using the homomorphic encryption algorithm to obtain a user attribute ciphertext;
the smart contract determines the verification result of the second user's access rights to each target primitive object in the target OFD file based on the access policy ciphertext and the user attribute ciphertext.
Further, the smart contract determines a verification result of the access right of the second user to each target primitive object in the target OFD file based on the access policy ciphertext and the user attribute ciphertext, including:
determining a verification result of the access authority of the second user to each target primitive object in the target OFD file by using the following formula:
SEAL.Decrypt(Sa*Sp);
where SEAL.Decrypt represents a fully homomorphic decryption algorithm; Sa represents the access policy ciphertext; Sp represents the user attribute ciphertext; seal.
In a second aspect, an embodiment of the present invention provides an access control method for an open layout document OFD, including:
the second device submits the attribute set of the second user to the smart contract to obtain a target OFD file address list set; the target OFD file is determined by the smart contract based on the attribute set of the second user and is one to which the second user has access rights; the target OFD file is an OFD file containing the encrypted primitive object;
the second device submits the attribute set of the second user, together with the storage address on the distributed storage network of the target OFD file that the second user wants to access, to the smart contract to obtain a decrypted OFD file; the decrypted OFD file is obtained by the smart contract decrypting the target primitive object in the target OFD file based on the attribute set of the second user and the access policy set of the OFD file; the target primitive object is determined by the smart contract based on the attribute set of the second user and the access policy set of the OFD file, and is one to which the second user has access rights.
In a third aspect, an embodiment of the present invention further provides an access control device for an open layout document OFD, including:
the encryption module is used for encrypting at least one primitive object in the OFD file of the first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file;
the storage module is used for uploading the target OFD file to a distributed storage network and acquiring a storage address of the target OFD file in the distributed storage network;
the access control module is used for submitting the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to a smart contract deployed on a blockchain; the access policy set of the OFD file indicates the access policy of each primitive object in the OFD file; the smart contract is used for verifying the attribute set submitted by the second user based on the maintained OFD file address and access policy set data list, and for controlling the second user's access to the OFD file.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the open format document OFD access control method according to the first aspect or the second aspect when executing the program.
In a fifth aspect, an embodiment of the present invention further provides a non-transitory computer readable storage medium, on which a computer program is stored, the computer program implementing the open layout document OFD access control method according to the first or second aspect when executed by a processor.
In a sixth aspect, an embodiment of the present invention further provides a computer program product, including a computer program, where the computer program when executed by a processor implements the open layout document OFD access control method according to the first or second aspect.
According to the open format document OFD access control method and device, the first device encrypts at least one primitive object in the OFD file of the first user to generate the target primitive object and the target OFD file, and submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to the smart contract deployed on the blockchain. The smart contract on the blockchain can therefore accurately and effectively control the access of the second user (a user of the OFD document) to the encrypted OFD primitive objects in the OFD file stored in the distributed storage network, based on the access policy set of the OFD file sent by the first device.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an access control method for an open format document OFD provided in an embodiment of the present invention;
Fig. 2 is another flow diagram of an access control method for an open layout document OFD according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an open layout document OFD access control device provided in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The method of the embodiment of the invention can be applied to the access control scene of the OFD document, and realizes accurate and effective access control of the OFD document.
In the related art, there is still no effective method for precisely controlling the access rights of an OFD document, so accessing and storing OFD documents carries significant security risks. How to precisely control the access rights of an OFD document, and thereby improve its security, is therefore a technical problem that those skilled in the art need to solve.
According to the open format document OFD access control method, the first device encrypts at least one primitive object in the OFD file of the first user to generate the target primitive object and the target OFD file, and submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to the smart contract deployed on the blockchain. The smart contract on the blockchain can therefore accurately and effectively control the access of the second user (a user of the OFD document) to the encrypted OFD primitive objects in the OFD file stored in the distributed storage network, based on the access policy set of the OFD file sent by the first device.
The following describes the technical solution of the present invention in detail with reference to fig. 1 to 4. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Fig. 1 is a schematic flow chart of an embodiment of an access control method for an open layout document OFD according to an embodiment of the present invention. As shown in fig. 1, the method provided in this embodiment includes:
Step 101, a first device encrypts at least one primitive object in an OFD file of a first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file;
Specifically, an Open-layout Document (OFD) is a file storage format developed independently in China, with fully independent intellectual property rights. It is used to unify electronic document formats and to make electronic documents convenient to store, read and edit. However, in the related art there is no effective method for precisely controlling the access rights of an OFD document, so accessing and storing OFD documents carries significant security risks.
To solve this problem, in the embodiment of the present invention a first device encrypts at least one primitive object in an OFD file of a first user to generate a target primitive object and a target OFD file. The primitive objects in the OFD file include text, graphics, images and the like; the first user is a user who owns the OFD file and needs to apply access control to it. Encrypting the primitive objects in the OFD file implements encryption and access control at the granularity of the OFD primitive object, which makes encryption and access control of the OFD file more precise and improves the accuracy and efficiency of OFD file control. Because individual primitive objects are encrypted, a user can selectively and precisely encrypt only the OFD primitive objects that need access control, without encrypting the whole OFD document, which improves the flexibility and accuracy of OFD document access control.
Step 102, a first device uploads a target OFD file to a distributed storage network, and a storage address of the target OFD file in the distributed storage network is obtained;
Specifically, after encrypting at least one primitive object in an OFD file to obtain the OFD file containing the encrypted primitive object, the first device uploads the target OFD file to a distributed storage network and obtains the storage address of the target OFD file in the distributed storage network; optionally, the target OFD file may be uploaded to the IPFS network.
Step 103, the first device submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to a smart contract deployed on a blockchain; the access policy set of the OFD file indicates the access policy of each primitive object in the OFD file; the smart contract is used for verifying the attribute set submitted by the second user based on the maintained OFD file address and access policy set data list, and for controlling the second user's access to the OFD file.
Specifically, after uploading the target OFD file to the distributed storage network and obtaining its storage address there, the first device submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to a smart contract deployed on a blockchain. The access policy set of the OFD file consists of the access policies set by the first user for each OFD primitive object in the OFD file. The smart contract on the blockchain can therefore accurately and effectively control the access of the second user (the user of the OFD file) to the encrypted OFD primitive objects in the OFD file stored in the distributed storage network, based on the access policy set of the OFD file sent by the first device, which effectively improves the access security of the OFD file.
In the above method, the first device encrypts at least one primitive object in the OFD file of the first user to generate the target primitive object and the target OFD file, and submits the storage address of the target OFD file in the distributed storage network and the access policy set of the OFD file to the smart contract deployed on the blockchain, so that the smart contract on the blockchain can accurately and effectively control the access of the second user (the user of the OFD file) to the encrypted OFD primitive objects in the OFD file stored in the distributed storage network, based on the access policy set of the OFD file sent by the first device. That is, during access control of the OFD file, the first device only needs to encrypt the OFD primitive objects in the OFD file and send the access policy of the encrypted OFD file to the smart contract; the second device only needs to send its own attribute set to the smart contract; the smart contract can then implement access control of the OFD file from the access policy of the OFD file obtained from the first device and the attribute set obtained from the second device, so that the first device, the second device and the smart contract can each perform access control of the OFD file efficiently and accurately while storing and obtaining very little information.
In the OFD file access control method, first, the owner (first user) of the OFD file encrypts OFD primitive objects, so that encryption and access control are implemented at the granularity of the OFD primitive object, which makes encryption and access control of the OFD file more precise and improves the accuracy and flexibility of OFD file access control. Second, the storage address of the encrypted OFD file in the distributed storage network and the access policy set of the OFD file are submitted to a smart contract deployed on a blockchain, which effectively avoids the risk of the access rights of the OFD file being tampered with. Third, different access policies can be set for different OFD primitive objects, so that with fine-grained access control of each primitive object in the OFD document the security of the OFD file is higher: even if an attacker obtains access rights to some of the primitive objects in the OFD file, the other primitive objects in the OFD file remain invisible, which greatly improves the security of the OFD file and reduces the risk of uncontrolled leakage of the OFD file. Fourth, the access policy of each OFD primitive object in the OFD file is stored by the smart contract, so that access control of the OFD file is performed by the smart contract deployed on the blockchain, which is more efficient and avoids the drawbacks of client-based access control, namely that a large amount of data must be configured and that data on the client is easily tampered with, thereby improving the security, convenience and efficiency of access control. Fifth, the encrypted OFD file is stored in the distributed storage network, so that the distributed storage network and the smart contract deployed on the blockchain complement each other, the encrypted OFD file is isolated from the OFD file access policy, and the security of the OFD file is improved.
In an embodiment, the first device encrypts at least one primitive object in the OFD file to generate a target primitive object and a target OFD file, including:
the first device encrypts at least one primitive object in the OFD file using the ciphertext-policy attribute-based encryption algorithm CP-ABE to generate the target primitive object and the target OFD file.
Specifically, in the embodiment of the application, at least one primitive object in the OFD file is encrypted with the ciphertext-policy attribute-based encryption algorithm CP-ABE to generate the target primitive object and the target OFD file. This efficiently encrypts the OFD primitive objects in the OFD file and implements encryption and access control at the granularity of the OFD primitive object, which makes encryption and access control of the OFD file more precise and improves the accuracy and efficiency of OFD file control.
For example, the data owner encrypts the primitive object Gi in the OFD file using CP-ABE and outputs the ciphertext Si of the primitive object Gi; the description information of the primitive object Gi in the OFD file F is converted into the ciphertext Si, which is equivalent to converting the OFD file into a file Fs whose content is partially encrypted.
In one embodiment, the smart contract is for at least one of:
assigning an attribute set to each user;
determining an address list of at least one target OFD file corresponding to the second user according to the maintained OFD file address and access policy set data list and the attribute set of the second user; the target OFD file is a target OFD file to which the second user has access rights; the second user is a user of the target OFD file;
verifying the attribute set submitted by the second user according to the maintained OFD file address and access policy set data list, and generating a decrypted OFD file according to the storage address, in the distributed storage network, of the target OFD file that the second user has submitted and wants to access.
Specifically, the smart contract deployed on the blockchain in the embodiment of the application assigns attribute sets to all users of the system. When a second user (a user of an OFD file) needs to access an OFD file, the smart contract receives the attribute set submitted by the second user, accurately determines the second user's access rights to each OFD file according to the access policies of the OFD files sent by the first user, and sends the second user an address list of the OFD files to which the second user has access rights. If the second user determines that the OFD file to be accessed is in that address list, the attribute set of the second user and the storage address, in the distributed storage network, of the target OFD file that the second user has submitted and wants to access can be further verified; if the smart contract's verification succeeds, the smart contract sends the decrypted OFD file to the second user for access. Access control of the encrypted OFD files stored in the distributed storage network is thus implemented efficiently and accurately by the smart contract on the blockchain, which improves the efficiency and accuracy of OFD file access control.
In the above method, the smart contract deployed on the blockchain assigns an attribute set to each user of the system and verifies the attribute set of the second user against the access policy of the OFD file sent by the first user, so that the second user's access rights to each OFD file can be determined accurately. Access control of the encrypted OFD files stored in the distributed storage network is thus implemented efficiently and accurately by the smart contract on the blockchain, which avoids the drawbacks of client-based access control, namely that a large amount of data must be configured and that data on the client is easily tampered with, and improves the efficiency, security, accuracy and convenience of OFD file access control.
In one embodiment, verifying the set of attributes submitted by the second user includes:
the smart contract encrypts the access policy set of the OFD file using the homomorphic encryption algorithm to obtain an access policy ciphertext;
the smart contract encrypts the attribute set of the second user using the homomorphic encryption algorithm to obtain a user attribute ciphertext;
the smart contract determines the verification result of the second user's access rights to each target primitive object in the target OFD file based on the access policy ciphertext and the user attribute ciphertext.
Specifically, after the second device submits the attribute set of the second user, the smart contract encrypts the access policy set of the OFD file with the homomorphic encryption algorithm to obtain an access policy ciphertext, and encrypts the attribute set of the second user with the homomorphic encryption algorithm to obtain a user attribute ciphertext. The smart contract then determines whether the second user has access rights to all OFD primitive objects in the OFD file by matching the access policy ciphertext of the OFD file against the user attribute ciphertext. The smart contract can therefore implement fine-grained access control of each primitive object in the OFD document based on the homomorphic encryption algorithm, the access policy set of the OFD document and the attribute set of the second user, so that the security of the OFD document is higher: even if an attacker obtains access rights to some of the primitive objects in the OFD document, the other primitive objects in the OFD document remain invisible, which greatly improves the security of the OFD document and reduces the risk of uncontrolled leakage of the OFD document.
Optionally, the smart contract determines a verification result of the access right of the second user to each target primitive object in the target OFD file based on the access policy ciphertext and the user attribute ciphertext, including:
Determining a verification result of the access authority of the second user to each target primitive object in the target OFD file by using the following formula:
SEAL.Decrypt(Sa*Sp);
where SEAL.Decrypt represents a fully homomorphic decryption algorithm; Sa represents the access policy ciphertext; Sp represents the user attribute ciphertext; seal.
Specifically, the smart contract deployed on the blockchain matches the access policy ciphertext of the OFD file against the user attribute ciphertext using a fully homomorphic encryption algorithm, and determines whether the second user has access rights to all OFD primitive objects in the OFD file. Optionally, if the result of SEAL.Decrypt(Sa*Sp) is all 1, the attribute set of the second user satisfies the access policies of all OFD primitive objects in the OFD file and the verification succeeds; the smart contract then sends the OFD primitive objects in the OFD file, decrypted with CP-ABE, to the second user.
In the above method, the access policy ciphertext of the OFD file and the user attribute ciphertext are first matched using the fully homomorphic decryption algorithm, and only if they match successfully does the smart contract decrypt the OFD primitive objects in the OFD file with CP-ABE and send them to the second user. That is, the access rights to each primitive object in the OFD file are finely controlled and verified both by matching the access policy ciphertext against the user attribute ciphertext and by CP-ABE encryption and decryption, which strengthens the effectiveness of access control over the OFD primitive objects in the OFD file and greatly improves the access security of the primitive objects in the OFD file.
In one embodiment, in performing the access control of the OFD file,
the second device submits the attribute set of the second user to the smart contract to obtain a target OFD file address list set; the target OFD file is determined by the smart contract based on the attribute set of the second user and is one to which the second user has access rights; the target OFD file is an OFD file containing the encrypted primitive object;
the second device submits the attribute set of the second user, together with the storage address on the distributed storage network of the target OFD file that the second user wants to access, to the smart contract to obtain a decrypted OFD file; the decrypted OFD file is obtained by the smart contract decrypting the target primitive object in the target OFD file based on the attribute set of the second user and the access policy set of the OFD file; the target primitive object is determined by the smart contract based on the attribute set of the second user and the access policy set of the OFD file, and is one to which the second user has access rights.
Specifically, in the embodiment of the present application, during access to the OFD file the first device only needs to encrypt the OFD file and send the access policy of the encrypted OFD file to the smart contract, and the second device only needs to send its own attribute set to the smart contract. After the access policy ciphertext of the OFD file corresponding to the first device and the attribute set ciphertext corresponding to the second device have been matched using the homomorphic decryption algorithm, the smart contract sends the OFD file decrypted with CP-ABE to the second device, so that the first device, the second device and the smart contract can each perform access control of the OFD file efficiently and accurately while storing and obtaining very little information.
According to the method, in the process of accessing the OFD file, the smart contract matches the access policy ciphertext of the OFD file corresponding to the first device with the attribute set ciphertext corresponding to the second device through the homomorphic decryption algorithm, and then sends the OFD file decrypted by the CP-ABE to the second device, so that the first device, the second device and the smart contract can perform access control of the OFD file efficiently and accurately while storing and acquiring very little information.
According to the OFD file access control method, firstly, the owner (first user) of the OFD file encrypts the OFD primitive objects, so that encryption and access control are realized at the granularity of the OFD primitive object; the encryption and access control of the OFD file are therefore more precise, and the accuracy and flexibility of the OFD file access control are improved.
In the second aspect, the storage address of the encrypted OFD file in the distributed storage network and the access policy set of the OFD file are submitted to a smart contract deployed on a blockchain, so that the risk of the access rights of the OFD file being tampered with is effectively avoided.
In the third aspect, different access policies can be set for different OFD primitive objects, so that, with fine-grained access control of each primitive object in an OFD document, the security of the OFD file is higher: even if an attacker acquires access rights to some of the primitive objects in the OFD file, the other primitive objects in the OFD file remain invisible, which greatly improves the security of the OFD file and reduces the risk of uncontrolled leakage of the OFD file.
In the fourth aspect, the access policy of each OFD primitive object in the OFD file is stored by the smart contract, so that access control of the OFD file is performed through the smart contract deployed on the blockchain; this is more efficient, and overcomes the drawbacks that access control by a client requires a large amount of data to be configured and that data in the client is easily tampered with, thereby improving the security, convenience and efficiency of the access control.
In the fifth aspect, the encrypted OFD file is stored through the distributed storage network, so that the distributed storage network and the smart contract deployed on the blockchain complement each other, isolation between the encrypted OFD file and the OFD file access policy is realized, and the security of the OFD file is improved.
The specific flow of the OFD access control method in the embodiment of the present invention is shown in fig. 2:
step 201: initializing the blockchain environment, wherein the initializing comprises the following steps:
in the smart contract on the blockchain, a master key pair is generated by selecting an appropriate elliptic curve pair and pairing group parameters. The master key pair comprises a public master key PubKey (Public Master Key) and a private master key PriKey (Private Master Key); the contents of the public master key and the private master key are uploaded and stored in the IPFS network in file form, and the storage addresses of PubKey and PriKey in the IPFS network are stored in the smart contract;
determining a global attribute set GA in a CP-ABE scheme, uploading and storing the GA in an IPFS network, and storing the storage address in an intelligent contract;
a user registers in a blockchain network and distributes a user identity UID and an attribute set A;
step 202: the data owner extracts the primitive object set G = {G1, G2, …, Gn} of an OFD format file F through an SDK toolkit and, for each primitive object Gi in turn, sets an access policy Pi and executes the encryption function Enc(Gi, Pi), which encrypts the primitive object Gi using CP-ABE and outputs the ciphertext Si; the descriptive information of the primitive object Gi in the OFD format file F is then converted into the ciphertext Si. In this way the primitive object set G of the OFD format file F is converted equivalently into the encrypted primitive object set S = {S1, S2, …, Sn}, and the OFD format file F is converted equivalently into Fs;
the data owner calls the ciphertext uploading function Upload(Fs) to upload the conversion result Fs to the IPFS network, and obtains the storage address ξ of the ciphertext Fs in the IPFS network;
step 203: the data owner invokes the smart contract interface to submit the access policy set P = {P1, P2, …, Pn} and the storage address ξ to the smart contract deployed on the blockchain;
step 204: the data user calls the smart contract interface to submit the attribute set A = {A1, A2, …, An} and generate the attribute key λ; the smart contract performs the attribute set verification and returns the list of file addresses that pass the attribute verification, H = {H1, H2, …, Hn}, where Hi ∈ H and ξ = Hi. The data user thereby obtains the list of format files it is authorized to access;
step 205: to request the OFD format file F, the data user calls the smart contract interface to submit its attribute set A and the IPFS network storage address ξ of the format file Fs to the smart contract; the smart contract generates the attribute key λ and performs the attribute set verification; once the attribute set verification passes, the smart contract obtains the ciphertext Fs according to the ciphertext storage address, decrypts the primitive objects in combination with the attribute set P to obtain the plaintext file F, and returns the plaintext F' that satisfies the permission policy to the data user.
Optionally, to generate the attribute key λ, the smart contract reads the public master key PubKey, the private master key PriKey and the data user's own attribute set A, and executes CPABE.Keygen(PubKey, PriKey, A) to output the user tree private key λ.
Optionally, the attribute set verification proceeds as follows: the access policy is homomorphically encrypted, SEAL(P), to output the access policy ciphertext Sp; the user attribute set A is homomorphically encrypted to output the user attribute ciphertext Sa; SEAL(Sa×Sp) is then computed to output the decryption result Sr; if the decryption result Sr is all 1, the attribute set satisfies the access policy and the verification succeeds.
Optionally, the primitive object Si decrypts and executes cpabe.
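The following sketch is an added illustration, not part of the patent text or the applicant's code: it models in plain Python the contract-side decisions of steps 202 to 205 (registering the policy set against a storage address, returning the address list H, and returning a partial plaintext F'). It performs no real cryptography; the names, the constructed sample data, the policy format (a set of attributes that must all be present) and the rule that a file is listed when at least one primitive object matches are all assumptions.

```python
"""Plain-Python model of the contract-side decisions in steps 202-205.

Assumptions (not from the patent): a policy Pi is a set of attributes that
must all be present; Sealed stands in for a CP-ABE ciphertext Si; match()
stands in for the homomorphic check and yields one 0/1 entry per primitive.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sealed:
    """Stand-in for the CP-ABE ciphertext Si of one primitive object Gi."""
    _plaintext: str = field(repr=False)


class Storage:
    """Stand-in for the distributed storage network; addresses are constructed."""

    def __init__(self):
        self._blobs = {}

    def upload(self, fs):
        addr = f"addr-{len(self._blobs)}"
        self._blobs[addr] = list(fs)
        return addr

    def fetch(self, addr):
        return self._blobs[addr]


class Contract:
    """Model of the contract: keeps address -> policy set P and decides access."""

    def __init__(self, storage):
        self._storage = storage
        self._policies = {}

    def register(self, addr, policies):
        """Step 203: the owner submits the storage address and P = {P1..Pn}."""
        self._policies[addr] = [frozenset(p) for p in policies]

    def match(self, addr, attrs):
        """Model of Sr: entry i is 1 when attribute set A satisfies Pi."""
        attrs = frozenset(attrs)
        return [int(p <= attrs) for p in self._policies[addr]]

    def list_files(self, attrs):
        """Step 204: address list H (assumed: at least one primitive matches)."""
        return [a for a in self._policies if any(self.match(a, attrs))]

    def open_file(self, addr, attrs):
        """Step 205: return (F', Sr); F' holds None where access is refused."""
        if addr not in self._policies:
            raise PermissionError("address not registered with the contract")
        sr = self.match(addr, attrs)
        fs = self._storage.fetch(addr)
        # The policy set comes from the contract, never from the stored file,
        # so a stored file that no longer lines up with it is rejected.
        if len(fs) != len(sr):
            raise ValueError("stored file does not match registered policy set")
        return [s._plaintext if bit else None for s, bit in zip(fs, sr)], sr


def owner_publish(storage, contract, primitives, policies):
    """Steps 202-203 on the first device: seal, upload, register."""
    if len(primitives) != len(policies):
        raise ValueError("each primitive object needs exactly one policy")
    addr = storage.upload([Sealed(g) for g in primitives])
    contract.register(addr, policies)
    return addr


def demo():
    """Constructed sample: one three-primitive file and one board-only file."""
    storage = Storage()
    contract = Contract(storage)
    invoice = owner_publish(
        storage, contract,
        ["title text", "amount table", "seal image"],
        [{"staff"}, {"staff", "finance"}, {"staff", "auditor"}],
    )
    owner_publish(storage, contract, ["memo body"], [{"board"}])
    clerk = {"staff", "finance"}
    listed = contract.list_files(clerk)
    view, sr = contract.open_file(invoice, clerk)
    return listed, view, sr, all(sr)
```

In the constructed sample the clerk sees the first two primitive objects of the invoice, the third stays hidden, and the board-only file never appears in the address list; a result vector of all 1 corresponds to the full-access condition described above.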
The open format document OFD access control device provided by the invention is described below, and the open format document OFD access control device described below and the open format document OFD access control method described above can be referred to correspondingly.
Fig. 3 is a schematic structural diagram of an open layout document OFD access control device provided by the invention. The open format document OFD access control device provided in this embodiment includes:
an encryption module 310, configured to encrypt at least one primitive object in the OFD file of the first user, and generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file;
The storage module 320 is configured to upload the target OFD file to a distributed storage network, and obtain a storage address of the target OFD file in the distributed storage network;
an access control module 330, configured to submit a storage address of the target OFD file in the distributed storage network and an access policy set of the OFD file to an intelligent contract deployed on a blockchain; the access policy collection of the OFD file is used for indicating the access policy of each primitive object in the OFD file; and the intelligent contract is used for verifying the attribute set submitted by the second user and controlling the access of the second user to the OFD file.
Optionally, the encryption module 310 is specifically configured to encrypt at least one primitive object in the OFD file by utilizing a ciphertext policy attribute-based encryption algorithm CP-ABE to generate a target primitive object and a target OFD file.
Optionally, the smart contract is for at least one of:
distributing attribute sets for each user;
determining an address list of at least one target OFD file corresponding to the second user according to the attribute set of the second user; the target OFD file is a target OFD file with access rights of the second user; the second user is a user of the target OFD file;
And verifying the attribute set submitted by the second user, and generating a decrypted OFD file according to the storage address of the target OFD file to be accessed submitted by the second user in the distributed storage network.
Optionally, the intelligent contract is used for encrypting the access policy collection of the OFD file based on the homomorphic encryption algorithm to determine an access policy ciphertext;
the intelligent contract encrypts the attribute set of the second user based on the homomorphic encryption algorithm to determine a user attribute ciphertext;
the intelligent contract determines the verification result of the access authority of the second user to each target primitive object in the target OFD file based on the access strategy ciphertext and the user attribute ciphertext.
Optionally, the smart contract is configured to determine a verification result of the access rights of the second user to each target primitive object in the target OFD file by using the following formula:
SEAL.Decrypt(Sa*Sp);
wherein SEAL.Decrypt represents a fully homomorphic decryption algorithm; Sa represents access policy ciphertext; Sp represents a user attribute ciphertext; seal.
The device of the embodiment of the present invention is configured to perform the method of any of the foregoing method embodiments, and its implementation principle and technical effects are similar, and are not described in detail herein.
Fig. 4 illustrates a physical schematic diagram of an electronic device, which may include: processor 410, communication interface (Communications Interface) 420, memory 430 and communication bus 440, wherein processor 410, communication interface 420 and memory 430 communicate with each other via communication bus 440. The processor 410 may invoke logic instructions in the memory 430 to perform an open layout document OFD access control method comprising: encrypting at least one primitive object in the OFD file of the first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file; uploading the target OFD file to a distributed storage network, and acquiring a storage address of the target OFD file in the distributed storage network; submitting the storage address of the target OFD file in the distributed storage network and the access policy collection of the OFD file to an intelligent contract deployed on a blockchain; the access policy collection of the OFD file is used for indicating the access policy of each primitive object in the OFD file; the intelligent contract is used for verifying the attribute set submitted by the second user and controlling the access of the second user to the OFD file.
Further, the logic instructions in the memory 430 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the open layout document OFD access control method provided by the above methods, the method comprising: encrypting at least one primitive object in the OFD file of the first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file; uploading the target OFD file to a distributed storage network, and acquiring a storage address of the target OFD file in the distributed storage network; submitting the storage address of the target OFD file in the distributed storage network and the access policy collection of the OFD file to an intelligent contract deployed on a blockchain; the access policy collection of the OFD file is used for indicating the access policy of each primitive object in the OFD file; the intelligent contract is used for verifying the attribute set submitted by the second user and controlling the access of the second user to the OFD file.
In still another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the open-layout document OFD access control methods provided above, the method comprising: encrypting at least one primitive object in the OFD file of the first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file; uploading the target OFD file to a distributed storage network, and acquiring a storage address of the target OFD file in the distributed storage network; submitting the storage address of the target OFD file in the distributed storage network and the access policy collection of the OFD file to an intelligent contract deployed on a blockchain; the access policy collection of the OFD file is used for indicating the access policy of each primitive object in the OFD file; the intelligent contract is used for verifying the attribute set submitted by the second user and controlling the access of the second user to the OFD file.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. An open format document OFD access control method, comprising:
the method comprises the steps that first equipment encrypts at least one primitive object in an OFD file of a first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is the owner of the OFD file;
the first device uploads the target OFD file to a distributed storage network, and obtains a storage address of the target OFD file in the distributed storage network;
the first device submits the storage address of the target OFD file in the distributed storage network and the access policy aggregate of the OFD file to an intelligent contract deployed on a blockchain; the access policy collection of the OFD file is used for indicating the access policy of each primitive object in the OFD file; the intelligent contract is used for verifying the attribute set submitted by the second user based on the maintained OFD file address and the access policy set data list, and controlling the access of the second user to the OFD file;
the smart contract is for at least one of:
distributing attribute sets for each user;
Determining an address list of at least one target OFD file corresponding to the second user according to the maintained OFD file address, the access policy collection data list and the attribute collection of the second user; the target OFD file is a target OFD file with access rights of the second user; the second user is a user of the target OFD file;
verifying the attribute set submitted by the second user according to the maintained OFD file address and the access policy set data list, and generating a decrypted OFD file according to the storage address of the target OFD file submitted by the second user and to be accessed in the distributed storage network;
the verifying the attribute set submitted by the second user comprises the following steps:
the intelligent contract encrypts an access strategy collection of the OFD file based on a homomorphic encryption algorithm to determine an access strategy ciphertext;
the intelligent contract encrypts the attribute set of the second user based on the homomorphic encryption algorithm to determine a user attribute ciphertext;
and the intelligent contract determines the verification result of the access authority of the second user to each target primitive object in the target OFD file based on the access strategy ciphertext and the user attribute ciphertext.
2. The open layout document OFD access control method according to claim 1, wherein the first device encrypts at least one primitive object in the OFD file of the first user, generating the target primitive object and the target OFD file, comprising:
the first device encrypts at least one primitive object in the OFD file by utilizing a ciphertext policy attribute-based encryption algorithm CP-ABE to generate the target primitive object and the target OFD file.
3. The open layout document OFD access control method according to claim 1, wherein the smart contract determines a verification result of the access authority of the second user to each target primitive object in the target OFD file based on the access policy ciphertext and user attribute ciphertext, comprising:
determining a verification result of the access authority of the second user to each target primitive object in the target OFD file by using the following formula:
wherein SEAL.Decrypt represents a fully homomorphic decryption algorithm; Sa represents access policy ciphertext; Sp represents a user attribute ciphertext; and represents the verification result.
4. An open format document OFD access control method, comprising:
the second device submits the attribute set of the second user to the intelligent contract to obtain a target OFD file address list set; the target OFD file is determined by the intelligent contract based on the attribute set of the second user, and the second user has access right; the target OFD file is an OFD file containing the encrypted primitive object;
the second device submits the attribute set of the second user and the storage address of the target OFD file to be accessed by the second user on the distributed storage network to an intelligent contract to obtain a decrypted OFD file; the OFD file is obtained by decrypting the target primitive object in the target OFD file based on the attribute set of the second user and the access policy set of the OFD file by the intelligent contract; the target primitive object is determined by the intelligent contract based on the attribute set of the second user and the access policy set of the OFD file, and the second user has access right; the intelligent contract is used for matching the access strategy ciphertext of the OFD file corresponding to the first device with the attribute set ciphertext corresponding to the second device through a homomorphic decryption algorithm, decrypting the OFD file by using the CP-ABE and transmitting the decrypted OFD file to the second device; the first device is used for encrypting the OFD file and sending the access strategy of the encrypted OFD file to the intelligent contract.
5. An open-format document OFD access control apparatus, comprising:
the encryption module is used for encrypting at least one primitive object in the OFD file of the first user to generate a target primitive object and a target OFD file; the target primitive object is an encrypted primitive object; the target OFD file is an OFD file containing the encrypted primitive object; the first user is an owner of the OFD file;
The storage module is used for uploading the target OFD file to a distributed storage network and acquiring a storage address of the target OFD file in the distributed storage network;
the access control module is used for submitting the storage address of the target OFD file in the distributed storage network and the access policy aggregate of the OFD file to an intelligent contract deployed on a blockchain; the access policy collection of the OFD file is used for indicating the access policy of each primitive object in the OFD file; the intelligent contract is used for verifying the attribute set submitted by the second user based on the maintained OFD file address and the access policy set data list, and controlling the access of the second user to the OFD file; the smart contract is for at least one of:
distributing attribute sets for each user;
determining an address list of at least one target OFD file corresponding to the second user according to the maintained OFD file address, the access policy collection data list and the attribute collection of the second user; the target OFD file is a target OFD file with access rights of the second user; the second user is a user of the target OFD file;
verifying the attribute set submitted by the second user according to the maintained OFD file address and the access policy set data list, and generating a decrypted OFD file according to the storage address of the target OFD file submitted by the second user and to be accessed in the distributed storage network;
The verifying the attribute set submitted by the second user comprises the following steps:
the intelligent contract encrypts an access strategy collection of the OFD file based on a homomorphic encryption algorithm to determine an access strategy ciphertext;
the intelligent contract encrypts the attribute set of the second user based on the homomorphic encryption algorithm to determine a user attribute ciphertext;
and the intelligent contract determines the verification result of the access authority of the second user to each target primitive object in the target OFD file based on the access strategy ciphertext and the user attribute ciphertext.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the open layout document OFD access control method according to any one of claims 1 to 4 when executing the program.
7. A non-transitory computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the open-layout document OFD access control method according to any one of claims 1 to 4.
CN202311191652.3A 2023-09-15 2023-09-15 Open format document OFD access control method and device Active CN116933296B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311191652.3A CN116933296B (en) 2023-09-15 2023-09-15 Open format document OFD access control method and device

Publications (2)

Publication Number Publication Date
CN116933296A CN116933296A (en) 2023-10-24
CN116933296B true CN116933296B (en) 2023-12-19

Family

ID=88375723

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant