CN117097566A - Weighted attribute proxy re-encryption information fine granularity access control system and method - Google Patents
Weighted attribute proxy re-encryption information fine granularity access control system and method Download PDFInfo
- Publication number
- CN117097566A CN117097566A CN202311349672.9A CN202311349672A CN117097566A CN 117097566 A CN117097566 A CN 117097566A CN 202311349672 A CN202311349672 A CN 202311349672A CN 117097566 A CN117097566 A CN 117097566A
- Authority
- CN
- China
- Prior art keywords
- attribute
- data
- key
- ciphertext
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 28
- 238000012163 sequencing technique Methods 0.000 claims abstract description 24
- 238000010276 construction Methods 0.000 claims description 4
- 125000004122 cyclic group Chemical group 0.000 claims description 3
- 238000012545 processing Methods 0.000 abstract description 2
- 238000013461 design Methods 0.000 description 9
- 235000009508 confectionery Nutrition 0.000 description 7
- 238000005516 engineering process Methods 0.000 description 6
- 238000013475 authorization Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 239000004744 fabric Substances 0.000 description 2
- 230000001737 promoting effect Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a weighted attribute agent re-encryption information fine-granularity access control system and a method thereof, wherein the system consists of a blockchain system and an interstellar file system, wherein the blockchain system comprises an authorization center,kThe data processing system comprises a plurality of attribute authentication centers, a data owner, a data requester and a sequencing node cluster; the method comprises the steps that an access strategy is converted into a weighted access strategy through a data owner to encrypt data; when an unauthorized user wants to access the encrypted data, the authorized user is used as a data sharing authorizer to check the data sharing request, and if the check is passed, a re-encryption key is generated and sent to the sequencing node cluster; and the sequencing node is used as a third party agent to execute agent re-encryption operation, the access strategy of the existing ciphertext is changed, and the re-encryption operation is recorded in a chain. The invention is generalEncrypted access to data is achieved in a simpler manner.
Description
Technical Field
The invention belongs to the technical field of blockchain systems, and relates to a weighted attribute proxy re-encryption information fine-granularity access control system and method.
Background
The blockchain system is used as a distributed database, and uses a specific data structure for storing data blocks in a chained combination in time sequence. The method has the characteristics of decentralization, non-tampering, traceability and the like, so that trusted data access control can be established between individuals or organizations in a low-trust network environment, and the method is suitable for realizing safe sharing of data.
In recent years, the introduction of attribute-based encryption technology effectively solves the limitation of 'all or nothing' in data sharing of the traditional public key encryption system, and promotes the development of access control towards finer granularity. The fine-grained access control plays a key role in guaranteeing the safe sharing of data in multi-user and big data application scenes. Which allows only users with specific properties to obtain data access rights through the specification of access policies. Proxy re-encryption technology allows one entity to re-encrypt encrypted data so that other entities can decrypt it without having to have the decryption key for the original data. This may be used to enable a third party agent to access and process data without decrypting the original ciphertext, while ensuring the security of the data. The attribute proxy re-encryption technology combines the attribute password and the proxy re-encryption technology, not only reserves the fine granularity access control characteristic of the traditional attribute-based encryption technology, but also realizes the dynamic update of the access strategy, and further enhances the flexibility and controllability of data security sharing.
Currently, many students implement access control of data in different scenarios using attribute-based encryption techniques and blockchain system techniques.
Document [1] (Tong Fei, shao Ranran ] study on a model of data access control on a cloud based on a blockchain system [ J ]. Computer science, 2023, 50 (09): 16-25.) proposes a personal privacy data access control scheme on a cloud based on a blockchain system. According to the scheme, an intelligent contract and a CP-ABE scheme of a multi-attribute authorization center are combined, and fine-grained access control of personal privacy data on the cloud is achieved. However, the document [1] adopts the conventional ciphertext policy attribute-based encryption technology, the ciphertext access policy cannot be updated, and when the access policy is changed, the data owner can only re-encrypt the original information and re-store the new ciphertext in the uplink.
Document [2] (Sheping, tong Tong, bai Xifang) provides a block chain system-based attribute proxy re-encryption data sharing scheme [ J/OL ]. Computer engineering and application 1-11[2023-02-17 ]) to satisfy the user fine-granularity data access control requirement, realize multi-user decryption authority authorization, and ensure the security of the data sharing process. However, document [2] requires a centralized server to complete access control processing and authorization, which is prone to single point failure, and does not consider the problem of excessive storage load of the blockchain system, and does not deviate from the limitation that the blockchain system cannot store large-volume files. Moreover, the expressivity of the access policy is closely related to the fine granularity of access control, and the existing scheme access policy can only represent binary states of "satisfied" and "unsatisfied" of a single attribute. Therefore, the existing scheme also has the problems of complex access strategy, large ciphertext volume and high encryption time cost.
Disclosure of Invention
In order to solve the problems of complex access strategy, large ciphertext volume and high encryption time cost in the prior art, the invention provides a weighted attribute proxy re-encryption information fine-granularity access control system and method.
The invention provides a weighted attribute agent re-encryption information fine-granularity access control system, which consists of a blockchain system and an interstellar file system, wherein the blockchain system comprises an authorization center, k attribute authentication centers, a data owner, a data requester and a sequencing node cluster;
storing metadata of transaction and shared data on a block chain system, wherein the metadata comprises hash values of encrypted data in an interstellar file system, and verifying the hash values after a data requester downloads the encrypted data from the interstellar file system; the authorization center is responsible for initially setting the system and generating public parameters;
the authorization center registers each user and maintains a list containing detailed information of the user for verifying the authenticity of the user;
each attribute authentication center is responsible for generating an attribute private key and an attribute public key pair for an attribute set belonging to the domain, one attribute authentication center manages a plurality of attributes, but one attribute can only be managed by one attribute authentication center; the attribute authentication center also generates a user attribute key related to the attribute of the user;
the data owner has absolute control right on the shared data, and the data owner self-defines the shared data access right, so that fine-granularity access control is realized; before uploading the data to the interstellar file system, the data owner encrypts the data using a defined weighted access policy;
the data requester consists of an authorized user and an unauthorized user; the authorized user uses the attribute private key to decrypt the ciphertext, and the unauthorized user obtains the access right by sending a data sharing request to the authorized user; when an unauthorized user wants to access the encrypted data, the authorized user is used as a data sharing authorizer to check the data sharing request, and if the check is passed, a re-encryption key is generated and sent to the sequencing node cluster;
and the sequencing node is used as a third party agent to execute agent re-encryption operation, the access strategy of the existing ciphertext is changed, and the re-encryption operation is recorded in a chain.
The invention provides a weighted attribute proxy re-encryption information fine granularity access control method which comprises four stages of system initialization, data encryption and ciphertext uplink, data ciphertext acquisition and decryption and ciphertext re-encryption.
Specifically, the system initialization phase process is as follows:
executing a function GlobalSetup by an authorization center, and generating public parameters by taking the security parameters as input parameters; calling an intelligent contract to disclose the public parameter GP to a blockchain system;
each attribute authentication center manages a part of attributes, the attribute authentication center executes a function Setup, and generates an attribute public key and an attribute private key for the attributes by taking public parameters as input parameters;
then the attribute public key is disclosed to a blockchain system, and the attribute private key is stored;
when a new user joins the blockchain system, firstly registering identity information with an authorization center, wherein the identity information comprises attribute sets and personal information, the authorization center selects a global user identifier for the user, then sends a key construction request to a corresponding attribute authentication center, and the attribute authentication center operates a KeyGen function after receiving the request, inputs an attribute private key and generates an attribute key assembly;
after receiving the attribute key assembly, the authorization center operates a KeyGen function to input the attribute key assembly, and generates an attribute key; the attribute key is then sent to the user for storage over the secure channel.
Specifically, the data encryption and ciphertext uplink process is as follows: and when a user acquires the data file, firstly decrypting the key ciphertext through a decryption algorithm to acquire the symmetric key, and then decrypting the data ciphertext through the symmetric key.
Specifically, the data ciphertext obtaining and decrypting stage: in the blockchain system, an authorized user freely inquires metadata stored in the blockchain system, and the authorized user acquires a corresponding key ciphertext and a corresponding data ciphertext from the interstellar file system through the inquired metadata; the authorized user calls the Decrypt function, inputs the key ciphertext and the attribute key, and outputs a decryption result.
Specifically, the ciphertext re-encryption stage: when an unauthorized user in a blockchain system needs to acquire data, acquiring metadata by calling an intelligent contract, then sending a data sharing request to an authorized user, wherein the request information comprises the metadata to be acquired and a global user identifier, and after the authorized user receives the data sharing request of the unauthorized user, if the authorized user receives the data sharing request of the unauthorized user, inquiring attribute information of the unauthorized user to an authorized center through the global user identifier, and defining a new weighted access strategy, wherein the new weighted access strategy comprises a global unique identifier of the unauthorized user, and the access strategy is limited to be met only by the unauthorized user; operating a re-encryption key generation algorithm reKey Gen, inputting an authorized user attribute key and a new weighted access strategy, and outputting a re-encryption key;
then the authorized user constructs re-encryption request information, the re-encryption key and metadata are sent to the sequencing node cluster, and after the sequencing node cluster receives the re-encryption request information sent by the authorized user, the re-encryption algorithm re-encrypt is operated to input the key ciphertext and the re-encryption key, and the re-encryption ciphertext is output;
the ordering node cluster returns the re-encrypted ciphertext to the authorized user, the authorized user uploads the re-encrypted ciphertext to the interstellar file system after receiving the re-encrypted ciphertext, and invokes the intelligent contract to store the storage address of the re-encrypted ciphertext and re-encrypted information, wherein the storage address comprises the global user identification of the authorized user, the global user identification of the unauthorized user, the original ciphertext information and the current timestamp, the unauthorized user uses an attribute private key to operate a decryption algorithm reDecrypt after acquiring the re-encrypted ciphertext, the re-encrypted ciphertext and an attribute key of the unauthorized user are input, a decryption result is output, and then a symmetric key and a data ciphertext are input through operating a symmetric decryption function to output a data file.
Specifically, the data encryption and ciphertext uplink process specifically includes:
data owner in block chain system generates a globally unique file number for data file, and randomly selects random number,/>Is a cyclic group of order prime number p, generating a symmetric key = -j =>Where H is a hash function, the hash function is to be usedThe element on the map to the integer field +.>Running a symmetric encryption algorithm, inputting a symmetric key and a data file, and generating a data ciphertext CF;
the data owner selects proper attributes to formulate an access strategy, and the access strategy is converted into a weighted access strategy; the data owner runs an Encrypt function, inputs an attribute public key set, a symmetric key and a weighted access strategy, and outputs a key ciphertext;
then uploading the key ciphertext and the data ciphertext to an interstellar file system, calling the intelligent contract to share metadata of the data= { UFID, , />profile is stored to the blockchain system, wherein +.>And->The storage addresses of the key ciphertext and the data ciphertext in the interstellar file system are respectively, profile is a brief introduction of a data file, and UFID is a globally unique file number.
Specifically, the access policy is a boolean expression containing "AND", "OR" AND attributes, attribute weights of the attributes are set respectively, AND are identified respectively, different attributes are represented by an attribute category having different weights, AND the attributes in the access policy are replaced by the attribute category AND the weights, so as to form a weighted access policy.
The invention has the beneficial effects that: the data owner converts the access strategy into a weighted access strategy to encrypt the data; when an unauthorized user wants to access the encrypted data, the authorized user is used as a data sharing authorizer to check the data sharing request, and if the check is passed, a re-encryption key is generated and sent to the sequencing node cluster; and the sequencing node is used as a third party agent to execute agent re-encryption operation, the access strategy of the existing ciphertext is changed, and the re-encryption operation is recorded in a chain. Data encryption and fine-grained access control are achieved in a simpler manner. In addition, the expression of the access strategy is closely related to the fine granularity characteristic of the access control and the size of the ciphertext, compared with the common access strategy, the attribute expression of the weighted access strategy is more diversified, and the complex access strategy can be converted into the more concise weighted access strategy.
Drawings
FIG. 1 is a schematic diagram of a weighted attribute proxy re-encryption information fine granularity access control system architecture.
Fig. 2 is a schematic diagram of the conversion of an access policy into a weighted access policy.
Detailed Description
As shown in fig. 1, the weighted attribute proxy re-encryption information fine granularity access control system provided by the present invention is composed of a blockchain system and an interstellar file system (Inter Planetary File System, IPFS), wherein the blockchain system comprises an authorization center (Central Authority, CA), k attribute authentication centers (Attribute Authority, AA), a Data Owner (Data Owner, DO), a Data Requester (Data Requester, DR) and a sequencing node cluster, and the detailed description of the components of the whole system is provided below.
Authorization Center (CA): the authority is responsible for initially setting up the system and generating common parameters (GP). The authorization center registers each user and maintains a list containing user details for verifying the authenticity of the user.
Attribute authentication center (AA): each attribute authentication center is responsible for generating attribute private and attribute public key pairs for the set of attributes belonging to its domain. In the present invention, one attribute authentication center may manage a plurality of attributes, but one attribute may be managed by only one attribute authentication center. The attribute verification center also generates a user attribute key associated with the attributes of the user.
Data Owner (DO): the data owner has absolute control right on the shared data, and can customize the shared data access right, thereby realizing fine-granularity access control. The data owner encrypts the data using a defined weighted access policy before uploading the data to the interstellar file system.
Data Requestor (DR): the data requester is composed of an authorized user and an unauthorized user. The authorized user can decrypt the ciphertext by using the attribute private key of the authorized user, and the unauthorized user obtains the access right by sending a data sharing request to the authorized user. When an unauthorized user wants to access the encrypted data, the authorized user is used as a data sharing authorizer to check the data sharing request, and if the check is passed, a re-encryption key is generated and sent to the sequencing node cluster.
Sorting the node clusters: the ordering node cluster is a key component to ensure consistency of transaction order in a blockchain system. In the system of the invention, the sequencing node is used as a third party agent to execute agent re-encryption operation, the existing ciphertext is subjected to access policy change, and the re-encryption operation is subjected to uplink record.
Blockchain system: the block chain system stores metadata (metadata) of the transaction and the shared data, wherein the metadata comprises hash values of encrypted data in an interstellar file system (IPFS), and the hash values can be verified after a data requester downloads the encrypted data from the interstellar file system (IPFS) so as to ensure the integrity of the encrypted data.
Interplanetary file system (IPFS): the interstellar file system is a point-to-point distributed file system integrating the Git, self-certifying file system, bitTorrent and distributed hash table. The interstellar file system is introduced into the system, so that the problems of single storage form and limited storage capacity of the block chain system are solved, and the trusted storage and sharing of encrypted data and re-encrypted data are ensured.
Each attribute authentication center (AA) respectively manages different attribute sets, generates and distributes corresponding attribute keys for the attribute sets according to the attribute sets of the users, a Data Owner (DO) encrypts data to be shared through a weighted access strategy which is defined by a user as shown in fig. 2, and uploads the encrypted ciphertext to an interstellar file system (IPFS), and only users meeting the access strategy formulated by the Data Owner (DO) can access the encrypted data, so that the Data Owner (DO) can control the access rights of other users in a fine granularity. Ciphertext needs to be downloaded from an interstellar file system (IPFS) and decrypted when a user wants to obtain shared data, so that the original data is obtained. Assuming that the user B satisfies the access structure of the encrypted data of the user a, the user B wants to access the encrypted data of the user a only by acquiring metadata (metadata) of the corresponding data from the blockchain system, then downloading the encrypted data ciphertext, decrypting the encrypted data by using the attribute key of the encrypted data ciphertext, and further acquiring the original data of the encrypted data. If the attribute set of the user C does not meet the ciphertext access structure, the original data of the encrypted data can be obtained by sending a data sharing request to the authorized user, after the ordering node cluster is re-encrypted, decrypting the re-encrypted ciphertext by using the attribute private key of the ordering node cluster.
The invention relates to a weighted attribute proxy re-encryption information fine granularity access control method which comprises four stages of system initialization, data encryption and ciphertext uplink, data ciphertext acquisition and decryption and ciphertext re-encryption.
(1) System initialization
In a blockchain system, a function GlobalSetup is first executed by a rights issuer (CA) to secure parametersFor the input parameters, a common parameter GP is generated.
(1);
Then, the intelligent contract is invoked to disclose the common parameter GP into the blockchain system.
Attribute corpus in blockchain system is u= { attr 1 , attr 2 ,…, attr j Weight set w= { W } 1 ,w 2 ,…,w n }( w 1 < w n ),attr j Represents the j-th attribute, w n Representing the n-th weight of the weight,thus, the blockchain system includes j×n weighting attributes, i.e., the weighting attribute set a= { attr 1 : w 1 ,…, attr 1 : w n ,…, attr j : w 1 ,…, attr j : w n Each attribute authentication center (AA) manages a part of attributes, and the current attribute authentication center is set as AA i ,AA i Executing a function Setup, taking a common parameter GP as an input parameter and taking the common parameter GP as an attribute attr j Generating attribute public keysAnd attribute private key->。
(2);
Then the attribute public keyPublic to blockchain system, attribute private key +.>And (5) preserving.
When a new user joins the blockchain system, firstly registering identity information with an authorization center (AA), wherein the identity information comprises an attribute set S and personal information, the authorization center (AA) selects a global user identification GID for the user, then sends a key construction request to a corresponding attribute authentication center (AA), the attribute authentication center (AA) operates a KeyGen function after receiving the request, and inputs an attribute private keyGenerate Attribute Key component->。
(3);
The authority center receives the attribute key assembly and then runs the KeyGen function to input the attribute key assembly, generates an attribute key USK,
(4);
the attribute key USK is then sent to the user for storage over the secure channel.
(2) Data encryption and ciphertext uplink
The method combines a symmetric encryption algorithm with a weighted attribute proxy re-encryption algorithm, firstly, symmetrically encrypts a data file to be encrypted to generate a symmetric data ciphertext, then, the weighted attribute proxy re-encryption algorithm is used for encrypting a symmetric key used by the symmetric encryption algorithm to generate a key ciphertext, when a user acquires the data file, firstly, the key ciphertext is decrypted through a decryption algorithm to obtain a symmetric key, and then, the symmetric key is used for decrypting the data ciphertext.
First, a Data Owner (DO) in a block chain system generates a globally unique File number UFID for a data File, and randomly selects a random number,/>Is a cyclic group of order prime number p, generating a symmetric key = -j =>Where H is a hash function, will +.>The element on the map to the integer field +.>Run symmetric encryption algorithm->And inputting a symmetric key and a data File to generate a data ciphertext CF.
(5);
The Data Owner (DO) then selects the appropriate attribute to formulate an access policy T, which is a Boolean expression containing "AND", "OR" AND attributes, such as T { ("group Length" OR "Master" OR manager ") AND (" Master "OR doctor") }. Then, the access policy T is converted into a weighted access policy WT, as shown in fig. 2, taking four attributes of staff, group leader, principal and manager as examples, and their attribute weights are set to 1,2,3 and 4 respectively, and are marked as "positions" respectively: 1"," position: 2"," position: 3"," job position: 4 "such that the four attributes may be represented by an attribute" job "having different weights. It may be any state attribute, such as "job: employee, group leader, principal, manager ", then access policy T { (" group leader "OR" principal "OR" manager ") AND (" master "OR" doctor ") } may be converted to WT {" position: 2"and (" master "OR" doctor ") }, because in the weighted access policy" job: 2 "indicates the lowest level that needs to be met, and by default" job "is included: 2"," position: 3"," job position: 4 "in comparison to access policy T { (" group leader "OR" master "OR" manager ") AND (" master "OR" doctor ") }, weighted access policy WT {" job: the representation of 2"AND (" Master "OR" doctor ") } is more flexible and compact. The Data Owner (DO) runs an Encrypt function, inputs a public key set of attributesThe symmetric key and the weighted access policy WT, and the key ciphertext CT is output.
(6);
The key ciphertext CT and the data ciphertext CF are then uploaded to the interstellar file system (IPFS), the smart contract is invoked to share the metadata = { UFID of the data, , />profile is stored to the blockchain system, wherein +.>And->Is the storage address of the key ciphertext CT and the data ciphertext CF in the interstellar file system (IPFS), profile is a profile of the data file.
(3) Data ciphertext acquisition and decryption
In the blockchain system, an authorized user can freely inquire metadata stored in the blockchain system, and the user obtains a corresponding key ciphertext CT and a corresponding data ciphertext CF from an interstellar file system (IPFS) through the inquired metadata. The authorized user calls the Decrypt function, inputs the key ciphertext CT and the attribute key USK, and outputs a decryption result.
(7);
For authorized users, user attribute sets= { "doctor", "job: 4"} is a subset of the weighted access policy WT, where the" doctor "attribute satisfies the (" master "OR" doctor ") policy," job: the weight of 4 "is 4 greater than the minimum weight of 2 for" position "in the access policy. The user can recover the symmetric key and then by running the symmetric decryption function +.>The input key and CF output a data File.
For unauthorized users, a set of user attributes= { "master", "job: 1"} is not a subset of the weighted access policy, where the" master "attribute satisfies the (" master "OR" doctor ") policy," job: the weight of 1 "is 1 less than the minimum weight of 2 for" position "in the access policy. The user obtains +.>I.e. decryption fails, and the data file cannot be acquired.
(4) Ciphertext re-encryption
When an unauthorized user in a blockchain system needs to acquire data, acquiring metadata by calling an intelligent contract, then sending a data sharing request to an authorized user, wherein the request information comprises the metadata to be acquired and a global user identification (GID), and after the authorized user receives the data sharing request of the unauthorized user, if the authorized user receives the data sharing request of the unauthorized user, inquiring attribute information of the unauthorized user to an authorization Center (CA) through the global user identification (GID), and defining a new weighted access strategy NWT {' GID 2 "AND" position: 1"AND (" Master "OR" doctor ") }, where GID 2 And limiting the access strategy to be only satisfied by the unauthorized user for the global unique identification of the unauthorized user, and ensuring the minimum range of the re-encrypted ciphertext decryption object. And running a re-encryption key generation algorithm reKeyGen, inputting an authorized user attribute key USK and a new weighted access policy NWT, and outputting a re-encryption key RK.
(8);
Then, the authorized user builds re-encryption request information, the re-encryption key RK and the metadata are sent to the sequencing node cluster, and after the sequencing node cluster receives the re-encryption request information sent by the authorized user, the re-encryption algorithm re-encrypter is operated to input the key ciphertext CT and the re-encryption key RK, and the re-encryption ciphertext RCT is output.
(9);
The sequencing node cluster returns the re-encrypted ciphertext RCT to the authorized user, the authorized user uploads the re-encrypted ciphertext RCT to the IPFS after receiving the re-encrypted ciphertext RCT and invokes the intelligent contract to store the storage address of the re-encrypted ciphertext RCT and re-encrypted information, wherein the storage address comprises a global user identification GID of the authorized user, a global user identification GID of an unauthorized user, original ciphertext information and a current timestamp to a blockchain system, the unauthorized user uses an attribute private key to run a decryption algorithm re-decrypt after acquiring the re-encrypted ciphertext RCT,
(10);
inputting the re-encrypted ciphertext and the attribute key USK of the unauthorized user, outputting a decryption result key, and then operating a symmetric decryption functionThe input symmetric key and the data ciphertext CF output the data File.
The present invention will be explained by taking a plan data access control of a design company a as an example. A Fabric alliance chain is built inside the company and maintains an inter-star file system (IPFS) private cluster.
1. System initialization phase
In the block chain system, firstly, a function GlobalSetup is executed by a authority Center (CA) node of a Fabric alliance chain, and a public parameter GP is generated by taking a security parameter 128bit as an input parameter. Then, the public parameter storage intelligent contract GPStore is called to disclose the public parameter GP to the blockchain system, and then a authority Center (CA) of the Fabric alliance chain registers detailed information for each user and generates a global user identification GID.
The attribute corpus in the blockchain system is U= { master, doctor, job, male, female, GID 1 ,GID 2 ,GID 3 },GID 1 ,GID 2 ,GID 3 The 1 st, 2 nd, 3 rd global user identities, weight set w= {1,2,3,4},position: 1,2,3,4 correspond to employee, group leader, principal, manager, respectively. The block chain system has 3 attribute authentication centers (AA), wherein the first attribute authentication center manages 'master' and 'doctor' attributes, the second attribute authentication center manages job position attributes, the third attribute authentication center manages GID attributes, and the ith attribute authentication center AA i Executing a function Setup for each attribute, generating an attribute public key for each attribute by taking a public parameter GP as an input parameterAnd attribute private key->。
There are Alice, bob, candy users in the system. When a user joins the blockchain system, firstly registering identity information with an authorization center, wherein the identity information comprises an attribute set S and personal information, the authorization center selects a global user identification GID for the user, then sends a key construction request to a corresponding attribute authentication center, the attribute authentication center operates a KeyGen function after receiving the request, and inputs an attribute private keyGenerate Attribute Key component->. And after receiving the attribute key component, the attribute authentication center operates a KeyGen function to input the attribute key component, and generates an attribute key USK for the user.
After the system initialization is completed, all three users have an attribute key USK and a global user identifier GID:
Alice={ Alice ,S 1 =(GID 1 doctor, employee, male), USK Alice };
Bob={ Bob ,S 2 =(GID 2 Doctor, owner, male), USK Bob };
Candy={ Candy ,S 3 =(GID 3 Master, staff, women), USK Candy }。
2. Data encryption and ciphertext uplink
The design department completes the design of the propaganda poster, in order to prevent the leakage of the design source file, the company prescribes that the data uplink of all design files must be personally executed by the designer himself, and the preset access policy is set to be accessible to personnel with positions at group length and above, and other personnel must initiate data sharing application to authorized users in the blockchain system for the access of the encrypted data.
Firstly, alice generates a globally unique File number UFID for a data File, randomly generates a symmetric key, and runs a symmetric encryption algorithmAnd inputting a symmetric key, propaganda poster design source data File, and generating a data ciphertext CF.
Alice then formulates a weighted access policy WT { "job: 2"}. And running an Encrypt function to generate a key ciphertext CT. Alice uploads the symmetric data ciphertext CF and the key ciphertext CT to an IPFS, which generates a unique index for CF and CTAndand returns to Alice, who stores metadata metadata= { UFID, ++for shared data by calling metadata store of smart contract metadata> , />Profile= "promotional poster design source data file" } is stored to the blockchain system.
3. Data ciphertext acquisition and decryption
In the blockchain system, bob and Candy can freely query metadata stored in the blockchain system, and Bob obtains a corresponding key ciphertext CT and a corresponding data ciphertext CF from the IPFS through the queried metadata. Bob uses his own attribute key USK Bob And calling the Decrypt function, wherein the position of Bob is the principal, the weight of the principal is 3, and the weight is greater than the minimum position weight 2 in the weighted access strategy, so that Bob meets the weighted access strategy, and can successfully Decrypt to obtain the key so as to obtain the propaganda poster design source data File.
4. Ciphertext re-encryption
Candy is a source file of a promotional poster that an unauthorized user cannot acquire through normal decryption operations. Acquiring metadata by calling an intelligent contract, then sending a data sharing request to Bob, wherein the request information comprises metadata and GID (global information storage) to be acquired, and after Bob receives the data sharing request of Candy, if Bob receives the data sharing request of Candy, inquiring attribute information of a user to an authorization center through the GID, and defining a new weighted access strategy NWT { "GID 3 "AND" position: 1' }, running a re-encryption key generation algorithm reKeyGen, and inputting a Bob attribute key USK Bob And a new weighted access policy NWT, outputting the re-encryption key RK.
And then Bob builds re-encryption request information, sends the re-encryption key RK and the metadata to the sequencing node cluster, and runs a re-encryption algorithm re-encryption to generate a re-encryption ciphertext RCT after the sequencing node cluster receives the re-encryption request information sent by Bob.
The sequencing node cluster returns the re-encryption ciphertext RCT to Bob, and after Bob receives the RCT, the RCT is uploaded to IPFS and invokes re-encryption operation to store the storage address of the RCT and GID of the intelligent contract renfo store 2 、GID 3 Storing metadata and a current timestamp into a blockchain system, and using an attribute key USK after Candy acquires a re-encrypted ciphertext RCT Candy Executing a decryption algorithm reDecrypt to obtain a symmetric key, and then executing a symmetric decryption functionAnd acquiring a propaganda poster design source data File.
Claims (8)
1. The weighted attribute agent re-encryption information fine-granularity access control system is characterized by comprising a blockchain system and an interstellar file system, wherein the blockchain system comprises an authorization center, k attribute authentication centers, a data owner, a data requester and a sequencing node cluster;
storing metadata of transaction and shared data on a block chain system, wherein the metadata comprises hash values of encrypted data in an interstellar file system, and verifying the hash values after a data requester downloads the encrypted data from the interstellar file system; the authorization center is responsible for initially setting the system and generating public parameters;
the authorization center registers each user and maintains a list containing detailed information of the user for verifying the authenticity of the user;
each attribute authentication center is responsible for generating an attribute private key and an attribute public key pair for an attribute set belonging to the domain, one attribute authentication center manages a plurality of attributes, but one attribute can only be managed by one attribute authentication center; the attribute authentication center also generates a user attribute key related to the attribute of the user;
the data owner has absolute control right on the shared data, and the data owner self-defines the shared data access right, so that fine-granularity access control is realized; before uploading the data to the interstellar file system, the data owner encrypts the data using a defined weighted access policy;
the data requester consists of an authorized user and an unauthorized user; the authorized user uses the attribute private key to decrypt the ciphertext, and the unauthorized user obtains the access right by sending a data sharing request to the authorized user; when an unauthorized user wants to access the encrypted data, the authorized user is used as a data sharing authorizer to check the data sharing request, and if the check is passed, a re-encryption key is generated and sent to the sequencing node cluster;
and the sequencing node is used as a third party agent to execute agent re-encryption operation, the access strategy of the existing ciphertext is changed, and the re-encryption operation is recorded in a chain.
2. A weighted attribute proxy re-encryption information fine granularity access control method is characterized in that the weighted attribute proxy re-encryption information fine granularity access control system is utilized to execute four stages of system initialization, data encryption and ciphertext uplink, data ciphertext acquisition and decryption and ciphertext re-encryption.
3. The weighted attribute proxy re-encryption information fine granularity access control method of claim 2, wherein the system initialization phase process is:
executing a function GlobalSetup by an authorization center, and generating public parameters by taking the security parameters as input parameters; calling an intelligent contract to disclose the public parameter GP to a blockchain system;
each attribute authentication center manages a part of attributes, the attribute authentication center executes a function Setup, and generates an attribute public key and an attribute private key for the attributes by taking public parameters as input parameters;
then the attribute public key is disclosed to a blockchain system, and the attribute private key is stored;
when a new user joins the blockchain system, firstly registering identity information with an authorization center, wherein the identity information comprises attribute sets and personal information, the authorization center selects a global user identifier for the user, then sends a key construction request to a corresponding attribute authentication center, and the attribute authentication center operates a KeyGen function after receiving the request, inputs an attribute private key and generates an attribute key assembly;
after receiving the attribute key assembly, the authorization center operates a KeyGen function to input the attribute key assembly, and generates an attribute key; the attribute key is then sent to the user for storage over the secure channel.
4. The weighted attribute proxy re-encryption information fine granularity access control method according to claim 2, wherein the data encryption and ciphertext uplink process is: and when a user acquires the data file, firstly decrypting the key ciphertext through a decryption algorithm to acquire the symmetric key, and then decrypting the data ciphertext through the symmetric key.
5. The weighted attribute proxy re-encryption information fine-granularity access control method according to claim 2, wherein the data ciphertext obtaining and decrypting stage: in the blockchain system, an authorized user freely inquires metadata stored in the blockchain system, and the authorized user acquires a corresponding key ciphertext and a corresponding data ciphertext from the interstellar file system through the inquired metadata; the authorized user calls the Decrypt function, inputs the key ciphertext and the attribute key, and outputs a decryption result.
6. The weighted attribute proxy re-encryption information fine-granularity access control method of claim 2, wherein the ciphertext re-encryption phase: when an unauthorized user in a blockchain system needs to acquire data, acquiring metadata by calling an intelligent contract, then sending a data sharing request to an authorized user, wherein the request information comprises the metadata to be acquired and a global user identifier, and after the authorized user receives the data sharing request of the unauthorized user, if the authorized user receives the data sharing request of the unauthorized user, inquiring attribute information of the unauthorized user to an authorized center through the global user identifier, and defining a new weighted access strategy, wherein the new weighted access strategy comprises a global unique identifier of the unauthorized user, and the access strategy is limited to be met only by the unauthorized user; operating a re-encryption key generation algorithm reKey Gen, inputting an authorized user attribute key and a new weighted access strategy, and outputting a re-encryption key;
then the authorized user constructs re-encryption request information, the re-encryption key and metadata are sent to the sequencing node cluster, and after the sequencing node cluster receives the re-encryption request information sent by the authorized user, the re-encryption algorithm re-encrypt is operated to input the key ciphertext and the re-encryption key, and the re-encryption ciphertext is output;
the ordering node cluster returns the re-encrypted ciphertext to the authorized user, the authorized user uploads the re-encrypted ciphertext to the interstellar file system after receiving the re-encrypted ciphertext, and invokes the intelligent contract to store the storage address of the re-encrypted ciphertext and re-encrypted information, wherein the storage address comprises the global user identification of the authorized user, the global user identification of the unauthorized user, the original ciphertext information and the current timestamp, the unauthorized user uses an attribute private key to operate a decryption algorithm reDecrypt after acquiring the re-encrypted ciphertext, the re-encrypted ciphertext and an attribute key of the unauthorized user are input, a decryption result is output, and then a symmetric key and a data ciphertext are input through operating a symmetric decryption function to output a data file.
7. The method for controlling fine-granularity access to weighted attribute proxy re-encryption information according to claim 2, wherein the data encryption and ciphertext uplink process specifically comprises:
data owner in block chain system generates a globally unique file number for data file, and randomly selects random number,/>Is a cyclic group of order prime number p, generating a symmetric key = -j =>Where H is a hash function, will +.>The element on the map to the integer field +.>Running a symmetric encryption algorithm, inputting a symmetric key and a data file, and generating a data ciphertext CF;
the data owner selects proper attributes to formulate an access strategy, and the access strategy is converted into a weighted access strategy; the data owner runs an Encrypt function, inputs an attribute public key set, a symmetric key and a weighted access strategy, and outputs a key ciphertext;
then uploading the key ciphertext and the data ciphertext to an interstellar file system, and calling the intelligenceMetadata= { UFID of the shared data can be contracted,,/>profile is stored to the blockchain system, wherein +.>And->The storage addresses of the key ciphertext and the data ciphertext in the interstellar file system are respectively, profile is a brief introduction of a data file, and UFID is a globally unique file number.
8. The method of claim 7, wherein the access policy is a boolean expression containing "AND", "OR" AND attributes, the attribute weights of the attributes are set respectively, AND the attributes are identified respectively, different attributes are represented by an attribute category having different weights, AND the attributes in the access policy are replaced by the attribute category AND weights, so as to form the weighted access policy.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311349672.9A CN117097566B (en) | 2023-10-18 | 2023-10-18 | Weighted attribute proxy re-encryption information fine granularity access control system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311349672.9A CN117097566B (en) | 2023-10-18 | 2023-10-18 | Weighted attribute proxy re-encryption information fine granularity access control system and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117097566A true CN117097566A (en) | 2023-11-21 |
| CN117097566B CN117097566B (en) | 2024-01-26 |
Family
ID=88773804
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311349672.9A Active CN117097566B (en) | 2023-10-18 | 2023-10-18 | Weighted attribute proxy re-encryption information fine granularity access control system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117097566B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117527445A (en) * | 2024-01-02 | 2024-02-06 | 江苏荣泽信息科技股份有限公司 | Data sharing system based on re-encryption and distributed digital identity |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111191288A (en) * | 2019-12-30 | 2020-05-22 | 中电海康集团有限公司 | Block chain data access authority control method based on proxy re-encryption |
| US20200313856A1 (en) * | 2019-03-29 | 2020-10-01 | 0Chain, LLC | Systems and methods of blockchain platform for intermediaries and passwordless login |
| CN112734572A (en) * | 2021-01-07 | 2021-04-30 | 华南农业大学 | Fine-grained access control method and system based on double block chains |
| CN112836229A (en) * | 2021-02-10 | 2021-05-25 | 北京深安信息科技有限公司 | Attribute-based encryption and block-chaining combined trusted data access control scheme |
| CN113360925A (en) * | 2021-06-04 | 2021-09-07 | 中国电力科学研究院有限公司 | Method and system for storing and accessing trusted data in electric power information physical system |
| CN113961535A (en) * | 2021-11-26 | 2022-01-21 | 北京航空航天大学 | Data trusted storage sharing system and method based on block chain |
| CN113992330A (en) * | 2021-10-30 | 2022-01-28 | 贵州大学 | Block chain data controlled sharing method and system based on proxy re-encryption |
| CN114039790A (en) * | 2021-11-23 | 2022-02-11 | 重庆邮电大学 | Block chain-based fine-grained cloud storage security access control method |
| CN114065265A (en) * | 2021-11-29 | 2022-02-18 | 重庆邮电大学 | Fine-grained cloud storage access control method, system and equipment based on block chain technology |
| CN114708939A (en) * | 2022-04-14 | 2022-07-05 | 安徽师范大学 | Medical data sharing system based on block chain and access authority proxy method |
| CN114826703A (en) * | 2022-04-11 | 2022-07-29 | 江苏大学 | Block chain-based data search fine-grained access control method and system |
| CN115987592A (en) * | 2022-12-15 | 2023-04-18 | 山东省计算中心(国家超级计算济南中心) | Block chain-based mobile medical internet of things fine-grained access control method and system |
| US20230138102A1 (en) * | 2021-11-02 | 2023-05-04 | Electronics And Telecommunications Research Institute | Method and system for managing decentralized data using attribute-based encryption |
| CN116318630A (en) * | 2023-03-16 | 2023-06-23 | 哈尔滨工业大学 | Space environment ground simulation device data safety sharing method based on block chain |
| CN116680241A (en) * | 2023-01-31 | 2023-09-01 | 北京邮电大学 | Electronic government affair data safe sharing method based on blockchain |
-
2023
- 2023-10-18 CN CN202311349672.9A patent/CN117097566B/en active Active
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200313856A1 (en) * | 2019-03-29 | 2020-10-01 | 0Chain, LLC | Systems and methods of blockchain platform for intermediaries and passwordless login |
| CN111191288A (en) * | 2019-12-30 | 2020-05-22 | 中电海康集团有限公司 | Block chain data access authority control method based on proxy re-encryption |
| CN112734572A (en) * | 2021-01-07 | 2021-04-30 | 华南农业大学 | Fine-grained access control method and system based on double block chains |
| CN112836229A (en) * | 2021-02-10 | 2021-05-25 | 北京深安信息科技有限公司 | Attribute-based encryption and block-chaining combined trusted data access control scheme |
| CN113360925A (en) * | 2021-06-04 | 2021-09-07 | 中国电力科学研究院有限公司 | Method and system for storing and accessing trusted data in electric power information physical system |
| CN113992330A (en) * | 2021-10-30 | 2022-01-28 | 贵州大学 | Block chain data controlled sharing method and system based on proxy re-encryption |
| US20230138102A1 (en) * | 2021-11-02 | 2023-05-04 | Electronics And Telecommunications Research Institute | Method and system for managing decentralized data using attribute-based encryption |
| CN114039790A (en) * | 2021-11-23 | 2022-02-11 | 重庆邮电大学 | Block chain-based fine-grained cloud storage security access control method |
| CN113961535A (en) * | 2021-11-26 | 2022-01-21 | 北京航空航天大学 | Data trusted storage sharing system and method based on block chain |
| CN114065265A (en) * | 2021-11-29 | 2022-02-18 | 重庆邮电大学 | Fine-grained cloud storage access control method, system and equipment based on block chain technology |
| CN114826703A (en) * | 2022-04-11 | 2022-07-29 | 江苏大学 | Block chain-based data search fine-grained access control method and system |
| CN114708939A (en) * | 2022-04-14 | 2022-07-05 | 安徽师范大学 | Medical data sharing system based on block chain and access authority proxy method |
| CN115987592A (en) * | 2022-12-15 | 2023-04-18 | 山东省计算中心(国家超级计算济南中心) | Block chain-based mobile medical internet of things fine-grained access control method and system |
| CN116680241A (en) * | 2023-01-31 | 2023-09-01 | 北京邮电大学 | Electronic government affair data safe sharing method based on blockchain |
| CN116318630A (en) * | 2023-03-16 | 2023-06-23 | 哈尔滨工业大学 | Space environment ground simulation device data safety sharing method based on block chain |
Non-Patent Citations (3)
| Title |
|---|
| AMEER KHADIM HADI; SHAHAD SALEM: "A proposed methodology to use a Block-chain in Supply Chain Traceability", 《2021 4TH INTERNATIONAL IRAQI CONFERENCE ON ENGINEERING TECHNOLOGY AND THEIR APPLICATIONS (IICETA)》 * |
| 吴立强;韩益亮;杨晓元;张敏情;杨凯;: "基于理想格的鲁棒门限代理重加密方案", 电子学报, no. 09 * |
| 李莉;曾庆贤;文义红;王士成;: "基于区块链与代理重加密的数据共享方案", 信息网络安全, no. 08 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117527445A (en) * | 2024-01-02 | 2024-02-06 | 江苏荣泽信息科技股份有限公司 | Data sharing system based on re-encryption and distributed digital identity |
| CN117527445B (en) * | 2024-01-02 | 2024-03-12 | 江苏荣泽信息科技股份有限公司 | Data sharing system based on re-encryption and distributed digital identity |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117097566B (en) | 2024-01-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109768858B (en) | Multi-authorization-based attribute encryption access control system in cloud environment and design method | |
| Zhou et al. | Achieving secure role-based access control on encrypted data in cloud storage | |
| CN108632030B (en) | CP-ABE-based fine-grained access control method | |
| CN108322447B (en) | Data sharing method and system under cloud environment, terminal and cloud server | |
| CN106059763B (en) | The properties base multi-mechanism hierarchical Ciphertext policy weight encryption method of cloud environment | |
| Fan et al. | TraceChain: A blockchain‐based scheme to protect data confidentiality and traceability | |
| CN111431898B (en) | Multi-attribute mechanism attribute-based encryption method with search function for cloud-assisted Internet of things | |
| CN104158880B (en) | User-end cloud data sharing solution | |
| CN117097566B (en) | Weighted attribute proxy re-encryption information fine granularity access control system and method | |
| CN113411323B (en) | Medical record data access control system and method based on attribute encryption | |
| Ma et al. | Revocable attribute-based encryption scheme with efficient deduplication for ehealth systems | |
| CN104144057B (en) | A kind of CP ABE methods for generating secure decryption key | |
| CN106612175A (en) | Proxy re-encryption algorithm for multi-element access control in mobile cloud | |
| CN117097469A (en) | Data hierarchical access control method based on attribute encryption | |
| CN113132345A (en) | Agent privacy set intersection method with searchable function | |
| CN117200966A (en) | Trusted authorization data sharing method based on distributed identity and alliance chain | |
| CN116611083A (en) | Medical data sharing method and system | |
| CN114826759A (en) | Verifiable fine-grained access control inner product function encryption method | |
| Chennam et al. | Cloud security in crypt database server using fine grained access control | |
| CN114490551A (en) | File security outsourcing and sharing method based on alliance chain | |
| CN114244567A (en) | CP-ABE method for supporting circuit structure in cloud environment | |
| Merdassi et al. | A new LTMA-ABE location and time access security control scheme for mobile cloud | |
| Xu et al. | Enforcing access control in distributed version control systems | |
| CN114567436B (en) | Biological characteristic data security access control method | |
| Gao et al. | TSM: An Efficient Time-Sensitive Data Sharing Scheme in Cloud Storage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |