CN117896180B - Multi-system networking method based on attribute-based encryption technology, intelligent device and storage medium thereof - Google Patents
- Publication number: CN117896180B (application number CN202410288764.9A)
- Authority: CN (China)
- Prior art keywords: networking, attribute, applicant, attributes, access control
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
    - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
      - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
        - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
          - H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    - H04L9/40—Network security protocols
Abstract
The invention belongs to the technical field of information encryption and access control, and provides a multi-system networking mechanism based on attribute-based encryption technology, intelligent equipment and a storage medium thereof. In the multi-system networking mechanism, a networking initiator initiates networking by issuing a networking credential ciphertext to the cloud. A networking applicant who wishes to join the networking downloads the networking certificate ciphertext and sends its attributes to the proxy agent. The proxy agent updates the networking applicant's attributes and matches the access control policy against the new attributes. The networking applicant decrypts the networking credentials using the matching attributes, acquires the networking public key from the networking certificate, encrypts its registration information with the networking public key and transmits it to the networking server. The networking server verifies the registration information, registers the networking applicant and returns the networking password. The attribute-based encryption method used by the networking mechanism has attribute-updating capability, so enterprise boundaries can be crossed to construct a multi-system networking.
Description
Technical Field
The invention relates to the technical field of information encryption and access control, in particular to a multi-system networking mechanism based on attribute-based encryption technology, intelligent equipment and a storage medium thereof.
Background
With the development of the era, the problems of learning cost, deployment cost and data islands in traditional enterprise resource management systems have become more pronounced. One solution is to split the enterprise resource management system into multiple subsystems, one per enterprise department, and deploy them to the cloud to reduce costs; the department systems of the same or different companies are then added to the same networking through networking technology, which solves the data-island problem. However, although conventional public key encryption can ensure the security of the networking credentials that must be shared during networking, the encryption overhead grows with the number of networked systems, and fine-grained access control cannot be provided.
Attribute-based encryption is an advanced encryption technology that can provide networking services for N systems through a single encryption and offers fine-grained access control. However, because the business logic and security requirements of enterprises differ, the attribute spaces used by different enterprises, and the meaning, encoding and values of the attributes within them, also differ. This hinders data sharing between enterprises. It is necessary to update the attributes of the enterprise accessing the data so that it can decrypt data encrypted under the access control policy of the enterprise delivering the data.
Disclosure of Invention
The invention aims to provide a multi-system networking mechanism which solves the problems of high encryption overhead and lack of fine-grained access control for the data shared during networking in multi-system networking mechanisms built on traditional public key cryptography. It also solves the problems that a multi-system networking mechanism built on traditional attribute-based encryption cannot network with the department systems of other enterprises and exposes the access control policy in plaintext.
In order to achieve the above purpose, the invention adopts the following technical scheme: a multi-system networking mechanism based on attribute-based encryption technology, comprising the steps of:
Step one: the key center issues a public key to the networking initiator and keeps the master key itself; from the attribute spaces of the two enterprises the key center generates an attribute mapping relation and sends it to the proxy agent; using the networking applicant's attributes, the key center generates the networking applicant's private key and sends it to the networking applicant;
Step two: the networking initiator encrypts the networking certificate under the access control policy and the public key to obtain the networking certificate ciphertext and sends it to the cloud service provider; at the same time it sends the access control policy to the proxy agent, which maps it into a cuckoo filter; the networking initiator also sends the networking certificate private key to the networking server;
Step three: the networking applicant downloads the networking certificate ciphertext from the cloud service provider;
Step four: the networking applicant sends its attributes together with the identity identifiers of the two enterprises to the proxy agent;
Step five: the proxy agent uses the two identifiers to look up the stored attribute mapping relation, updates the networking applicant's attributes to the corresponding attributes in the initiator's enterprise, matches them against the access control policy, and returns the matching result;
Step six: from the matching result the networking applicant takes a full-rank submatrix, computes from its inverse the parameters that restore the shared secret, applies its private key, and then recovers the networking certificate;
Step seven: the networking applicant obtains the networking public key from the networking certificate, encrypts its registration information with the networking public key and sends it to the networking server;
Step eight: the networking server decrypts the registration information and adds the networking applicant to the networking.
Further, a networking applicant from enterprise B whose attributes lie in B's attribute space can on its own decrypt only networking credentials issued by a networking sponsor in B; but its attributes can be updated to the corresponding attributes in enterprise A, so that it can decrypt networking certificates issued by a networking initiator in A, realizing cross-domain networking.
Further, the networking applicant sends its own attributes to the proxy agent and receives back the attributes that match the access control policy of the networking sponsor in A.
Further, the networking applicant uses the attributes that match the access control policy and its private key to decrypt the networking credentials, acquires the networking public key from the networking credentials, encrypts its registration information with the networking public key, and sends the registration information to the networking server.
Further, the proxy agent is a computing and storage device that, through the attribute mapping relation stored in a cuckoo filter, updates the networking applicant's attributes in enterprise B to the corresponding attributes in enterprise A.
Further, when the two enterprise identifiers are equal, the proxy agent directly queries and returns the part of the networking applicant's attributes that satisfies the access control policy as the matching attributes; when they are not equal, it first queries the attribute mapping relation, returns the corresponding attributes in A, and then queries which of those attributes satisfy the access control policy.
Compared with the prior art, the invention has the following beneficial effects:
1. The attribute-based encryption method used in the multi-system networking mechanism has strong attribute-updating capability, so that the department systems of different enterprises can safely join the same networking. This allows an enterprise to build a variety of data-enabling modes, including the digital supply chain, by authorizing specific departments of outside enterprises to participate in data sharing.
2. With attribute-based encryption in the multi-system networking mechanism, a networking initiator can safely share the networking credentials with N networking applicants by encrypting and sending them only once. When N is sufficiently large, the advantage of low encryption and transmission overhead is evident, and fine-grained access control is provided for the sharing of networking credentials.
Drawings
FIG. 1 is a flow chart of a multi-system networking mechanism based on attribute-based encryption technology according to the present invention.
FIG. 2 is a schematic diagram of a process for updating and matching attributes of a production system of a steel plant according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of a registration process of a production system of a steel plant in an embodiment of the present invention.
FIG. 4 is a schematic flow chart of the steel plant production system requesting the quotation API of the iron ore plant sales system in the embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments.
The technical scheme of the invention is described in detail below by specific examples. The following specific embodiments may be combined with or replaced with each other according to actual situations, and the same or similar concepts or processes may not be described in detail in some embodiments.
The invention describes a multi-system networking mechanism based on attribute-based encryption technology and an integrated technical scheme of combination of intelligent equipment and storage media of the multi-system networking mechanism.
The invention provides a schematic diagram of the networking server registering the production system of a steel plant into a networking initiated by the sales system of an iron ore plant, within a multi-system networking mechanism based on attribute-based encryption technology, as shown in figs. 1 to 3; the method comprises the following steps:
S1, the key center sets up two multiplicative cyclic groups of prime order and a bilinear map between them. It randomly selects a generator of the first group and random exponents, associates a random value with each attribute in the attribute space of the iron ore plant, computes the public key components from them, and generates the public key of the key center in the iron ore plant. The master key of the key center is kept secret by the key center.
S2, the key center queries the attribute space of the steel plant. According to constraints provided in advance by the steel plant, such as (job: sales manager, annual pay between 30W and 40W) = (job: advanced bench worker, annual pay between 20W and 30W), it generates an attribute mapping relation among part of the attributes: if an attribute in the attribute space of the iron ore plant and an attribute in the attribute space of the steel plant are recorded as equal, the random numbers corresponding to the attributes noted as equal are equal. The mapping relation is sent to the proxy agent and stored in a cuckoo filter. To store one entry of the mapping, the cuckoo filter calls a hash function to generate the fingerprints of the two attributes, then uses two index functions to map them to a position sequence in the first table and a position sequence in the second table, and stores the entry in any empty position of the first sequence and any empty position of the second sequence. On a collision, any item in the position sequence is picked out and the entry is inserted at the picked item's position; the picked item re-invokes the index function to map a new position sequence and is inserted there; if no collision occurs the insertion succeeds, otherwise the index algorithm is invoked again. When the remaining space after an insertion drops below 1/4, a new space of half the currently used space is created for the table. Following this procedure, the entries of the mapping are stored one by one in the two tables.
S3, the key center sends the public key to a sales system of the iron ore plant。
S4, the key center selects a random number, inputs the production system attributes of the steel plant and calculates the private key used by the production system of the steel plant as follows. The key center then sends the private key of the production system to the production system.
S4, the sales system of the iron ore plant initiates networking and generates a networking certificate with the networking information
CertInfo = initiator enterprise: iron ore plant, sponsor: sales system, networking public key: PK Networking system , networking number: 99868676.
S5, the sales system of the iron ore plant selects the access control policy, randomly selects the shared secret and builds the vector from it and random numbers, selects further random values, inputs the public key and the networking credentials, and computes the networking certificate ciphertext:
S6, the sales system sends the networking certificate ciphertext to the cloud. The sales system of the networking sponsor, the iron ore plant, sends the networking certificate private key to the networking server, so that the networking server can verify whether the production system of the steel plant, the networking applicant, has decrypted the networking certificate; if so, the production system can acquire the networking public key contained in the networking certificate.
S7, the sales system uses a function to convert the access control policy into an access matrix whose i-th row is associated with an attribute satisfying the access control policy, and sends the matrix to the proxy agent.
S8, the cuckoo filter of the proxy agent calls the index function to map each received row to a position sequence of 4 different positions in the cuckoo filter and stores it at a randomly chosen empty position among the 4. If all 4 positions are occupied, an element is randomly kicked out and the new row is stored at the kicked element's position. The index function is invoked again to map the kicked element to a new position sequence; if that sequence is also fully occupied, an element is kicked out of it in turn and the displaced element is stored at its position. The procedure repeats until an insertion displaces nothing more, at which point it succeeds. In particular, to reduce the collision rate, when the remaining space after an insertion is less than 1/4, the proxy automatically creates a new space for the cuckoo filter that is half of the used space. The proxy agent repeatedly invokes the insertion function of the cuckoo filter until all received rows are stored in the cuckoo filter.
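The cuckoo-filter behaviour described in S2, S8 and S13 (a fingerprint per attribute, several candidate positions, kick-out on collision, growth by half of the used space once free space drops below 1/4, and a membership query used for attribute matching), as an added Python example that is not part of the patent or its embodiment. The hash, the index functions, the 4-byte fingerprint length, the table sizes and the attribute strings are our own choices and constructed sample data.

```python
import hashlib
import random


class CuckooFilter:
    """Cuckoo filter in the shape the page describes (S2, S8, S13): attributes are
    stored only as short fingerprints, each fingerprint has several candidate
    slots, a full set of candidates triggers a kick-out of one occupant, and the
    table grows by half of the used space once free space drops below 1/4.
    Sizes and hash choices here are our own, not the patent's."""

    def __init__(self, capacity=8, positions=4, max_kicks=50, seed=0):
        self.table = [None] * capacity
        self.positions = positions      # candidate slots per fingerprint (S8 uses 4)
        self.max_kicks = max_kicks      # bound on a kick-out chain before growing
        self.count = 0                  # fingerprints currently held
        self.rng = random.Random(seed)  # seeded so the example is reproducible

    @staticmethod
    def fingerprint(attribute):
        # Hash function H: the filter keeps a 4-byte fingerprint, never the attribute text.
        return hashlib.sha256(attribute.encode()).digest()[:4]

    def _candidates(self, fp):
        # Index function: derive the candidate slots from the fingerprint alone, so a
        # lookup or a re-insertion after a kick-out never needs the attribute itself.
        n = len(self.table)
        slots = []
        for i in range(self.positions):
            h = hashlib.sha256(fp + bytes([i])).digest()
            slot = int.from_bytes(h[:4], "big") % n
            if slot not in slots:
                slots.append(slot)
        return slots

    def _place(self, fp):
        """Store fp; returns None on success, or the fingerprint still homeless
        after max_kicks evictions."""
        for _ in range(self.max_kicks):
            slots = self._candidates(fp)
            for s in slots:
                if self.table[s] is None:
                    self.table[s] = fp
                    return None
            victim = self.rng.choice(slots)          # all candidates full: kick one out
            fp, self.table[victim] = self.table[victim], fp
        return fp

    def _rebuild(self, fps, new_size):
        # Re-hash every fingerprint into a larger table; enlarge again if it still fails.
        self.table = [None] * new_size
        for i, fp in enumerate(fps):
            leftover = self._place(fp)
            if leftover is not None:
                rest = [leftover] + fps[i + 1:] + [x for x in self.table if x is not None]
                return self._rebuild(rest, new_size + max(1, new_size // 2))

    def insert(self, attribute):
        leftover = self._place(self.fingerprint(attribute))
        self.count += 1
        grow_to = len(self.table) + max(1, self.count // 2)   # "half of the used space"
        if leftover is not None:
            self._rebuild([leftover] + [x for x in self.table if x is not None], grow_to)
        elif len(self.table) - self.count < len(self.table) / 4:
            self._rebuild([x for x in self.table if x is not None], grow_to)
        return True

    def contains(self, attribute):
        fp = self.fingerprint(attribute)
        return any(self.table[s] == fp for s in self._candidates(fp))


def match_policy_attributes(policy_filter, applicant_attributes):
    """S13-style query: which of the applicant's (already updated) attributes does
    the proxy's filter report as satisfying the access control policy."""
    return [a for a in applicant_attributes if policy_filter.contains(a)]


if __name__ == "__main__":
    # Constructed sample: the initiator's policy attributes go into the proxy's filter.
    proxy_filter = CuckooFilter(seed=2)
    for attr in ["job:sales manager", "annual pay:30W-40W"]:
        proxy_filter.insert(attr)
    print(match_policy_attributes(proxy_filter,
                                  ["job:sales manager", "region:north", "annual pay:30W-40W"]))
```

A cuckoo filter answers membership approximately: it never misses a stored fingerprint, but a query can succeed for an attribute the policy never contained, with probability that shrinks as the fingerprint grows. In the proxy's matching step such a false positive only produces a spurious match report; the applicant's private key carries no component for an attribute it does not hold, so the reconstruction in the following steps still fails rather than granting access.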
S9, the steel plant production department downloads networking certificate ciphertext from the cloud.
S10, the production department sends its own attributes to the proxy agent. The proxy agent updates the production department attributes and matches them using the cuckoo filter. The specific process can be seen with reference to fig. 2.
S11, first, the proxy agent receives the identity tags and finds the corresponding attribute mapping relation in the table stored in the cuckoo filter.
S12, if the two identity tags are equal, the production system and the sales system belong to the same company and the updated attributes are identical to the original ones. If they are not equal, the two do not belong to the same company, and the proxy agent updates the production system attributes as follows to obtain the updated attributes available in the iron ore plant: for each attribute of the production system, take the corresponding row of the access matrix and compute its fingerprint, then use the index function to query the rows of the access matrix in the cuckoo filter. For example, when the attribute value (77 778 778 88) is used, the cuckoo filter returns (77 778 778 88, 99 978 668 79), and 99 978 668 79 is added to the access matrix corresponding to the updated attributes. Each row is processed in this way and inserted into the updated access matrix, yielding the updated attributes of the production system in the iron ore plant.
S13, the proxy agent uses the hash function to generate the hash fingerprint of each updated attribute and uses the index function to find out whether the cuckoo filter stores an access control policy that the attribute can satisfy. When it does, the row of the corresponding access matrix is added to the access matrix of the matching attributes. The proxy agent returns to the production system of the steel plant the rows of the access matrix corresponding to the attributes that satisfy the access control policy. The production system takes these rows to construct a full-rank submatrix; because it is full rank, the production system can compute the reconstruction parameters from its inverse, records the set of attributes corresponding to its rows, substitutes its private key and calculates. It then recalculates the networking credentials.
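Steps five and six of the scheme and S12/S13 of the embodiment (attribute update through the mapping relation, matching rows of the access matrix, the full-rank submatrix and recovery of the shared secret), carried through in Python with ordinary modular arithmetic instead of pairings. This is an added example, not the patent's construction: the field order P, the access matrix, the attribute strings and the mapping table are constructed for it. It generalises the page's square full-rank submatrix to any set of matched rows by solving for the reconstruction coefficients directly, which covers the invertible case and also detects the case where the matched rows do not satisfy the policy.

```python
import random

P = 2**61 - 1   # prime field order for the shares (our choice; the patent leaves p unspecified)

# Access control policy of the initiator (enterprise A, the iron ore plant) as an LSSS
# access matrix; RHO names the attribute of each row. The matrix encodes
# "(job:sales manager AND annual pay:30W-40W) OR job:general manager": rows 0 and 1
# sum to (1,0), row 2 alone is (1,0). Attribute strings are constructed for this example.
ACCESS_MATRIX = [[1, 1], [0, -1], [1, 0]]
RHO = ["job:sales manager", "annual pay:30W-40W", "job:general manager"]

# Attribute mapping relation agreed between the enterprises (S2): an attribute of
# enterprise B (the steel plant) on the left is recorded as equal to one of A on the right.
MAPPING_B_TO_A = {
    "job:advanced bench worker": "job:sales manager",
    "annual pay:20W-30W": "annual pay:30W-40W",
}


def share_secret(matrix, s, p, rng):
    """Encryptor side (S5): v = (s, r2, ..., rk); share_i = M_i . v mod p."""
    k = len(matrix[0])
    v = [s % p] + [rng.randrange(p) for _ in range(k - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def make_shares(secret, seed=7):
    """Shares of `secret` under ACCESS_MATRIX with a seeded RNG (reproducible)."""
    return share_secret(ACCESS_MATRIX, secret, P, random.Random(seed))


def update_attributes(attrs_b, mapping):
    """Proxy step S12: replace each B attribute by its A counterpart; attributes with
    no mapping are kept as they are and simply will not match A's policy."""
    return [mapping.get(a, a) for a in attrs_b]


def match_rows(rho, attrs_a):
    """Proxy step S13: rows of the access matrix whose attribute the applicant now holds."""
    return [i for i, attr in enumerate(rho) if attr in attrs_a]


def solve_mod_p(a, b, p):
    """Solve a.x = b over Z_p by Gauss-Jordan elimination; None if inconsistent."""
    m, n = len(a), len(a[0])
    aug = [[x % p for x in row] + [y % p] for row, y in zip(a, b)]
    pivots, r = [], 0
    for c in range(n):
        pr = next((i for i in range(r, m) if aug[i][c]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)            # modular inverse (Python 3.8+)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):    # zero row with non-zero right-hand side
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def reconstruct(matrix, shares, rows, p):
    """Decryptor side (step six / S13): find w with sum_i w_i * M_i = (1,0,...,0) over
    the matched rows only, then s = sum_i w_i * share_i. Returns None when the matched
    rows do not satisfy the policy, i.e. no such w exists."""
    if not rows:
        return None
    k = len(matrix[0])
    transposed = [[matrix[i][c] for i in rows] for c in range(k)]   # M_S^T, k x |S|
    target = [1] + [0] * (k - 1)
    w = solve_mod_p(transposed, target, p)
    if w is None:
        return None
    return sum(wi * shares[i] for wi, i in zip(w, rows)) % p


def cross_domain_join(attrs_b, shares):
    """End to end: update B's attributes, match them, and try to recover the secret."""
    rows = match_rows(RHO, update_attributes(attrs_b, MAPPING_B_TO_A))
    return reconstruct(ACCESS_MATRIX, shares, rows, P)


if __name__ == "__main__":
    secret = 123456789
    shares = make_shares(secret)
    got = cross_domain_join(["job:advanced bench worker", "annual pay:20W-30W", "dept:production"], shares)
    print("recovered" if got == secret else "policy not satisfied")
```

In the real scheme the shares sit in the exponent of the pairing groups and the private key removes the per-attribute randomness, so the coefficients w are applied to group elements rather than to integers; the linear algebra that decides whether a set of attributes can recover s is exactly the step shown here.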
S14, the production system of the steel plant reads the networking public key from the networking certificate, calls RSA encryption to obtain the registration information encrypted with the networking public key, and transmits it to the networking server.
S15, the networking server registers the production department of the steel plant into the networking according to the flow shown in fig. 3. The specific process is as follows:
The networking server invokes RSA decryption; if it can decrypt the registration information, this shows that the production system of the steel plant was able to decrypt the networking certificate, i.e. that the locally used attributes of the production system, converted to the attributes used in the iron ore plant, satisfy the access control policy, so the production system has networking authority. The networking server then randomly generates the networking key for the production system, constructs the account of the steel plant production department in the networking from the registration information, and saves the account to the networking system table.
S16, the networking server returns the networking key to the production system of the steel plant. The production system of the steel plant is successfully registered in the networking.
In this case the steel plant and the iron ore plant are different enterprises, and the attribute spaces of the attribute-based encryption they use are also different, but through the agreed attribute mapping relation the system in the steel plant can still decrypt the networking voucher ciphertext produced by encrypting under the access control policy of the system in the iron ore plant, and so join the networking initiated by the system in the iron ore plant. Likewise, other systems of different enterprises can realize cross-domain networking through an agreed attribute mapping relation.
As shown in fig. 4, the invention provides, within the multi-system networking mechanism based on attribute-based encryption technology, a schematic diagram of the flow in which the steel plant's production system requests the quotation API of the iron ore plant's sales system; the method comprises:
S101, the steel plant's production system initiates a quotation API access application to the middleware server: {(identity: requester, steel plant: production system), (identity: recipient, iron ore plant: sales system), (API: commodity quotation), (commodity category: iron ore)}.
S102, the middleware server verifies the identity of the steel plant's production system, looks up the key of the iron ore plant's sales system, and sends to the iron ore plant's sales system {(identity: requester, steel plant: production system), (API: commodity price), (commodity category: iron ore)}.
S103, the iron ore plant's sales system decrypts the API request and then sends to the steel plant's production system {(identity: respondent, iron ore plant: sales system), (identity: recipient, steel plant: production system), (API: commodity price), (commodity category: iron ore), quality, origin, quantity for sale}.
S104, the steel plant's production system decrypts the commodity price API response using the networking key and acquires the detailed commodity information.
The above case uses the steel plant's production system initiating a commodity quotation request to the iron ore plant's sales system as an example to introduce a method of data sharing between networked users via an API. Notably, a user of the steel plant's production management system can conveniently learn the commodity details of the iron ore plant and arrange production according to the price and inventory trend of the upstream raw material, iron ore.
The following data are parametric descriptions of the above:
a networking system is initiated and is positioned in an enterprise A;
Application for addition/> Is located in enterprise B;
The attribute space of the system in the enterprise A records the available attribute of the system in the enterprise A;
the attribute space of the system in the enterprise B records the available attribute of the system in the enterprise B;
,/> The number of the middle attributes is smaller than U;
,/> The number of the middle attributes is smaller than U;
p factorial cyclic group, P is a prime number;
P is a prime number, and is used for taking an integer smaller than P;
,/> Is a generator of (1);
e, a bilinear map I.e./>Two elements on map to/>Applying;
,/> the access control strategy used for encrypting the networking certificate sets the attribute which the system with the access authority should possess;
accessing matrix,/> Corresponds to an attribute that satisfies the access control policy;
: can/> Mapping a certain row of the row to satisfy the attribute of the row;
:/> is described in detail/> Identity information such as company, region, type code and the like of the company,/>Can use/>And private key/>Decrypting the networking certificate issued by the system in the step B;
:/> attribute corresponding in A,/> Use/>And/>Decrypting the networking certificate initiated by the system in the A;
:/> private key of (1), use/> Attribute/>The structure is that,),/>Is/>Random number on,/>,/>Is/>Is a component of the assembly. /(I),/>And/>Are all/>All components use/>As an index, the system cannot learn/>Therefore, the private key corresponding to the attribute which the private key does not have cannot be obtained through collusion;
: the public key of the system in A can be used for encrypting networking certificates and generating private keys;
: the public key of the system in B can be used for encrypting the networking certificate and generating a private key;
MK: the master key of the key center participates in constructing necessary parameters of the private key, and by avoiding MK leakage, only the key center can generate the private key;
: the identity of the enterprise A is uniquely specified by the identity of the enterprise A;
: the identity of the enterprise B is uniquely specified by the identity of the enterprise B;
: attribute mapping relationship by storing/> And/>The row of the access matrix corresponding to the attribute of (1) is recorded/>And/>Which attributes are in one-to-one correspondence;
:/> the access matrix corresponding to the attributes in; /> is derived from />; /> is denoted as />;
:/> the access matrix /> corresponding to the attributes in, denoted as />;
: the result of the proxy agent using /> to query the /> stored in the cuckoo filter; it shows the access control policies that /> can satisfy through its corresponding attributes in A's attribute space />;
:/> maps /> to /> through /> and the mapping relationship between the rows and the attributes corresponding to the rows; this completes the last step of updating /> to />;
: a hash function that maps an arbitrary attribute to its corresponding fingerprint /> or />; it prevents an adversary from directly obtaining plaintext data when the proxy agent is attacked;
: the index function that maps entries of the attribute mapping relationship to table /> of the cuckoo filter; the corresponding /> maps entries to table />;
: the index function that maps the fingerprint /> corresponding to an attribute into the cuckoo filter; it finds an insertion position for an attribute that satisfies the access control policy and provides the query service for attribute matching, where a successful query means the attribute satisfies the access control policy;
: the matching result, a submatrix of the access matrix M used for encryption; :/> if /> is full rank, then /> satisfies the access control policy and /> has an inverse matrix />; at this point, letting />, the important parameter /> that restores the shared secret s can be obtained;
: the vector /> consisting of the shared secret /> and /> random numbers; a system that satisfies the access control policy can restore />, thereby obtaining /> and using /> to decrypt the networking certificate;
: the networking certificate; the networking server uses the networking private key to verify whether the system has decrypted the networking certificate, thereby confirming whether the system is allowed to join the networking;
: the networking certificate ciphertext, with the structure ; here /> is the component of the networking certificate encrypted with />, and the other components />, /> and /> can be used by a system that satisfies the access control policy to restore />;
Iron ore plant: in the embodiment, the enterprise where the sales system initiating networking is located is regarded as the enterprise;
Sales system: the sales system of the iron ore plant is the initiator of networking, and is regarded asIs marked as/>;
Iron and steel works: in the embodiment, the enterprise where the production system applying networking is located is regarded as an enterprise;
The production system: the production system of the iron and steel works applies to join the networking of the sales system of the iron ore plant; the production system is regarded as and denoted as />;
: the attributes of the production system of the iron and steel works, equivalent to /> above;
:/> the corresponding attributes in the iron ore plant. If the iron ore plant and the iron and steel works are not the same company, then must be updated to /> through />; otherwise />;
: A private key of the production system;
: the public key stored in the networking certificate; a system that decrypts the networking certificate can use /> to encrypt its registration information and send it to the networking server. After the networking server uses /> to verify that the registration information is correct, it registers the system with the networking server using the registration information;
: the private key matching />; the networking server uses /> to verify whether the system is allowed to join the networking;
RSA.Enc: the encryption algorithm of the encapsulated RSA cryptosystem; it uses the input to encrypt the registration information;
RSA.Dec: the decryption algorithm of the encapsulated RSA cryptosystem; it uses the input to decrypt the registration information;
: the secret key generated by the networking server for a production system registered to the networking; it can be used to verify whether an API access comes from another system in the networking;
The foregoing is a description of some embodiments of the invention and is not intended to limit the scope of the invention; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.
Claims (9)
1. A multi-system networking method based on attribute-based encryption technology, comprising the steps of:
Step one: the key center issues a public key to the networking initiator and keeps the master key itself; the key center uses />, />, the attribute spaces />, /> of the two enterprises, to generate the attribute mapping relationship and sends it to the proxy agent; the key center also uses the networking applicant's attributes /> to generate the networking applicant's private key /> and sends it to the networking applicant />;
Step two: the networking initiator uses the access control policy and the public key /> to encrypt the networking certificate into a networking certificate ciphertext and sends the networking certificate ciphertext to the cloud service provider; at the same time it sends the access control policy /> to the proxy agent, which maps the access control policy into a cuckoo filter; the networking initiator sends the networking certificate private key to the networking server;
Step three: the networking applicant downloads networking certificate ciphertext from the cloud service provider;
Step four: the networking applicant sends its attributes and />, />, the identity identifiers />, /> of the two enterprises, to the proxy agent;
Step five: proxy agent usage ,/>Searching the mapping relation of the stored attributes, if/>, andThen say that enterprises A and B are the same enterprise, then order/>; If/>The two do not belong to the same enterprise, and the proxy agent updates the applicant attribute according to the following steps ofUpdate properties/>, available for networking sponsors; Pair/>Is not equal to the value of each attribute of (a)Get/>Corresponding access matrix/>Is a row of (2); and according to/>The row of the access matrix corresponding to the attribute value of (a) determines the update attribute/>Corresponding access matrix/>; Pair/>Each row/>Calculation/>Will/>Insertion/>; Obtain the attribute/>, of the applicantUpdate attribute/>, corresponding to networking initiator;
Proxy agent using hash functionsGeneration/>Hash fingerprint/>Using an index function; Find out whether there is/>, in the cuckoo filterAccess control strategies which can be satisfied obtain access matrixes/>, which match attributes; Wherein/>Is a matrix composed of rows of an access matrix corresponding to attributes satisfying an access control policy;
Step six: the networking applicant, based on the matching result, uses the full-rank submatrix /> to calculate ; there is />; substituting the private key />, it calculates ;
next, the networking certificate is calculated ;
Step seven: the networking applicant obtains a networking public key from the networking certificate, encrypts registration information by using the networking public key and sends the registration information to a networking server;
Step eight: the networking server decrypts the registration information and adds the networking applicant to the networking;
Wherein,
Representing a system for initiating networking, which is located in an enterprise A;
representing addition/> Is located in enterprise B;
Representation/> Is a property of (2);
Representation/> Attributes corresponding in A;
Representation/> Is a private key of (a);
The public key representing the system in A can be used to encrypt networking credentials and generate private keys;
the public key representing the system in B can be used to encrypt networking credentials and generate private keys;
representing attribute mapping relationships by storing/> And/>The line of the access matrix corresponding to the attribute of (a) is recordedAnd/>Which attributes are in one-to-one correspondence;
representing the result of the proxy agent using /> to query the /> stored in the cuckoo filter; it shows the access control policies that /> can satisfy through its corresponding attributes in A's attribute space />.
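Steps five and six of claim 1, as an added Python example that is not code from the patent: the applicant's enterprise-B attributes are mapped into enterprise A's attribute space, the rows of an access matrix M whose attributes the applicant holds are selected, and the shared secret s is recovered over a prime field whenever (1, 0, ..., 0) lies in the row span of the matched submatrix. The access matrix, attribute names, mapping table and modulus are constructed; a plain dictionary stands in for the cuckoo filter, and Gauss-Jordan elimination generalises the patent's inverse-matrix step to matched submatrices that are not square.

```python
import random

P = 2**61 - 1  # constructed prime; shares, v and reconstruction coefficients live in GF(P)
# Constructed stand-in for the proxy agent's attribute mapping (B attribute -> A attribute);
# the patent keeps this relationship in a cuckoo filter, a plain dict is used here.
ATTR_MAP = {"B:prod_dept": "dept:production", "B:site_steelworks": "site:steelworks"}

def update_attributes(attrs_b, attr_map=ATTR_MAP):
    """Step five: map the applicant's B-space attributes into A's space; unmapped ones drop out."""
    return {attr_map[a] for a in attrs_b if a in attr_map}

def share_secret(M, s, rng=None):
    """LSSS sharing: v = (s, r2, ..., rn) with random r's, share_i = <M_i, v> mod P."""
    rng = rng or random.SystemRandom()
    v = [s % P] + [rng.randrange(P) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]

def _solve_mod_p(A, b):
    """Gauss-Jordan over GF(P): return one x with A x = b, or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    aug = [[x % P for x in row] + [bi % P] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue  # no pivot in this column, x[c] stays 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][cols] for i in range(r, rows)):
        return None  # (1, 0, ..., 0) is not in the row span: policy not satisfied
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x

def recover_secret(M, rho, shares, attrs):
    """Step six: keep rows i with rho[i] in attrs, find w with w * M_S = (1, 0, ..., 0), return s."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    M_S_T = [[M[i][j] for i in idx] for j in range(len(M[0]))]  # transpose of matched submatrix
    w = _solve_mod_p(M_S_T, [1] + [0] * (len(M[0]) - 1))
    return None if w is None else sum(wi * shares[i] for wi, i in zip(w, idx)) % P
```

With M = [[1, 1], [1, 2], [1, 0]] and rho = ["dept:production", "site:steelworks", "role:admin"], the matrix encodes the policy "(production AND steelworks) OR admin": an applicant holding only one of the two AND attributes gets None, since (1, 0) is not in the span of a single row.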
2. The method of claim 1, wherein the networking initiator and the networking applicant participating in the networking come from enterprise and enterprise />, which use different attribute sets.
3. The multi-system networking method based on attribute-based encryption technology of claim 1, wherein a networking applicant from enterprise whose attributes are /> can only decrypt networking certificates issued by a networking initiator in />, but /> can be updated to the corresponding attributes /> in enterprise />, so that networking certificates issued by a networking initiator in /> can be decrypted and cross-domain networking is realized.
4. The method of claim 1, wherein the networking applicant sends its own attributes to the proxy agent and receives /> and the attributes used for access control policy matching with the networking initiator in .
5. The method of claim 1, wherein the networking applicant uses the attributes that match the access control policy and its private key to decrypt the networking certificate, obtains the networking public key from the networking certificate, encrypts registration information with the networking public key, and sends the registration information to the networking server.
6. The method of claim 1, wherein the proxy agent is a computing and storage device capable of updating, via the attribute mapping relationship stored in the cuckoo filter, the attributes /> of a networking applicant in enterprise to the corresponding attributes /> in enterprise />.
7. The multi-system networking method based on attribute-based encryption technology of claim 1, wherein, in the steps, when and /> are equal, let /> = />; when /> and /> are not equal, the attribute mapping relationship is queried and /> is updated to the corresponding attribute /> in />; regardless of whether /> and /> are equal, the attributes /> satisfying the access control policy are then queried from the attributes />.
8. A smart device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor runs the computer program to cause the smart device to perform the steps of a multi-system networking method based on attribute-based encryption technology according to any one of claims 1 to 7.
9. A storage medium having stored thereon a computer program, which when executed by a processor performs the steps of a multi-system networking method based on attribute-based encryption techniques as claimed in any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410288764.9A CN117896180B (en) | 2024-03-14 | 2024-03-14 | Multi-system networking method based on attribute-based encryption technology, intelligent device and storage medium thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117896180A CN117896180A (en) | 2024-04-16 |
CN117896180B true CN117896180B (en) | 2024-05-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |