CN117978371A - Novel searchable encryption method for reducing access mode leakage - Google Patents


Publication number
CN117978371A
Authority
CN
China
Prior art keywords
file
client
encryption method
access mode
service provider
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311767688.1A
Other languages
Chinese (zh)
Inventor
王昊
王慎卿
李明慧
殷常春
张佳乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Research Institute Of Nanjing University Of Aeronautics And Astronautics
Nanjing University of Aeronautics and Astronautics
Original Assignee
Shenzhen Research Institute Of Nanjing University Of Aeronautics And Astronautics
Nanjing University of Aeronautics and Astronautics
Application filed by Shenzhen Research Institute Of Nanjing University Of Aeronautics And Astronautics, Nanjing University of Aeronautics and Astronautics
Priority to CN202311767688.1A
Publication of CN117978371A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a novel searchable encryption method for reducing access mode leakage, comprising the following steps: S1: the client generates a master key; S2: all files of the data set are encrypted, and the encrypted files are transferred to a cloud service provider for storage; S3: the stored encrypted files are encoded; S4: the data set is preprocessed to generate an index table; S5: the client generates a hash of the keyword using the master key and encrypts the hash, the client generates a shared key by exchanging a random number with the cloud service provider, and the cloud service provider matches the trapdoor sent by the client against the index table; S6: the cloud service provider searches for documents in the data set; S7: the client receives the fragments and reconstructs the original encrypted file; S8: the reconstructed original encrypted file is decrypted to generate the original file. By generating a master key held by the client, and using the master key to generate a hash of the keyword and encrypt it, the privacy of the cloud data is ensured.

Description

Novel searchable encryption method for reducing access mode leakage
Technical Field
The invention relates to the technical field of encryption methods, in particular to a novel searchable encryption method for reducing access mode leakage.
Background
Cloud computing is becoming a necessity over time. As more and more Cloud Service Providers (CSPs) enter the marketplace, data security remains the most important issue. Since the owner of the data no longer has control, the confidentiality and integrity of the data are vulnerable to both internal and external threats. If the confidentiality of the data is compromised, the effect can be catastrophic.
Searchable symmetric encryption techniques help individuals and businesses search their encrypted data on cloud servers in a secure manner. A common technique for achieving this is to use one secure index for the entire file set. The secure index contains a mapping from encrypted keywords to encrypted document identifiers, so that the underlying data is never revealed to unauthorized persons or CSPs. Both the secure index and the file set are stored on the server. In the search stage, the client queries the server, and the server returns the relevant files using the index as a lookup table.
There are two existing index-based methods: an inverted-index method and a forward-index-based method. An inverted index is similar to a two-dimensional array that contains mappings between keywords and documents; the entire data set has only one inverted index. A forward index is similar to a 4D array that is generated for each file and represents whether encrypted keywords are present in that particular file. Searching with forward-index-based methods is more efficient, especially for large data sets. A forward-index method with enhanced security can be used directly for searchable encryption. Limitations of existing indexing methods include:
1. When searching for a keyword, keyword privacy in terms of search mode, access mode and size mode may be affected, because of which the entire index needs to be reconstructed. This is very counterproductive and adds significant overhead to the client.
2. Existing systems using inverted indexes are vulnerable to several attacks, including but not limited to the IKK attack, frequency analysis attacks, and file injection attacks.
In summary, how to address access mode leakage while ensuring the search efficiency of searchable encryption in a cloud environment needs further study.
Disclosure of Invention
The invention aims to provide a novel searchable encryption method for reducing access mode leakage, in order to solve the problems raised in the background: the confidentiality of data is easily compromised, the access mode is easily leaked, and when a keyword is searched, keyword privacy in terms of search mode, access mode and size mode is affected, so that the entire index needs to be reconstructed and search efficiency is low.
To achieve the above purpose, the present invention provides the following technical solution: a novel searchable encryption method that reduces access mode leakage, comprising the following steps:
S1: the client generates a master key;
S2: all files of the data set are encrypted, and the encrypted files are transferred to a cloud service provider for storage;
S3: the stored encrypted files are encoded;
S4: the data set is preprocessed to generate an index table;
S5: the client generates a hash of the keyword using the master key and encrypts the hash, the client generates a shared key by exchanging random numbers with the cloud service provider, and the cloud service provider matches the trapdoor sent by the client against the index table;
S6: the cloud service provider searches for documents in the data set;
S7: the client receives the fragments and reconstructs the original encrypted file;
S8: the reconstructed original encrypted file is decrypted to generate the original file.
Preferably, in step S1, key generation uses the AES-256 bit encryption method, the master key is held only by the client, and the security of the master key is further ensured by inputting reasonable security parameters.
Preferably, step S2 includes reading the files in the data set, encrypting each file with the AES-256 bit encryption algorithm, and adding the encrypted file to the encrypted data set for storage.
Preferably, in step S3, the encrypted file is divided into k+m fragments: a function takes k, m, ec_type and a file D_i as inputs and generates k+m fragments by encoding, wherein the fragment size of the file D_i is the sum of the total size of the file and some redundant data sizes; k represents the number of data fragments, m represents the number of parity fragments, and ec_type is the erasure code type.
Preferably, in step S4, the encrypted data set is preprocessed by the natural language tool NLTK, and the index table includes a document identifier list and a keyword list.
Preferably, step S4 includes the following substeps:
S41: extracting a keyword list from the encrypted file, and converting the tokens/keywords to lowercase or uppercase letters;
S42: deleting vocabulary that is redundant for generating the index;
S43: stemming the keywords;
S44: calculating the hash value of the keyword, and encrypting the hash value.
Preferably, step S6 includes the following substeps:
S61: the cloud service provider XORs the shared key with the encrypted hash;
S62: the cloud service provider iteratively looks up the entries of the keyword list and saves or adds each positive hit to a new list.
Preferably, in S7, the client receives a plurality of fragments for a single document and reconstructs the original encrypted file by means of the erasure code algorithm.
Preferably, in S8, the reconstructed original encrypted file is decrypted with the master key and the AES algorithm.
The invention has the beneficial effects that:
1. By generating a master key held only by the client, a hash of the keyword is generated and encrypted with the master key to ensure the privacy of the cloud data.
2. The cloud service provider overcomes the one-time search limitation of the conventional method by iteratively searching each entry of the keyword list and, if a positive hit is found, saving the file name to a new list.
3. By constructing probabilistic trapdoors, the numbers of data and parity fragments are hidden from all entities, the correlation of existing trapdoors is eliminated, and third-party adversaries are deceived by the probabilistic trapdoor obfuscation technique, so that the forward-index-based searchable symmetric encryption method is better suited to cloud service scenarios with outsourced data.
Drawings
FIG. 1 is a schematic flow chart of the steps of the method of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1, the present invention provides a novel searchable encryption method for reducing access mode leakage, comprising the following steps:
S1: key generation stage: the client generates a master key K;
S2: encryption stage: all files of the data set are encrypted with an encryption algorithm and the encrypted files are transferred to a cloud service provider for storage; each time a query is generated, the cloud service provider retrieves the matching files according to specific keywords;
S3: encoding stage: the stored encrypted files are encoded;
S4: index construction stage: the data set is preprocessed to generate an efficient and easy-to-read index table I;
S5: trapdoor construction stage: the client generates a hash H() of a keyword using the master key K and encrypts the hash H(), the client generates a shared key by exchanging a random number pi with the cloud service provider, and the cloud service provider matches the trapdoor sent by the client against the index table I;
S6: search stage: the cloud service provider performs the search according to the trapdoor received from the client. The server holds the encrypted keywords, and the client has transmitted the keyword to the cloud service provider as a trapdoor. At the server, when the keyword is found in the index table I, the matching document identifier is added to a specific list, and the server then looks up the documents in the document identifier list in the data set provided by the client;
S7: decoding stage: the client receives the fragments and reconstructs the original encrypted file;
S8: decryption stage: the reconstructed original encrypted file is decrypted to generate the original file.
S1 comprises the following: the client generates a master key K, held only by the client, using the AES-256 bit encryption method, with lambda as the security parameter for the client to generate the master key K, wherein The security of the master key K is further ensured by inputting a reasonable security parameter lambda.
The order of S2 and S3 may be interchanged.
S2 comprises the following: the files in the data set are read, each file is encrypted with the AES-256 bit encryption algorithm, and the encrypted file is added to the encrypted data set for storage.
S3 comprises the following: the encrypted file is divided into k+m fragments; a function takes k, m, ec_type and a file D_i as inputs and generates k+m fragments by encoding, wherein the fragment size of the file D_i is the sum of the total size of the file and some redundant data sizes; k represents the number of data fragments, m represents the number of parity fragments, and ec_type is the erasure code type.
S4 comprises the following: the encrypted data set is preprocessed by the natural language tool NLTK, and the index table I includes a list of document identifiers and keywords Enc_k(H(kw_i)).
Step S4 comprises the following substeps:
S41: each file in the encrypted data set is read; after the natural language tool NLTK performs the keyword analysis step, a unique keyword list is extracted from each file, and the tokens/keywords are then converted to lowercase or uppercase letters. When the tokens/keywords are converted to lowercase letters, if there is an uppercase keyword in the file, the trapdoor of that keyword will be different, so the query will not return the required output;
S42: vocabulary that is redundant for generating the index is deleted, including punctuation marks, stop words and top-level vocabulary considered redundant for building the index, which improves indexing efficiency;
S43: the extracted keywords are stemmed;
S44: the hash value of the keyword is calculated with the SHA-384 bit algorithm and encrypted with the AES-256 bit encryption algorithm.
S5 comprises the following: the client sends a file retrieval query containing a specific keyword to the cloud service provider. The client then uses the master key K to generate a hash H(a) of the keyword, represented by a. Before communication starts, a random number pi is exchanged between the client and the server. The client then encrypts the hashed keyword a; the encrypted hashed keyword is represented by b. The random number pi is a shared key between the client and the server, and it is paired with the encrypted hash value of the keyword. The length of the trapdoor is 256 bits, and the trapdoor is formed by The composition is sent to the cloud service provider by the client, and the cloud service provider, executing its respective algorithm, matches the trapdoor against the keyword list contained in index I.
The step S6 comprises the following substeps:
S61: when the list of keywords Enc_k(H(kw_i)) is constructed, the server may, as a result of the erasure code encoding, add different numbers of fragments depending on the choice of the random number pi. For example, the client has 3 data fragments and 9 parity fragments; when the server constructs a matching list, it will include the data fragments, but the number of parity fragments will vary from 1 to 6. The numbers of data and parity fragments are hidden from all entities except the client, so the server will not be able to identify the probabilistic trapdoor of any keyword, and a different file list is returned to the client;
The cloud service provider obtains the actual encrypted hash form produced at the index construction stage by extracting the middle 256 bits of the shared key and XORing them with the encrypted hash received from the client, since the inverse of XOR is XOR; the cloud service provider then checks the index table I and looks up the keyword list.
S62: the cloud service provider iteratively looks up each entry of the keyword list and, if a positive hit is found, adds the file name to a new list.
S7 comprises the following: for a single document, the client receives a plurality of fragments and reconstructs the original encrypted file by means of the erasure code algorithm.
S8 comprises the following: once the client has reconstructed the original encrypted file, it needs to be decrypted; the reconstructed original encrypted file is decrypted using the master key K and the AES algorithm to generate the original text.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, or alternatives falling within the spirit and principles of the invention.
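Steps S4 to S6 (index construction, trapdoor construction and server-side search) sketched in Python, as an added example that is not code from the patent. Assumptions: HMAC-SHA-256 stands in for the AES-256 encryption of the SHA-384 keyword hash so that only the standard library is needed, pi is a fresh 64-byte shared value per query, the index is built by the client from plaintext, and the stop-word list and sample files are constructed; stemming (S43) and erasure coding (S3, S7) are omitted.

```python
import hashlib
import hmac
import secrets

STOP_WORDS = {"the", "a", "of", "and", "is", "to", "in"}  # constructed, minimal
SAMPLE_FILES = {                                          # constructed sample data
    "doc1.txt": "The invoice is overdue.",
    "doc2.txt": "Meeting notes and agenda.",
    "doc3.txt": "Invoice paid in full.",
}


def keyword_token(master_key, keyword):
    """S44/S5: SHA-384 of the lowercased keyword, then a deterministic keyed
    transform. HMAC-SHA-256 replaces the page's AES-256 step (assumption);
    the result is the 256-bit value the page calls b / Enc_k(H(kw_i))."""
    digest = hashlib.sha384(keyword.lower().encode("utf-8")).digest()
    return hmac.new(master_key, digest, hashlib.sha256).digest()


def build_index(master_key, files):
    """S4: forward index, one set of keyword tokens per document identifier."""
    index = {}
    for doc_id, text in files.items():
        words = (w.strip(".,;:!?").lower() for w in text.split())
        index[doc_id] = {keyword_token(master_key, w)
                         for w in words if w and w not in STOP_WORDS}
    return index


def middle_256(shared_key):
    """S61: the middle 256 bits (32 bytes) of the shared key."""
    start = (len(shared_key) - 32) // 2
    return shared_key[start:start + 32]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_trapdoor(master_key, keyword, shared_key):
    """S5 (client): mask the keyword token with the shared key."""
    return xor(keyword_token(master_key, keyword), middle_256(shared_key))


def search(index, trapdoor, shared_key):
    """S6 (server): XOR the mask away, then iterate over every index entry
    and collect the document identifiers with a positive hit."""
    token = xor(trapdoor, middle_256(shared_key))
    hits = []
    for doc_id, tokens in index.items():
        if any(hmac.compare_digest(token, t) for t in tokens):
            hits.append(doc_id)
    return sorted(hits)


def demo():
    """Search twice for the same keyword with a fresh pi each time."""
    master_key = secrets.token_bytes(32)          # S1: 256-bit key, client only
    index = build_index(master_key, SAMPLE_FILES)
    trapdoors, results = [], []
    for _ in range(2):
        pi = secrets.token_bytes(64)              # assumed per-query shared key
        trapdoor = make_trapdoor(master_key, "Invoice", pi)
        trapdoors.append(trapdoor)
        results.append(search(index, trapdoor, pi))
    return trapdoors, results


if __name__ == "__main__":
    tds, res = demo()
    print(res, tds[0].hex() != tds[1].hex())
```

Because the server removes the mask before matching, it recovers the same token every time one keyword is searched; the changing trapdoor is unlinkable only to a party that does not hold pi.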

Claims (9)

1. A novel searchable encryption method that reduces access mode leakage, comprising the following steps:
S1: the client generates a master key;
S2: all files of the data set are encrypted, and the encrypted files are transferred to a cloud service provider for storage;
S3: the stored encrypted files are encoded;
S4: the data set is preprocessed to generate an index table;
S5: the client generates a hash of the keyword using the master key and encrypts the hash, the client generates a shared key by exchanging random numbers with the cloud service provider, and the cloud service provider matches the trapdoor sent by the client against the index table;
S6: the cloud service provider searches for documents in the data set;
S7: the client receives the fragments and reconstructs the original encrypted file;
S8: the reconstructed original encrypted file is decrypted to generate the original file.
2. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: in S1, key generation uses the AES-256 bit encryption method, the master key is held only by the client, and the security of the master key is further ensured by inputting reasonable security parameters.
3. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: in step S2, the files in the data set are read, each file is encrypted with the AES-256 bit encryption algorithm, and the encrypted file is added to the encrypted data set for storage.
4. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: S3 includes dividing the encrypted file into k+m fragments, a function taking k, m, ec_type and a file D_i as inputs and generating k+m fragments by encoding, wherein the fragment size of the file D_i is the sum of the total size of the file and some redundant data sizes; k represents the number of data fragments, m represents the number of parity fragments, and ec_type is the erasure code type.
5. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: in S4, the encrypted data set is preprocessed by the natural language tool NLTK, and the index table includes a document identifier list and a keyword list.
6. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: step S4 comprises the following substeps:
S41: extracting a keyword list from the encrypted file, and converting the tokens/keywords to lowercase or uppercase letters;
S42: deleting vocabulary that is redundant for generating the index;
S43: stemming the keywords;
S44: calculating the hash value of the keyword, and encrypting the hash value of the keyword.
7. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: step S6 comprises the following substeps:
S61: the cloud service provider XORs the shared key with the encrypted hash;
S62: the cloud service provider iteratively looks up the entries of the keyword list and saves each positive hit to a new list.
8. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: in S7, the client receives a plurality of fragments for a single document and reconstructs the original encrypted file by the erasure code algorithm.
9. A novel searchable encryption method that reduces access mode leakage as defined in claim 1, wherein: in S8, the reconstructed original encrypted file is decrypted with the master key and the AES algorithm.
CN202311767688.1A 2023-12-21 2023-12-21 Novel searchable encryption method for reducing access mode leakage Pending CN117978371A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311767688.1A CN117978371A (en) 2023-12-21 2023-12-21 Novel searchable encryption method for reducing access mode leakage

Publications (1)

Publication Number Publication Date
CN117978371A true CN117978371A (en) 2024-05-03

Family

ID=90846682

Country Status (1)

Country Link
CN (1) CN117978371A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination