CN205754415U - Fine granularity access control systems based on many authorization center in cloud storage - Google Patents

Info

Publication number: CN205754415U
Application number: CN201620408397.2U
Authority: CN (China)
Prior art keywords: attribute, file, server, module, management server
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Other languages: Chinese (zh)
Inventors: 关志涛, 司冠林, 杨亭亭
Current assignee: North China Electric Power University (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: North China Electric Power University
Priority date / filing date: 2016-05-06 (the priority date is an assumption and is not a legal conclusion)
Publication date: 2016-11-30

Landscapes

  • Storage Device Security (AREA)

Abstract

This utility model belongs to the field of cloud storage and in particular relates to a fine-grained access control system based on multiple authorization centers in cloud storage. The system comprises a file upload client, a key initialization server, an attribute management server, a cloud server, attribute authorities and file access clients. The file upload client is connected to the key initialization server, the attribute management server and the cloud server; the cloud server is connected to the key initialization server, the attribute management server and the file access clients; and each attribute authority is connected to the attribute management server. Multiple attribute authorities work together to complete verification and authorization tasks, which reduces the workload of each one and improves the security of files in the cloud; the access rights of a file are hidden from the attribute management server, so that the access rights themselves are protected; and every attribute authority and the cloud server are provided with a re-encryption function, which prevents a revoked user who still holds the original private key from accessing the file again.

Description

Fine granularity access control systems based on many authorization center in cloud storage
Technical field
This utility model belongs to the field of cloud storage and in particular relates to a fine-grained access control system based on multiple authorization centers in cloud storage.
Background technology
Cloud services offer convenient cloud-side storage, a large number of free software services and a powerful cloud computing support platform; the configuration requirements on the terminal are low and scalability is high. With the rise of cloud storage, more and more users enjoy the larger storage space and the convenient storage services that cloud computing brings. However, in cloud storage the user's data is stored on the cloud server, separate from the user, so the security and integrity of the data are hard to guarantee and it becomes much harder for the user to control the data.
Access control schemes related to cloud storage have therefore appeared. Some scholars proposed identity-based access control mechanisms, which associate the user key with the user's identity information; but this requires the server to store the identity information of all users, which consumes a large amount of storage space when many users are registered and makes lookups very inconvenient. Other scholars therefore proposed attribute-based access control schemes, which guarantee the security of cloud storage while facilitating secure data sharing among multiple users. Most current schemes perform the key computation at a single authorization center, so the workload of that center is excessive and a single failure paralyzes the whole system. In addition, after a user is revoked, the key of the original file should be updated promptly to safeguard the file; how to perform efficient re-encryption that protects the file without making the whole system overly complex remains to be solved.
Utility model content
In order to solve the problems above, the utility model proposes a fine-grained access control system based on multiple authorization centers in cloud storage, comprising a file upload client (data owner, DO), a key initialization server (setup server, SS), an attribute management server (attribute manage server, AMS), a cloud server (CS), attribute authorities (AA) and file access clients (data require, DR). The file upload client is connected to the key initialization server, the attribute management server and the cloud server; the cloud server is connected to the key initialization server, the attribute management server and the file access clients; and each attribute authority is connected to the attribute management server.
The key initialization server comprises a node registration library, a key generation module and a key distribution module, connected in sequence.
The file upload client comprises a file output port, a file encryption module, a file input port, an attribute grouping module and an attribute-name output port, connected in sequence, and also comprises a key input port, an encryption module, an attribute encryption module and an attribute-value output port, connected in sequence; the attribute grouping module is connected to the encryption module.
The attribute management server comprises an attribute-name input port, an allocator and an attribute distribution library, connected in sequence; the allocator is connected to the attribute authority communication port, the cloud server communication port and the key output port respectively.
The cloud server comprises a file input port, a retrieval module and a file request responder, connected in sequence; the re-encryption module, the ciphertext library, the attribute management server communication port and the file request receiver are each connected to the retrieval module.
The attribute authority comprises a request receiver, a verifier and a key update module, connected in sequence; the key store, the attribute library and the key sender are each connected to the verifier. Multiple attribute authorities are connected to the attribute management server.
The file access client comprises a file request module and an attribute acquisition module, each connected to a transmitter, and a receiver connected to a file decryption module. Multiple file access clients are connected to the cloud server.
The beneficial effects of the utility model are as follows.
Multiple attribute authorities work together to complete verification and authorization tasks, which reduces the workload of each attribute authority. If one attribute authority is broken into, the intruder can obtain only part of a file's content, not all of its information, which improves the security of files in the cloud. The access rights of a file are hidden from the attribute management server, which knows only the attribute names and not the concrete attribute values, so that the access rights are protected. To prevent a revoked user who still holds the original private key from accessing the file again, the system provides a re-encryption function at each attribute authority and at the cloud server: when an attribute authority sends a private key to a user, it performs a key update at the same time and produces a new public key and private key; and after the cloud server sends a file to a user, it re-encrypts the file with the public key newly generated by the attribute authority, so that every user who accesses the file must be a legitimate user verified by the attribute authorities.
Accompanying drawing explanation
Fig. 1 is the structure diagram of the utility model. The system comprises a key initialization server (setup server, SS), an attribute management server (attribute manage server, AMS), three attribute authorities (AA), a cloud server (CS), a file upload client (data owner, DO) and four file access clients (data require, DR).
Detailed description of the invention
The embodiment is described in detail below with reference to the accompanying drawing.
The utility model proposes a fine-grained access control system based on multiple authorization centers in cloud storage. As shown in Fig. 1, it comprises a file upload client, a key initialization server, an attribute management server, a cloud server, attribute authorities and file access clients. The file upload client is connected to the key initialization server, the attribute management server and the cloud server; the cloud server is connected to the key initialization server, the attribute management server and the file access clients; and each attribute authority is connected to the attribute management server.
The key initialization server comprises a node registration library, a key generation module and a key distribution module. The node registration library holds the registration information of the file uploader and of all attribute authorities; the relevant information of every registered node is stored in it. The key generation module uses an asymmetric encryption algorithm (RSA) to generate a key pair (public key and private key) for each node, and the key distribution module then distributes the keys to each file uploader and attribute authority.
The file upload client comprises a file input port, an attribute grouping module, an attribute-name output port, a key input port, an encryption module, an attribute encryption module, an attribute-value output port, a file encryption module and a file output port. After a file is input, the file uploader uses the attribute grouping module to group different files, or different parts of the same file, and sets different access attributes for each group; the attribute names are then sent to the attribute management server for processing. The attribute management server distributes the attribute names to different attribute authorities and notifies the file uploader of the public key of the attribute authority corresponding to each attribute name; at the same time it stores the correspondence table between attribute names and attribute authorities in the attribute distribution library. Finally, the file upload client encrypts the file with these keys and delivers it to the cloud server, and encrypts the attribute values and passes them to the respective attribute authorities.
The attribute management server comprises an attribute-name input port, an allocator, an attribute distribution library, an attribute authority communication port, a cloud server communication port and a key output port. It receives the attribute names of a file through the attribute-name input port and, through the allocator, assigns each attribute name to a different attribute authority for management. Finally, the allocator stores the correspondence table between attribute names and attribute authorities in the attribute distribution library and, through the key output port, sends the attribute names together with the corresponding attribute-authority public keys to the file uploader.
The cloud server comprises a file input port, a retrieval module, a ciphertext library, an attribute management server communication port, a re-encryption module, a file request receiver and a file request responder. The cloud server receives the uploader's encrypted file through the file input port and stores it in the ciphertext library. When a visitor sends a file request to the cloud server, the cloud server retrieves the file from the ciphertext library with the retrieval module and then sends the file name and the visitor's attributes to the attribute management server through the attribute management server communication port; the attribute management server in turn passes them to the corresponding attribute authority for processing. The cloud server then waits for the attribute authority's result. If the attribute authority grants the visitor access, the cloud server sends the file's private key to the requester together with the file and re-encrypts the file in the ciphertext library; otherwise it refuses to provide the private key.
The attribute authority comprises a request receiver, a verifier, an attribute library, a key store and a key update module. It receives the file access request forwarded by the attribute management server through the request receiver; the verifier then checks the attributes by looking up the file's access attributes in the attribute library by file name and comparing them with the visitor's attributes. If the visitor's attribute values are contained in the file's access attributes, the attribute authority retrieves the private key from the key store, sends it to the visitor and performs a key update; otherwise it refuses to provide the private key to the visitor.
The file access client comprises a file request module, an attribute acquisition module, a transmitter, a receiver and a file decryption module. The visitor enters a file request and his own attributes, which are sent to the cloud server by the transmitter. The ciphertext and private key are then received at the receiver and decrypted to obtain the plaintext.
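The flow described above, as an added toy model that is not part of the patent and not code from its authors: a file uploader groups parts of a file under different access attributes, the attribute management server assigns each attribute name to one of several attribute authorities (and sees names only, never values), every responsible authority must verify the visitor's attribute value before any key is issued, and each grant is followed by a key update plus re-encryption at the cloud server so that a key already handed out no longer opens the stored copy. The asymmetric key pairs and the exact re-encryption scheme are not specified on the page, so this example assumes a SHA-256 counter keystream as a stand-in cipher and a re-encryption token (old keystream XOR new keystream) that lets the cloud server convert a ciphertext without learning the plaintext or either key; transport encryption of attribute values and the key initialization server are omitted. All class and function names and the sample report are constructed for this example.

```python
import hashlib
import os
from dataclasses import dataclass, field


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter keystream: assumed toy stand-in for the key-pair
    encryption the patent leaves unspecified. XOR encrypts and decrypts alike."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AttributeAuthority:
    """AA: attribute library (required values), key store and key update module."""
    name: str
    policy: dict = field(default_factory=dict)  # (filename, attr) -> required value
    keys: dict = field(default_factory=dict)    # (filename, attr) -> current key

    def register(self, filename: str, attr: str, value: str) -> bytes:
        """Uploader records the access attribute value; a fresh key covers that part."""
        self.policy[(filename, attr)] = value
        self.keys[(filename, attr)] = os.urandom(32)
        return self.keys[(filename, attr)]

    def verify(self, filename: str, attr: str, visitor_attrs: dict) -> bool:
        """Verifier: the visitor's value must equal the file's access attribute."""
        return (filename, attr) in self.policy and \
            visitor_attrs.get(attr) == self.policy[(filename, attr)]

    def issue_and_rotate(self, filename: str, attr: str, ct_len: int):
        """Send the current key to the visitor, then update the key. The token
        (old keystream XOR new keystream) lets the cloud server re-encrypt the
        stored part without seeing the plaintext or either key."""
        old = self.keys[(filename, attr)]
        new = self.keys[(filename, attr)] = os.urandom(32)
        return old, xor(keystream(old, ct_len), keystream(new, ct_len))


@dataclass
class AttributeManagementServer:
    """AMS: allocator plus attribute distribution library; holds attribute names only."""
    authorities: list
    table: dict = field(default_factory=dict)  # attribute name -> responsible AA

    def assign(self, attr_names: list) -> dict:
        for name in attr_names:
            if name not in self.table:  # spread names round-robin over the AAs
                self.table[name] = self.authorities[len(self.table) % len(self.authorities)]
        return {name: self.table[name] for name in attr_names}


@dataclass
class CloudServer:
    """CS: ciphertext library, retrieval, request responder and re-encryption module."""
    ams: AttributeManagementServer
    ciphertexts: dict = field(default_factory=dict)  # filename -> [(attr, ct_part)]

    def request(self, filename: str, visitor_attrs: dict):
        parts = self.ciphertexts.get(filename)
        if parts is None:
            return None
        route = [(attr, ct, self.ams.table[attr]) for attr, ct in parts]
        # Every responsible AA must approve; one refusal denies the whole file
        # and no key is rotated, so a denied request leaves the store untouched.
        if not all(aa.verify(filename, attr, visitor_attrs) for attr, _, aa in route):
            return None
        response, updated = [], []
        for attr, ct, aa in route:
            key, token = aa.issue_and_rotate(filename, attr, len(ct))
            response.append((attr, ct, key))
            updated.append((attr, xor(ct, token)))  # re-encrypt after serving
        self.ciphertexts[filename] = updated
        return response


def upload(filename: str, grouped_parts: list, ams, cs) -> None:
    """DO: each part carries one access attribute; the AMS says which AA owns the
    attribute name, that AA receives the required value and the part is encrypted."""
    assignment = ams.assign([attr for attr, _, _ in grouped_parts])
    stored = []
    for attr, value, data in grouped_parts:
        key = assignment[attr].register(filename, attr, value)
        stored.append((attr, xor(data, keystream(key, len(data)))))
    cs.ciphertexts[filename] = stored


def access(filename: str, visitor_attrs: dict, cs):
    """DR: send the request and own attributes, decrypt what comes back (or None)."""
    response = cs.request(filename, visitor_attrs)
    if response is None:
        return None
    return b"".join(xor(ct, keystream(key, len(ct))) for _, ct, key in response)


def demo():
    """Constructed sample: one report split into three parts under three attributes."""
    aas = [AttributeAuthority("AA1"), AttributeAuthority("AA2"), AttributeAuthority("AA3")]
    ams = AttributeManagementServer(aas)
    cs = CloudServer(ams)
    parts = [("role", "staff", b"summary: Q1 stable"),
             ("dept", "finance", b"; revenue 4.2M"),
             ("clearance", "3", b"; appendix: merger talks")]
    upload("report.txt", parts, ams, cs)
    ok = {"role": "staff", "dept": "finance", "clearance": "3"}
    granted = access("report.txt", ok, cs)                       # all three AAs approve
    denied = access("report.txt", dict(ok, clearance="2"), cs)   # AA3 refuses -> None
    # Revocation check: keys from a grant do not fit the re-encrypted stored copy.
    stale_keys = [key for _, _, key in cs.request("report.txt", ok)]
    stale = b"".join(xor(ct, keystream(k, len(ct)))
                     for (_, ct), k in zip(cs.ciphertexts["report.txt"], stale_keys))
    return granted, denied, stale
```

Because each part is encrypted under a key held by a different authority, an intruder at one authority holds keys for that authority's parts only, which is the "partial content" property the text claims; because the cloud server applies only the XOR token, it never holds a key that decrypts the file itself.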
This embodiment is only a preferred embodiment of the utility model, but the scope of protection of the utility model is not limited to it; any change or substitution that a person familiar with the art can readily conceive within the technical scope disclosed by the utility model shall be covered by its scope of protection. The scope of protection of the utility model shall therefore be determined by the claims.

Claims (7)

1. A fine-grained access control system based on multiple authorization centers in cloud storage, characterized in that it comprises a file upload client, a key initialization server, an attribute management server, a cloud server, attribute authorities and file access clients, wherein the file upload client is connected to the key initialization server, the attribute management server and the cloud server; the cloud server is connected to the key initialization server, the attribute management server and the file access clients; and each attribute authority is connected to the attribute management server.
2. The system according to claim 1, characterized in that the key initialization server comprises a node registration library, a key generation module and a key distribution module, connected in sequence.
3. The system according to claim 1, characterized in that the file upload client comprises a file output port, a file encryption module, a file input port, an attribute grouping module and an attribute-name output port, connected in sequence, and also comprises a key input port, an encryption module, an attribute encryption module and an attribute-value output port, connected in sequence, wherein the attribute grouping module is connected to the encryption module.
4. The system according to claim 1, characterized in that the attribute management server comprises an attribute-name input port, an allocator and an attribute distribution library, connected in sequence, and the allocator is connected to the attribute authority communication port, the cloud server communication port and the key output port respectively.
5. The system according to claim 1, characterized in that the cloud server comprises a file input port, a retrieval module and a file request responder, connected in sequence, wherein the re-encryption module, the ciphertext library, the attribute management server communication port and the file request receiver are each connected to the retrieval module.
6. The system according to claim 1, characterized in that the attribute authority comprises a request receiver, a verifier and a key update module, connected in sequence; the key store, the attribute library and the key sender are each connected to the verifier; and multiple attribute authorities are connected to the attribute management server.
7. The system according to claim 1, characterized in that the file access client comprises a file request module and an attribute acquisition module, each connected to a transmitter, and a receiver connected to a file decryption module; and multiple file access clients are connected to the cloud server.

Priority Applications (1)

Application number: CN201620408397.2U
Priority date: 2016-05-06
Filing date: 2016-05-06
Title: Fine granularity access control systems based on many authorization center in cloud storage

Publications (1)

Publication number: CN205754415U (en)
Publication date: 2016-11-30
Status: Expired - Fee Related

Family ID: 57370470

Country Status (1)

CN (1): CN205754415U (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109818923A (en) * 2018-12-18 2019-05-28 北京九州云腾科技有限公司 A kind of attribute base cloud service access control method based on attribute ciphertext re-encryption



Legal Events

Code: C14, Title: Grant of patent or utility model
Code: GR01, Title: Patent grant
Code: CF01, Title: Termination of patent right due to non-payment of annual fee

Granted publication date: 20161130
Termination date: 20170506