WO2016106752A1 - 一种共享数据的访问控制方法、装置及系统 - Google Patents
一种共享数据的访问控制方法、装置及系统 Download PDFInfo
- Publication number
- WO2016106752A1 WO2016106752A1 PCT/CN2014/096064 CN2014096064W WO2016106752A1 WO 2016106752 A1 WO2016106752 A1 WO 2016106752A1 CN 2014096064 W CN2014096064 W CN 2014096064W WO 2016106752 A1 WO2016106752 A1 WO 2016106752A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- attribute
- ciphertext
- visitor
- component
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Definitions
- the present invention belongs to the field of data security, and in particular, to a method, device and system for access control of shared data.
- the degree of data sharing reflects the level of information development in a region and a country. The higher the degree of data sharing, the higher the level of information development. Achieving data sharing can enable more people to use existing data resources more fully, reduce duplication of labor and corresponding expenses such as data collection and data collection, and cloud storage provides a safer and more effective platform for data sharing.
- Cloud storage is a new concept extended and developed in the concept of cloud computing. It refers to a large number of different types of storage devices in the network through functions such as cluster application, grid technology or distributed file system. A system that combines application software to work together to provide data storage and service access functions. Users can easily access data at any time, anywhere, by connecting to the cloud via any networkable device.
- Attribute-based Encryption is an emerging public key encryption mechanism in recent years. It is an extension of the identity encryption method. In attribute encryption, the user's identity is described by a series of attributes, and the plaintext can be decrypted only when the user's identity attribute satisfies the system-defined access policy. This access control mechanism further enhances the security of shared data while ensuring the flexibility of data sharing. For example, different access rights can be opened to users according to the identity attributes and identity attribute values that the user has, which is particularly advantageous for access control of data shared by some fields.
- a doctor with a certain title, a setting, a certain age of employment, and a related field doctor can be set to view. Medical records of a class of patients. If the access control policy of the username/password is simply adopted, it is difficult to implement effective access control of the shared data.
- the existing attribute-based encryption-based access control policy requires a central identity authentication licensor as a medium to authenticate the user identity to provide corresponding parameters to different attribute licensors, so that different attribute licensors can provide user attribute components for the same user. . It can be seen that due to the existence of the central identity licensor, once the central identity licensor is compromised, the user attribute component can be easily stolen, thereby decrypting the data, thereby reducing the security of the data and increasing the security. The complexity of data sharing access control.
- An object of the present invention is to provide an access control method and system for sharing data, which aims to solve the problem that the prior art cannot provide an effective shared data access control method, resulting in reduced data security and data sharing access control.
- the present invention provides an access control method for sharing data, the method comprising the following steps:
- the data visitor sends an access request to a shared data to the data storage provider
- the data visitor obtains the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component corresponding to the shared data from the data storage provider, where the ciphertext attribute component is a value used to represent the data visitor.
- the encryption key is used to encrypt the shared data
- the data visitor sends a request for acquiring the user attribute component of the data visitor to the K attribute licensors associated with the access policy, where the user attribute component is a value indicating that the data visitor owns the attribute corresponding to the value;
- the K attribute licensor After receiving the request for acquiring the user attribute component, the K attribute licensor respectively generates a user attribute component of the data visitor and sends the data attribute component to the data visitor;
- the data visitor recovers the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the user attribute component;
- the data visitor decrypts the shared data ciphertext using the encryption key to obtain shared data requesting access.
- the present invention provides an access control device for sharing data, the device comprising:
- An access request sending unit configured to send, by the data visitor, an access request for a shared data to the data storage provider
- a data obtaining unit configured to acquire, by the data provider, the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component corresponding to the shared data, where the ciphertext attribute component is a value.
- a data request sending unit configured to send, by the data visitor, a request for acquiring a user attribute component of the data visitor to the K attribute licensors associated with the access policy, where the user attribute component is a value indicating that the data visitor owns the request The attribute corresponding to the value;
- a data returning unit configured to: after receiving the request for acquiring the user attribute component, each of the K attribute licensors generates a user attribute component of the data visitor, and sends the data attribute component to the data visitor;
- a key recovery unit configured to recover, by the data visitor, the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the user attribute component; as well as
- a data decryption unit configured to decrypt, by the data visitor, the shared data ciphertext by using the encryption key to obtain shared data that is requested to be accessed.
- the present invention provides an access control system for sharing data, the system including a data visitor, an attribute licensor, and a data storage provider, wherein:
- a data visitor configured to send an access request for a shared data to the data storage provider, and obtain, from the data storage provider, the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component of the shared data
- the ciphertext attribute component is a value used to represent an attribute of a data visitor
- the encryption key is used to encrypt the shared data, and respectively send the acquired data to the K attribute licensors associated with the access policy.
- An attribute licensor configured to: after receiving a request sent by the data visitor to obtain the user attribute component, generate a user attribute component of the data visitor, and send the data attribute component to the data visitor;
- a data storage provider configured to receive an access request for a shared data sent by the data visitor, and return, to the data visitor, a shared data ciphertext, an encryption key ciphertext, an access policy, and Ciphertext attribute component;
- the data visitor is further configured to use the encryption according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the user attribute component to recover the encryption key.
- the key decrypts the shared data ciphertext to obtain shared data requested to be accessed.
- the central identity authentication authorization is not required, and each attribute licensor performs independent authorization and authentication on the attributes of the user, thereby improving data security and reducing the complexity of data sharing access control.
- FIG. 1 is a flowchart of implementing an access control method for shared data according to Embodiment 1 of the present invention
- FIG. 2 is a flowchart of implementing an access control method for shared data according to Embodiment 2 of the present invention
- FIG. 3 is a flowchart of implementing an access control method for shared data according to Embodiment 3 of the present invention.
- FIG. 4 is a structural diagram of an access control apparatus for shared data according to Embodiment 4 of the present invention.
- FIG. 5 is a structural diagram of an access control system for shared data according to Embodiment 5 of the present invention.
- Embodiment 1 is a diagrammatic representation of Embodiment 1:
- FIG. 1 is a flowchart showing an implementation process of an access control method for shared data according to Embodiment 1 of the present invention, which is described in detail as follows:
- step S101 the data visitor sends an access request to a shared data to the data store.
- the data storage provider is configured to store data shared by the user (ie, the data owner), and perform access control on the shared data of the user according to the access policy set by the user (data owner).
- the data storage provider is a cloud storage server, thereby providing a cloud storage data sharing service to the user.
- step S102 the data visitor obtains the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component corresponding to the shared data from the data storage provider.
- access control of the shared data is performed based on the attribute, so that the access control decision can be updated according to the dynamic change of the attribute of the related entity/user, thereby providing a fine-grained and more flexible access control method.
- a user may have multiple attributes, such as work department, job title, working years, and the like.
- the data owner that is, the owner of the shared data
- the access policy can set the access policy when sharing the data.
- the access policy refers to a tree logical structure that can be used to decrypt a series of attributes of the ciphertext, that is, an access policy tree.
- the data owner can combine a series of attributes in a tree structure according to the security strength requirements of the shared data to form an access policy.
- the leaf nodes of this tree structure are the textual descriptions of the attributes, and the non-leaf nodes are some "OR gates" and "threshold gates”.
- the ciphertext attribute component is a value to represent an attribute of a data visitor requesting access to the shared data, and is used to recover an encryption key of the shared data ciphertext in the following, the encryption key The key is used to encrypt the shared data, where the encryption key is stored in the form of ciphertext.
- step S103 the data visitor separately sends a request for acquiring the user attribute component of the data visitor to the K attribute licensors associated with the access policy.
- the user attribute component is a value indicating that the data visitor owns the attribute associated with the access policy, and is used together with the ciphertext attribute component to recover the encryption key of the shared data.
- the user attribute component is a value indicating that the data visitor owns the attribute corresponding to the value.
- the request for acquiring the data visitor user attribute component sent by the data visitor includes a Globally Unique Identifier (GID) of the data visitor, and the GID is used to globally and uniquely identify the identity of the user. For example, username, etc.
- GID Globally Unique Identifier
- an attribute licensor is used to define an attribute, identify whether the data visitor owns the defined attribute, and generate a user attribute component for the data visitor. Since the access policy is associated with multiple attributes, which can be managed by one or more attribute licensors, the data visitor needs to send the user attribute component request to the K attribute licensors, and the K attribute licensors are the access policies.
- the request for obtaining the user attribute component is digitally signed to prevent the data visitor from refusing .
- the attribute licensor also authenticates the data requester when receiving the request for obtaining the user attribute component sent by the data visitor, for example, by using a traditional username/password, biometric authentication, and the like.
- step S104 after receiving the request for acquiring the user attribute component, the K attribute licensors respectively generate a user attribute component of the data visitor.
- the attribute licensor after receiving the request for decrypting the private key by the data visitor, the attribute licensor respectively generates the decrypted private key of the data visitor. Specifically, each attribute licensor generates a first hash value according to a global unique identifier of the data visitor included in the request for acquiring the user attribute component, and generates a second hash value according to the identifier of the attribute of the data visitor, according to The first hash value, the second The hash value and the pre-generated attribute master key generate the user attribute component, wherein the attribute master key includes two values, and in the embodiment of the present invention, the two values are recorded as the first parameter value and the second Parameter value.
- one or more preset attributes managed by the attribute licensor correspond to the same attribute master key, and the attribute master key is managed and saved by the attribute licensor itself, so that the security cannot be reduced. , reduce the storage requirements of the attribute master key, and at the same time, simplify the user attribute component generation process.
- a user attribute component of a data visitor can be generated by the following formula:
- Att represents an identifier of the attribute of the data visitor
- H(att) represents the second hash value
- H(GID) represents the first hash value
- a, b represents two of the attribute master key. Parameter values.
- step S105 the attribute licensor sends the respective generated user attribute components to the data visitor.
- step S106 the data visitor recovers the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the user attribute component, and the data access
- the shared data ciphertext is decrypted using the encryption key to obtain shared data requesting access.
- the data visitor may receive N pieces of the user attribute component and M pieces of the ciphertext attribute component.
- the data visitor may recover the encryption key according to the received data in the following manner:
- each layer needs to follow the inverse operation of the preset secret sharing function, with the section of the layer
- the point correlation value is used as an input, and the node correlation value of the parent node of the layer is calculated.
- the inverse of the secret sharing function is iteratively used until the node correlation value of the root node of the access policy tree is finally obtained, and the correlation value is used as the first intermediate recovery data.
- the central identity authentication authorization is not required, and each attribute licensor performs independent authorization and authentication on the attributes of the user, thereby improving data security and reducing the complexity of data sharing access control.
- the owner of the shared data ie, The data owner shall generate the ciphertext of the encryption key and the ciphertext attribute component according to the encryption key, the attribute public key, the second hash value, and the access policy, to share
- the data is subjected to access control, and the ciphertext of the encryption key and the ciphertext attribute component are sent to the data storage provider.
- the ciphertext of the encryption key can be generated by the following formula:
- key represents an encryption key
- g a represents the attribute public key
- H(att) represents the second hash value
- s represents a random value
- g is a generator of a group preset by the system.
- the ciphertext attribute component includes three values, preferably calculated by the following formula:
- s x is the value obtained by the random value s of the xth node of the access policy
- the r x represents another random value
- w x represents the fixed value 0 calculated by the secret sharing function. Value, the remaining symbols have the same meaning as in the previous formula.
- the data owner before the data is shared, the data owner generates the ciphertext of the encryption key and the ciphertext attribute component according to the encryption key, the attribute public key, the second hash value, the access policy, and the shared data. Access control, while improving the security of shared data, also reduces the complexity of data sharing access control.
- the data visitor, the attribute licensor, the data storage provider, and the data owner may be a personal computer, a server, or the like that provides a corresponding function, and the foregoing steps are performed by the corresponding hardware module.
- Embodiment 2 is a diagrammatic representation of Embodiment 1:
- FIG. 2 is a flowchart showing an implementation process of an access control method for shared data according to Embodiment 2 of the present invention, which is described in detail as follows:
- step S201 the attribute licensor generates a new attribute master key and a new attribute version number according to the received attribute update instruction, and generates according to the new attribute master key and the saved original attribute master key.
- the ciphertext attribute component updates parameters.
- the saved original attribute master key is an unupdated, old attribute master key.
- the attribute master key includes two parameter values, namely a first parameter value and a second parameter value, where the ciphertext attribute component can be updated by changing the two parameters.
- the difference between the second parameter value of the new attribute master key and the second parameter value of the saved attribute master key may be used as the ciphertext attribute component update parameter.
- the ciphertext attribute component update parameter may be generated by using the following formula (6):
- b' is the second parameter value of the new attribute master key
- b is the saved second parameter value of the original attribute master key
- step S202 the attribute licensor sends the new attribute version number and the ciphertext attribute component update parameter to the data storage provider.
- step S203 the data store will receive the new attribute version number and the The ciphertext attribute component update parameter is saved to a pre-established update parameter list.
- the attribute licensor when the attribute of the user (for example, the data visitor) changes with management requirements, time, etc., the attribute licensor can update the ciphertext attribute component corresponding to the attribute managed by the attribute in time. Therefore, the user's attribute authorization is adjusted in time to realize a quick recall of the attribute.
- the data storage provider pre-establishes an update parameter list for recording each version of the managed attribute and the corresponding ciphertext attribute component update parameter.
- step S204 the data visitor sends an access request to a shared data to the data store.
- step S205 the data visitor obtains the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component corresponding to the shared data from the data storage provider.
- the data storage provider when the data storage provider receives the ciphertext, the access policy, and the ciphertext attribute component of the shared data ciphertext, the encryption key, and the ciphertext attribute component sent by the data visitor, the data storage provider The stored update parameter list determines whether the attribute version number attached to the ciphertext attribute component corresponding to the data visitor is the latest version number of the attribute, and if yes, returns the shared data ciphertext and the encryption corresponding to the shared data to the data visitor.
- the ciphertext, the access policy, and the ciphertext attribute component of the key if not, update the ciphertext attribute component corresponding to the data visitor to the latest version of the ciphertext attribute component according to the stored update parameter, and then corresponding the shared data.
- the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the updated ciphertext attribute component are returned to the data visitor. In this way, only when the user requests access to the shared data, the ciphertext attribute component is updated, which greatly reduces the load of the data storage provider.
- step S206 the data visitor queries whether to store in the preset user attribute component database according to the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component returned by the data storage provider. There is a corresponding user attribute component.
- the data visitor when the data visitor does not store the corresponding user attribute component, the data visitor obtains the user attribute component of the data visitor from the K attribute licensors associated with the access policy, and the specific implementation steps are as before. As described, it will not be repeated here.
- step S207 is performed. If the data is consistent, the data visitor recovers the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the stored user attribute component, and the data visitor uses the encryption key. The key decrypts the shared data ciphertext to obtain the shared data requested to be accessed.
- step S207 the data visitor sends a request for acquiring the user attribute component update parameter to the attribute licensor corresponding to the user attribute component whose version number is inconsistent.
- the previous user attribute component can no longer be used, and the user attribute component update parameter needs to be obtained from the attribute licensor corresponding to the user attribute component whose version number is inconsistent.
- the user property component is updated.
- step S208 after receiving the request for acquiring the user attribute component update parameter, the attribute licensor respectively generates a user attribute component update parameter of the data visitor.
- the attribute licensor generates a first hash value according to the global unique identifier (GID) of the data visitor, according to the first hash value, the new attribute master key
- the second parameter value and the second parameter value of the saved attribute master key generate a user attribute component update parameter.
- the user attribute component update parameter may be generated by the following formula (7):
- the user attribute component update parameters of each data visitor are inconsistent, and therefore, the data visitor cannot share the update parameters, thereby improving the security of the shared data.
- step S209 the attribute licensor sends the respective generated user attribute component update parameters to the data visitor.
- step S210 the data visitor recovers the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, the user attribute component update parameter, and the stored original user attribute component, and the data visitor uses the encryption.
- the key decrypts the shared data ciphertext to obtain a total of requests for access. Enjoy the data.
- the central identity authentication authorization is not required, and each attribute licensor performs independent authorization and authentication on the attributes of the user, thereby improving data security and reducing the complexity of data sharing access control.
- Embodiment 3 is a diagrammatic representation of Embodiment 3
- FIG. 3 is a flowchart showing an implementation process of an access control method for shared data according to Embodiment 3 of the present invention, which is described in detail as follows:
- step S301 the attribute licensor generates a new attribute master key according to the received attribute update instruction, and generates a new attribute version number, and generates a second hash according to the identifier of the attribute of the data visitor. And generating a ciphertext attribute component update parameter according to the second hash value, the new attribute master key, and the saved original attribute master key.
- a new parameter value of the attribute master key may be generated, and a new attribute version number is generated, according to the identifier of the attribute of the data visitor.
- the ciphertext attribute component update parameter may be generated by the following formula (8):
- a' is the first parameter value of the new attribute master key
- a is the first parameter value of the saved original attribute master key
- step S302 the attribute licensor sends the new attribute version number and the ciphertext attribute component update parameter to the data storage provider.
- step S303 the data store saves the received new attribute version number and the ciphertext attribute component update parameter to a pre-established update parameter list.
- the attribute licensor when the attribute of the user (for example, the data visitor) changes with management requirements, time, etc., the attribute licensor can update the attribute managed by the attribute in time. Therefore, the user's attribute authorization is adjusted in time to realize a quick recall of the attribute.
- the data storage provider pre-establishes an update parameter list for recording each version of the managed attribute and the corresponding update parameter.
- step S304 the data visitor sends an access request to a shared data to the data store.
- step S305 the data visitor obtains the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component corresponding to the shared data from the data storage provider.
- the data storage provider when the data storage provider receives the ciphertext, the access policy, and the ciphertext attribute component of the shared data ciphertext, the encryption key, and the ciphertext attribute component sent by the data visitor, the data storage provider The stored update parameter list determines whether the attribute version number attached to the ciphertext attribute component corresponding to the data visitor is the latest version number of the attribute, and if yes, returns the shared data ciphertext and the encryption corresponding to the shared data to the data visitor.
- the ciphertext, the access policy, and the ciphertext attribute component of the key if not, update the ciphertext attribute component corresponding to the data visitor to the latest version of the ciphertext attribute component according to the stored update parameter, and then corresponding the shared data.
- the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the updated ciphertext attribute component are returned to the data visitor. In this way, only when the user requests access to the shared data, the ciphertext attribute component is updated, which greatly reduces the load of the data storage provider.
- step S306 the data visitor queries whether to store in the preset user attribute component database according to the shared data ciphertext, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component returned by the data storage provider. There is a corresponding user attribute component.
- the data visitor when the data visitor does not store the corresponding user attribute component, the data visitor obtains the user attribute component of the data visitor from the K attribute licensors associated with the access policy, and the specific implementation steps are as before. As described, it will not be repeated here.
- step S307 is performed, and if they are consistent, the data visitor is based on the received access policy, The ciphertext of the encryption key, the ciphertext attribute component, and the stored user attribute component recover the encryption key, and the data visitor decrypts the shared data ciphertext using the encryption key to obtain the shared data requested to be accessed.
- step S307 the data visitor sends a request for acquiring the user attribute component update parameter to the attribute licensor corresponding to the user attribute component whose version number is inconsistent.
- the previous user attribute component can no longer be used, and the user attribute component update parameter needs to be obtained from the attribute licensor corresponding to the user attribute component whose version number is inconsistent.
- the user property component is updated.
- step S308 after receiving the request for acquiring the user attribute component update parameter, the attribute licensor respectively generates a user attribute component update parameter of the data visitor.
- a new parameter value of the attribute master key may be generated, and a new attribute version number is generated, and the second hash value is generated according to the identifier of the data visitor attribute, according to The second hash value, the first parameter value of the new attribute master key, and the saved original attribute master key first parameter value generate a user attribute component update parameter, which may be generated by the following formula (9)
- the user attribute component update parameter :
- the user attribute component update parameter of each data visitor is consistent, thereby reducing the calculation amount of the attribute licensor generating the user attribute component update parameter, and improving the calculation efficiency.
- step S309 the attribute licensor sends the respective generated user attribute component update parameters to the data visitor.
- step S310 the data visitor recovers the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, the user attribute component update parameter, and the stored original user attribute component, and the data visitor uses the encryption.
- the key decrypts the shared data ciphertext to obtain the shared data requested to be accessed.
- the central identity authentication authorization is not required, and each attribute licensor performs independent authorization and authentication on the attributes of the user, thereby improving data security and reducing the complexity of data sharing access control.
- Embodiment 4 is a diagrammatic representation of Embodiment 4:
- FIG. 4 is a diagram showing the structure of the access control device 4 for sharing data according to the fourth embodiment of the present invention. For the convenience of description, only the portion related to the embodiment of the present invention is shown.
- the access device 4 includes:
- the access request sending unit 401 is configured to send, by the data visitor, an access request for a shared data to the data storage provider;
- the data obtaining unit 402 is configured to obtain, by the data visitor, the shared data ciphertext corresponding to the shared data, the ciphertext of the encryption key, the access policy, and the ciphertext attribute component, where the ciphertext attribute component is a value.
- the data request sending unit 403 is configured to send, by the data visitor, a request for acquiring a user attribute component of the data visitor to the K attribute licensors associated with the access policy, where the user attribute component is a value indicating that the data visitor owns The attribute corresponding to the value;
- the data returning unit 411 is configured to: after the K attribute licensors receive the request for acquiring the user attribute component, respectively generate a user attribute component of the data visitor, and send the data attribute component to the data visitor;
- the key recovery unit 404 is configured to restore, by the data visitor, the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the user attribute component. ;as well as
- the data decryption unit 405 is configured to decrypt the shared data ciphertext by the data visitor using the encryption key to obtain the shared data requested to be accessed.
- the access request transmitting unit 401, the data obtaining unit 402, the data request transmitting unit 403, the key restoring unit 404, and the data decrypting unit 405 are located in a data visitor 40, and the data returning unit 411 is located in the attribute licensor 41.
- the data returning unit 411 may include a component generating unit 4111, configured for each attribute licensor to obtain a global data visitor included in the request for the user attribute component according to the method.
- the unique identifier generates a first hash value, and generates a second hash value according to the identifier of the attribute of the data visitor, according to the first hash value, the second hash value, and the pre-generated attribute primary key
- the key generates the user attribute component, wherein one or more preset attributes managed by the attribute licensor correspond to the same attribute master key.
- the shared data access control apparatus further includes a data generating unit 421, configured to use, by the data owner, the encryption key, the attribute public key, the second hash value, The access policy generates the ciphertext of the encryption key and the ciphertext attribute component, and sends the ciphertext of the encryption key and the ciphertext attribute component to the data storage provider.
- the data generating unit 421 can be located in a data owner 42
- each unit of the access control device 4 for sharing data may be specifically referred to the implementation of the corresponding steps in the first embodiment, and details are not described herein again.
- the data visitor, the attribute licensor, the data storage provider, and the data owner may be a personal computer, a server, or the like that provides a corresponding function, and the above unit may perform its function through a corresponding hardware in a personal computer or a server.
- Functional unit or hardware unit may perform its function through a corresponding hardware in a personal computer or a server.
- Embodiment 5 is a diagrammatic representation of Embodiment 5:
- FIG. 5 is a diagram showing the structure of the shared data access control system 5 according to the fifth embodiment of the present invention. For the convenience of description, only the parts related to the embodiment of the present invention are shown, including:
- the system 5 includes a data visitor 51, an attribute licensor 52, and a data store 53, wherein:
- the data visitor 51 is configured to send an access request for a shared data to the data storage provider 53, and obtain the ciphertext of the shared data ciphertext and the encryption key corresponding to the shared data from the data storage 53.
- a policy and a ciphertext attribute component the ciphertext attribute component is a value for characterizing a data visitor
- the encryption key is used to encrypt the shared data
- the K associated with the access policy The attribute licensor separately sends a request for obtaining a user attribute component of the data visitor, the user attribute component being a value indicating that the data visitor owns the attribute corresponding to the value;
- the attribute licensor 52 is configured to: after receiving the request for acquiring the user attribute component sent by the data visitor 51, generate a user attribute component of the data visitor, and send the data attribute component to the data visitor;
- the data storage provider 53 is configured to receive an access request for the shared data sent by the data visitor 51, and return the ciphertext of the shared data ciphertext and the encryption key corresponding to the shared data to the data visitor 51. Access policy and ciphertext attribute artifacts.
- the data visitor 51 is further configured to recover the encryption key according to the received access policy, the ciphertext of the encryption key, the ciphertext attribute component, and the user attribute component, and use the The encryption key decrypts the shared data ciphertext to obtain shared data requested to be accessed.
- the system further includes a data owner 50, the data owner 50 generating the encryption according to the encryption key, the attribute public key, the second hash value, and the access policy. And the ciphertext attribute component of the key, and sending the ciphertext of the encryption key and the ciphertext attribute component to the data storage 53.
- the central identity authentication authorization is not required, and each attribute licensor performs independent authorization and authentication on the attributes of the user, thereby improving data security and reducing the complexity of data sharing access control.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims (10)
- 一种共享数据的访问控制方法,其特征在于,所述方法包括下述步骤:数据访问者向数据存储商发送对一共享数据的访问请求;数据访问者从数据存储商获取所述共享数据对应的共享数据密文、加密密钥的密文、访问策略以及密文属性构件,所述密文属性构件为一个数值,用于表征数据访问者的属性,所述加密密钥用于对所述共享数据进行加密;数据访问者向所述访问策略关联的K个属性授权商分别发送获取数据访问者的用户属性构件的请求,所述用户属性构件为一个数值,表示数据访问者拥有该数值对应的属性;所述K个属性授权商接收到获取所述用户属性构件的请求后,各自生成该数据访问者的用户属性构件,并发送给该数据访问者;数据访问者根据接收到的所述访问策略、所述加密密钥的所述密文、所述密文属性构件、所述用户属性构件恢复出所述加密密钥;数据访问者使用所述加密密钥对所述共享数据密文进行解密,以得到请求访问的共享数据。
- 如权利要求1所述的方法,其特征在于,生成该数据访问者的用户属性构件的步骤包括:各个属性授权商根据所述获取所述用户属性构件的请求中包含的数据访问者的全局唯一标识符生成第一哈希值,并根据所述数据访问者的属性的标识符生成第二哈希值,根据所述第一哈希值、第二哈希值以及预先生成的属性主密钥生成所述用户属性构件。
- 如权利要求2所述的方法,其特征在于,属性授权商管理的一个或多个预设属性对应同一个属性主密钥。
- 如权利要求1所述的方法,其特征在于,数据访问者从数据存储商获取所述共享数据对应的共享数据密文、加密密钥的密文、访问策略以及密文属 性构件的步骤之前,还包括:数据拥有者根据所述加密密钥、属性公钥、所述第二哈希值、所述访问策略生成所述加密密钥的所述密文以及所述密文属性构件,并将所述加密密钥的所述密文以及所述密文属性构件发送给所述数据存储商。
- 一种共享数据的访问控制装置,其特征在于,所述装置包括:访问请求发送单元,用于数据访问者向数据存储商发送对一共享数据的访问请求;数据获取单元,用于数据访问者从数据存储商获取所述共享数据对应的共享数据密文、加密密钥的密文、访问策略以及密文属性构件,所述密文属性构件为一个数值,用于表征数据访问者的属性,所述加密密钥用于对所述共享数据进行加密;数据请求发送单元,用于数据访问者向所述访问策略关联的K个属性授权商分别发送获取数据访问者的用户属性构件的请求,所述用户属性构件为一个数值,表示数据访问者拥有该数值对应的属性;数据返回单元,用于所述K个属性授权商接收到获取所述用户属性构件的请求后,各自生成该数据访问者的用户属性构件,并发送给该数据访问者;密钥恢复单元,用于数据访问者根据接收到的所述访问策略、所述加密密钥的所述密文、所述密文属性构件、所述用户属性构件恢复出所述加密密钥;以及数据解密单元,用于数据访问者使用所述加密密钥对所述共享数据密文进行解密,以得到请求访问的共享数据。
- 如权利要求5所述的装置,其特征在于,所述数据返回单元包括:构件生成单元,用于各个属性授权商根据所述获取所述用户属性构件的请求中包含的数据访问者的全局唯一标识符生成第一哈希值,并根据所述数据访问者的属性的标识符生成第二哈希值,根据所述第一哈希值、第二哈希值以及预先生成的属性主密钥生成所述用户属性构件。
- 如权利要求6所述的装置,其特征在于,属性授权商管理的一个或多个预设属性对应同一个属性主密钥。
- 如权利要求5所述的装置,其特征在于,所述装置还包括:数据生成单元,用于数据拥有者根据所述加密密钥、属性公钥、所述第二哈希值、所述访问策略生成所述加密密钥的所述密文以及所述密文属性构件,并将所述加密密钥的所述密文以及所述密文属性构件发送给所述数据存储商。
- 一种共享数据的访问控制系统,其特征在于,所述系统包括数据访问者、属性授权商以及数据存储商,其中:数据访问者,用于向数据存储商发送对一共享数据的访问请求,从数据存储商获取所述共享数据对应的共享数据密文、加密密钥的密文、访问策略以及密文属性构件,所述密文属性构件为一个数值,用于表征数据访问者的属性,所述加密密钥用于对所述共享数据进行加密,向所述访问策略关联的K个属性授权商分别发送获取数据访问者的用户属性构件的请求,所述用户属性构件为一个数值,表示数据访问者拥有该数值对应的属性;属性授权商,用于接收到数据访问者发送的获取所述用户属性构件的请求后,生成该数据访问者的用户属性构件,并发送给该数据访问者;数据存储商,用于接收所述数据访问者发送的对一共享数据的访问请求,向所述数据访问者返回所述共享数据对应的共享数据密文、加密密钥的密文、访问策略以及密文属性构件;数据访问者还用于根据接收到的所述访问策略、所述加密密钥的所述密文、所述密文属性构件、所述用户属性构件恢复出所述加密密钥,使用所述加密密钥对所述共享数据密文进行解密,以得到请求访问的共享数据。
- 如权利要求9所述的访问控制系统,其特征在于,所述系统还包括数据拥有者,所述数据拥有者根据所述加密密钥、属性公钥、所述第二哈希值、所述访问策略生成所述加密密钥的所述密文以及所述密文属性构件,并将所述加密密钥的所述密文以及所述密文属性构件发送给所述数据存储商。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201480001781.4A CN104584509A (zh) | 2014-12-31 | 2014-12-31 | 一种共享数据的访问控制方法、装置及系统 |
PCT/CN2014/096064 WO2016106752A1 (zh) | 2014-12-31 | 2014-12-31 | 一种共享数据的访问控制方法、装置及系统 |
US15/024,379 US10050968B2 (en) | 2014-12-31 | 2014-12-31 | Method, apparatus, and system for access control of shared data |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2014/096064 WO2016106752A1 (zh) | 2014-12-31 | 2014-12-31 | 一种共享数据的访问控制方法、装置及系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016106752A1 true WO2016106752A1 (zh) | 2016-07-07 |
Family
ID=53097346
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/096064 WO2016106752A1 (zh) | 2014-12-31 | 2014-12-31 | 一种共享数据的访问控制方法、装置及系统 |
Country Status (3)
Country | Link |
---|---|
US (1) | US10050968B2 (zh) |
CN (1) | CN104584509A (zh) |
WO (1) | WO2016106752A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108683626A (zh) * | 2018-03-15 | 2018-10-19 | 众安信息技术服务有限公司 | 一种数据访问控制方法及装置 |
WO2020093809A1 (zh) * | 2018-11-07 | 2020-05-14 | 阿里巴巴集团控股有限公司 | 一种区块链数据读取方法及装置 |
CN115150142A (zh) * | 2022-06-24 | 2022-10-04 | 深圳市北科瑞声科技股份有限公司 | 一种数据访问处理方法、系统、设备及存储介质 |
CN117424700A (zh) * | 2023-10-20 | 2024-01-19 | 重庆大学 | 基于充电桩自组网的数据安全访问方法及装置 |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014146265A1 (en) * | 2013-03-20 | 2014-09-25 | Nokia Corporation | Method and apparatus for personalized resource recommendations |
WO2016106752A1 (zh) * | 2014-12-31 | 2016-07-07 | 深圳大学 | 一种共享数据的访问控制方法、装置及系统 |
WO2016158721A1 (ja) * | 2015-03-27 | 2016-10-06 | Necソリューションイノベータ株式会社 | データ管理装置、データ管理方法、及びコンピュータ読み取り可能な記録媒体 |
CN104883254B (zh) * | 2015-06-12 | 2018-01-12 | 深圳大学 | 面向云计算平台的密文访问控制系统及其访问控制方法 |
CN106657059B (zh) * | 2016-12-21 | 2020-04-21 | 哈尔滨工业大学深圳研究生院 | 一种具有访问控制功能的数据库查询方法和系统 |
US10536465B2 (en) | 2017-01-18 | 2020-01-14 | Microsoft Technology Licensing, Llc | Security for accessing stored resources |
US10838819B2 (en) * | 2017-01-18 | 2020-11-17 | Microsoft Technology Licensing, Llc | Including personal relationship metadata within duplicated resources shared across partitioned storage |
US10542088B2 (en) | 2017-01-18 | 2020-01-21 | Microsoft Technology Licensing, Llc | Modifying data resources within party-partitioned storage areas |
CN106789055B (zh) * | 2017-01-20 | 2019-08-30 | 兴唐通信科技有限公司 | 单向流程前向安全技术实现方法 |
CN107302524B (zh) * | 2017-06-02 | 2020-10-09 | 西安电子科技大学 | 一种云计算环境下的密文数据共享系统 |
CN107659574A (zh) * | 2017-10-10 | 2018-02-02 | 郑州云海信息技术有限公司 | 一种数据访问控制系统 |
CN109995712B (zh) * | 2017-12-29 | 2021-10-01 | 中国移动通信集团湖北有限公司 | 数据加解密方法、装置、设备及介质 |
CN108200074A (zh) * | 2018-01-14 | 2018-06-22 | 南京邮电大学 | 一种基于属性加密的物流大数据访问控制系统及方法 |
CN108765230B (zh) * | 2018-04-10 | 2020-02-14 | 平安科技(深圳)有限公司 | 一种居民户籍信息管理方法及服务器 |
CN111325545B (zh) * | 2018-12-13 | 2023-05-02 | 北京沃东天骏信息技术有限公司 | 基于区块链的密钥管理方法、装置及设备 |
CN110321732A (zh) * | 2019-05-23 | 2019-10-11 | 深圳壹账通智能科技有限公司 | 区块链系统的数据授权方法、装置、存储介质及电子设备 |
US11468175B2 (en) * | 2019-07-31 | 2022-10-11 | Salesforce, Inc. | Caching for high-performance web applications |
CN111212084B (zh) * | 2020-01-15 | 2021-04-23 | 广西师范大学 | 一种面向边缘计算的属性加密访问控制方法 |
CN112532588B (zh) * | 2020-11-06 | 2023-01-31 | 北京工业大学 | 一种基于区块链的策略隐藏型数据访问控制方法 |
CN112953815B (zh) * | 2021-02-08 | 2022-07-15 | 北京字跳网络技术有限公司 | 信息访问的控制方法、装置、设备和存储介质 |
CN113127927B (zh) * | 2021-04-27 | 2022-03-18 | 泰山学院 | 一种许可链数据共享及监管的属性重构加密方法及系统 |
CN114244838A (zh) * | 2021-12-17 | 2022-03-25 | 东软集团股份有限公司 | 区块链数据的加密方法及系统、解密方法、装置及设备 |
CN115001730B (zh) * | 2022-03-02 | 2023-09-05 | 上海交通大学 | 分布式场景下基于角色属性的访问控制系统及方法 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102546764A (zh) * | 2011-12-20 | 2012-07-04 | 华中科技大学 | 一种云存储系统的安全访问方法 |
CN102624522A (zh) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | 一种基于文件属性的密钥加密方法 |
US20130080765A1 (en) * | 2011-09-26 | 2013-03-28 | Subhashis Mohanty | Secure cloud storage and synchronization systems and methods |
CN103763319A (zh) * | 2014-01-13 | 2014-04-30 | 华中科技大学 | 一种移动云存储轻量级数据安全共享方法 |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10200522A (ja) * | 1997-01-08 | 1998-07-31 | Hitachi Software Eng Co Ltd | Icカード利用暗号化方法およびシステムおよびicカード |
US7353388B1 (en) * | 2004-02-09 | 2008-04-01 | Avaya Technology Corp. | Key server for securing IP telephony registration, control, and maintenance |
US8594332B2 (en) * | 2007-05-25 | 2013-11-26 | Nec Corporation | Key generating apparatus, encrypting apparatus and decrypting appatatus |
US20090080658A1 (en) * | 2007-07-13 | 2009-03-26 | Brent Waters | Method and apparatus for encrypting data for fine-grained access control |
US20100185861A1 (en) * | 2009-01-19 | 2010-07-22 | Microsoft Corporation | Anonymous key issuing for attribute-based encryption |
GB2467580B (en) * | 2009-02-06 | 2013-06-12 | Thales Holdings Uk Plc | System and method for multilevel secure object management |
CN101807991B (zh) * | 2009-02-18 | 2014-03-12 | 上海交通大学 | 密文政策属性基加密系统和方法 |
FR2950769B1 (fr) * | 2009-09-30 | 2022-09-16 | Trustseed Sas | Systeme et procede de gestion de sessions de correspondance electronique securisee |
US8423764B2 (en) * | 2010-06-23 | 2013-04-16 | Motorola Solutions, Inc. | Method and apparatus for key revocation in an attribute-based encryption scheme |
US8594329B2 (en) * | 2010-12-17 | 2013-11-26 | Microsoft Corporation | Non-interactive verifiable, delegated computation |
US8516244B2 (en) * | 2011-06-10 | 2013-08-20 | Zeutro Llc | System, apparatus and method for decentralizing attribute-based encryption information |
US8891772B2 (en) * | 2011-06-17 | 2014-11-18 | Microsoft Corporation | Cloud key escrow system |
CN103457725B (zh) * | 2013-07-02 | 2017-02-08 | 河海大学 | 一种多授权中心的加密方法 |
CN103701833B (zh) * | 2014-01-20 | 2018-02-16 | 深圳大学 | 一种基于云计算平台的密文访问控制方法及系统 |
WO2016106752A1 (zh) * | 2014-12-31 | 2016-07-07 | 深圳大学 | 一种共享数据的访问控制方法、装置及系统 |
-
2014
- 2014-12-31 WO PCT/CN2014/096064 patent/WO2016106752A1/zh active Application Filing
- 2014-12-31 US US15/024,379 patent/US10050968B2/en not_active Expired - Fee Related
- 2014-12-31 CN CN201480001781.4A patent/CN104584509A/zh active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130080765A1 (en) * | 2011-09-26 | 2013-03-28 | Subhashis Mohanty | Secure cloud storage and synchronization systems and methods |
CN102546764A (zh) * | 2011-12-20 | 2012-07-04 | 华中科技大学 | 一种云存储系统的安全访问方法 |
CN102624522A (zh) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | 一种基于文件属性的密钥加密方法 |
CN103763319A (zh) * | 2014-01-13 | 2014-04-30 | 华中科技大学 | 一种移动云存储轻量级数据安全共享方法 |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108683626A (zh) * | 2018-03-15 | 2018-10-19 | 众安信息技术服务有限公司 | 一种数据访问控制方法及装置 |
WO2020093809A1 (zh) * | 2018-11-07 | 2020-05-14 | 阿里巴巴集团控股有限公司 | 一种区块链数据读取方法及装置 |
US11108547B2 (en) | 2018-11-07 | 2021-08-31 | Advanced New Technologies Co., Ltd. | Methods and apparatuses for reading blockchain data |
CN115150142A (zh) * | 2022-06-24 | 2022-10-04 | 深圳市北科瑞声科技股份有限公司 | 一种数据访问处理方法、系统、设备及存储介质 |
CN117424700A (zh) * | 2023-10-20 | 2024-01-19 | 重庆大学 | 基于充电桩自组网的数据安全访问方法及装置 |
Also Published As
Publication number | Publication date |
---|---|
US10050968B2 (en) | 2018-08-14 |
CN104584509A (zh) | 2015-04-29 |
US20160359856A1 (en) | 2016-12-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016106752A1 (zh) | 一种共享数据的访问控制方法、装置及系统 | |
Thwin et al. | Blockchain-based access control model to preserve privacy for personal health record systems | |
CN110099043B (zh) | 支持策略隐藏的多授权中心访问控制方法、云存储系统 | |
Tian et al. | Medical data management on blockchain with privacy | |
CN111916173B (zh) | 基于ipfs和联盟链的医疗数据安全共享系统及方法 | |
CN112765650B (zh) | 一种属性基可搜索加密的区块链医疗数据共享方法 | |
Tong et al. | Cloud-assisted mobile-access of health data with privacy and auditability | |
WO2019090988A1 (zh) | 一种基于动态规则的密码学属性基访问控制方法与系统 | |
WO2018045568A1 (zh) | 一种面向云存储服务平台的访问控制方法及其系统 | |
WO2018113563A1 (zh) | 一种具有访问控制功能的数据库查询方法和系统 | |
Huang et al. | A hierarchical framework for secure and scalable EHR sharing and access control in multi-cloud | |
Pussewalage et al. | A patient-centric attribute based access control scheme for secure sharing of personal health records using cloud computing | |
CN108632385B (zh) | 基于时间序列的多叉树数据索引结构云存储隐私保护方法 | |
KR101220160B1 (ko) | 모바일 클라우드 환경에서 안전한 프록시 재암호화 기반의 데이터 관리 방법 | |
CN112365945A (zh) | 基于区块链的电子病历细粒度访问控制和密文可搜索方法 | |
Jiang et al. | Attribute-based encryption with blockchain protection scheme for electronic health records | |
CN113098849A (zh) | 基于属性及身份加密的访问控制方法、终端及存储介质 | |
Pussewalage et al. | An attribute based access control scheme for secure sharing of electronic health records | |
Sethia et al. | CP-ABE for selective access with scalable revocation: A case study for mobile-based healthfolder. | |
Thummavet et al. | A novel personal health record system for handling emergency situations | |
Tian et al. | Role-based Access Control for Body Area Networks Using Attribute-based Encryption in Cloud Storage. | |
CN113411323A (zh) | 基于属性加密的医疗病历数据访问控制系统及方法 | |
Wang et al. | Multi-authority based weighted attribute encryption scheme in cloud computing | |
CN115758396B (zh) | 基于可信执行环境的数据库安全访问控制技术 | |
Chennam et al. | Cloud security in crypt database server using fine grained access control |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 15024379 Country of ref document: US |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14909558 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14909558 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 30/05/2018) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14909558 Country of ref document: EP Kind code of ref document: A1 |