WO2019090841A1 - Encrypted file retrieval method and system, terminal device and storage medium - Google Patents

Encrypted file retrieval method and system, terminal device and storage medium

Publication number
WO2019090841A1
Authority
WO
WIPO (PCT)
Prior art keywords
target
key
server
keyword
terminal
Prior art date
Application number
PCT/CN2017/112600
Other languages
English (en)
Chinese (zh)
Inventor
王翼
吴逸明
黄度新
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2019090841A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/176 Support for shared access to files; File sharing support
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • the present application relates to the field of electronic technologies, and in particular, to a method, system, terminal device, and storage medium for retrieving encrypted files.
  • the files are usually encrypted and then uploaded to the cloud server.
  • the search credential of the search keyword may be sent to the cloud server; the cloud server uses the search credential to match each encrypted file and returns the successfully matched encrypted files to the user, and the user can read a returned file after decrypting it.
  • although the traditional searchable encryption method can retrieve encrypted files, it only supports key sharing, that is, the data provider and the user share the same key to encrypt, decrypt, and retrieve files. Sharing keys in this way can easily lead to key leakage and affect data security.
  • the embodiment of the present invention provides a method for retrieving an encrypted file, so as to solve the problem that the existing retrieval of the encrypted file by the shared key method results in low data security.
  • an embodiment of the present application provides a method for retrieving an encrypted file, including:
  • the first terminal encrypts the shared file by using the first user key to obtain an encrypted file, and sends the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to a preset root key;
  • the server encrypts the encrypted file by using the first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to the preset root key and uniquely corresponds to the first user key;
  • the second terminal acquires the target keyword information, and sends the target keyword information to the server, where the second terminal is an authorized user end of the first terminal;
  • the server performs a search in the index information according to the target keyword information, acquires a target double-encrypted file that matches the retrieved target keyword information, and uses a second server-side key to decrypt the target double-encrypted file to obtain a target encrypted file, where the second server-side key is generated by the key management center according to the root key;
  • the embodiment of the present application provides a retrieval system for an encrypted file, including a first terminal, a second terminal, a server, and a key management center; the first terminal and the server, the second terminal and the server, and the key management center and each of the first terminal, the second terminal, and the server are connected through a network;
  • the first terminal includes:
  • An encryption module configured to encrypt the shared file by using the first user key to obtain an encrypted file, and send the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to the preset root key;
  • the second terminal includes:
  • a target keyword module configured to acquire target keyword information, and send the target keyword information to the server, where the second terminal is an authorized user end of the first terminal;
  • the server includes:
  • a double encryption module configured to encrypt the encrypted file by using a first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to a preset root key and uniquely corresponds to the first user key;
  • a search module configured to perform a search in the index information according to the target keyword information, acquire a target double-encrypted file that matches the retrieved target keyword information, and use a second server-side key Decrypting the target double-encrypted file to obtain a target encrypted file, where the second server-side key is generated by the key management center according to the root key;
  • a sending module configured to send the target encrypted file to the second terminal
  • the second terminal further includes:
  • a decryption module configured to decrypt the target encrypted file by using a second user key to obtain a target shared file, where the second user key is generated by the key management center according to the root key and uniquely corresponds to the second server key;
  • the key management center is configured to generate, according to the preset root key, the first user key, the first server key, the second user key, and the second server key.
  • an embodiment of the present application provides a terminal device, including a memory, a processor, and computer readable instructions stored in the memory and executable on the processor, where the processor implements the following steps when executing the computer readable instructions:
  • the first terminal encrypts the shared file by using the first user key to obtain an encrypted file, and sends the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to a preset root key;
  • the server encrypts the encrypted file by using the first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to the preset root key and uniquely corresponds to the first user key;
  • the second terminal acquires the target keyword information, and sends the target keyword information to the server, where the second terminal is an authorized user end of the first terminal;
  • the server performs a search in the index information according to the target keyword information, acquires a target double-encrypted file that matches the retrieved target keyword information, and uses a second server-side key to decrypt the target double-encrypted file to obtain a target encrypted file, where the second server-side key is generated by the key management center according to the root key;
  • an embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores computer readable instructions, and when the computer readable instructions are executed by a processor, the following steps are implemented:
  • the first terminal encrypts the shared file by using the first user key to obtain an encrypted file, and sends the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to a preset root key;
  • the server encrypts the encrypted file by using the first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to the preset root key and uniquely corresponds to the first user key;
  • the second terminal acquires the target keyword information, and sends the target keyword information to the server, where the second terminal is an authorized user end of the first terminal;
  • the server performs a search in the index information according to the target keyword information, acquires a target double-encrypted file that matches the retrieved target keyword information, and uses a second server-side key to decrypt the target double-encrypted file to obtain a target encrypted file, where the second server-side key is generated by the key management center according to the root key;
  • the embodiment of the present application has the following advantages: the first terminal, as the data provider, encrypts the shared file by using the first user key and uploads it to the server, and the server encrypts the encrypted file by using the first server key. The second terminal, as an authorized user end of the first terminal, sends the target keyword information for searching to the server; the server searches for the corresponding double encrypted file according to the target keyword information, decrypts the double encrypted file by using the second server key, and sends the obtained target encrypted file to the second terminal, and the second terminal decrypts the target encrypted file by using the second user key to obtain the target shared file. Because the first user key uniquely corresponds to the first server key, the second user key uniquely corresponds to the second server key, and all four keys are generated by the key management center according to the root key, the first terminal and the second terminal can use different keys to encrypt and decrypt the shared file, and the keys of different second terminals may also differ from each other. Multiple authorized users can therefore retrieve the shared files through different keys, which improves the data security of the shared files. Because the server encrypts the encrypted file a second time, the data security of the shared file is further improved.
  • FIG. 1 is a schematic diagram of an application scenario of a method for retrieving an encrypted file according to an embodiment of the present application
  • FIG. 2 is a flowchart of an implementation of a method for retrieving an encrypted file according to an embodiment of the present application
  • FIG. 3 is a flowchart of an implementation of step S1 in a method for retrieving an encrypted file according to an embodiment of the present application
  • FIG. 4 is a flowchart of an implementation of step S2 in a method for retrieving an encrypted file according to an embodiment of the present application
  • FIG. 5 is a flowchart of implementing step S4 in the method for retrieving an encrypted file according to an embodiment of the present application
  • FIG. 6 is a schematic diagram of a retrieval system for an encrypted file according to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a terminal device according to an embodiment of the present application.
  • FIG. 1 shows an application scenario of a method for retrieving an encrypted file according to an embodiment of the present application.
  • the application scenario of the method for retrieving the encrypted file involves a first terminal, a second terminal, a server, and a key management center.
  • the first terminal is a data provider, and the second terminal is an authorized user end of the first terminal.
  • the first terminal can simultaneously authorize multiple second terminals as authorized users. For the first terminal and each second terminal alike, the key is uniformly distributed by the key management center.
  • the key management center completes management operations such as generation and distribution of all keys used in the process of encrypting the file.
  • the keys of the first terminal and of each second terminal are different, and each terminal uses its own key to encrypt and decrypt the shared file.
  • FIG. 2 is a flowchart showing an implementation process of a method for retrieving an encrypted file according to an embodiment of the present application. Details are as follows:
  • S1 The first terminal encrypts the shared file by using the first user key to obtain an encrypted file, and sends the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to the preset root key.
  • the key management center generates the first user key and the first server key according to the preset root key, and the first user key and the first server key uniquely correspond to each other.
  • the key management center sends the first user key to the first terminal, and sends the corresponding first server key to the server.
  • when the second terminal successfully requests to become an authorized user of the first terminal, the key management center generates, from the same root key as the first user key and the first server key, a second user key and a second server key for the authorized user, sends the second user key to the second terminal, and sends the corresponding second server key to the server.
  • the server associates each server key received with the corresponding user identification information of the client.
  • the implementation process of key generation and allocation includes (a1) to (a5), and the details are as follows:
  • the key management center sends $K_{uk}$ to user $k$ and sends $K_{sk}$ to the server;
  • after receiving $K_{sk}$, the server saves the user identification information $k$ and $K_{sk}$ in association as $(k, K_{sk})$.
  • the shared file to be uploaded is encrypted using the first user key to obtain an encrypted file.
  • $x_{i1}$ is the first user key
  • $g$ is a generator of the cyclic group generated by the key management center according to the preset security parameter
  • $r$ is a random number selected at random from the basic key set. When the key management center sends the first user key to the first terminal, it sends $g$ and $r$ to the first terminal at the same time.
  • the index information corresponding to the shared file is used to search for the shared file. The first terminal may determine the corresponding index information by identifying the content of the shared file, or directly obtain index information input by the user, which is not limited herein.
  • the first terminal sends the encrypted file and the index information to the server, and also sends its own user identification information to the server.
  • the server encrypts the encrypted file by using the first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to the preset root key and uniquely corresponds to the first user key.
  • after receiving the encrypted file sent by the first terminal, the server obtains, from the saved association records and according to the user identification information of the first terminal, the first server key corresponding to that user identification information.
  • the key is double-en
  • the server saves the index information and the double encrypted file in association, so that the corresponding double encrypted file can be searched through the index information.
  • the second terminal acquires the target keyword information, and sends the target keyword information to the server, where the second terminal is the authorized user end of the first terminal.
  • the target keyword information for searching is acquired, and the target keyword information is generated by the search keyword input by the user of the second terminal.
  • when the second terminal sends the target keyword information to the server, the second terminal also sends its own identification information to the server.
  • the server searches in the index information according to the target keyword information, acquires a target double-encrypted file that matches the retrieved target keyword information, and uses the second server-side key to decrypt the target double-encrypted file to obtain a target encrypted file, wherein the second server key is generated by the key management center according to the preset root key.
  • the server receives the target keyword information sent by the second terminal and searches in the pre-stored index information; if the target keyword information is retrieved, the server acquires the target double-encrypted file corresponding to the target keyword information.
  • the server obtains the second server key corresponding to the identifier information of the second terminal from the saved association records according to the identifier information of the second terminal, and decrypts the target double encrypted file by using the second server key to obtain the target encrypted file.
  • S5 The server sends the target encrypted file to the second terminal.
  • the second terminal decrypts the target encrypted file by using the second user key to obtain a target shared file, where the second user key is generated by the key management center according to the preset root key and uniquely corresponds to the second server key.
  • the target encrypted file received by the second terminal has been encrypted according to the second user key $x_{j1}$; therefore, the second terminal completes decryption of the target encrypted file by using the second user key $x_{j1}$.
  • the first user key $x_{i1}$ and the first server key $x_{i2}$ used in the encryption process, and the second user key $x_{j1}$ and the second server key $x_{i2}$ used in the decryption process, may differ from each other, so that different keys are used to encrypt and decrypt the shared file, thereby improving the data security of the shared file.
  • the first terminal, as the data provider, encrypts the shared file by using the first user key and uploads it to the server, and the server encrypts the encrypted file by using the first server key. The second terminal, as an authorized client of the first terminal, sends the target keyword information for the retrieval to the server. After the server retrieves the corresponding double encrypted file according to the target keyword information, it decrypts the double encrypted file by using the second server key, and the second terminal decrypts the target encrypted file by using the second user key to obtain the target shared file. Because the first user key uniquely corresponds to the first server key, the second user key uniquely corresponds to the second server key, and the first user key, the first server key, the second user key, and the second server key are all generated by the key management center according to the root key, the first terminal and the second terminal can encrypt and decrypt the shared file using different keys, and the keys of different second terminals may also differ from each other. Multiple authorized users can therefore retrieve the shared files through different keys, which improves the data security of the shared files; at the same time, the second encryption performed by the server further improves the data security of shared files.
  • the following describes in detail, through a specific embodiment, how the first terminal in step S1 encrypts the shared file by using the first user key to obtain an encrypted file and sends the encrypted file and the index information corresponding to the shared file to the server.
  • FIG. 3 shows a specific implementation process of step S1 provided by the embodiment of the present application, which is described in detail as follows:
  • S11 The first terminal acquires the shared file and the search keyword corresponding to the shared file.
  • the first terminal acquires a shared file provided by the user, and a search keyword corresponding to the shared file.
  • the first terminal may determine the corresponding search keyword by identifying the content of the shared file, or directly obtain the search keyword input by the user, which is not limited herein.
  • S12 The first terminal encrypts the shared file by using the first user key to obtain an encrypted file.
  • the first terminal encrypts the shared file by using the first user key, and the process of obtaining the encrypted file is the same as the method for obtaining the encrypted file described in the foregoing step S1, and details are not described herein again.
  • S13 The first terminal generates a fuzzy keyword set according to the search keyword.
  • the first terminal generates a fuzzy keyword set according to the determined search keyword. The fuzzy keyword set is used for performing fuzzy search on the shared file and includes a series of fuzzy keywords generated from the search keyword; searching with the fuzzy keywords in the set can meet the needs of a wider range of retrieval.
  • the first terminal constructs a fuzzy keyword set by using a wildcard character according to the search keyword.
  • a fuzzy keyword set $S_{w,d}$ is created with wildcard characters for the search keyword $w$ and edit distance $d$; a wildcard character represents an edit operation at a certain position in the search keyword.
  • the editing operation includes three modes of operation:
  • Insert operation: insert a character into the word of the search keyword
  • the search keyword $w$ is student
  • the established fuzzy keyword set is $S_{student,1} = \{student,\ {*}student,\ s{*}tudent,\ {*}tudent,\ s{*}udent,\ \ldots,\ studen{*},\ student{*}\}$
  • the number of words in the fuzzy keyword set is 16.
  • the size of the constructed fuzzy keyword set $S_{w,1}$ is $(2l+1)+1$.
  • the size of the constructed fuzzy keyword set $S_{w,d}$ also increases. That is, for a search keyword of length $l$ and edit distance $d$, the size of the fuzzy keyword set constructed with wildcard characters has complexity $O(l^d)$.
  • S14 The first terminal encrypts each keyword in the fuzzy keyword set by using the first index key to obtain a first trapdoor set, where the first index key is generated by the first user key.
  • S15 The first terminal encrypts the identification information of the shared file by using the first index key, and forms the encrypted identification information, the first trapdoor set, and the first index key into index information.
  • AES: Advanced Encryption Standard
  • DES: Data Encryption Standard
  • the identification information of the shared file is used to uniquely identify the shared file, and the identifier information may be a unique number of the file, but is not limited thereto, and may be set according to the needs of the application, and is not limited herein.
  • S16 The first terminal sends the encrypted file and the index information to the server.
  • the first terminal sends the encrypted file C(file) and the index information Index to the server.
  • the first terminal encrypts the shared file by using the first user key to obtain the encrypted file, constructs a fuzzy keyword set with wildcard characters according to the search keyword, encrypts each keyword in the fuzzy keyword set with the first index key to obtain a first trapdoor set, and encrypts the identification information of the shared file with the first index key. The encrypted identification information, the first trapdoor set, and the first index key are combined into index information, and the encrypted file and the index information are sent together to the server so that the server can carry out the retrieval. Constructing the fuzzy keyword set enables fuzzy search on the search keywords, which can effectively improve the search success rate and accuracy, and the fuzzy keyword set constructed with wildcards is more complete and can satisfy fuzzy retrieval requirements over a larger range.
  • the following describes in detail, through a specific embodiment, how the second terminal in step S2 acquires the target keyword information and sends the target keyword information to the server.
  • the target keyword information acquired by the second terminal includes a target trapdoor set.
  • FIG. 4 shows a specific implementation process of step S2 provided by the embodiment of the present application, which is described in detail as follows:
  • S21 The second terminal acquires a keyword to be retrieved.
  • the second terminal acquires a keyword to be retrieved input by the user.
  • S22 The second terminal generates a target fuzzy keyword set according to the keyword to be retrieved.
  • the second terminal generates the target fuzzy keyword set from the keyword to be retrieved by the same method the first terminal uses in step S13 to generate the fuzzy keyword set from the search keyword; details are not repeated here.
  • where the keyword to be searched is $w_2$ and the edit distance is $d_2$, the generated target fuzzy keyword set is $S_{w_2,d_2}$.
  • S23 The second terminal encrypts each keyword in the target fuzzy keyword set by using the second index key to obtain a target trapdoor set, where the second index key is generated by the second user key, and the second user key is generated by the key management center based on the root key.
  • S24 The second terminal sends the target trapdoor set to the server.
  • the second terminal sends the target trapdoor set Fuzzy Enc2 as the target keyword information to the server.
  • when the authorized user of the second terminal needs to retrieve the related encrypted file by using the keyword to be searched, the second terminal generates a target fuzzy keyword set according to the keyword to be retrieved, by the same method the first terminal uses to generate the fuzzy keyword set from the search keyword. It then encrypts each keyword in the target fuzzy keyword set with the second index key to obtain the target trapdoor set and sends the target trapdoor set to the server as the target keyword information so that the server can perform the search. Constructing the fuzzy keyword set enables fuzzy search, which can effectively improve the search success rate and accuracy, and the fuzzy keyword set constructed with wildcards is more complete and can meet the needs of fuzzy retrieval over a wider range.
  • the following describes in detail, through a specific embodiment, how the server in step S4 searches in the index information according to the target keyword information, acquires the target double-encrypted file that matches the retrieved target keyword information, and decrypts the target double-encrypted file by using the second server-side key to obtain the target encrypted file.
  • FIG. 5 shows a specific implementation process of step S4 provided by the embodiment of the present application, which is described in detail as follows:
  • after receiving the target trapdoor set sent by the second terminal, the server performs fuzzy search in the index information according to the target trapdoor set. The index information was sent to the server by the first terminal and includes the identification information of the encrypted shared file, the first trapdoor set, and the first index key. If the server retrieves a first trapdoor set that matches the target trapdoor set, the index information containing that first trapdoor set is used as the target encrypted index Index', the first index key $K_I$ included in the index information is obtained as the target index key, and the encrypted identification information $Enc(K_I, fid_{w1})$ of the shared file included in the index information is used as the identification information of the encrypted target shared file.
  • the target trapdoor set sent by the second terminal is obtained by encryption with the second index key, whereas the first trapdoor set in the index information sent by the first terminal and saved on the server is obtained by encryption with the first index key; that is, the encryption keys of the first trapdoor set and the target trapdoor set are different. However, since the first index key is generated by the first user key, the second index key is generated by the second user key, and both the first user key and the second user key are generated by the key management center according to the same root key, the fuzzy retrieval performed by the server can find, in the index information, the first trapdoor set that matches the target trapdoor set.
  • S42 The server decrypts the identification information of the target shared file by using the target index key, and obtains the target double encrypted file according to the decrypted identification information.
  • The server decrypts the identification information Enc(K_I, fid_w1) of the target shared file by using the target index key obtained in step S41, that is, the first index key K_I, to obtain the decrypted identification information fid_w.
  • Since the server has associated the index information with the double encrypted file in step S2, the server can obtain the target double encrypted file C*(file) corresponding to the identification information according to the decrypted identification information fid_w.
  • S43 The server decrypts the target double encrypted file by using the second server key to obtain the target encrypted file.
  • The server decrypts the target double-encrypted file by using the second server-side key; the process of obtaining the target encrypted file is the same as the method for obtaining the target encrypted file described in step S4 above and is not repeated here.
  • The server retrieves, according to the target trapdoor set sent by the second terminal, a target encrypted index matching the target trapdoor set in the index information, and obtains the corresponding target index key and the encrypted identification information of the target shared file according to the target encrypted index. It then uses the target index key to decrypt the identification information of the target shared file, obtains the target double encrypted file according to the decrypted identification information, and uses the second server key to decrypt the target double-encrypted file to obtain the target encrypted file, so that the second terminal can decrypt the target encrypted file by using the second user key to obtain the target shared file that is finally retrieved. Multiple authorized users can thus retrieve shared files through different keys, which improves the data security of shared files.
  • FIG. 6 is a structural block diagram of the retrieval system of the encrypted file provided by the embodiment of the present application. For the convenience of description, only the parts related to the embodiment of the present application are shown.
  • The retrieval system of the encrypted file includes a first terminal 61, a second terminal 62, a server 63, and a key management center 64, wherein the first terminal and the server, the second terminal and the server, and the key management center and each of the first terminal, the second terminal, and the server are respectively connected through the network.
  • the key management center 64 is configured to generate a first user key, a first server key, a second user key, and a second server key according to the preset root key.
  • the first terminal 61 includes an encryption module 611
  • the second terminal 62 includes a target keyword module 621 and a decryption module 622.
  • the server 63 includes a double encryption module 631, a retrieval module 632, and a transmission module 633.
  • the functional modules are described in detail as follows:
  • the encryption module 611 is configured to encrypt the shared file by using the first user key to obtain an encrypted file, and send the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to the preset root key;
  • the target keyword module 621 is configured to acquire target keyword information, and send the target keyword information to the server, where the second terminal 62 is an authorized user end of the first terminal 61;
  • the decryption module 622 is configured to decrypt the target encrypted file by using the second user key to obtain a target shared file, where the second user key is generated by the key management center according to the root key, and uniquely corresponds to the second server key;
  • the double encryption module 631 is configured to encrypt the encrypted file by using the first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to the preset root key, and uniquely corresponds to the first user key;
  • the retrieval module 632 is configured to perform a search in the index information according to the target keyword information, acquire a target double-encrypted file that matches the retrieved target keyword information, and decrypt the target double-encrypted file by using the second server-side key to obtain a target encrypted file, wherein the second server key is generated by the key management center according to the root key;
  • the sending module 633 is configured to send the target encrypted file to the second terminal 62.
  • the encryption module 611 includes:
  • a first obtaining submodule 6111 configured to acquire a shared file and a search keyword corresponding to the shared file
  • a file encryption sub-module 6112 configured to encrypt the shared file by using the first user key to obtain an encrypted file
  • a first word set generation sub-module 6113 configured to generate a fuzzy keyword set according to the search keyword
  • the keyword encryption sub-module 6114 is configured to encrypt each keyword in the fuzzy keyword set by using the first index key to obtain a first trapdoor set, where the first index key is generated by the first user key;
  • the identifier encryption sub-module 6115 is configured to encrypt the identifier information of the shared file by using the first index key, and form the encrypted identifier information, the first trapdoor set, and the first index key into index information;
  • the first sending submodule 6116 is configured to send the encrypted file and the index information to the server 63.
  • the first word set generation sub-module 6113 is further configured to construct a fuzzy keyword set by using a wildcard according to the search keyword.
  • the target keyword information includes a target trapdoor set
  • the target keyword module 621 includes:
  • a second obtaining sub-module 6211 configured to acquire a keyword to be retrieved
  • a second word set generation sub-module 6212 configured to generate a target fuzzy keyword set according to the keyword to be retrieved
  • the second encryption sub-module 6213 is configured to encrypt each keyword in the target fuzzy keyword set by using the second index key to obtain a target trapdoor set, where the second index key is generated by the second user key, and the second user key is generated by the key management center according to the root key;
  • the second sending sub-module 6214 is configured to send the target trapdoor set to the server 63.
  • retrieval module 632 includes:
  • the matching sub-module 6321 is configured to: if the target encrypted index matching the target trapdoor set is retrieved in the index information, obtain the corresponding target index key and the identifier information of the encrypted target shared file according to the target encrypted index;
  • the first decryption sub-module 6322 is configured to decrypt the identification information of the target shared file by using the target index key, and obtain the target double-encrypted file according to the decrypted identification information;
  • the second decryption sub-module 6323 is configured to decrypt the target double-encrypted file by using the second server-side key to obtain the target encrypted file.
  • The embodiment of the present application provides a computer readable storage medium storing computer readable instructions. When the computer readable instructions are executed by a processor, the method for retrieving the encrypted file in the foregoing method embodiment is implemented, or the functions of the modules/units in the retrieval system of the encrypted file in the foregoing device embodiment are implemented; to avoid repetition, details are not repeated herein.
  • FIG. 7 is a schematic diagram of a terminal device according to an embodiment of the present application.
  • The terminal device 70 of this embodiment includes a processor 71, a memory 72, and computer readable instructions 73 stored in the memory 72 and operable on the processor 71, such as a retrieval program for encrypted files.
  • When the processor 71 executes the computer readable instructions 73, the steps in the foregoing embodiments of the method for retrieving encrypted files are implemented, such as steps S1 to S6 shown in FIG.
  • Alternatively, when the processor 71 executes the computer readable instructions 73, the functions of the modules/units in the foregoing apparatus embodiments are implemented, for example, the functions of the modules/units of the first terminal 61, the second terminal 62, the server 63, and the key management center 64 shown in FIG.
  • computer readable instructions 73 may be partitioned into one or more modules/units, one or more modules/units being stored in memory 72 and executed by processor 71 to complete the application.
  • the one or more modules/units may be a series of computer readable instruction segments capable of performing a particular function for describing the execution of computer readable instructions 73 in the terminal device 70.
  • The computer readable instructions 73 may be divided into an encryption module on the first terminal, a target keyword module and a decryption module on the second terminal, a double encryption module, a retrieval module, and a transmission module on the server, and a program on the key management center. The specific functions of each functional module are as follows:
  • the key management center is configured to generate a first user key, a first server key, a second user key, and a second server key according to the preset root key.
  • An encryption module configured to encrypt the shared file by using the first user key to obtain an encrypted file, and send the encrypted file and the index information corresponding to the shared file to the server, where the first user key is generated by the key management center according to the preset root key;
  • a target keyword module configured to acquire the target keyword information, and send the target keyword information to the server, where the second terminal is an authorized user end of the first terminal;
  • a decryption module configured to decrypt the target encrypted file by using the second user key to obtain a target shared file, where the second user key is generated by the key management center according to the root key, and uniquely corresponds to the second server key;
  • the double encryption module is configured to encrypt the encrypted file by using the first server key to obtain a double encrypted file, where the first server key is generated by the key management center according to the preset root key, and uniquely corresponds to the first user key;
  • a retrieval module configured to perform retrieval in the index information according to the target keyword information, acquire a target double-encrypted file that matches the retrieved target keyword information, and decrypt the target double-encrypted file by using the second server-side key to obtain a target encrypted file, wherein the second server key is generated by the key management center according to the root key;
  • a sending module configured to send the target encrypted file to the second terminal.
  • the encryption module includes:
  • a first obtaining submodule configured to acquire a shared file and a search keyword corresponding to the shared file
  • a file encryption submodule configured to encrypt the shared file by using the first user key to obtain an encrypted file
  • a first word set generation submodule configured to generate a fuzzy keyword set according to the search keyword
  • a keyword encryption submodule configured to encrypt each keyword in the fuzzy keyword set by using the first index key to obtain a first trapdoor set, wherein the first index key is generated by the first user key;
  • An identifier encryption submodule configured to encrypt the identification information of the shared file by using the first index key, and form the encrypted identification information, the first trapdoor set, and the first index key into index information;
  • the first sending submodule is configured to send the encrypted file and the index information to the server.
  • the first word set generation sub-module is further configured to construct a fuzzy keyword set by using a wildcard according to the search keyword.
  • the target keyword information includes a target trapdoor set
  • the target keyword module includes:
  • a second obtaining submodule configured to acquire a keyword to be retrieved
  • a second word set generation submodule configured to generate a target fuzzy keyword set according to the keyword to be retrieved
  • a second encryption submodule configured to encrypt each keyword in the target fuzzy keyword set by using the second index key to obtain a target trapdoor set, wherein the second index key is generated by the second user key, The second user key is generated by the key management center according to the root key;
  • the second sending submodule is configured to send the target trapdoor set to the server.
  • the retrieval module includes:
  • a matching submodule configured to: if the target encrypted index matching the target trapdoor set is retrieved in the index information, obtain the corresponding target index key and the identifier information of the encrypted target shared file according to the target encrypted index;
  • a first decryption sub-module configured to decrypt the identification information of the target shared file by using the target index key, and obtain the target double-encrypted file according to the decrypted identification information
  • the second decryption sub-module is configured to decrypt the target double-encrypted file by using the second server-side key to obtain the target encrypted file.
  • the terminal device 70 can be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • Terminal device 70 may include, but is not limited to, processor 71, memory 72. It will be understood by those skilled in the art that FIG. 7 is merely an example of the terminal device 70, and does not constitute a limitation of the terminal device 70, and may include more or less components than those illustrated, or may combine certain components or different components.
  • the terminal device 70 may further include an input/output device, a network access device, a bus, and the like.
  • the processor 71 may be a central processing unit (CPU), or may be other general-purpose processors, a digital signal processor (DSP), an application specific integrated circuit (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, etc.
  • the general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the memory 72 may be an internal storage unit of the terminal device 70, such as a hard disk or memory of the terminal device 60.
  • the memory 72 may also be an external storage device of the terminal device 70, such as a plug-in hard disk provided on the terminal device 70, a smart memory card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), and so on.
  • the memory 72 may also include both an internal storage unit of the terminal device 70 and an external storage device.
  • Memory 72 is used to store computer readable instructions as well as other programs and data required by terminal device 70.
  • the memory 72 can also be used to temporarily store data that has been or will be output.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated modules/units if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium.
  • the present application implements all or part of the processes in the foregoing embodiments, and may also be implemented by computer readable instructions, which may be stored in a computer readable storage medium.
  • the computer readable instructions when executed by a processor, may implement the steps of the various method embodiments described above.
  • the computer readable instructions comprise computer readable instruction code, which may be in the form of source code, an object code form, an executable file or some intermediate form or the like.
  • the computer readable medium can include any entity or device capable of carrying the computer readable instruction code, a recording medium, a USB flash drive, a removable hard drive, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM), electrical carrier signals, telecommunications signals, and software distribution media.
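As an added illustration (not code from the patent), the sketch below shows how the wildcard fuzzy keyword sets of sub-modules 6113 and 6212, the trapdoor sets of sub-modules 6114 and 6213, and the server-side match of sub-module 6321 fit together for edit distance 1. Assumptions: HMAC-SHA256 stands in for the unspecified trapdoor function, all function names, keys and index entries are constructed, and both terminals use one shared index key because the cross-key matching the description relies on is not reproduced here.

```python
import hashlib
import hmac

# Constructed demo key. The patent derives index keys from user keys issued by
# the key management center; that derivation is not reproduced in this sketch.
INDEX_KEY = b"constructed-demo-index-key"


def wildcard_fuzzy_set(keyword):
    """Return the wildcard fuzzy keyword set of `keyword` for edit distance 1."""
    variants = {keyword}
    for i in range(len(keyword) + 1):
        # '*' inserted at position i stands for one inserted character.
        variants.add(keyword[:i] + "*" + keyword[i:])
        if i < len(keyword):
            # '*' replacing character i stands for a substitution or a deletion.
            variants.add(keyword[:i] + "*" + keyword[i + 1:])
    return variants


def trapdoor_set(index_key, keyword):
    """Turn every fuzzy variant into a trapdoor (assumed here: HMAC-SHA256)."""
    return {
        hmac.new(index_key, variant.encode("utf-8"), hashlib.sha256).digest()
        for variant in wildcard_fuzzy_set(keyword)
    }


def build_index_entry(index_key, keyword, enc_fid):
    """First-terminal side: encrypted file identifier plus first trapdoor set."""
    return {"enc_fid": enc_fid, "trapdoors": trapdoor_set(index_key, keyword)}


def server_search(index, target_trapdoors):
    """Server side: an entry matches when it shares any trapdoor with the query.

    The server compares opaque digests only; it never sees a keyword.
    """
    return [e["enc_fid"] for e in index if e["trapdoors"] & target_trapdoors]


def build_demo_index():
    # Constructed sample data; the enc_fid values are opaque placeholders for
    # the encrypted identification information Enc(K_I, fid).
    return [
        build_index_entry(INDEX_KEY, "castle", b"enc-fid-1"),
        build_index_entry(INDEX_KEY, "secure", b"enc-fid-2"),
    ]


def query(index, index_key, keyword):
    """Second-terminal side: build the target trapdoor set, then search."""
    return server_search(index, trapdoor_set(index_key, keyword))


if __name__ == "__main__":
    idx = build_demo_index()
    # One substitution, one deletion and one insertion match "castle";
    # the transposition "castel" is two edits away and does not.
    for word in ("castle", "cattle", "casle", "castlee", "castel"):
        print(word, query(idx, INDEX_KEY, word))
    # Plain HMAC trapdoors computed under an unrelated key never match.
    print(query(idx, b"unrelated-key", "castle"))
```

Each keyword of length n contributes up to 2n + 2 trapdoors, so index size grows linearly with keyword length at edit distance 1.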

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an encrypted file retrieval method and system, a terminal device and a storage medium, the encrypted file retrieval method comprising: a first terminal using a first user secret key to encrypt a shared file and sending index information corresponding to the encrypted file and to the shared file to a server; the server using a first server secret key to encrypt the encrypted file; a second terminal sending target keyword information to the server; the server obtaining, according to the target keyword information, a target double-encrypted file that matches the retrieved target keyword information, and using a second server secret key to decrypt the target double-encrypted file; the server sending the target encrypted file to the second terminal; and the second terminal using a second user secret key to decrypt the target encrypted file. According to the technical solution of the present invention, multiple authorized users can retrieve a shared file by means of their respective different secret keys, which increases the data security of the shared file.
PCT/CN2017/112600 2017-11-08 2017-11-23 Encrypted file retrieval method and system, terminal device and storage medium WO2019090841A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711089073.2A CN108038128B (zh) 2017-11-08 Encrypted file retrieval method and system, terminal device and storage medium
CN201711089073.2 2017-11-08

Publications (1)

Publication Number Publication Date
WO2019090841A1 (fr) 2019-05-16

Family

ID=62092782

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/112600 WO2019090841A1 (fr) 2017-11-08 2017-11-23 Encrypted file retrieval method and system, terminal device and storage medium

Country Status (2)

Country Link
CN (1) CN108038128B (fr)
WO (1) WO2019090841A1 (fr)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
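CN109040109B (zh) * 2018-08-31 2022-01-21 国鼎网络空间安全技术有限公司 Data transaction method and system based on a key management mechanism
CN109660555B (zh) * 2019-01-09 2020-07-14 上海交通大学 Secure content sharing method and system based on proxy re-encryption
CN111191266A (zh) * 2019-12-31 2020-05-22 中国广核电力股份有限公司 File encryption method and system, and decryption method and system
CN113315626B (zh) * 2020-02-27 2023-01-10 阿里巴巴集团控股有限公司 Communication method, key management method, device, system and storage medium
CN111737720B (zh) * 2020-07-21 2022-03-25 腾讯科技(深圳)有限公司 Data processing method and apparatus, and electronic device
CN112822255B (zh) * 2020-12-31 2023-02-28 平安科技(深圳)有限公司 Blockchain-based mail processing method, mail sending end, receiving end and device
CN112887087B (zh) * 2021-01-20 2023-04-18 成都质数斯达克科技有限公司 Data management method and apparatus, electronic device and readable storage medium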

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176709A (zh) * 2010-12-13 2011-09-07 北京交通大学 Method and apparatus for privacy-preserving data sharing and publishing
CN103281377A (zh) * 2013-05-31 2013-09-04 北京鹏宇成软件技术有限公司 Cloud-oriented ciphertext data storage and query method
CN105320896A (zh) * 2015-10-21 2016-02-10 成都卫士通信息产业股份有限公司 Cloud storage encryption and ciphertext retrieval method and system
WO2016063254A1 (fr) * 2014-10-23 2016-04-28 Pageproof.Com Limited Encrypted collaboration system and method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040117621A1 (en) * 2002-12-12 2004-06-17 Knight Erik A. System and method for managing resource sharing between computer nodes of a network
CN103457733B (zh) * 2013-08-15 2016-12-07 中电长城网际系统应用有限公司 Data sharing method and system for a cloud computing environment
CN103731432B (zh) * 2014-01-11 2017-02-08 西安电子科技大学昆山创新研究院 Searchable encryption method supporting multiple users
WO2016063344A1 (fr) * 2014-10-21 2016-04-28 三菱電機株式会社 Server device, retrieval system, terminal device, retrieval method, server program and terminal program
CN107330340B (zh) * 2017-06-19 2020-09-11 国家计算机网络与信息安全管理中心 File encryption method and device, file decryption method and device, and storage medium

Also Published As

Publication number Publication date
CN108038128A (zh) 2018-05-15
CN108038128B (zh) 2020-02-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17931500

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 01.10.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 17931500

Country of ref document: EP

Kind code of ref document: A1