WO2020082687A1 - File sharing method and apparatus based on cp-abe layered access control, and device and medium - Google Patents


Info

Publication number
WO2020082687A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
access
gate
key
ciphertext
Application number
PCT/CN2019/079637
Other languages
French (fr)
Chinese (zh)
Inventor
王树兰
黄美东
王磊
王汇文
Original Assignee
深圳技术大学
Application filed by 深圳技术大学
Publication of WO2020082687A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Definitions

  • The invention belongs to the technical field of ciphertext access control, and particularly relates to a file sharing method, apparatus, device and medium based on CP-ABE hierarchical access control.
  • The traditional method is for the user to encrypt the data to be shared and then transmit it to the cloud server in the form of ciphertext.
  • Using an encryption scheme in this way to distribute the encrypted data to a specific group of users is very inefficient, and it cannot ensure that the data is completely secure. Data security can be ensured by designing access control into the encryption mechanism; access control is the first line of defense that prevents unauthorized users from accessing private data in the cloud, so access control technology is particularly important.
  • The object of the present invention is to provide a file sharing method, apparatus, device and medium based on CP-ABE hierarchical access control, aiming to solve the problem that the prior art cannot provide an effective access control method, which results in low security of shared data.
  • The present invention provides a file sharing method based on CP-ABE hierarchical access control.
  • The method includes the following steps:
  • the set of files to be shared is encrypted using a symmetric encryption algorithm according to the preset content key set to obtain a file ciphertext set;
  • the content key set is encrypted using a preset encryption function to obtain a key ciphertext set corresponding to the content key set, the key ciphertext set containing the AND gate access control policy;
  • The present invention provides a file sharing device based on CP-ABE hierarchical access control.
  • The device includes:
  • the first encryption unit is used to encrypt the set of files to be shared using a symmetric encryption algorithm according to the preset content key set when a file sharing request sent by the file owner is received, to obtain a file ciphertext set;
  • the second encryption unit is configured to encrypt the content key set using a preset encryption function according to the pre-generated public parameters and the AND gate access control policy corresponding to the pre-built AND gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set, the key ciphertext set containing the AND gate access control policy;
  • a ciphertext uploading unit is used to upload the file ciphertext set and the key ciphertext set to a cloud server, so as to realize cloud file sharing.
  • the present invention also provides a computing device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, which is implemented when the processor executes the computer program
  • The present invention also provides a computer-readable storage medium that stores a computer program which, when executed by a processor, implements the steps of the file sharing method based on CP-ABE hierarchical access control described above.
  • When receiving the file sharing request sent by the file owner, the present invention encrypts the set of files to be shared using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; according to the public parameters and the AND gate access control policy corresponding to the AND gate policy LSSS matrix, uses a preset encryption function to encrypt the content key set to obtain the key ciphertext set corresponding to the content key set; and uploads the file ciphertext set and the key ciphertext set to the cloud server to realize cloud file sharing. Hierarchical access to ciphertext is thereby achieved through CP-ABE, while the storage overhead, communication overhead and decryption computational complexity of ciphertext are reduced and the encryption efficiency, decryption efficiency and security of shared data are improved.
  • FIG. 1 is an implementation flowchart of a file sharing method based on CP-ABE hierarchical access control provided in Embodiment 1 of the present invention;
  • FIG. 2 is an implementation flowchart of a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;
  • FIG. 3 is a schematic diagram of an access structure of an AND gate structure constructed in a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;
  • FIG. 4 is a schematic diagram of an AND gate hierarchical access tree integrated in a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;
  • FIG. 5 is a schematic diagram of converting the AND gate hierarchical access tree into an AND gate policy LSSS matrix in a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;
  • FIG. 6 is a schematic structural diagram of a file sharing device based on CP-ABE hierarchical access control provided by Embodiment 3 of the present invention;
  • FIG. 7 is a schematic structural diagram of a file sharing device based on CP-ABE hierarchical access control provided by Embodiment 4 of the present invention; and
  • FIG. 8 is a schematic structural diagram of a computing device according to Embodiment 5 of the present invention.
  • FIG. 1 shows an implementation process of a file sharing method based on CP-ABE hierarchical access control provided in Embodiment 1 of the present invention. For ease of description, only the parts related to the embodiment of the present invention are shown. The details are as follows:
  • In step S101, when a file sharing request sent by the file owner is received, the set of files to be shared is encrypted using a symmetric encryption algorithm according to the preset content key set to obtain a file ciphertext set.
  • the embodiments of the present invention are applicable to data processing platforms, devices or servers, such as personal computing devices and servers.
  • the embodiments of the present invention mainly include four entities: a file owner, a file visitor, an attribute authorization center, and a cloud server.
  • the file owner can encrypt a large number of files at once, and store the encrypted ciphertext to the cloud server.
  • Before the symmetric encryption algorithm is used to encrypt the set of files to be shared, preferably, the attribute authorization center is controlled to generate the public parameters (public key) PK and the master private key MSK through the system initialization function Setup ( ⁇ ), thereby improving the trustworthiness of the public parameters and the master private key.
  • is a preset security parameter.
  • When the attribute authorization center is controlled to generate the public parameters (public key) PK and the master private key MSK through the system initialization function Setup ( ⁇ ), this is preferably implemented through the following steps:
  • the public parameters PK and the master private key MSK are generated through the above steps 1) to 3), and the trustworthiness of the public parameters and the master private key is further improved.
  • In step S102, according to the pre-generated public parameters and the AND gate access control policy corresponding to the pre-built AND gate policy LSSS matrix, the content key set is encrypted using a preset encryption function to obtain the key ciphertext set corresponding to the content key set.
  • The key ciphertext set CT includes the AND gate access control policy (M, ⁇ ), where (M, ⁇ ) is the AND gate access control policy corresponding to the linear secret sharing scheme (LSSS) matrix M, the function ⁇ is a single mapping function that maps each row of matrix M to a system attribute in the system attribute set, M is an n × n matrix, and n is the number of system attributes in matrix M.
  • When the encryption function CT = Encrypt (PK, (M, ⁇ ), ck) is used to encrypt the content key set, preferably, the content key set is encrypted through the following steps:
  • the encryption of the content key set is realized through the above steps 1) to 5), and a key ciphertext set corresponding to the file set to be shared is obtained, which improves the efficiency and security of encrypting the shared file.
  • In step S103, the file ciphertext set and the key ciphertext set are uploaded to the cloud server, so as to realize cloud file sharing.
  • The file owner uploads the file ciphertext set E_ck( ⁇ ) and the key ciphertext set CT corresponding to the file ciphertext set to the cloud server, so that file visitors can access the corresponding files through the cloud server, thereby achieving cloud file sharing.
  • The set of files to be shared is encrypted using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; according to the public parameters and the AND gate access control policy corresponding to the AND gate policy LSSS matrix, the content key set is encrypted using an encryption function to obtain the key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing. This reduces the storage overhead, communication overhead and decryption computational complexity of ciphertext while achieving hierarchical access to ciphertext through CP-ABE, and improves encryption efficiency, decryption efficiency and the security of shared data.
  • FIG. 2 shows an implementation process of a file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention.
  • the details are as follows:
  • In step S201, when a file sharing request sent by the file owner is received, the file owner is controlled to construct a corresponding AND gate structure access tree for each file in the set of files to be shared according to a preset system attribute set.
  • When a file sharing request sent by the file owner is received, the file owner constructs a corresponding AND gate structure access tree for each file in the set of files to be shared according to the system attribute set defined by the attribute authorization center; that is, different files have different access policies.
  • An AND gate structure access tree T_1 is constructed for file m_1
  • An AND gate structure access tree T_2 is constructed for file m_2
  • FIG. 3 shows the access tree T.
  • In step S202, according to the commonality between the AND gate structure access trees, all AND gate structure access trees are integrated into one AND gate hierarchical access tree.
  • Each AND gate structure access tree includes a rank node, a transmission node, and a leaf node with attributes.
  • All AND gate structure access trees are integrated into one AND gate hierarchical access tree, thereby reducing computation and storage overhead by sharing the access policy.
  • Users only need to calculate the key once to decrypt all ciphertext, which improves the decryption efficiency.
  • The access policy corresponding to T_1 is (A, (B, C, 2), 2)
  • The access policy corresponding to T_2 is (B, C, 2).
  • T_2 is a subset of T_1, between each other
  • The access policy tree T_2 can be obtained by expanding the access policy tree T_1, and T_1 and T_2 are then integrated into a hierarchical access tree T as shown in FIG. 4; that is, the two files are encrypted using one access policy tree T, whose access policy can be used jointly by file m_1 and file m_2.
  • In step S203, the AND gate hierarchical access tree is converted into an AND gate policy LSSS matrix according to a preset matrix conversion rule.
  • The root node of the AND gate hierarchical access tree is first labeled with a vector v, and a global counter variable c is initialized to 1 (after the AND gate hierarchical access tree has been traversed, c is the length of the longest vector). The AND gate hierarchical access tree is then traversed from top to bottom, marking a child node as its parent node assigned vector v
  • The vectors labeling the leaf nodes are converted into the rows of the LSSS matrix. If these vectors differ in length, zeros are appended to the end of the shorter vectors so that all vectors have the same length. The access structure of the hierarchical access tree is thereby replaced by the AND gate policy LSSS matrix, which achieves hierarchical access, improves the efficiency of encrypting shared files, and reduces the storage overhead of ciphertext.
  • FIG. 5 shows that the AND gate hierarchical access tree T is converted into an AND gate policy LSSS matrix M according to a matrix conversion rule.
  • In step S204, the set of files to be shared is encrypted using a symmetric encryption algorithm according to the preset content key set to obtain a file ciphertext set.
  • In step S205, the content key set is encrypted using a preset encryption function according to the public parameters and the AND gate access control policy corresponding to the AND gate policy LSSS matrix to obtain a key ciphertext set corresponding to the content key set.
  • In step S206, the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing.
  • For the specific implementation of steps S204 to S206, reference may be made to the description of steps S101 to S103 in Embodiment 1, and details are not described herein again.
  • In step S207, when a file access request sent by a file visitor is received, the file visitor is controlled to obtain the file visitor's user private key from the attribute authorization center; the user private key contains the user attribute set corresponding to the file visitor.
  • When a file access request sent by a file visitor is received, the attribute authorization center takes the master private key MSK and the user attribute set corresponding to the file visitor as input according to the file access request, and generates the user private key of the file visitor through the key generation function KeyGen (MSK, S).
  • Before the file visitor sends the file access request, preferably, the file visitor registers with the attribute authorization center. During registration, the attribute authorization center verifies the legitimacy of the file visitor's identity and assigns a user attribute set, which improves the security of file access in the cloud.
  • In step S208, according to the public parameters and the user private key, the key ciphertext set in the cloud server is decrypted using a preset decryption function to obtain an access content key set corresponding to the user attribute set.
  • The file visitor inputs the public parameters PK, the user private key SK and the key ciphertext set CT into the decryption function Decrypt (PK, CT, SK), and the key ciphertext set CT is decrypted with this function to obtain the access content key set corresponding to the user attribute set.
  • the AND gate access control policy (M, ⁇ ).
  • M the AND gate access control policy
  • The first row and the first column of the matrix M_j are deleted to generate a new matrix M_{j+1}, where j ∈ [1, n-2], M is an n × n matrix and n is the number of system attributes in matrix M. It is then judged whether the user attribute set S satisfies M_{j+1}; if not, the first row and the first column of M_{j+1} are deleted to generate a new matrix, and the judgment continues until the user attribute set satisfies the AND gate access control policy corresponding to the newly generated matrix, thereby improving the rationality of the obtained file access policy.
  • The file access policy is the AND gate access control policy (M, ⁇ ) corresponding to the AND gate policy LSSS matrix M
  • M AND gate access control strategy
  • In step S209, according to the access content key set, a symmetric decryption algorithm is used to decrypt the file ciphertext set in the cloud server to obtain the access file plaintext set corresponding to the access content key set.
  • Each file to be shared has a different access policy. The file owner constructs a corresponding AND gate structure access tree for each file to be shared, the AND gate structure access trees are then integrated into one AND gate hierarchical access tree, and the file owner uses the AND gate hierarchical access tree when encrypting the shared files.
  • During file access, the file visitor matches the user attributes it carries against each subtree of the hierarchical access tree in turn to determine which file access policy the visitor satisfies, finally decrypts the corresponding content key, and obtains the corresponding plaintext file through symmetric decryption. Hierarchical access to ciphertext is thus achieved through CP-ABE, which reduces the storage overhead, communication overhead and decryption computational complexity of ciphertext, and improves encryption efficiency, decryption efficiency and the security of shared data.
  • FIG. 6 shows the structure of a file sharing device based on CP-ABE hierarchical access control provided in Embodiment 3 of the present invention. For ease of description, only parts related to the embodiment of the present invention are shown, including:
  • the first encryption unit 61 is configured to, when receiving a file sharing request sent by the file owner, encrypt the shared file set using a symmetric encryption algorithm according to the preset content key set to obtain a set of file ciphertexts;
  • the second encryption unit 62 is used to encrypt the content key set using a preset encryption function according to the pre-generated public parameters and the AND gate access control policy corresponding to the pre-built AND gate policy LSSS matrix to obtain the key ciphertext set corresponding to the content key set; and
  • the ciphertext uploading unit 63 is used to upload the file ciphertext set and the key ciphertext set to the cloud server, so as to realize cloud file sharing.
  • Each unit of the file sharing device based on CP-ABE hierarchical access control may be implemented by a corresponding hardware or software unit, and each unit may be an independent software or hardware unit, or may be integrated into one software or hardware unit, which is not intended to limit the present invention. Specifically, for the implementation of each unit, reference may be made to the foregoing description of Embodiment 1, and details are not described herein again.
  • FIG. 7 shows the structure of a file sharing device based on CP-ABE hierarchical access control provided in Embodiment 4 of the present invention. For ease of description, only parts related to the embodiment of the present invention are shown, including:
  • the access tree construction unit 71 is configured to, when a file sharing request sent by the file owner is received, control the file owner to construct a corresponding AND gate structure access tree for each file in the set of files to be shared according to the preset system attribute set;
  • the access tree integration unit 72 is used to integrate all AND gate structure access trees into one AND gate hierarchical access tree according to the commonality between the AND gate structure access trees;
  • the matrix conversion unit 73 is configured to convert the AND gate hierarchical access tree into an AND gate policy LSSS matrix according to a preset matrix conversion rule;
  • the first encryption unit 74 is configured to encrypt the set of files to be shared using a symmetric encryption algorithm according to the preset content key set to obtain a file ciphertext set;
  • the second encryption unit 75 is used to encrypt the content key set using a preset encryption function according to the public parameters and the AND gate access control policy corresponding to the AND gate policy LSSS matrix to obtain the key ciphertext set corresponding to the content key set;
  • the ciphertext upload unit 76 is used to upload the file ciphertext set and the key ciphertext set to the cloud server, so as to realize cloud file sharing;
  • the user private key acquisition unit 77 is used to control the file visitor to obtain the file visitor's user private key from the attribute authorization center when a file access request sent by the file visitor is received, the user private key containing the user attribute set corresponding to the file visitor;
  • the key ciphertext decryption unit 78 is used to decrypt the key ciphertext set in the cloud server using a preset decryption function according to the public parameters and the user private key to obtain the access content key set corresponding to the user attribute set; and
  • the file ciphertext decryption unit 79 is configured to decrypt the file ciphertext set in the cloud server using a symmetric decryption algorithm according to the access content key set, to obtain the access file plaintext set corresponding to the access content key set.
  • Each unit of the file sharing device based on CP-ABE hierarchical access control may be implemented by a corresponding hardware or software unit, and each unit may be an independent software or hardware unit, or may be integrated into one software or hardware unit, which is not intended to limit the present invention. Specifically, for the implementation of each unit, reference may be made to the description of the foregoing method embodiments, and details are not described herein again.
  • FIG. 8 shows the structure of the computing device provided in Embodiment 5 of the present invention. For convenience of description, only parts related to the embodiment of the present invention are shown.
  • the computing device 8 of the embodiment of the present invention includes a processor 80, a memory 81, and a computer program 82 stored in the memory 81 and executable on the processor 80.
  • When the processor 80 executes the computer program 82, the steps in the embodiment of the file sharing method based on CP-ABE hierarchical access control described above are implemented, for example, steps S101 to S103 shown in FIG. 1.
  • When the processor 80 executes the computer program 82, the functions of the units in the foregoing device embodiments are realized, for example, the functions of the units 61 to 63 shown in FIG. 6.
  • The set of files to be shared is encrypted using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; according to the public parameters and the AND gate access control policy corresponding to the AND gate policy LSSS matrix, the content key set is encrypted using an encryption function to obtain the key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing. This reduces the storage overhead, communication overhead and decryption computational complexity of ciphertext while achieving hierarchical access to ciphertext through CP-ABE, and improves encryption efficiency, decryption efficiency and the security of shared data.
  • the computing device in this embodiment of the present invention may be a personal computing device or a server.
  • For the steps implemented when the processor 80 in the computing device 8 executes the computer program 82 to implement the file sharing method based on CP-ABE hierarchical access control, reference may be made to the description of the foregoing method embodiments, and details are not described herein again.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps in the above embodiment of the file sharing method based on CP-ABE hierarchical access control, for example, steps S101 to S103 shown in FIG. 1.
  • When the computer program is executed by the processor, the functions of the units in the above device embodiments are realized, for example, the functions of the units 61 to 63 shown in FIG. 6.
  • The set of files to be shared is encrypted using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; according to the public parameters and the AND gate access control policy corresponding to the AND gate policy LSSS matrix, the content key set is encrypted using an encryption function to obtain the key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing. This reduces the storage overhead, communication overhead and decryption computational complexity of ciphertext while achieving hierarchical access to ciphertext through CP-ABE, and improves encryption efficiency, decryption efficiency and the security of shared data.
  • the computer-readable storage medium in the embodiments of the present invention may include any entity or device capable of carrying computer program code, and a recording medium, such as ROM / RAM, magnetic disk, optical disk, flash memory, and other memories.
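
The tree-to-matrix conversion of step S203 and the row-and-column deletion check of step S208, as an added Python sketch that is not code from the patent. The page's conversion rule is only partly legible, so the sketch assumes the Lewko-Waters labelling for AND gates, shares secrets over a constructed prime field without any pairing operations, and treats coordinate j of the sharing vector as the level-j secret; all function names are hypothetical.

```python
import secrets

P = 2**127 - 1  # prime modulus of the sharing field (constructed for this sketch)


def tree_to_lsss(tree):
    """AND-only access tree -> (labels, matrix), Lewko-Waters labelling (assumed).
    A node is an attribute name (leaf) or a tuple ("AND", left, right)."""
    rows, counter = [], 1

    def label(node, vec):
        nonlocal counter
        if isinstance(node, str):
            rows.append((node, vec))
            return
        _, left, right = node
        vec = vec + [0] * (counter - len(vec))  # pad the parent vector to length c
        counter += 1
        label(left, vec + [1])                  # one child gets v | 1
        label(right, [0] * len(vec) + [-1])     # the other gets (0,...,0) | -1

    label(tree, [1])                            # the root is labelled (1)
    # Pad every leaf vector with trailing zeros to the final counter value.
    return [a for a, _ in rows], [v + [0] * (counter - len(v)) for _, v in rows]


def coeffs(labels, matrix, attrs):
    """Solve sum_i w_i * M_i = (1,0,...,0) over GF(P) using only rows whose
    attribute is in attrs. Returns {row_index: w_i}, or None if unsatisfied."""
    idx = [i for i, a in enumerate(labels) if a in attrs]
    width = len(matrix[0])
    # One equation per matrix column; the unknowns are the w_i of the usable rows.
    aug = [[matrix[i][k] % P for i in idx] + [int(k == 0)] for k in range(width)]
    r, pivots = 0, []
    for c in range(len(idx)):
        p = next((j for j in range(r, width) if aug[j][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for j in range(width):
            if j != r and aug[j][c]:
                f = aug[j][c]
                aug[j] = [(x - f * y) % P for x, y in zip(aug[j], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):         # 0 = nonzero: target not in span
        return None
    w = dict.fromkeys(idx, 0)
    for k, c in enumerate(pivots):
        w[idx[c]] = aug[k][-1]
    return w


def first_satisfied_level(labels, matrix, attrs):
    """Step S208 check: test M_1 = M, then delete the first row and first
    column to get M_2, and so on. Returns (level j, coefficients) or None."""
    level = 1
    while len(matrix) >= 2:                     # the page's last matrix M_{n-1} is 2 x 2
        w = coeffs(labels, matrix, attrs)
        if w is not None:
            return level, w
        labels, matrix = labels[1:], [row[1:] for row in matrix[1:]]
        level += 1
    return None


def make_shares(matrix, vector):
    """Share for row i is the inner product M_i . v (mod P)."""
    return [sum(m * v for m, v in zip(row, vector)) % P for row in matrix]


def recover(attrs, labels, matrix, shares):
    """Return (level, reconstructed secret) for attrs, or None if no level fits."""
    hit = first_satisfied_level(labels, matrix, attrs)
    if hit is None:
        return None
    level, w = hit
    off = level - 1                             # rows and columns already deleted
    # The original shares can be reused only if the rows used are zero in the
    # deleted columns (true for the chain-shaped tree of the page's example).
    if any(matrix[i + off][k] for i, c in w.items() if c for k in range(off)):
        raise ValueError("rows depend on deleted columns")
    return level, sum(c * shares[i + off] for i, c in w.items()) % P


if __name__ == "__main__":
    tree = ("AND", "A", ("AND", "B", "C"))      # policy (A, (B, C, 2), 2) from the page
    labels, M = tree_to_lsss(tree)
    v = [secrets.randbelow(P) for _ in M[0]]    # v[0]: level-1 secret, v[1]: level-2
    shares = make_shares(M, v)
    for attrs in ({"A", "B", "C"}, {"B", "C"}, {"A", "B"}):
        print(sorted(attrs), recover(attrs, labels, M, shares))
```

With the sharing vector (11, 22, 33), the attribute set {A, B, C} reconstructs 11 at level 1 and {B, C} reconstructs 22 at level 2, while {A, B} satisfies no level.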

Abstract

The present invention is applicable to the technical field of ciphertext access control. Provided are a file sharing method and apparatus based on CP-ABE layered access control, and a device and a medium. The method comprises: when a file sharing request sent by a file owner is received, encrypting a set of files to be shared by means of a symmetric encryption algorithm and according to a content key set to obtain a file ciphertext set; encrypting the content key set by means of an encryption function and according to common parameters and an AND gate access control policy corresponding to an AND gate policy LSSS matrix to obtain a key ciphertext set corresponding to the content key set; and uploading the file ciphertext set and the key ciphertext set to a cloud server so as to realize cloud-end file sharing. Thus, while ciphertext layered access is realized by means of CP-ABE, the storage overhead, the communication overhead and the decryption computational complexity of a ciphertext are reduced, and the encryption efficiency, the decryption efficiency and the security degree of shared data are improved.

Description

File sharing method, apparatus, device and medium based on CP-ABE hierarchical access control
Technical field
The invention belongs to the technical field of ciphertext access control, and particularly relates to a file sharing method, apparatus, device and medium based on CP-ABE hierarchical access control.
Background
With the development of cloud computing and the steadily growing scale of big data use, data has become the most valuable information, and storing one's data on cloud servers has become a trend. While the use and sharing of cloud data brings convenience to people's lives and work, it also brings unprecedented data security risks. How to achieve controlled sharing of cloud data has therefore become an urgent problem to be solved.
To solve the problem of controlled sharing of cloud data while preventing private data from being stolen, the traditional method is for the user to encrypt the data to be shared and then transmit it to the cloud server in the form of ciphertext. Using an encryption scheme in this way to distribute the encrypted data to a specific group of users is very inefficient, and it cannot ensure that the data is completely secure. Data security can be ensured by designing access control into the encryption mechanism; access control is the first line of defense that prevents unauthorized users from accessing private data in the cloud, so access control technology is particularly important.
To prevent privileged users from illegally accessing users' sensitive data while still enabling fine-grained access control in cloud storage environments, Sahai et al. proposed the concept of Attribute Based Encryption (ABE) in 2005. ABE allows fine-grained control over shared data and reduces the workload of storing and distributing private keys; however, basic ABE cannot support flexible access control policies. Bethencourt et al. therefore proposed the Ciphertext Policy-Attribute Based Encryption (CP-ABE) mechanism, which is suited to access control applications. With its flexible access policies, CP-ABE means that the encrypting party does not need to know exactly who will decrypt when encrypting information, and the decrypting party only needs to satisfy the corresponding conditions to decrypt. Many scholars in China and abroad have studied the CP-ABE algorithm; although many results have been obtained, many problems remain to be studied in concrete implementation models that combine it with practical applications, for example, how to construct an access control structure that is easy to maintain and how to enhance the expressiveness of access control.
Summary of the invention
The object of the present invention is to provide a file sharing method, apparatus, device and medium based on CP-ABE hierarchical access control, aiming to solve the problem that the prior art cannot provide an effective access control method, which results in low security of shared data.
In one aspect, the present invention provides a file sharing method based on CP-ABE hierarchical access control, the method comprising the following steps:
when a file sharing request sent by a file owner is received, encrypting the set of files to be shared with a symmetric encryption algorithm according to a preset content key set, to obtain a file ciphertext set;
encrypting the content key set with a preset encryption function, according to pre-generated public parameters and the AND-gate access control policy corresponding to a pre-built AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set, the key ciphertext set containing the AND-gate access control policy;
uploading the file ciphertext set and the key ciphertext set to a cloud server to achieve cloud file sharing.
In another aspect, the present invention provides a file sharing apparatus based on CP-ABE hierarchical access control, the apparatus comprising:
a first encryption unit, configured to, when a file sharing request sent by a file owner is received, encrypt the set of files to be shared with a symmetric encryption algorithm according to a preset content key set, to obtain a file ciphertext set;
a second encryption unit, configured to encrypt the content key set with a preset encryption function, according to pre-generated public parameters and the AND-gate access control policy corresponding to a pre-built AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set, the key ciphertext set containing the AND-gate access control policy; and
a ciphertext upload unit, configured to upload the file ciphertext set and the key ciphertext set to a cloud server to achieve cloud file sharing.
In another aspect, the present invention further provides a computing device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the above file sharing method based on CP-ABE hierarchical access control.
In another aspect, the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above file sharing method based on CP-ABE hierarchical access control.
In the present invention, when a file sharing request sent by the file owner is received, the set of files to be shared is encrypted with a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; the content key set is encrypted with a preset encryption function, according to the public parameters and the AND-gate access control policy corresponding to the AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing. Hierarchical ciphertext access is thereby achieved through CP-ABE while the storage overhead and communication overhead of the ciphertext and the computational complexity of decryption are reduced, and encryption efficiency, decryption efficiency and the security of the shared data are improved.
Brief description of the drawings
Figure 1 is an implementation flowchart of the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 1 of the present invention;
Figure 2 is an implementation flowchart of the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention;
Figure 3 is a schematic diagram of the AND-gate structure access trees constructed in the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention;
Figure 4 is a schematic diagram of the integrated AND-gate hierarchical access tree in the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention;
Figure 5 is a schematic diagram of converting the AND-gate hierarchical access tree into the AND-gate policy LSSS matrix in the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention;
Figure 6 is a schematic structural diagram of the file sharing apparatus based on CP-ABE hierarchical access control provided in Embodiment 3 of the present invention;
Figure 7 is a schematic structural diagram of the file sharing apparatus based on CP-ABE hierarchical access control provided in Embodiment 4 of the present invention; and
Figure 8 is a schematic structural diagram of the computing device provided in Embodiment 5 of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.
The specific implementation of the present invention is described in detail below with reference to specific embodiments:
Embodiment 1:
Figure 1 shows the implementation flow of the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 1 of the present invention. For ease of description, only the parts relevant to this embodiment are shown, detailed as follows:
In step S101, when a file sharing request sent by the file owner is received, the set of files to be shared is encrypted with a symmetric encryption algorithm according to the preset content key set, to obtain the file ciphertext set.
This embodiment applies to data processing platforms, devices or servers, such as personal computing devices and servers. It mainly involves four entities: the file owner, the file accessor, the attribute authorization center and the cloud server. The file owner can encrypt a large number of files in a single pass and store the resulting ciphertext on the cloud server, enabling multi-file sharing. The file accessor accesses files stored on the cloud server according to its own access rights. The attribute authorization center is responsible for key management and also for defining the system attribute set; it is fully trusted, and its main functions are accepting user registration, key distribution, user verification and managing the attribute domain. The main role of the cloud server is to provide ciphertext storage and file transfer services.
In this embodiment, when a file sharing request sent by the file owner is received, the set of files to be shared is encrypted with a symmetric encryption algorithm (for example, the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES)) according to the content key set $ck = \{ck_1, \ldots, ck_k\}$ preset by the file owner, to obtain the file ciphertext set [Figure PCTCN2019079637-appb-000001]. The set of files to be shared contains one or more files to be shared; the k-th content key $ck_k$ in the content key set $ck = \{ck_1, \ldots, ck_k\}$ is the key used when the symmetric encryption algorithm is applied to the k-th file to be shared, and [Figure PCTCN2019079637-appb-000002] is the file ciphertext corresponding to the k-th file to be shared.
Before the set of files to be shared is encrypted with the symmetric encryption algorithm, preferably, the attribute authorization center is controlled to generate the public parameters (public key) PK and the master private key MSK through the system initialization function Setup(λ), thereby improving the trustworthiness of the public parameters and the master private key, where λ is a preset security parameter.
When the attribute authorization center is controlled to generate the public parameters (public key) PK and the master private key MSK through the system initialization function Setup(λ), this is preferably implemented through the following steps:
1) Select bilinear groups $G_0$ and $G_T$ of prime order $p$ with a bilinear map $e: G_0 \times G_0 \to G_T$, and select a generator $g$ of the bilinear group $G_0$;
2) Define a hash function $H: \{0,1\}^* \to G_0$, and randomly select two elements $\alpha$ and $\beta$ from the field $Z_p = \{0, 1, \ldots, p-1\}$;
3) Compute the public parameters by the formula $PK = (G_0, p, g, e(g,g)^{\alpha}, h = g^{\beta})$ and the master private key by the formula $MSK = (g^{\alpha}, \beta)$. PK is published as the public key, and MSK is kept by the attribute authorization center as the master key.
Steps 1) to 3) above thus generate the public parameters PK and the master private key MSK, further improving the trustworthiness of the public parameters and the master private key.
In step S102, the content key set is encrypted with a preset encryption function, according to the pre-generated public parameters and the AND-gate access control policy corresponding to the pre-built AND-gate policy LSSS matrix, to obtain the key ciphertext set corresponding to the content key set.
In this embodiment, the file owner inputs the public parameters PK, the content key set $ck = \{ck_1, \ldots, ck_k\}$ and the AND-gate access control policy $(M, \rho)$ corresponding to the AND-gate policy LSSS matrix into the encryption function $CT = \mathrm{Encrypt}(PK, (M, \rho), ck)$. The encryption function encrypts the content key set to obtain the key ciphertext set CT corresponding to the content key set, and CT contains the AND-gate access control policy $(M, \rho)$. Here $(M, \rho)$ is the AND-gate access control policy corresponding to the AND-gate policy Linear Secret Sharing Scheme (LSSS) matrix $M$; the function $\rho$ is an injective function that maps each row of $M$ to a system attribute in the system attribute set; $M$ is an $n \times n$ matrix, and $n$ is the number of system attributes in $M$.
When the encryption function $CT = \mathrm{Encrypt}(PK, (M, \rho), ck)$ is used to encrypt the content key set, the encryption is preferably implemented through the following steps:
1) Select $k$ random numbers $s_1, s_2, \ldots, s_k$ from the field $Z_p = \{0, 1, \ldots, p-1\}$ as the encryption exponent secret values, and for all $i = 1, 2, \ldots, k$ compute $C_i$ and $C'_i$: [Figure PCTCN2019079637-appb-000003]
2) Select a set of random vectors [Figure PCTCN2019079637-appb-000004], where [Figure PCTCN2019079637-appb-000005] [Figure PCTCN2019079637-appb-000006], and where $y_2, \ldots, y_n$ are used to share the encryption exponent secret value $s_i$ ($i \in [1, k]$);
3) Compute [Figure PCTCN2019079637-appb-000007], and select $n$ random numbers $\lambda'_{1,j}, \lambda'_{2,j}, \ldots, \lambda'_{n,j}$ from the field $Z_p = \{0, 1, \ldots, p-1\}$ as attribute masks, where $i \in [1, n]$, $j \in [1, n-1]$, $M_{i,j}$ is the $i$-th row of the $j$-th matrix $M_j$, and [Figure PCTCN2019079637-appb-000008] is the $j$-th vector in the random vector set [Figure PCTCN2019079637-appb-000009];
4) For $i \in [1, n]$, compute $C_{1,i}$ and $C_{2,i}$: [Figure PCTCN2019079637-appb-000010], $C_{2,i} = \lambda_{i,j} - \lambda'_{i,j}$;
5) Compute the key ciphertext set CT according to the ciphertext formula [Figure PCTCN2019079637-appb-000011].
Steps 1) to 5) above thus encrypt the content key set and yield the key ciphertext set corresponding to the set of files to be shared, improving the efficiency and security of encrypting shared files.
In step S103, the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing.
In this embodiment, the file owner uploads the file ciphertext set $E_{ck}(M)$ and the key ciphertext set CT corresponding to that file ciphertext set to the cloud server, so that file accessors can access the corresponding files on the cloud server, thereby achieving cloud file sharing.
In this embodiment, when a file sharing request sent by the file owner is received, the set of files to be shared is encrypted with a symmetric encryption algorithm according to the content key set to obtain the file ciphertext set; the content key set is encrypted with the encryption function, according to the public parameters and the AND-gate access control policy corresponding to the AND-gate policy LSSS matrix, to obtain the key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing. Hierarchical ciphertext access is thereby achieved through CP-ABE while the storage overhead and communication overhead of the ciphertext and the computational complexity of decryption are reduced, and encryption efficiency, decryption efficiency and the security of the shared data are improved.
Embodiment 2:
Figure 2 shows the implementation flow of the file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention. For ease of description, only the parts relevant to this embodiment are shown, detailed as follows:
In step S201, when a file sharing request sent by the file owner is received, the file owner is controlled to construct, according to the preset system attribute set, a corresponding AND-gate structure access tree for each file in the set of files to be shared.
In this embodiment, when a file sharing request sent by the file owner is received, the file owner constructs a corresponding AND-gate structure access tree for each file in the set of files to be shared, one by one, according to the system attribute set defined by the attribute authorization center; that is, different files have different access policies.
As an example, the file owner wants to encrypt the file set $M = \{m_1, m_2\}$ and upload it to the cloud server. First, according to the system attribute set Y = {"attending doctor", "diabetology", "researcher"}, the AND-gate structure access tree $T_1$ is constructed for file $m_1$ and the AND-gate structure access tree $T_2$ for file $m_2$. Figure 3 shows $T_1$ and $T_2$. The attribute set of the access policy corresponding to $T_1$ is $Y_1$ = {"attending doctor", "diabetology", "researcher"}, meaning that only diabetology researchers who have reached the attending-doctor level can access file $m_1$. The attribute set of the access policy corresponding to $T_2$ is $Y_2$ = {"diabetology", "researcher"}, meaning that any diabetology researcher can access file $m_2$.
In step S202, all the AND-gate structure access trees are integrated into one AND-gate hierarchical access tree according to the commonality between the AND-gate structure access trees.
In this embodiment, each AND-gate structure access tree includes level nodes, transport nodes and leaf nodes carrying attributes. According to the commonality (that is, the hierarchy relationship) between the AND-gate structure access trees, all of them are integrated into one AND-gate hierarchical access tree, so that sharing the access policy reduces computation and storage overhead. In addition, a user needs to compute the key only once to decrypt all the ciphertexts, which improves decryption efficiency.
As an example, take the AND-gate structure access trees $T_1$ and $T_2$ shown in Figure 3 and let the attributes be A = "attending doctor", B = "diabetology" and C = "researcher". The access policy corresponding to $T_1$ is then (A, (B, C, 2), 2) and the access policy corresponding to $T_2$ is (B, C, 2). Inspection shows that $T_2$ is a subset of $T_1$ and that there is a clear hierarchy relationship between them: the access policy tree $T_1$ can be obtained by extending the access policy tree $T_2$. $T_1$ and $T_2$ are therefore integrated into the AND-gate hierarchical access tree $T$ shown in Figure 4; that is, if both files are encrypted with the access policy tree $T$, the access policy can be used jointly by file $m_1$ and file $m_2$.
In step S203, the AND-gate hierarchical access tree is converted into the AND-gate policy LSSS matrix according to a preset matrix conversion rule.
In this embodiment, when the AND-gate hierarchical access tree is converted into the AND-gate policy LSSS matrix according to the preset matrix conversion rule, preferably, the root node of the AND-gate hierarchical access tree is first labeled with the vector v and a global counter variable c is initialized to 1; after the tree has been traversed, c is the maximum vector length. The tree is then traversed from top to bottom: one child node is labeled with the vector v|1 assigned by its parent (the parent's vector concatenated with the child's entry), and the parent's other child node is labeled with the vector (0, ..., 0)|-1, where (0, ..., 0) denotes a zero vector of length c. Finally, once the whole tree has been labeled, the vectors labeling the leaf nodes become the rows of the LSSS matrix; if these vectors differ in length, zeros are appended to the end of the shorter ones so that all have the same length. Replacing the access structure of the hierarchical access tree with the AND-gate policy LSSS matrix in this way achieves hierarchical access, improves the efficiency of encrypting shared files, and reduces the storage overhead of the ciphertext.
As an example, Figure 5 shows the AND-gate hierarchical access tree $T$ being converted into the AND-gate policy LSSS matrix $M$ according to the matrix conversion rule.
In step S204, the set of files to be shared is encrypted with a symmetric encryption algorithm according to the preset content key set, to obtain the file ciphertext set.
In step S205, the content key set is encrypted with a preset encryption function, according to the public parameters and the AND-gate access control policy corresponding to the AND-gate policy LSSS matrix, to obtain the key ciphertext set corresponding to the content key set.
In step S206, the file ciphertext set and the key ciphertext set are uploaded to the cloud server to achieve cloud file sharing.
In this embodiment, for the specific implementation of steps S204 to S206, refer to the description of steps S101 to S103 in Embodiment 1; the details are not repeated here.
In step S207, when a file access request sent by a file accessor is received, the file accessor is controlled to obtain its user private key from the attribute authorization center, the user private key containing the user attribute set corresponding to the file accessor.
In this embodiment, when a file access request sent by a file accessor is received, the attribute authorization center, according to that request, takes the master private key MSK and the user attribute set corresponding to the file accessor as input and generates the file accessor's user private key through the key generation function KeyGen(MSK, S).
Before sending a file access request, the file accessor preferably registers with the attribute authorization center. During registration, the attribute authorization center verifies the legitimacy of the file accessor's identity and, once verification passes, assigns a user attribute set to the file accessor, thereby improving the security of cloud file access.
When the file accessor's user private key is generated through the key generation function KeyGen(MSK, S), preferably, once the legitimacy of the file accessor's identity has been verified, the user private key is computed by the formula [Figure PCTCN2019079637-appb-000012], where $K_0 = g^{\alpha} h^{r}$, $K_1 = g^{r}$, [Figure PCTCN2019079637-appb-000013], $r$ is a random element of the field $Z_p = \{0, 1, \ldots, p-1\}$, the user attribute set is $S = \{A_1, \ldots, A_x\}$, and $A_x$ is the $x$-th attribute in $S$, thereby further improving the security of cloud file access.
In step S208, the key ciphertext set on the cloud server is decrypted with a preset decryption function according to the public parameters and the user private key, to obtain the access content key set corresponding to the user attribute set.
In this embodiment, the file accessor inputs the public parameters PK, the user private key SK and the key ciphertext set CT into the decryption function Decrypt(PK, CT, SK), which decrypts the key ciphertext set CT on the cloud server to obtain the access content key set corresponding to the user attribute set.
When the key ciphertext set is decrypted, the decryption is preferably implemented through the following steps:
1) Obtain, according to the AND-gate access control policy, the file access policy that the user attribute set satisfies.
In this embodiment, when obtaining the file access policy that the user attribute set satisfies, preferably, it is determined whether the user attribute set $S$ satisfies the AND-gate access control policy $(M, \rho)$. If so, the AND-gate access control policy is set as the file access policy. Otherwise, according to the hierarchy relationship rule in the AND-gate policy LSSS matrix $M$, the first row and first column of the matrix $M_j$ (that is, $M$) are deleted to produce a new matrix $M_{j+1}$, where $j \in [1, n-2]$, $M$ is an $n \times n$ matrix and $n$ is the number of system attributes in $M$. It is then determined whether $S$ satisfies $M_{j+1}$; if not, the first row and first column of $M_{j+1}$ are deleted to produce a new matrix, and the check continues until the user attribute set satisfies the AND-gate access control policy corresponding to the newly generated matrix, thereby improving the reasonableness of the obtained file access policy.
2) Decrypt the corresponding access content key set according to the file access policy.
In this embodiment, when the corresponding access content key set is decrypted according to the file access policy, preferably:
When the file access policy is the AND-gate access control policy $(M, \rho)$ corresponding to the AND-gate policy LSSS matrix $M$, first compute $\omega_i$ from $\sum_{i \in S} \omega_i \cdot M_i = (1, 0, \ldots, 0)$ such that $\omega_i \in Z_p$, where $M_i$ is the $i$-th row of the matrix $M$; then compute the $i$-th user attribute $A_i$ by the formula [Figure PCTCN2019079637-appb-000014]; finally, compute the corresponding access content key set $ck = \{ck_1, \ldots, ck_k\}$ by the formula [Figure PCTCN2019079637-appb-000015];
When the file access policy is the AND-gate access control policy corresponding to $M_{j+1}$, first select the attribute set $I = \{i : \rho(i) \in S\}$ that satisfies the access policy corresponding to $M_{j+1}$; then compute $\omega_i$ from $\sum_{i \in I} \omega_i \cdot M_{i,j+1} = (1, 0, \ldots, 0)$ such that $\omega_i \in Z_p$, where $M_{i,j+1}$ is the $i$-th row of the matrix $M_{j+1}$ and $j \in [1, n-2]$; then compute the $i$-th user attribute $A_i$ by the formula [Figure PCTCN2019079637-appb-000016]; finally, compute the corresponding access content key set $ck = \{ck_{j+1}, ck_{j+2}, \ldots, ck_k\}$ by the formula [Figure PCTCN2019079637-appb-000017].
The above steps improve the adaptability and trustworthiness of the decrypted access content keys.
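The tree-to-matrix rule of step S203 and the row-and-column deletion check of decryption step 1), worked through on the patent's A/B/C example as an added Python sketch that is not part of the patent text. The root vector (1), the choice of which child receives v|1, the prime `P` and all function names are assumptions of this sketch, and the share computation $\lambda_i = M_i \cdot v$ is the standard LSSS form, used because the patent's own formulas survive here only as image placeholders.

```python
import secrets

P = 2**61 - 1  # constructed prime standing in for the group order p (assumption)

# Constructed policy from the patent's example: T = A AND (B AND C).
A, B, C = "attending doctor", "diabetology", "researcher"
TREE = ("AND", A, ("AND", B, C))


def tree_to_lsss(tree):
    """Label an AND-only tree; return (M, rho) where row i of M belongs to rho[i]."""
    rows, rho = [], []
    counter = 1  # global counter c; after the traversal it is the row length

    def label(node, vec):
        nonlocal counter
        if isinstance(node, str):          # leaf: its vector becomes a matrix row
            rows.append(vec)
            rho.append(node)
            return
        _, first, second = node
        padded = vec + [0] * (counter - len(vec))
        first_vec = padded + [1]           # v|1 (assumption: given to the first child)
        second_vec = [0] * counter + [-1]  # (0,...,0)|-1 with c zeros
        counter += 1
        label(first, first_vec)
        label(second, second_vec)

    label(tree, [1])                       # assumption: the root vector v is (1)
    return [r + [0] * (counter - len(r)) for r in rows], rho


def reconstruction_coeffs(M, rho, attrs, p=P):
    """Solve sum_i w_i * M_i = (1,0,...,0) over Z_p using only rows the user holds."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    width = len(M[0])
    # One equation per matrix column; the unknowns are the w_i for i in idx.
    aug = [[M[i][c] % p for i in idx] + [1 if c == 0 else 0] for c in range(width)]
    pivots, r = [], 0
    for col in range(len(idx)):
        piv = next((k for k in range(r, width) if aug[k][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(width):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):    # 0 = nonzero: attrs do not satisfy M
        return None
    w = [0] * len(idx)
    for row_i, col in enumerate(pivots):
        w[col] = aug[row_i][-1]
    return {idx[j]: w[j] for j in range(len(idx))}


def accessible_level(M, rho, attrs, p=P):
    """Try M_1 = M, then delete first row and column until attrs satisfy M_j.

    Returns (j, M_j, rho_j), or None when no level down to the 2x2 matrix
    (the patent's j in [1, n-2]) is satisfied.
    """
    level = 1
    while len(M) >= 2:
        if reconstruction_coeffs(M, rho, attrs, p) is not None:
            return level, M, rho
        M, rho = [row[1:] for row in M[1:]], rho[1:]
        level += 1
    return None


def share_and_recover(M, rho, attrs, secret, p=P):
    """Share `secret` with v = (secret, y_2..y_n), then recombine the user's shares."""
    w = reconstruction_coeffs(M, rho, attrs, p)
    if w is None:
        return None
    v = [secret] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    shares = [sum(m * x for m, x in zip(row, v)) % p for row in M]
    return sum(w[i] * shares[i] for i in w) % p
```

A user holding only B and C fails against the full 3 × 3 matrix but satisfies the 2 × 2 matrix left after one deletion, which corresponds to the level that protects only $ck_2$ (file $m_2$) in the patent's example.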
In step S209, the file ciphertext set on the cloud server is decrypted with a symmetric decryption algorithm according to the access content key set, to obtain the access file plaintext set corresponding to the access content key set.
In this embodiment, the file ciphertext set $E_{ck}(M)$ on the cloud server is decrypted with a symmetric decryption algorithm according to the access content key set, to obtain the access file plaintext set corresponding to the access content key set. For example, if the access content key set decrypted according to the user attribute set is $ck = \{ck_1, \ldots, ck_k\}$ and the file ciphertext set [Figure PCTCN2019079637-appb-000018] is decrypted with a symmetric decryption algorithm according to that key set, the resulting access file plaintext set is $M = \{m_1, m_2, \ldots, m_k\}$. If the access content key set decrypted according to the user attribute set is $ck = \{ck_{j+1}, ck_{j+2}, \ldots, ck_k\}$ and the file ciphertext set [Figure PCTCN2019079637-appb-000019] is decrypted with a symmetric decryption algorithm according to that key set, the resulting access file plaintext set is $M = \{m_{j+1}, m_{j+2}, \ldots, m_k\}$.
In the embodiment of the present invention, when files are shared, each file to be shared has a different access policy. The file owner constructs a corresponding AND-gate structure access tree for each file to be shared and then, according to the commonality among these trees, integrates them into a single AND-gate hierarchical access tree, which the file owner uses whenever encrypting shared files. When files are accessed, the file visitor traverses each subtree of the AND-gate hierarchical access tree with the user attributes it carries to determine which file's access policy it satisfies, decrypts the corresponding content key, and obtains the corresponding plaintext file through symmetric decryption. Hierarchical ciphertext access is thus achieved through CP-ABE while the storage overhead and communication overhead of the ciphertext and the computational complexity of decryption are reduced, and the encryption efficiency, the decryption efficiency and the security of the shared data are improved.
Embodiment 3:
FIG. 6 shows the structure of a file sharing apparatus based on CP-ABE hierarchical access control provided in Embodiment 3 of the present invention. For ease of description, only the parts related to the embodiment of the present invention are shown, including:
a first encryption unit 61, configured to, when a file sharing request sent by a file owner is received, encrypt the set of files to be shared using a symmetric encryption algorithm according to a preset content key set, to obtain a file ciphertext set;
a second encryption unit 62, configured to encrypt the content key set using a preset encryption function according to pre-generated public parameters and the AND-gate access control policy corresponding to a pre-built AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set; and
a ciphertext uploading unit 63, configured to upload the file ciphertext set and the key ciphertext set to a cloud server, so as to realize cloud file sharing.
In the embodiment of the present invention, each unit of the file sharing apparatus based on CP-ABE hierarchical access control may be implemented by a corresponding hardware or software unit; the units may be independent software or hardware units or may be integrated into one software or hardware unit, which is not intended to limit the present invention. Specifically, for the implementation of each unit, refer to the description of Embodiment 1 above; details are not repeated here.
Embodiment 4:
FIG. 7 shows the structure of a file sharing apparatus based on CP-ABE hierarchical access control provided in Embodiment 4 of the present invention. For ease of description, only the parts related to the embodiment of the present invention are shown, including:
an access tree construction unit 71, configured to, when a file sharing request sent by a file owner is received, control the file owner to construct a corresponding AND-gate structure access tree for each file in the set of files to be shared according to a preset system attribute set;
an access tree integration unit 72, configured to integrate all the AND-gate structure access trees into one AND-gate hierarchical access tree according to the commonality among the AND-gate structure access trees;
a matrix conversion unit 73, configured to convert the AND-gate hierarchical access tree into an AND-gate policy LSSS matrix according to a preset matrix conversion rule;
a first encryption unit 74, configured to encrypt the set of files to be shared using a symmetric encryption algorithm according to a preset content key set, to obtain a file ciphertext set;
a second encryption unit 75, configured to encrypt the content key set using a preset encryption function according to the public parameters and the AND-gate access control policy corresponding to the AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set;
a ciphertext uploading unit 76, configured to upload the file ciphertext set and the key ciphertext set to a cloud server, so as to realize cloud file sharing;
a user private key acquisition unit 77, configured to, when a file access request sent by a file visitor is received, control the file visitor to obtain the file visitor's user private key from the attribute authority, the user private key containing the user attribute set corresponding to the file visitor;
a key ciphertext decryption unit 78, configured to decrypt the key ciphertext set in the cloud server using a preset decryption function according to the public parameters and the user private key, to obtain an access content key set corresponding to the user attribute set; and
a file ciphertext decryption unit 79, configured to decrypt the file ciphertext set in the cloud server using a symmetric decryption algorithm according to the access content key set, to obtain an access file plaintext set corresponding to the access content key set.
In the embodiment of the present invention, each unit of the file sharing apparatus based on CP-ABE hierarchical access control may be implemented by a corresponding hardware or software unit; the units may be independent software or hardware units or may be integrated into one software or hardware unit, which is not intended to limit the present invention. Specifically, for the implementation of each unit, refer to the description of the foregoing method embodiments; details are not repeated here.
Embodiment 5:
FIG. 8 shows the structure of the computing device provided in Embodiment 5 of the present invention. For ease of description, only the parts related to the embodiment of the present invention are shown.
The computing device 8 of the embodiment of the present invention includes a processor 80, a memory 81, and a computer program 82 stored in the memory 81 and executable on the processor 80. When the processor 80 executes the computer program 82, it implements the steps in the above embodiments of the file sharing method based on CP-ABE hierarchical access control, for example steps S101 to S103 shown in FIG. 1. Alternatively, when the processor 80 executes the computer program 82, it implements the functions of the units in the above apparatus embodiments, for example the functions of units 61 to 63 shown in FIG. 6.
In the embodiment of the present invention, when a file sharing request sent by a file owner is received, the set of files to be shared is encrypted using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; the content key set is encrypted using an encryption function according to the public parameters and the AND-gate access control policy corresponding to the AND-gate policy LSSS matrix to obtain a key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing. Hierarchical ciphertext access is thus achieved through CP-ABE while the storage overhead and communication overhead of the ciphertext and the computational complexity of decryption are reduced, and the encryption efficiency, the decryption efficiency and the security of the shared data are improved.
The computing device of the embodiment of the present invention may be a personal computing device or a server. For the steps implemented when the processor 80 in the computing device 8 executes the computer program 82 to carry out the file sharing method based on CP-ABE hierarchical access control, refer to the description of the foregoing method embodiments; details are not repeated here.
Embodiment 6:
In the embodiment of the present invention, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps in the above embodiments of the file sharing method based on CP-ABE hierarchical access control, for example steps S101 to S103 shown in FIG. 1. Alternatively, when executed by a processor, the computer program implements the functions of the units in the above apparatus embodiments, for example the functions of units 61 to 63 shown in FIG. 6.
In the embodiment of the present invention, when a file sharing request sent by a file owner is received, the set of files to be shared is encrypted using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; the content key set is encrypted using an encryption function according to the public parameters and the AND-gate access control policy corresponding to the AND-gate policy LSSS matrix to obtain a key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing. Hierarchical ciphertext access is thus achieved through CP-ABE while the storage overhead and communication overhead of the ciphertext and the computational complexity of decryption are reduced, and the encryption efficiency, the decryption efficiency and the security of the shared data are improved.
The computer-readable storage medium of the embodiment of the present invention may include any entity or apparatus capable of carrying computer program code, or a recording medium, for example a memory such as ROM/RAM, a magnetic disk, an optical disk or flash memory.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (10)

  1. A file sharing method based on CP-ABE hierarchical access control, characterized in that the method comprises the following steps:
    when a file sharing request sent by a file owner is received, encrypting the set of files to be shared using a symmetric encryption algorithm according to a preset content key set, to obtain a file ciphertext set;
    encrypting the content key set using a preset encryption function according to pre-generated public parameters and the AND-gate access control policy corresponding to a pre-built AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set, the key ciphertext set containing the AND-gate access control policy;
    uploading the file ciphertext set and the key ciphertext set to a cloud server, so as to realize cloud file sharing.
  2. The method according to claim 1, characterized in that, before the step of encrypting the set of files to be shared using a symmetric encryption algorithm, the method further comprises:
    controlling the file owner to construct a corresponding AND-gate structure access tree for each file in the set of files to be shared according to a preset system attribute set;
    integrating all the AND-gate structure access trees into one AND-gate hierarchical access tree according to the commonality among the AND-gate structure access trees;
    converting the AND-gate hierarchical access tree into the AND-gate policy LSSS matrix according to a preset matrix conversion rule.
  3. The method according to claim 1, characterized in that, after the step of uploading the file ciphertext set and the key ciphertext set to a cloud server, the method further comprises:
    when a file access request sent by a file visitor is received, controlling the file visitor to obtain the file visitor's user private key from the attribute authority, the user private key containing the user attribute set corresponding to the file visitor;
    decrypting the key ciphertext set in the cloud server using a preset decryption function according to the public parameters and the user private key, to obtain an access content key set corresponding to the user attribute set;
    decrypting the file ciphertext set in the cloud server using a symmetric decryption algorithm according to the access content key set, to obtain an access file plaintext set corresponding to the access content key set.
  4. The method according to claim 3, characterized in that the step of decrypting the key ciphertext set in the cloud server using a preset decryption function comprises:
    obtaining, according to the AND-gate access control policy, a file access policy that the user attribute set satisfies;
    decrypting the corresponding access content key set according to the file access policy.
  5. The method according to claim 4, characterized in that the step of obtaining a file access policy that the user attribute set satisfies comprises:
    determining whether the user attribute set satisfies the AND-gate access control policy;
    if so, setting the AND-gate access control policy as the file access policy;
    otherwise, deleting the first row and the first column of the AND-gate policy LSSS matrix corresponding to the AND-gate access control policy, setting the access policy corresponding to the AND-gate policy LSSS matrix after deletion as the AND-gate access control policy, and returning to the step of determining whether the user attribute set satisfies the AND-gate access control policy.
  6. A file sharing apparatus based on CP-ABE hierarchical access control, characterized in that the apparatus comprises:
    a first encryption unit, configured to, when a file sharing request sent by a file owner is received, encrypt the set of files to be shared using a symmetric encryption algorithm according to a preset content key set, to obtain a file ciphertext set;
    a second encryption unit, configured to encrypt the content key set using a preset encryption function according to pre-generated public parameters and the AND-gate access control policy corresponding to a pre-built AND-gate policy LSSS matrix, to obtain a key ciphertext set corresponding to the content key set, the key ciphertext set containing the AND-gate access control policy; and
    a ciphertext uploading unit, configured to upload the file ciphertext set and the key ciphertext set to a cloud server, so as to realize cloud file sharing.
  7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
    an access tree construction unit, configured to control the file owner to construct a corresponding AND-gate structure access tree for each file in the set of files to be shared according to a preset system attribute set;
    an access tree integration unit, configured to integrate all the AND-gate structure access trees into one AND-gate hierarchical access tree according to the commonality among the AND-gate structure access trees; and
    a matrix conversion unit, configured to convert the AND-gate hierarchical access tree into the AND-gate policy LSSS matrix according to a preset matrix conversion rule.
  8. The apparatus according to claim 6, characterized in that the apparatus further comprises:
    a user private key acquisition unit, configured to, when a file access request sent by a file visitor is received, control the file visitor to obtain the file visitor's user private key from the attribute authority, the user private key containing the user attribute set corresponding to the file visitor;
    a key ciphertext decryption unit, configured to decrypt the key ciphertext set in the cloud server using a preset decryption function according to the public parameters and the user private key, to obtain an access content key set corresponding to the user attribute set; and
    a file ciphertext decryption unit, configured to decrypt the file ciphertext set in the cloud server using a symmetric decryption algorithm according to the access content key set, to obtain an access file plaintext set corresponding to the access content key set.
  9. A computing device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 5.
  10. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 5.
PCT/CN2019/079637 2018-10-25 2019-03-26 File sharing method and apparatus based on cp-abe layered access control, and device and medium WO2020082687A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811251332.1 2018-10-25
CN201811251332.1A CN109617855B (en) 2018-10-25 2018-10-25 File sharing method, device, equipment and medium based on CP-ABE layered access control

Publications (1)

Publication Number Publication Date
WO2020082687A1 true WO2020082687A1 (en) 2020-04-30

Family

ID=66002856

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/079637 WO2020082687A1 (en) 2018-10-25 2019-03-26 File sharing method and apparatus based on cp-abe layered access control, and device and medium

Country Status (2)

Country Link
CN (1) CN109617855B (en)
WO (1) WO2020082687A1 (en)


Also Published As

Publication number Publication date
CN109617855A (en) 2019-04-12
CN109617855B (en) 2020-10-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19877271; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19877271; Country of ref document: EP; Kind code of ref document: A1)