CN103825903A - Safe file sharing method based on mobile social network - Google Patents

Abstract

The invention discloses a safe file sharing method based on a mobile social network. The safe file sharing method comprises the steps that S1, a family shared network is established on the basis of a short-range wireless communication technology, wherein participants of the family shared network comprise a trusted third party institution, a file owner and a user; S2, the trusted third party institution generates a public key of attribute and a master key of attribute according to a global attribute set; S3, the trusted third party institution generates a private key of attribute on the basis of a user attribute set and an attribute access structure; S4, mobile communication equipment of the file owner encrypts a shared file by a symmetric key and encrypts the symmetric key on the basis of the attribute of the shared file and the public key of attribute; S5, whether the attribute access structure of the user is matched with the attribute of the shared file is judged, wherein the user can access and decrypt the ciphertext of the shared file corresponding to the matched attribute. By the safe file sharing method, the content privacy of the shared file can be ensured when the file is shared simply and rapidly by the nonprofessional file owner and the user.

Description

File security based on mobile social networking is shared method

Technical field

The invention belongs to mobile social networking technical field, relate in particular to a kind of file security based on mobile social networking and share method.

Background technology

Benefit from the continuous reduction of electronic equipment manufacturing cost, support that the mobile device of express network communication (for example, 3G/4G, WIFI, bluetooth) is more and more universal in general population.According to statistics, to the end of the year 2013, dull and stereotyped and these two kinds mobile device whole world total sales volumes that possess network communicating function of smart mobile phone will reach 1,200,000,000, and by 2017, everyone will have 1.4 mobile devices the whole world.These mobile devices that possess high-speed communication ability have expedited the emergence of the birth of mobile Internet, and have changed deeply the intrinsic life style of people.

In the mobile Internet epoch, people can use mobile communication equipment between friend, colleague, acquaintance, to share fast existing file.Then due to the unbalanced regional development level of 3G/4G network, high rate, limited network coverage, the file-sharing of random time, anywhere is restricted, and mobile internet make mobile network can't bear the heavy load in many cases.Consider that certain intragroup people can gather sometime certain fixed location activity, if employee's work hours of a company are all in office, student's class period of a class is all in a classroom, and the soldier on a warship is on same warship etc.Under this environment, use the short distance wireless communication technology such as WIFI and bluetooth on mobile device, connect into mobile social networking (Mobile Social Network with Ad-hoc form, MSN), just can realize freely, freely file-sharing, this specific applied environment is called as " home environment (Home environment) ", and this environment network is called as " home network (Home Network) ", the file distributing pattern of employing is referred to as " (Home Sharing) shares in family ".Since nearly one or two years, file-sharing application under the home environment that the virtual focus of use WIFI is built emerges in multitude, this class file sharing application can be divided two kinds of forms: a kind of file owner of being forges into mobile device the form of ftp file server, then user is connected on this mobile device, according to self needs, download corresponding document; Another kind is that file owner sets up and is connected one to one with user, then by file owner, file is sent to user.

Because the shared file on mobile device comprises some sensitive informations, therefore, under aforesaid way, family's shared model will inevitably cause user and pays close attention to shared file fail safe.But in family's shared model, account form becomes passive computation model from traditional active computation model, mean the passive wait service end service of client needs; User is nearly all layman, and traditional access control scheme, because implementing complexity, very flexible, is difficult to adapt to the provisional and polytropy of family's shared model.Therefore, consider user's non-professionality feature, the access control model of real-time interactive is all taked in much research in family's shared model, and has proposed some interactive visit schemes, realizes simple and access control flexibly.This method is used for controlling a small amount of visitor's resource access request for Smart Home environment and can also deals with, but in family's shared environment of file-sharing, in the time that a file owner has much more relatively users, the access control model of this real-time interactive inefficiency that just seems.In the mobile Internet epoch of multimedia messages blast, in family's shared model, user's final purpose is to the people who needs by sharing files, and a large amount of mutual request in this short time, make a file owner that request response should be tied and is too busy, user also needs pending file owner's answer, this poor efficiency can further worsen in the time that same file owner has many parts of files, is enough to allow user lose interest to file-sharing.Exactly because also like this, just have and abandoned safe application for efficiency.

Generally speaking, in family's shared model, passive computing environment and non-professional participant have limited fine-grained sharing and shared efficiency, therefore design an access control scheme that needs are simple to operation, new.

Summary of the invention

The problem existing for prior art, the invention provides a kind of user identity privacy, fine-grained security and efficient file security based on mobile social networking protected and shares method, is applicable to family's shared model.

Thinking of the present invention is as follows:

In family's shared model, what restrict sharing efficiency is mainly passive computing environment.If computing environment can be changed into initiatively, can improve sharing efficiency.But under active computing environment, just need file owner, for shared resource is formulated good access control scheme.Notice under social environment, the file that user is shared often has social property, and user self is fully aware of to these attributes.If use a kind of access control scheme, can well adopt the control that conducts interviews of these social propertys, can help unprofessional user's control that conducts interviews, and encryption attribute scheme exactly just can meet this character.The present invention adopts virtual hot spot technology, and file owner's mobile communication equipment is forged into file server, so just computing environment has been become initiatively; Adopt the encryption attribute scheme based on key strategy, shared file is conducted interviews to control to be arranged simultaneously, and user only need to use the associated social property of file, just can be to conduct interviews control strategy formulation of file.Effectively improve shared efficiency, and obtained good access control granularity.

For solving the problems of the technologies described above, the present invention adopts following technical scheme:

File security based on mobile social networking is shared method, is applicable to family's shared model, comprises step:

S1 is set up family's shared network based on the short distance wireless communication technology:

Based on the short distance wireless communication technology, file owner's mobile communication equipment is built into wireless access node, and wireless access node is set to without access authentication pattern, user's mobile communication equipment connects wireless access node, sets up family's shared network; Family's shared network participant of setting up comprises mechanism of trusted third party, file owner and user;

S2 attribute public-key cryptography PK and attribute master key MK obtain:

Mechanism of trusted third party is according to the global property set U based on semantic of definition, adopt the encryption attribute mechanism based on key strategy to generate attribute public-key cryptography PK and attribute master key MK, and attribute public-key cryptography PK is open to file owner and user, attribute master key MK only mechanism of trusted third party retains;

The private key SK that S3 is corresponding with user property access structure obtains:

Trusted third party is that user specifies property set and attribute access structure corresponding to property set based on semantic, according to attribute public-key cryptography PK and attribute master key MK, adopt the encryption attribute mechanism based on key strategy to generate private key SK corresponding to user property access structure, and private key SK is sent to corresponding user;

The processing of S4 shared file:

Adopt symmetric key encryption shared file, file owner selects the attribute FS based on semantic of shared file from global property set U according to shared file content, according to the attribute FS of shared file and attribute public-key cryptography PK, adopt encryption attribute encryption mechanism symmetric key based on key strategy to obtain attribute ciphertext, and by the attribute FS of shared file and attribute Cryptograph Sharing thereof to user;

The distribution of S5 shared file:

Judge user property access structure and shared file attribute FS _iwhether mate the attribute FS of user-accessible coupling _icorresponding shared file; Meanwhile, user's mobile communication equipment, according to private key SK and attribute ciphertext corresponding to addressable shared file, adopts the encryption attribute mechanism based on key strategy to decrypt symmetric key, and adopts symmetric key to decipher and obtain shared file.

Above-mentioned user and described trusted third party are inter-agency carries out data data communication with SSL SSL technique construction safe lane.

In step S2, adopt the encryption attribute mechanism based on key strategy to generate attribute public-key cryptography PK and attribute master key MK, be specially:

Take the input of the described global property set U initialization function Setup () in the encryption attribute mechanism based on key strategy based on semantic, generate attribute public-key cryptography PK and attribute master key MK.

In step S3, adopt the encryption attribute mechanism based on key strategy to generate private key SK corresponding to user property access structure, be specially:

Take the input of user property access structure, attribute public-key cryptography and attribute master key key-function KeyGen () in the encryption attribute mechanism based on key strategy, generate private key SK corresponding to user property access structure.

In step S4, adopt the encryption attribute encryption mechanism symmetric key based on key strategy to obtain attribute ciphertext, be specially:

Take the input of the attribute FS based on semantic, attribute public-key cryptography PK and symmetric key encryption function Encrypt () in the encryption attribute mechanism based on key strategy of shared file, encrypted symmetric key obtains attribute ciphertext.

In step S4, handle after shared file, spanned file visit information table and file information table memory on file owner's mobile communication equipment, described file access information table comprises attribute and the attribute ciphertext that each shared file is corresponding, described file information table memory comprises the file cipher text store path that each shared file is corresponding, file access information table shares to user, and file information table memory is only stored on file owner's mobile communication equipment.

In step S5, adopt the encryption attribute mechanism based on key strategy to decrypt symmetric key, be specially:

Input take user's private key and attribute ciphertext as the attribute decryption function UDecrypt () of the encryption attribute mechanism based on key strategy, deciphering obtains symmetric key.

The present invention has contribution:

In family's shared model, can obtain good file access control granularity and sharing efficiency first simultaneously.

Compared with file sharing method in existing mobile device, the present invention has advantage:

1) file owner only need to file use have semantic attribute tags conduct interviews control configuration, non-professional ordinary people can implement.

2) before file-sharing, carried out access control configuration, it is mutual that file owner need not participate in request in the time of Real-Time Sharing, user obtains file from file owner voluntarily, is realizing the access control of file fine granularity simultaneously, has improved file-sharing efficiency and user and has experienced.

Embodiment

Below the prior art to related to the present invention and technical solution of the present invention are described in further details.

One, network model and Security Model

1, family's shared network model

The shared network model assumption file owner of family of the present invention and user are physically in region among a small circle, and file owner uses high speed the short distance wireless communication technology (WIFI) and user's direct communication.User carries out data communication by its mobile communication equipment threaded file owner's mobile communication equipment.Whole network system participant comprises mechanism of trusted third party (can be file administration mechanism or information departments), file owner and user.File owner and user can arrive in advance mechanism of trusted third party and register, and obtain initial parameter information.Carry out in the only a certain place within certain a period of time of sharing conventionally between file owner and user, has change in time and space feature, and the file owner in current space-time unique can be also user in other space-time unique.

2, Security Model

Seemingly, at family's net environment, file owner and user are honest and curious for Security Model of the present invention and opponent's model class.Specifically, file owner and user can observe file-sharing mechanism conventionally, and user wants to obtain more shared file from file owner there.In order to simplify and improve the sharing efficiency under network model, the present invention does not encrypt wireless communication link, and the access of wireless network is also without password authentification requirement.

It is a principal object of the present invention to allow file owner and user in non-professional family shared model; in simple as far as possible mode; in distributing rapidly and accepting file, protected file content privacy to greatest extent, prevents that inappropriate user from obtaining some fileinfo.

Under family's shared network model, the access control safety attribute kit that file-sharing mechanism should have is containing what time following:

(1) confidentiality of file-sharing person's file content, ensures that in shared procedure, file content is not revealed;

(2) integrality of file-sharing person's file content, ensures that in shared procedure, file content is not tampered;

Two, related art

1, bilinear map

Order

with

be the multiplication loop group of two Prime Orders P, make g be

generator, bilinear map

a mapping with following character:

(1) bilinearity: for arbitrarily

with e (u ^a, v ^b)=e (u, v) ^abalways set up;

(2) non-degeneracy: e (g, g) ≠ 1;

(3) computability: exist the effective algorithm can be from arbitrarily

in calculate

2, the encryption attribute mechanism (KP-ABE) based on key strategy

KP-ABE is one of important branch of Arithmetic of Public-key Cryptosystem encryption attribute, is used to implement one-to-many and encrypts, and this encryption character has determined KP-ABE extensive application prospect in data distribution system.In KP-ABE, each attribute is realized has an open code corresponding with it, and data combine to encrypt with the open code of some attribute in the time encrypting.Each user has an access structure that uses self attributes set to build, access structure is a linear sharing matrix, be transformed by structuring boolean access strategy (as access structure tree), a leaf node in the corresponding access structure tree of every a line in matrix, user's private key is generated by access matrix, when the combination of and if only if the attribute associated with ciphertext meet access structure requires, user could decrypting ciphertext.

KP-ABE is made up of following 4 algorithms:

1) initialization algorithm Setup (λ, U) → (PK, MK).

First select a Prime Orders p ∈ Θ (2 ^λ) Bilinear Groups

a generator of random selection

with

then the global property collection U={a that is n by radix ₁, a ₂..., a _nas initialization algorithm input, generate following attribute key:

MK＝(PK,α) （1）

Wherein, h _x=H (a _x), H () is a disclosed hash function

pK is open for all participants, and MK is only retained by authorized party's (being the mechanism of trusted third party in the present invention).

2) cryptographic algorithm Encrypt (PK, M, S) → CT.

With an attribute public-key cryptography PK, a message to be encrypted

as input, cryptographic algorithm is selected a random parameter with a community set S

ciphertext with

form issue, wherein:

$C=M\·e{(g,g)}^{\mathrm{\αs}},\hat{C}=g^s,{\{C_x=h_x^s\}}_{{\mathrm{\α}}_x\∈S}---\left(2\right)$

3) key schedule

Using attribute master key MK and a LSSS access structure (W, ρ) as input, generate corresponding private key SK.Making W is l × n matrix, and function ρ maps the row of W and property value.Make Γ express the indexed set of mutually different attribute in present access structure matrix W, that is to say

.First key schedule selects a random vector

these values will be used to share main secret α.To l, calculate λ for i=1 _i=vW _i, W _ithat in matrix W, i is capable.In addition, algorithm is selected at random

finally calculate private key SK in mode below:

$\begin{array}{c}{D}_1=g^{{\mathrm{\λ}}_1}\·h_{\mathrm{\ρ}\left(1\right)}^{r_1},R_1=g^{r_1},\∀d\∈\mathrm{\Γ}/\mathrm{\ρ}\left(1\right),Q_{1,d}=h_d^{r_1}\\ ,...,\\ D_l=g^{{\mathrm{\λ}}_l}\·h_{\mathrm{\ρ}\left(l\right)}^{r_l},R_l=g^{r_l},\∀d\∈\mathrm{\Γ}/\mathrm{\ρ}\left(l\right),Q_{l,d}=h_d^{r_l}\end{array}---\left(3\right)$

Wherein, Γ/x represents, if there is attribute subscript x, from Γ, to get rid of x.

4) decipherment algorithm Decrypt (SK, CT) → M.

By corresponding access structure secret private key SK=(PK, (D ₁, R ₁, { Q _{1, d}) ..., (D _l, R _l, { Q _l,d)), community set S and ciphertext as input.If S does not meet access structure (W, ρ), it exports ⊥.Suppose that S meets access structure, making SU is the indexed set of S correspondence in U, i.e. SU={x:a _x∈ S}, I ∈ 1,2 ..., l} is an index set, has one

be a constant set, make 1. for all i ∈ I ρ (i) ∈ SU; 2. Σ _{i ∈ I}ω _iw _i=(1,0,0 ..., 0).

And then, definition , I is for deciphering out the index set of ciphertext institute corresponding row, and Δ is the attribute indexed set associated with these row.Notice Δ ∈ SU, SU is the attribute indexed set associated with ciphertext, Δ ∈ Γ, and Γ is the attribute indexed set for generating private key for user.

Further defined function f, it is converted into group by community set in the following manner

an element:

$f\left(\mathrm{\Δ}\right)=\underset{x\∈\mathrm{\Δ}}{\mathrm{\Π}}{h}_x---\left(4\right)$

Before decrypting ciphertext, first secret private key is carried out to preliminary treatment.For each i ∈ I, first calculate:

${\hat{D}}_i=D_i\·\underset{x\∈\mathrm{\Δ}/\mathrm{\ρ}\left(i\right)}{\mathrm{\Π}}{Q}_{i,x}=g^{{\mathrm{\λ}}_i}f{\left(\mathrm{\Δ}\right)}^{r_i}---\left(5\right)$

Then, continue to calculate:

$L=\underset{x\∈\mathrm{\Δ}}{\mathrm{\Π}}{C}_x=\underset{x\∈\mathrm{\Δ}}{\mathrm{\Π}}{h}_x^s=f{\left(\mathrm{\Δ}\right)}^s---\left(6\right)$

Finally, recover as follows e (g, g) ^{α s}:

$\begin{array}{c}e(\hat{C},\underset{i\∈I}{\mathrm{\Π}}{D}_i^{{\mathrm{\ω}}_i})/e(\underset{i\∈I}{\mathrm{\Π}}{R}_i^{{\mathrm{\ω}}_i},L)=e(g^s,\underset{i\∈I}{\mathrm{\Π}}{g}^{{\mathrm{\λ}}_i{\mathrm{\ω}}_i}f{\left(\mathrm{\Δ}\right)}^{r_i{\mathrm{\ω}}_i})/e(\underset{i\∈I}{\mathrm{\Π}}{g}^{{\mathrm{\λ}}_i{\mathrm{\ω}}_i},f{\left(\mathrm{\Δ}\right)}^s)\\ =e{(g,g)}^{\mathrm{\αs}}\·e(g,f{\left(\mathrm{\Δ}\right)}^{s{\mathrm{\Σ}}_{i\∈I}{r}_i{\mathrm{\ω}}_i})/e(g,f{\left(\mathrm{\Δ}\right)}^{s{\mathrm{\Σ}}_{i\∈I}{r}_i{\mathrm{\ω}}_i})=e{(g,g)}^{\mathrm{\αs}}\end{array}---\left(7\right)$

Deciphering place original plaintext is:

M＝C/e(g,g) ^αs （8）

The detailed encrypting and decrypting process of KP-ABE can be referring to document:

Hohenberger S,Waters B.Attribute-Based Encryption with Fast Decryption[M]//Public-Key Cryptography–PKC2013.Springer Berlin Heidelberg,2013:162-179.

Three, technical scheme

In order to allow non-professional file owner and user simply, quickly when shared file, can also ensure shared file content privacy, the present invention has used the file sharing method based on virtual focus quickly networking and KP-ABE cryptographic algorithm.Specifically, first, use the virtual focus technique construction of WIFI to become wireless aps (wireless access node) file owner's mobile communication equipment, and wireless aps is set to without access authentication pattern; User can efficiently be connected to wireless aps, is not having under the condition of dedicated network communication equipment like this, has set up the high-speed radiocommunication LAN of an opening.Then, file owner uses association attributes to be encrypted shared file on the mobile communication equipment of oneself, by ciphertext and corresponding Attribute Association, and the attribute description of ciphertext and associated is shared with file server form.Finally, the listed files on user's download file server and corresponding attribute description, judge whether the attribute description of shared file on file server meets self access structure, and download the ciphertext that meets self access structure.

To describe the present invention below:

1, initialization.

The participant of family of the present invention shared network model comprises mechanism of trusted third party, file owner and user.Security parameter λ of mechanism of trusted third party selection and global property set U are as the input of initialization function Setup () in KP-ABE, generate attribute public-key cryptography PK and attribute master key MK, (PK, MK) ← Setup (λ, U).Attribute public-key cryptography PK is all open to all participants in family's shared network, and attribute master key MK is retained by trusted third party.Security parameter λ determines by elliptic curve parameter, and global property set U is pre-defined.

2, user adds.

The data relevant to self information submitted to mechanism of trusted third party by user, and the data that mechanism of trusted third party provides according to user is that user specifies the attribute access structure that unique identify label UID, property set and property set are corresponding

.Subsequently, mechanism of trusted third party is according to attribute public-key cryptography PK and attribute master key MK, and the key-function calling in KP-ABE generates the private key SK corresponding with user property access structure,

and the private key of private key SK and PKI are together sent to user.For guaranteeing that private key is not revealed, user and trusted third party inter-agency can SSL SSL etc. technique construction safe lane carry out data data communication.

User's property set can be to comprise the character string that represents user interest, hobby etc.User's attribute access structure comprises Cover matrix W and best property of attribute mapping relation function ρ, can be expressed as (W, ρ), and function ρ is by the property value mapping in the row of W and property set.

3, shared file processing.

File owner shared file is shared to before user, need to be handled as follows file:

(1) for shared file generates unique identification FID _i.

(2) select at random finite field

upper element is as shared file encrypted symmetric key

and use FID _{i, key}encrypt corresponding shared file, obtain file cipher text.

(3) file owner selects the attribute FS of shared file from global property set U according to shared file content, uses this attribute FS and attribute public-key cryptography PK, calls and in KP-ABE, encrypts Encrypt () function encrypting symmetric key FID _{i, key}obtain attribute ciphertext, $(C,\hat{C},{\left\{C_x\right\}}_{{\mathrm{\α}}_x\∈S})\←\mathrm{Encrypt}(\mathrm{FS},{\mathrm{FID}}_{i,\mathrm{key}},\mathrm{PK}).$ The attribute FS of shared file can be different according to concrete application, and for example, the shared file in a class is student performance, the attribute such as definable A, B, C, D, E.

(4) repeating step (1)～(3) until all shared files be disposed.

(5) spanned file visit information table and file information table memory, file access information table comprises shared file mark FID _i, corresponding attribute FS _iwith attribute cipher-text information table, and offer user, in table 1; File information table memory comprises file identification FID _iwith file cipher text store path, remain in file owner's mobile communication equipment, in table 2.

Table 1 file access information table

Table 2 file information table memory

FID	File cipher text store path
		1	FilePath1
2	FilePath2
		…	…

4, the distribution of shared file

After shared file is disposed, file owner opens mobile communication equipment virtual AP function, and file access information table is distributed in the memory module of the mobile communication equipment of building, and notice user's download around.

The distribution procedure of shared file mainly comprises step:

(1) user is connected to after file owner's mobile communication equipment, carries out following operation:

1.1 download file visit information tables, with the attribute FS in file access information table _ifor inputting, move access control verification algorithm with user property access structure (W, ρ)

differentiate the attribute FS in file access information table _iwhether mate with user property access structure (W, ρ), if coupling, user can access match attribute FS _icorresponding shared file.

1.2 users' mobile communication equipment sends the mark FID of the addressable shared file of obtaining to file owner's mobile communication equipment _i, move the attribute decipherment algorithm (FID of KP-ABE simultaneously _i, FID _{i, key}) ← UDecrypt (SK, FID _i, CT _i) attribute ciphertext is decrypted, obtain shared file FID _isymmetric key FID _{i, key}.

(2) file owner's mobile communication equipment is received user's demand file identification list { FID _i, from file information table memory, obtain the store path of asking shared file, then the shared file ciphertext of request is sent to the mobile communication equipment of respective user.

(3) user's mobile communication equipment receives shared file ciphertext and adopts symmetric key FID _{i, key}be decrypted,, disconnect from file owner's mobile communication equipment meanwhile.

(4) file owner's mobile communication equipment is under without active user connection, and close file share service, removes file access information table and file information table memory.

Four, application example and effect analysis

1, application example

(1) application background

In the many areas of China, according to medical insurance policies, large hospital covers near the community hospital of its certain area, and local resident is under the jurisdiction of community hospital.For convenience of resident, it is regularly that near resident provides advice and medical treatment explanation service to community hospital that large hospital doctor needs.Because community hospital's condition is relatively simple and crude, environment is comparatively open, doctor uses mobile phone to carry relevant disease data, as disease health care data, heal the sick each stage audiovisual information, expert to relevant disease diagnosis and treatment data etc., these disease association data can only offer relevant patient, in order to avoid cause harmful effect.Above-mentioned is the background of this application example.

(2) file owner

In this application background, the doctor that makes a round of visits is file owner, and its shared file having comprises disease health care data, Case treatment situation etc.Shared file is stored in file owner's mobile communication equipment, can be audio frequency, video and document form.

File owner's interface display, on file owner's mobile communication equipment, is previewing file interface, can be checked shared file and be selected the attribute of shared file by this file preview interface.File owner, according to defined global property collection, selects respectively the attribute corresponding with it for each shared file content, and afterwards, mobile communication equipment is encrypted respectively each shared file attribute.

(3) sharing users

In this application background, participating in this patient who makes a round of visits is user.The mobile communication equipment of mobile communication equipment threaded file owner based on virtual focus technical user, and from file owner's mobile communication equipment, obtain the shared file that meets its access strategy, after download decryption, shared file is presented in the previewing file interface on user's mobile communication equipment.

(4) shared file processing

Suppose that certain doctor that makes a round of visits is gynaecologist.Gynaecologist, after tentatively explaining, be sent in given patient " sex dysfunction " disease association data, and gynaecologist only need add upper " gynaecology ", " functional disorder " and " sex dysfunction " three attributes to file, and encrypts.The rest may be inferred, and all shared files are set to access strategy, and finally around notice, patient obtains corresponding data.

(5) shared file is downloaded

The access strategy of supposing certain gynecological disease patient is ∨ (∧ of gynaecology functional disorder ∧ sex dysfunction), this gynecological disease patient is after the file access information table getting on doctor's mobile communication equipment, mate by access strategy, just know that she can access attribute label be the shared file of " gynaecology ", " functional disorder " and " sex dysfunction ", mobile communication equipment Transmit message with backward doctor obtains request, obtains file cipher text deciphering.Gynecological disease patient's access strategy is formulated by mechanism of trusted third party, and mechanism of trusted third party formulates patient's access strategy at the disease archives of hospital according to patient.

2, convenience analysis

Non-professional file owner only need to add respective attributes label to shared file, and the access control that just can complete shared file is set; And user only need to obtain file attribute label and just can know whether that shared file is had to access rights, and determine whether obtain file from file owner thus.In the middle of this, file owner is without artificial identifying user identity, also without the fail safe of worrying wireless communication link.File owner has control completely to shared file, and user is in the time obtaining file, authorizes without file owner's scene.Realize the access convenience of independent and flexible.

3, safety analysis

(1) fine granularity access control

File owner can be neatly arranges corresponding access attribute and limits the access profile of file to shared file, and user's access rights are in the time of registration,, customized according to user profile by third party personalizedly.Realize thus the fine granularity access control of shared file.

(2) data confidentiality

The present invention adopts symmetric key encryption shared file, supposes that symmetric key is safe, and the confidentiality of data just relies on KP-ABE algorithm security so.And the fail safe of KP-ABE algorithm, document (Hohenberger S, Waters B.Attribute-Based Encryption with Fast Decryption[M] //Public-Key Cryptography – PKC2013.Springer Berlin Heidelberg, 2013:162-179.), issued a certificate, KP-ABE algorithm has anti-selection plaintext attack ability.

Share and access controlling mechanism of the present invention is safe for undelegated access.Reason is, undelegated user has two classes: the one, and normal but do not have enough attributes to meet access structure, want to use its existing attribute key to obtain the user of file content; The 2nd, do not belong to the user of system, want to obtain file-sharing person's file content.For first kind user, do not meet at attribute under the condition of access structure, user does not just have enough attribute private keys can recover encryption key, in this case, the user that multiple attributes do not meet access structure conspires to recover encryption key, because the attribute private key difference of different user on same alike result; For Equations of The Second Kind user, owing to there is no attribute private key, just can not obtain file decryption key, also just cannot obtain file content.

Claims (7)

1. the file security based on mobile social networking is shared method, is applicable to family's shared model, it is characterized in that, comprises step:

S1 is set up family's shared network based on the short distance wireless communication technology:

Based on the short distance wireless communication technology, file owner's mobile communication equipment is built into wireless access node, and wireless access node is set to without access authentication pattern, user's mobile communication equipment connects wireless access node, sets up family's shared network; Family's shared network participant of setting up comprises mechanism of trusted third party, file owner and user;

S2 attribute public-key cryptography PK and attribute master key MK obtain:

Mechanism of trusted third party is according to the global property set U based on semantic of definition, adopt the encryption attribute mechanism based on key strategy to generate attribute public-key cryptography PK and attribute master key MK, and attribute public-key cryptography PK is open to file owner and user, attribute master key MK only mechanism of trusted third party retains;

The private key SK that S3 is corresponding with user property access structure obtains:

Trusted third party is that user specifies property set and attribute access structure corresponding to property set based on semantic, according to attribute public-key cryptography PK and attribute master key MK, adopt the encryption attribute mechanism based on key strategy to generate private key SK corresponding to user property access structure, and private key SK is sent to corresponding user;

The processing of S4 shared file:

Adopt symmetric key encryption shared file, file owner selects the attribute FS based on semantic of shared file from global property set U according to shared file content, according to the attribute FS of shared file and attribute public-key cryptography PK, adopt encryption attribute encryption mechanism symmetric key based on key strategy to obtain attribute ciphertext, and by the attribute FS of shared file and attribute Cryptograph Sharing thereof to user;

The distribution of S5 shared file:

Judge user property access structure and shared file attribute FS _iwhether mate the attribute FS of user-accessible coupling _icorresponding shared file; Meanwhile, user's mobile communication equipment, according to private key SK and attribute ciphertext corresponding to addressable shared file, adopts the encryption attribute mechanism based on key strategy to decrypt symmetric key, and adopts symmetric key to decipher and obtain shared file.

2. the file security based on mobile social networking as claimed in claim 1 is shared method, it is characterized in that:

Described user and described trusted third party are inter-agency carries out data data communication with SSL SSL technique construction safe lane.

3. the file security based on mobile social networking as claimed in claim 1 is shared method, it is characterized in that:

The encryption attribute mechanism of described employing based on key strategy generates attribute public-key cryptography PK and attribute master key MK, is specially:

Take the input of the described global property set U initialization function Setup () in the encryption attribute mechanism based on key strategy based on semantic, generate attribute public-key cryptography PK and attribute master key MK.

4. the file security based on mobile social networking as claimed in claim 1 is shared method, it is characterized in that:

The encryption attribute mechanism of described employing based on key strategy generates private key SK corresponding to user property access structure, is specially:

Take the input of user property access structure, attribute public-key cryptography and attribute master key key-function KeyGen () in the encryption attribute mechanism based on key strategy, generate private key SK corresponding to user property access structure.

5. the file security based on mobile social networking as claimed in claim 1 is shared method, it is characterized in that:

The encryption attribute encryption mechanism symmetric key of described employing based on key strategy obtains attribute ciphertext, is specially:

Take the input of the attribute FS based on semantic, attribute public-key cryptography PK and symmetric key encryption function Encrypt () in the encryption attribute mechanism based on key strategy of shared file, encrypted symmetric key obtains attribute ciphertext.

6. the file security based on mobile social networking as claimed in claim 1 is shared method, it is characterized in that:

The encryption attribute mechanism of described employing based on key strategy decrypts symmetric key, is specially:

Input take user's private key and attribute ciphertext as the attribute decryption function UDecrypt () of the encryption attribute mechanism based on key strategy, deciphering obtains symmetric key.

7. the file security based on mobile social networking as claimed in claim 1 is shared method, it is characterized in that:

In step S4, handle after shared file, spanned file visit information table and file information table memory on file owner's mobile communication equipment, described file access information table comprises attribute and the attribute ciphertext that each shared file is corresponding, described file information table memory comprises the file cipher text store path that each shared file is corresponding, file access information table shares to user, and file information table memory is only stored on file owner's mobile communication equipment.