CN105141574A - Cloud storage cipher text access control system based on table attributes - Google Patents
Cloud storage cipher text access control system based on table attributes Download PDFInfo
- Publication number
- CN105141574A CN105141574A CN201510326052.2A CN201510326052A CN105141574A CN 105141574 A CN105141574 A CN 105141574A CN 201510326052 A CN201510326052 A CN 201510326052A CN 105141574 A CN105141574 A CN 105141574A
- Authority
- CN
- China
- Prior art keywords
- session key
- user
- ciphertext
- node
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention belongs to the technical field of cloud storage service, and provides a cloud storage cipher text access control system based on table attributes and an access control method thereof. According to the system and the method, a data owner classifies leaf nodes on an access structure tree according to whether the threshold of a parent node corresponding to each leaf node is 1 in the process of encryption, the data owner further classifies a set of leaf nodes of which the thresholds of the parent nodes are 1 according to different types of parent nodes, and finally, the data owner encrypts data according to the result of classification and uploads the data to the cloud. Thus, the length of cipher text obtained by the data owner, the amount of encryption calculation and the amount of decryption calculation for subsequent sharing users are only related to an attribute set of which the threshold of the parent node is not 1. In the access structure tree, the threshold corresponds to an OR gate when the threshold is 1, or the threshold corresponds to an AND gate. Therefore, the system overload is only related to an attribute set of which the parent node is an OR gate. When the number of OR gates in the access structure tree increases, the computational cost and communication overhead of the system are greatly reduced.
Description
Technical field
The invention belongs to cloud stores service technical field, particularly relate to a kind of cloud based on form attributes and store ciphertext access control system.
Background technology
In cloud stores service platform, owing to adopting remote data trustship technology, cloud storage service provider is the physics owner of data, but with data owner not in same trust domain.Cloud storage service provider manages multiple user and resource thereof, when other user resources of the cross-border access of user, needs the access adopting certain access control policy to control data and service.But in reality, because cloud stores service platform adopts virtualization storage technology, cloud stores service, with being loose coupling between bottom hardware environment, lacks changeless secure border between the data of different user, thereby increases the difficulty executing access control at cloud stores service platform logarithm factually.
In prior art, based on the encryption (Attribute-basedEncryption of attribute, ABE) scheme is with attribute description user identity, private key for user and ciphertext are relevant to one group of attribute respectively, when private key for user attribute and the mutual matching degree of ciphertext attribute reach set threshold value time, user could successful decryption ciphertext.
But ABE scheme only can support thresholding access control policy, in order to express access control policy more flexibly, encryption attribute (CipherPolicyAttribute-basedEncryption, the CP-ABE) scheme based on Ciphertext policy is suggested.In CP-ABE scheme, ciphertext is relevant to access strategy, and private key for user is relevant to community set, and when the attribute of and if only if private key for user meets the access strategy of ciphertext, user could successful decryption ciphertext.Reduce the network bandwidth that data sharing fine-granularity access control brings and the expense that node calculates CP-ABE schemes tend, be best suited for one of the ciphertext access control technology in cloud storage platform.
For the cloud storage platform adopting CP-ABE scheme, consider enterprise's application scenarios, attribute and access strategy need to be disposed by form.But because community set is comparatively huge, access structure is very complicated, the execution efficiency of CP-ABE scheme in cloud storage platform is very low.
Summary of the invention
A kind of cloud based on form attributes is the object of the present invention is to provide to store ciphertext access control system, the cloud storage platform being intended to solve existing employing CP-ABE scheme disposes attribute and access strategy by form, because community set is huge, access structure is complicated, make the problem that CP-ABE scheme execution efficiency is low.
The present invention is achieved in that a kind of cloud based on form attributes stores ciphertext access control system, and described system comprises:
The management end run by authentication center, for generate and to each validated user dispatch user private key, described private key for user is associated with the attribute of respective user;
The client run by user, for when uploading data to high in the clouds, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, each leaf node is classified, and further according to the difference of father node type, the set that the threshold value of father node is the leaf node of 1 is classified, afterwards according to classification results to described session key to obtain session key ciphertext, afterwards by described session key ciphertext and encryption after data upload to high in the clouds, also for when from high in the clouds downloading data, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, session key is obtained by session key decrypt ciphertext, utilize afterwards and decipher the shared data that the described session key obtained deciphers described correspondence.
Another object of the present invention is to provide a kind of as above based on the access control method of the cloud storage ciphertext access control system of form attributes, described method comprises:
Authentication center's operational management end, generation system PKI and main private key, be uploaded to high in the clouds by described system PKI;
Authentication center's operational management end, joins request according to the system that user sends, and whether authenticated user is validated user, and when user is validated user, calculates the private key for user of user, and be distributed to user;
Data owner running client, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, afterwards according to classification results to described session key to obtain session key ciphertext, afterwards by described session key ciphertext and encryption after data upload to high in the clouds;
Sharing users running client, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, obtain session key by session key decrypt ciphertext, utilize afterwards and decipher the shared data that the described session key obtained deciphers described correspondence.
Cloud based on form attributes provided by the invention stores in ciphertext access control system and access control method thereof, data owner is in ciphering process, whether the threshold value setting father node corresponding to each leaf node upper according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, be uploaded to high in the clouds according to classification results to after data encryption afterwards.Like this, the ciphertext length that data owner obtains, the deciphering amount of calculation of computation degree and follow-up sharing users with father node threshold value be not all only 1 community set relevant, and in access structure tree, threshold value is 1 corresponding or door, otherwise corresponding and door, therefore can say, overhead is relevant with the community set of door with father node, when access structure tree in or door increase time, relative to existing CP-ABE scheme, the calculation cost of system and communication overhead will greatly reduce, thus secret protection can be provided for user more efficiently, data sharing and access control service.
Accompanying drawing explanation
Fig. 1 is the structure chart that the cloud based on form attributes provided by the invention stores ciphertext access control system;
Fig. 2 is the flow chart that the cloud based on form attributes provided by the invention stores the access control method of ciphertext access control system;
Fig. 3 is a kind of access structure tree instance graph of the present invention.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearly understand, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explain the present invention, be not intended to limit the present invention.
For prior art Problems existing, consider that form attributes has following two features: one, attribute is classification, as shown in table 1 below is the register of an enterprise:
Table 1
Sequence number | Name | Sex | Position | Department |
001 | Alan | Female | CEO | General headquarters |
002 | John | Man | General manager | General headquarters |
003 | Alex | Man | Manager | Human Resource Department |
004 | Steven | Man | Manager | Finance Department |
… | … | … | … | … |
In upper table, all properties is divided into 5 types; Two, in access structure tree attribute type of the same race or door (OR door) more than with door (AND door), as shown above, sequence number 001OR002OR003 probability of happening is comparatively large, and sequence number 001AND002AND003 probability of happening is extremely low.Thus, in the present invention, data owner is in ciphering process, whether the threshold value setting father node corresponding to each leaf node upper according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, be uploaded to high in the clouds according to classification results to after data encryption afterwards.
Fig. 1 shows the structure that the cloud based on form attributes provided by the invention stores ciphertext access control system, for convenience of explanation, illustrate only part related to the present invention.
Specifically, system of the present invention comprises: the management end 11 run by authentication center, for generate and to each validated user dispatch user private key, private key for user is associated with the attribute of respective user, the client 12 run by user, for when uploading data to high in the clouds, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, each leaf node is classified, and further according to the difference of father node type, the set that the threshold value of father node is the leaf node of 1 is classified, afterwards according to classification results to session key to obtain session key ciphertext, afterwards by session key ciphertext and encryption after data upload to high in the clouds, also for when from high in the clouds downloading data, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, session key is obtained by session key decrypt ciphertext, utilize the shared data of deciphering the session key deciphering correspondence obtained afterwards.
In the present invention, the validated user of system can be divided into data owner and sharing users, and data owner, sharing users are the operation main body of client 12 respectively, and authentication center is the operation main body of management end 11.Wherein, data owner refers to and the provider of data is shared in high in the clouds, and data owner formulates access strategy, and is encrypted the data that need upload based on access strategy, afterwards by the Data Hosting after encryption to high in the clouds; Sharing users (i.e. visitor) refers to from high in the clouds download of sharing data side, the encrypt data that sharing users access high in the clouds stores, the attribute in the private key for user of sharing users is only had to meet the access strategy defined in ciphertext, sharing users ability successful decryption ciphertext; Authentication center refers to except data owner and sharing users, the trusted third party mutual with high in the clouds, and authentication center sets up system and accepts user's registration, is responsible for the private key for user that each user generates its attribute separately of association.Be to be understood that, definition data owner and the object of sharing users are the function of main body in certain running of system in order to distinguish running client 12 is uploading data or downloading data, thus the data owner in certain running of system can be the sharing users in another running, similarly, the sharing users in certain running of system can be the data owner in another running.
The operation principle that cloud based on form attributes of the present invention stores ciphertext access control system is: after system is set up, authentication center's operational management end 11, generation system PKI and main private key, be uploaded to high in the clouds by system PKI.
If user wishes to add system, then running client 12, sends system to authentication center and joins request, authentication center's operational management end 11, joins request according to this system, and whether this user of certification is validated user, be calculate the private key for user of this user, and be distributed to this user.
When data owner uploading data, data owner running client 12, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, afterwards according to classification results to session key to obtain session key ciphertext, afterwards by session key ciphertext and encryption after data upload to high in the clouds.
When sharing users is from high in the clouds downloading data, sharing users running client 12, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, obtain session key by session key decrypt ciphertext, utilize the shared data of deciphering the session key deciphering correspondence obtained afterwards.
Cloud based on form attributes provided by the invention stores in ciphertext access control system, data owner is in ciphering process, whether the threshold value setting father node corresponding to each leaf node upper according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, be uploaded to high in the clouds according to classification results to after data encryption afterwards.Like this, the ciphertext length that data owner obtains, the deciphering amount of calculation of computation degree and follow-up sharing users with father node threshold value be not all only 1 community set relevant, and in access structure tree, threshold value is 1 corresponding or door, otherwise corresponding and door, therefore can say, overhead is relevant with the community set of door with father node, when access structure tree in or door increase time, relative to existing CP-ABE scheme, the calculation cost of system and communication overhead will greatly reduce, thus secret protection can be provided for user more efficiently, data sharing and access control service.
Fig. 2 shows the flow process that the cloud based on form attributes provided by the invention stores the access control method of ciphertext access control system, comprises the following steps:
S1: authentication center's operational management end 11, generation system PKI and main private key, be uploaded to high in the clouds by system PKI.
Further, the step of generation system PKI and main private key can comprise the following steps again:
S11: definition
the Bilinear Groups of prime number p that to be rank be, g is
generator.Definition bilinear map e:
it is a hash function.The attribute space of define system
for
with community set S, community set
definition Lagrange coefficient
S12: input security parameter λ, select random number
and calculate h=g
β, u=g
αwith v=e (g, g)
α, and then according to formula
obtain system PKI PK, and obtain main private key MK according to formula MK=(β, u).
S2: authentication center's operational management end 11, joins request according to the system that user sends, whether authenticated user is validated user, and when user is validated user, calculates the private key for user of user, and be distributed to user.
Further, the step calculating the private key for user of user comprises the following steps again:
S21: authentication center utilizes attribute space U, according to role or the identity of user, for user distributes corresponding community set S, community set
S22: the community set S inputting main private key MK and user, for user chooses random number
and choose random number for each attribute j ∈ S in community set S
private key for user SK is calculated according to following formula:
SK=(D=g
(α+r)/β,
Wherein, type (j) is the form class at attribute j place, and D is Bilinear Groups
on element, D
jfor Bilinear Groups
on element,
for Bilinear Groups
on element, D'
jfor Bilinear Groups
on element.
S3: data owner running client 12, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, afterwards according to classification results to session key to obtain session key ciphertext, afterwards by session key ciphertext and encryption after data upload to high in the clouds.
Further, step S3 comprises the following steps again:
S31: data owner running client 12, chooses session key ck, and adopts symmetric encipherment algorithm to encrypt the data M that need upload, and obtains the data E after encrypting
ck(M).
S32: input system PKI PK, session key ck and access structure are set
access structure is set
in each node x, arranging its child nodes number is num
x, arranging its threshold value is t
x, and have 0 < t
x≤ num
x, defining polynomial q
xdegree be d
x, and d
x=t
xthe child nodes of-1, node x successively marking serial numbers is 1 ..., num
xindex (x) is the sequence number of return node x, att (x) is for returning the attribute be associated with node x, and the form class that type (att (x)) is return attribute att (x) place, sets for access structure afterwards
root node, choose random number
and set q
r(0)=s, further Stochastic choice d
rindividual child node carrys out complete definition multinomial q
r, access structure is set
other node x except root node, setting q
x(0)=q
parent(index (x)), further Stochastic choice d
xindividual child node carrys out complete definition multinomial q
x.Wherein the PKI PK of system is downloaded from high in the clouds by data owner and obtains.
S33: access structure is set
leaf node x, if the threshold value t of father node parent (x) of leaf node x
parent (x)=1, then q
x(0)=q
parent (x)(0), Y is made
1for access structure tree
in the set of such leaf node, Y
2it is access structure tree
the set of the leaf node of middle remainder, and further according to Y
1in the difference of father node type of each leaf node, by Y
1be divided into Y
11, Y
12...
S34: according to following formula to session key, calculates session key ciphertext CT:
Wherein,
for the calculating to session key, C is the calculating to root node, C
yfor the calculating to property value corresponding to attribute y, C'
yfor the calculating to attribute y place form class.Especially, Y
1iin all leaf nodes there is identical C
yif the attribute of different leaf node belongs to identical type, then they have identical C'
y.
S35: by the data E after session key ciphertext CT and encryption
ck(M) high in the clouds is uploaded to.
S4: sharing users running client 12, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, obtain session key by session key decrypt ciphertext, utilize the shared data of deciphering the session key deciphering correspondence obtained afterwards.
Further, step S4 can comprise the following steps again:
S41: sharing users running client 12, from high in the clouds download session key ciphertext CT and corresponding shared data E
ck, and the private key SK corresponding to community set S that has of input system PKI PK, user (M)
s, and key ciphertext CT.
S42: sharing users calls predefined recursive function
if the community set S of sharing users meets access structure tree
then secure processing device encrypts information A is:
In the present invention, recursive function DecryptNode (CT, SK, x) is defined as follows:
If a node x is leaf node, and the threshold value k of its father node
x> 1, then define:
If b node x is leaf node, and the threshold value k of its father node
x=1, then define:
If c node x is non-leaf nodes, F is exported to all child node z of node x, recursive call DecryptNode (CT, SK, z)
z.Definition S
xany t
xthe set of individual node z, and F
z≠ ⊥, calculates F according to following formula
xif can not find the S satisfied condition
xset, then F
x=⊥:
S43: according to following formula, session key ciphertext CT is deciphered, obtain session key ck:
S44: according to deciphering the session key ck and shared data E that obtain
ck(M), deciphering obtains data M.
The efficiency below above-mentioned cloud based on form attributes being stored to the access control method of ciphertext access control system is analyzed:
Definition
with
represent the point multiplication operation on group, C
erepresent Bilinear map computing.Order
with
middle length of element is respectively
with
it is finite field
the length of upper element.Definition A
cthe property set that ciphertext c comprises, A
c1to be father node threshold value be the property set of 1 and N is the father node number satisfied condition, A
c2the property set that father node threshold value is greater than 1, so have | A
c|=| A
c1|+| A
c2|.Definition A
ube user property collection, S represents that the minimal attribute set meeting access structure closes.The efficiency comparative of the present invention and classical BSW07 scheme is analyzed as follows shown in table 2:
Table 2
According to as above table 2, contrast BSW07 scheme and the present invention, private key length of the present invention is slightly long.But, the ciphertext length in BSW07 scheme, computation degree all with | A
c| relevant, and the ciphertext length of institute of the present invention extracting method, computation degree, deciphering amount of calculation all with | A
c2| relevant, due to | A
c| > | A
c2|, so the present invention significantly improves communication and the computational efficiency of ciphertext access control method.
If data owner adopts access structure tree as shown in Figure 3 to perform ciphering process, the ciphertext length of BSW07 scheme is
computation degree is
the ciphertext length of the inventive method is
computation degree is
meanwhile, access structure tree in or the more efficiency improvements of door more remarkable.
In sum, cloud based on form attributes provided by the invention stores in ciphertext access control system and access control method thereof, data owner is in ciphering process, whether the threshold value setting father node corresponding to each leaf node upper according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, be uploaded to high in the clouds according to classification results to after data encryption afterwards.Like this, the ciphertext length that data owner obtains, the deciphering amount of calculation of computation degree and follow-up sharing users with father node threshold value be not all only 1 community set relevant, and in access structure tree, threshold value is 1 corresponding or door, otherwise corresponding and door, therefore can say, overhead is relevant with the community set of door with father node, when access structure tree in or door increase time, relative to existing CP-ABE scheme, the calculation cost of system and communication overhead will greatly reduce, thus secret protection can be provided for user more efficiently, data sharing and access control service.
One of ordinary skill in the art will appreciate that all or part of step realized in above-described embodiment method is that the hardware that can control to be correlated with by program completes, described program can be stored in a computer read/write memory medium, described storage medium, as ROM/RAM, disk, CD etc.
The foregoing is only preferred embodiment of the present invention, not in order to limit the present invention, all any amendments done within the spirit and principles in the present invention, equivalent replacement and improvement etc., all should be included within protection scope of the present invention.
Claims (6)
1. the cloud based on form attributes stores a ciphertext access control system, and it is characterized in that, described system comprises:
The management end run by authentication center, for generate and to each validated user dispatch user private key, described private key for user is associated with the attribute of respective user;
The client run by user, for when uploading data to high in the clouds, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, each leaf node is classified, and further according to the difference of father node type, the set that the threshold value of father node is the leaf node of 1 is classified, afterwards according to classification results to described session key to obtain session key ciphertext, afterwards by described session key ciphertext and encryption after data upload to high in the clouds, also for when from high in the clouds downloading data, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, session key is obtained by session key decrypt ciphertext, utilize afterwards and decipher the shared data that the described session key obtained deciphers described correspondence.
2., as claimed in claim 1 based on an access control method for the cloud storage ciphertext access control system of form attributes, it is characterized in that, described method comprises:
Authentication center's operational management end, generation system PKI and main private key, be uploaded to high in the clouds by described system PKI;
Authentication center's operational management end, joins request according to the system that user sends, and whether authenticated user is validated user, and when user is validated user, calculates the private key for user of user, and be distributed to user;
Data owner running client, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, classifies to each leaf node, and further according to the difference of father node type, classify to the set that the threshold value of father node is the leaf node of 1, afterwards according to classification results to described session key to obtain session key ciphertext, afterwards by described session key ciphertext and encryption after data upload to high in the clouds;
Sharing users running client, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, obtain session key by session key decrypt ciphertext, utilize afterwards and decipher the shared data that the described session key obtained deciphers described correspondence.
3., as claimed in claim 2 based on the access control method of the cloud storage ciphertext access control system of form attributes, it is characterized in that, the step of described generation system PKI and main private key comprises the following steps:
Definition
the Bilinear Groups of prime number p that to be rank be, g is
generator, definition bilinear map
a hash function, the attribute space U={U of define system
1..., U
m, for
with community set S, described community set
definition Lagrange coefficient
Input security parameter λ, selects random number
and calculate h=g
β, u=g
αwith v=e (g, g)
α, and then according to formula
obtain system PKI PK, and obtain main private key MK according to formula MK=(β, u).
4., as claimed in claim 3 based on the access control method of the cloud storage ciphertext access control system of form attributes, it is characterized in that, the step of the private key for user of described calculating user comprises the following steps:
Authentication center utilizes described attribute space U, according to role or the identity of user, for user distributes corresponding community set S, and described community set
Input the community set S of main private key MK and user, for user chooses random number
and choose random number for each attribute j ∈ S' in community set S
private key for user SK is calculated according to following formula:
Wherein, type (j) is the form class at attribute j place, and D is Bilinear Groups
on element, D
jfor Bilinear Groups
on element,
for Bilinear Groups
on element, D'
jfor Bilinear Groups
on element.
5. as claimed in claim 4 based on the access control method of the cloud storage ciphertext access control system of form attributes, it is characterized in that, described data owner running client, the data decimation session key that need upload is encrypted, whether the threshold value setting father node corresponding to each leaf node afterwards according to access structure is 1, each leaf node is classified, and further according to the difference of father node type, the set that the threshold value of father node is the leaf node of 1 is classified, afterwards according to classification results to described session key to obtain session key ciphertext, afterwards the step of the data upload after described session key ciphertext and encryption to high in the clouds is comprised the following steps:
Data owner running client, chooses session key ck, and adopts symmetric encipherment algorithm to encrypt the data M that need upload, and obtains the data E after encrypting
ck(M);
Input system PKI PK, session key ck and access structure are set
access structure is set
in each node x, arranging its child nodes number is num
x, arranging its threshold value is t
x, and have 0 < t
x≤ num
x, defining polynomial q
xdegree be d
x, and d
x=t
xthe child nodes of-1, node x successively marking serial numbers is 1 ..., num
xindex (x) is the sequence number of return node x, att (x) is for returning the attribute be associated with node x, and the form class that type (att (x)) is return attribute att (x) place, sets for access structure afterwards
root node, choose random number
and set q
r(0)=s, further Stochastic choice d
rindividual child node carrys out complete definition multinomial q
r, access structure is set
other node x except root node, setting q
x(0)=q
parent(index (x)), further Stochastic choice d
xindividual child node carrys out complete definition multinomial q
x;
Access structure is set
leaf node x, if the threshold value t of father node parent (x) of leaf node x
parent (x)=1, then q
x(0)=q
parent (x)(0), Y is made
1for access structure tree
in the set of such leaf node, Y
2it is access structure tree
the set of the leaf node of middle remainder, and further according to Y
1in the difference of father node type of each leaf node, by Y
1be divided into Y
11, Y
12,
According to following formula to session key, calculate session key ciphertext CT:
Wherein,
for the calculating to session key, C is the calculating to root node, C
yfor the calculating to property value corresponding to attribute y, C'
yfor the calculating to attribute y place form class;
By the data E after session key ciphertext CT and encryption
ck(M) high in the clouds is uploaded to.
6. as claimed in claim 5 based on the access control method of the cloud storage ciphertext access control system of form attributes, it is characterized in that, described sharing users running client, from high in the clouds download session key ciphertext and corresponding shared data, and when the attribute be associated with own user private key meet access structure set time, obtain session key by session key decrypt ciphertext, the step that the described session key utilizing deciphering to obtain afterwards deciphers the shared data of described correspondence comprises the following steps:
Sharing users running client, from high in the clouds download session key ciphertext CT and corresponding shared data E
ck, and the private key SK corresponding to community set S that has of input system PKI PK, user (M)
s, and key ciphertext CT;
Sharing users calls predefined recursive function
if the community set S of sharing users meets access structure tree
then secure processing device encrypts information A is:
According to following formula, session key ciphertext CT is deciphered, obtains session key ck:
According to deciphering the session key ck and shared data E that obtain
ck(M), deciphering obtains data M.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510326052.2A CN105141574B (en) | 2015-06-12 | 2015-06-12 | A kind of cloud storage ciphertext access control system and method based on form attributes |
PCT/CN2016/081386 WO2016197769A1 (en) | 2015-06-12 | 2016-05-09 | Cloud storage ciphertext access control system based on table attributes |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510326052.2A CN105141574B (en) | 2015-06-12 | 2015-06-12 | A kind of cloud storage ciphertext access control system and method based on form attributes |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105141574A true CN105141574A (en) | 2015-12-09 |
CN105141574B CN105141574B (en) | 2018-02-23 |
Family
ID=54726783
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510326052.2A Active CN105141574B (en) | 2015-06-12 | 2015-06-12 | A kind of cloud storage ciphertext access control system and method based on form attributes |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105141574B (en) |
WO (1) | WO2016197769A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105790929A (en) * | 2016-04-19 | 2016-07-20 | 清华大学 | High-efficient access control method based on rule redundancy elimination in encryption environment |
WO2016197769A1 (en) * | 2015-06-12 | 2016-12-15 | 深圳大学 | Cloud storage ciphertext access control system based on table attributes |
WO2018165835A1 (en) * | 2017-03-14 | 2018-09-20 | 深圳大学 | Cloud ciphertext access control method and system |
CN109347833A (en) * | 2018-10-24 | 2019-02-15 | 中国科学院信息工程研究所 | The access control method and system being used under machine learning environment based on encryption attribute |
CN111563529A (en) * | 2020-03-31 | 2020-08-21 | 中国科学院信息工程研究所 | Data category attribute representation method and access control method |
CN111970296A (en) * | 2020-08-25 | 2020-11-20 | 福建师范大学 | Efficient file hierarchical attribute-based encryption method and system |
CN112069513A (en) * | 2020-08-12 | 2020-12-11 | 福建师范大学 | Encryption method and system capable of sharing decryption |
US11316662B2 (en) * | 2018-07-30 | 2022-04-26 | Koninklijke Philips N.V. | Method and apparatus for policy hiding on ciphertext-policy attribute-based encryption |
CN116910788A (en) * | 2023-08-15 | 2023-10-20 | 广州粤建三和软件股份有限公司 | Searchable encryption management method and device for service data and storage medium |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111106936B (en) * | 2019-11-27 | 2023-04-21 | 国家电网有限公司 | SM 9-based attribute encryption method and system |
CN112291053B (en) * | 2020-11-06 | 2022-10-25 | 中国科学院重庆绿色智能技术研究院 | Lattice and basic access tree based CP-ABE method |
CN112580072B (en) * | 2020-12-09 | 2021-07-30 | 深圳前海微众银行股份有限公司 | Data set intersection method and device |
CN113438236B (en) * | 2021-06-24 | 2022-11-18 | 国网河南省电力公司 | Data full link tracing monitoring method |
CN113708917B (en) * | 2021-08-18 | 2022-12-09 | 上海应用技术大学 | APP user data access control system and method based on attribute encryption |
CN114205379A (en) * | 2021-11-26 | 2022-03-18 | 江苏大学 | CP-ABE outsourcing decryption result reusing method based on NDN |
CN114218604B (en) * | 2021-12-14 | 2024-07-12 | 华南农业大学 | Attribute-based encryption method, device and medium with hierarchical extensible access policy |
CN115189903B (en) * | 2022-02-22 | 2023-09-15 | 西安电子科技大学 | Distributed access control method supporting privacy protection in Internet of vehicles |
CN114567500A (en) * | 2022-03-04 | 2022-05-31 | 南京联成科技发展股份有限公司 | Encryption method for data transmission of centralized control center |
CN114978578B (en) * | 2022-04-06 | 2023-09-19 | 中债金科信息技术有限公司 | Data unauthorized access control method and device based on attribute key derivation |
CN115859339B (en) * | 2023-02-08 | 2023-05-02 | 支付宝(杭州)信息技术有限公司 | Encryption and decryption method, device, medium and equipment for cloud storage data |
CN115834062B (en) * | 2023-02-20 | 2023-04-25 | 浙江奥鑫云科技有限公司 | Enterprise data transmission encryption method for data hosting service |
CN115982746B (en) * | 2023-03-17 | 2023-06-27 | 南京信息工程大学 | Block chain-based data sharing method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102624522A (en) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | Key encryption method based on file attribution |
CN103297428A (en) * | 2013-05-20 | 2013-09-11 | 南京邮电大学 | Method for protecting data of cloud storage system |
CN103618729A (en) * | 2013-09-03 | 2014-03-05 | 南京邮电大学 | Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage |
US20140325363A1 (en) * | 2013-04-30 | 2014-10-30 | Splunk Inc. | Proactive monitoring tree with node pinning |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105141574B (en) * | 2015-06-12 | 2018-02-23 | 深圳大学 | A kind of cloud storage ciphertext access control system and method based on form attributes |
-
2015
- 2015-06-12 CN CN201510326052.2A patent/CN105141574B/en active Active
-
2016
- 2016-05-09 WO PCT/CN2016/081386 patent/WO2016197769A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102624522A (en) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | Key encryption method based on file attribution |
US20140325363A1 (en) * | 2013-04-30 | 2014-10-30 | Splunk Inc. | Proactive monitoring tree with node pinning |
CN103297428A (en) * | 2013-05-20 | 2013-09-11 | 南京邮电大学 | Method for protecting data of cloud storage system |
CN103618729A (en) * | 2013-09-03 | 2014-03-05 | 南京邮电大学 | Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016197769A1 (en) * | 2015-06-12 | 2016-12-15 | 深圳大学 | Cloud storage ciphertext access control system based on table attributes |
CN105790929A (en) * | 2016-04-19 | 2016-07-20 | 清华大学 | High-efficient access control method based on rule redundancy elimination in encryption environment |
CN105790929B (en) * | 2016-04-19 | 2018-12-28 | 清华大学 | Access control method in a kind of encryption environment that rule-based redundancy is eliminated |
WO2018165835A1 (en) * | 2017-03-14 | 2018-09-20 | 深圳大学 | Cloud ciphertext access control method and system |
US11316662B2 (en) * | 2018-07-30 | 2022-04-26 | Koninklijke Philips N.V. | Method and apparatus for policy hiding on ciphertext-policy attribute-based encryption |
CN109347833A (en) * | 2018-10-24 | 2019-02-15 | 中国科学院信息工程研究所 | The access control method and system being used under machine learning environment based on encryption attribute |
CN111563529A (en) * | 2020-03-31 | 2020-08-21 | 中国科学院信息工程研究所 | Data category attribute representation method and access control method |
CN112069513A (en) * | 2020-08-12 | 2020-12-11 | 福建师范大学 | Encryption method and system capable of sharing decryption |
CN112069513B (en) * | 2020-08-12 | 2022-09-27 | 福建师范大学 | Encryption method and system capable of sharing decryption |
CN111970296A (en) * | 2020-08-25 | 2020-11-20 | 福建师范大学 | Efficient file hierarchical attribute-based encryption method and system |
CN116910788A (en) * | 2023-08-15 | 2023-10-20 | 广州粤建三和软件股份有限公司 | Searchable encryption management method and device for service data and storage medium |
CN116910788B (en) * | 2023-08-15 | 2024-06-11 | 广州粤建三和软件股份有限公司 | Searchable encryption management method and device for service data and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN105141574B (en) | 2018-02-23 |
WO2016197769A1 (en) | 2016-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105141574A (en) | Cloud storage cipher text access control system based on table attributes | |
Aujla et al. | SecSVA: secure storage, verification, and auditing of big data in the cloud environment | |
US10491576B1 (en) | System and method for security breach response using hierarchical cryptographic key management | |
US9646168B2 (en) | Data access control method in cloud | |
CN111523133B (en) | Block chain and cloud data collaborative sharing method | |
CN105025012A (en) | An access control system and an access control method thereof oriented towards a cloud storage service platform | |
CN104521178A (en) | Method and system for secure multiparty cloud computation | |
Hao et al. | Secure and fine-grained self-controlled outsourced data deletion in cloud-based IoT | |
CN104883254A (en) | Cloud computing platform oriented cryptograph access control system and access control method thereof | |
WO2018165835A1 (en) | Cloud ciphertext access control method and system | |
Huang et al. | FSSR: Fine-grained EHRs sharing via similarity-based recommendation in cloud-assisted eHealthcare system | |
Jyoti et al. | A blockchain and smart contract-based data provenance collection and storing in cloud environment | |
CN110611662A (en) | Attribute-based encryption-based fog collaborative cloud data sharing method | |
CN105721146B (en) | A kind of big data sharing method towards cloud storage based on SMC | |
CN106888213B (en) | Cloud ciphertext access control method and system | |
WO2021098152A1 (en) | Blockchain-based data processing method, device, and computer apparatus | |
Ying et al. | Reliable policy updating under efficient policy hidden fine-grained access control framework for cloud data sharing | |
Kotha et al. | A comprehensive review on secure data sharing in cloud environment | |
Arvind et al. | Secure data classification using superior naive classifier in agent based mobile cloud computing | |
Singh et al. | Security enhancement of the cloud paradigm using a novel optimized crypto mechanism | |
Byun et al. | Efficient homomorphic encryption framework for privacy-preserving regression | |
Jaithunbi et al. | Preservation of data integrity in public cloud using enhanced vigenere cipher based obfuscation | |
Syed et al. | Dickson polynomial-based secure group authentication scheme for Internet of Things | |
Zhang et al. | Secure deduplication based on Rabin fingerprinting over wireless sensing data in cloud computing | |
Mubarak | Design of a secure virtual file storage system on cloud using hybrid cryptography |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |