CN105790929A - High-efficient access control method based on rule redundancy elimination in encryption environment - Google Patents
High-efficient access control method based on rule redundancy elimination in encryption environment
- Publication number: CN105790929A (application CN201610245485.XA)
- Authority: CN (China)
- Prior art keywords: node, secret, leaf, algorithm, nodes
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H: Electricity / H04: Electric communication technique / H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L63/0428: Network security protocols providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L67/1097: Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using a fixed encryption transformation
- H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869: Generation of secret information involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
A high-efficiency access control method based on rule redundancy elimination in an encryption environment is disclosed. During ciphertext construction, the secret of each leaf is determined from the attribute of the leaf node, and the secrets of non-leaf nodes are constructed upward from the leaves according to the tree structure, so that the secrets of all nodes are determined and the recursive construction avoids redundant computation. In a cloud storage access control setting based on attribute-based encryption, redundant data and computation are eliminated when the ciphertext is constructed from the access control rules, which reduces computation and storage overhead. Compared with the prior art, the method greatly reduces computation and storage overhead in the encryption and decryption processes. It is a general solution and is applicable to attribute-based encryption schemes of different kinds.
Description
Technical field
The invention belongs to the fields of Internet technology and data security, and in particular relates to the scenario in which users exchange data with a not-fully-trusted cloud service. It provides an efficient access control method, based on rule redundancy elimination, for an encryption environment, by using the NETCONF protocol in a 4over6 access-network transition scenario so that a network operator can remotely configure forwarding policy table entries on the transition device.
Background technology
With the rapid development of the Internet, the volume of user data keeps growing and cloud services are becoming ever more important; more and more users choose to store their data in the cloud. The cloud, however, is a third-party server outside the user's control, so security and privacy are not easily guaranteed. Most cloud services are semi-trusted: they execute the service logic correctly, but may at the same time snoop on user data and leak private information.
Under these conditions, storing data in the cloud in encrypted form is the coming trend, and how to keep providing the usual services on top of encrypted data becomes a new problem. Access control is a common service in cloud storage. For the access control problem on encrypted data, Waters et al. proposed attribute-based encryption. In ciphertext-policy attribute-based encryption, each user is assigned a number of attributes; when a data item is uploaded, an access control rule composed of attributes is defined for it, and the data is encrypted under that rule and uploaded. After a user downloads the data, it can be correctly decrypted if and only if the user's own attributes satisfy the access rule, which is how access control is achieved. Specifically, attribute-based encryption involves the following parties.
Attribute certification authority: the attribute certification authority is a trusted authority and part of the public key infrastructure. According to the particular attribute-based scheme chosen, it generates the appropriate parameters and generates the public key for the attribute set in the system, which the data owner uses for encryption. At the same time, for the attribute set of each user it generates that user's private key, which the visitor uses to decrypt ciphertext data.
Cloud server: the cloud server provides data upload and download. It is regarded as semi-trusted: it faithfully performs uploads and downloads according to the prescribed procedure, but it may leak user data to an attacker. The uploaded data therefore has to guarantee its own confidentiality, though it need not be tamper-proof.
Data owner: the data owner is the user who wishes to share data. He first reads the public key of the attribute certification authority, then sets an access control rule for each of his data items, performs encryption with the algorithm specified by the scheme, and uploads the resulting ciphertext to the cloud server.
Data user: the data user is the user who reads the data shared by the owner. Data users first obtain from the attribute certification authority the private key corresponding to their attributes. When they need to read data, they download the data uploaded by the owner from the cloud server and decrypt the ciphertext with their own private key according to the corresponding rule; a user can decrypt the data if and only if the user's attribute set satisfies the access control rule.
Fig. 1 illustrates the overall workflow of this framework. Under it, attribute-based encryption mainly comprises the following key algorithms:
System initialization: this algorithm is executed initially by the attribute certification authority. Its input is the attribute universe U and its output is the public key PK corresponding to U and the master key MK. The public key PK may be disclosed to all members of the system, whereas the master key MK is private information of the attribute certification authority and must be kept secure. Step (1) in the figure is the call to the initialization algorithm, after which the system public key is issued to the data owner.
Key generation: this algorithm is executed by the attribute certification authority. Its input is the attribute set S of some user and the master key MK generated during initialization, and its output is the user private key SK corresponding to the attribute set S. It is run when a user joins the system and the attribute certification authority distributes keys; SK is then sent to the corresponding user privately, and the user must keep SK confidential. In step (2), the attribute certification authority generates the private key from the attribute set of the data user and issues it to the user.
Encryption: the encryption algorithm is executed by the data owner. Its inputs are the public key PK, the message M to be encrypted and the access control rule A, and its output is the ciphertext CT. In step (3), the data owner encrypts M under the rule A he has set by running this algorithm, and after obtaining the ciphertext CT uploads it to the cloud server for other users to access.
Decryption: the decryption algorithm is executed by the data user. Its inputs are the ciphertext CT, the public key PK and the user private key SK. In step (4), the data user downloads from the cloud server the ciphertext uploaded by the data owner and attempts to decrypt CT using the public information and his own private key. The algorithm must guarantee that the data can be correctly decrypted to recover the original plaintext M if and only if the attribute set S corresponding to the private key SK satisfies the access control rule A corresponding to the ciphertext CT.
With the above structure a complete access control system can be set up, and the data owner can correctly share data with other users according to the rule.
In attribute-based encryption, the concrete construction of the encryption and decryption algorithms is as follows. For an access control rule (A AND B) OR (C AND D AND E), the scheme first constructs a secret s. According to the concrete expression of the rule, s is split into a number of sub-secrets, one for each entry (A, B, C, D, E) of the rule, such that any set of sub-secrets that satisfies the rule can reconstruct s. Finally, each sub-secret is encrypted with the public key component of the attribute corresponding to its entry, forming the final ciphertext.
For each item of data to be encrypted and its access control rule, the scheme constructs a separate secret and the corresponding ciphertext. The ciphertext is relatively large, so when there is much data to encrypt the storage overhead is huge, and the computation overhead is likewise huge.
Summary of the invention
To overcome the above shortcomings of the prior art, the object of the invention is to provide an efficient access control method, based on rule redundancy elimination, for an encryption environment: when there is a large amount of data to be encrypted, a suitable method is used to find the redundant parts among the access control rules, and the encryption and decryption algorithms are redesigned to eliminate the redundancy in ciphertext storage and computation, thereby reducing storage and computation overhead.
To achieve these goals, the technical solution used in the present invention is:
In the efficient access control method based on rule redundancy elimination in an encryption environment, during ciphertext construction the secret of each leaf is first determined from the attribute of the leaf node, then the secrets of the non-leaf nodes are constructed upward from the leaves following the tree structure, so that the secrets of all nodes are determined; the recursive construction then prevents redundant computation.
Before the secret of each leaf is determined, an access control tree structure adjustment algorithm may first be run, which adjusts the access control tree corresponding to the input access control rule to a unified structure, so that access control structures with identical expressive power are not judged to be different, ensuring the accuracy of the judgement.
The tree structure adjustment algorithm is a recursive algorithm executed starting from the root node of the access control tree and comprises the following steps:
Step 1: determine whether the current input node N (initially the root node) is an AND node or an OR node; if not, go to step 5;
Step 2: initialize the child node set S to the empty set, and the set of nodes to be tested S' to all child nodes of the current input node N;
Step 3: iterate over the nodes N' in the set S' to be tested; if the node type of N' is the same as that of the current input node N, add all child nodes of N' to the set S' to be tested, otherwise put N' directly into the child node set S;
Step 4: establish the parent-child relationship between the current node N and all nodes in the child node set S, so that all nodes in S become child nodes of N;
Step 5: recursively call this algorithm on all child nodes of the current node.
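As an added illustration, not code from the patent, the following Python implements the five adjustment steps above on a small access-tree representation. The node class, the constructor helpers and the rule strings are this example's own assumptions; because the patent treats the child set as unordered, the example places hoisted grandchildren where the merged child stood, so the left-to-right order of a rule is preserved.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    kind: str                                   # "AND", "OR" or "LEAF"
    attr: str = ""                              # attribute name, leaves only
    children: list = field(default_factory=list)


def leaf(a): return Node("LEAF", a)
def AND(*c): return Node("AND", children=list(c))
def OR(*c): return Node("OR", children=list(c))


def adjust(n):
    """Access control tree structure adjustment, following the five steps; modifies n in place."""
    if n.kind in ("AND", "OR"):                 # step 1: only AND/OR nodes are merged
        kept, to_test = [], list(n.children)    # step 2: S empty, S' = children of N
        while to_test:                          # step 3: examine every node in S'
            c = to_test.pop(0)
            if c.kind == n.kind:
                # same-type child: its children are hoisted into S' and examined in turn
                # (inserted where c stood, so left-to-right order is preserved)
                to_test[0:0] = c.children
            else:
                kept.append(c)
        n.children = kept                       # step 4: nodes in S become children of N
    for c in n.children:                        # step 5: recurse into the (new) children
        adjust(c)
    return n


def rule_string(n):
    """Prefix rendering of a tree, e.g. AND(A, OR(B, C)); used to compare structures."""
    if n.kind == "LEAF":
        return n.attr
    return n.kind + "(" + ", ".join(rule_string(c) for c in n.children) + ")"


def node_count(n):
    return 1 + sum(node_count(c) for c in n.children)


def demo():
    """Three spellings of the same rule (constructed input) collapse to one structure."""
    variants = [
        AND(leaf("A"), AND(leaf("B"), leaf("C"))),
        AND(AND(leaf("A"), leaf("B")), leaf("C")),
        AND(leaf("A"), AND(leaf("B"), AND(leaf("C")))),   # includes a single-child AND
    ]
    return [rule_string(adjust(v)) for v in variants]


if __name__ == "__main__":
    for s in demo():
        print(s)
    t = AND(OR(leaf("A"), leaf("B")), AND(leaf("C"), OR(leaf("D"), OR(leaf("E"), leaf("F")))))
    before = node_count(t)
    print(rule_string(adjust(t)), "nodes:", before, "->", node_count(t))
```

Only nested nodes of the same type as their parent are merged; an OR under an AND (or vice versa) is left in place, which is why the mixed tree in the usage block keeps its two OR nodes while losing the nested AND and the nested OR.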
The method of determining the secret of each leaf from the leaf node attribute is to randomly select secrets according to the leaf node attributes and then assign them to the leaf nodes; specifically it comprises the following two steps:
Step 1: take the whole attribute set; for each attribute, randomly select a value as its secret, the i-th attribute obtaining the secret s[i];
Step 2: traverse all leaf nodes of the access control tree; for a node N, assign to N the secret corresponding to the attribute of N, that is, if the attribute of N is A(N), then s[N] = s[A(N)].
After the leaf node secrets are determined, the non-leaf node secret construction algorithm is executed, which constructs the secret of each non-leaf node recursively from the leaves toward the root and finally generates the secret of each file, namely the root secret of the corresponding access control tree.
The non-leaf node secret construction algorithm is a recursive algorithm started from the root node and comprises the following steps:
Step 1: call the redundancy decision algorithm; if the current input node N is a redundant node that has already occurred, directly fetch the corresponding secret, otherwise go to step 2;
Step 2: recursively call the node secret construction algorithm on all child nodes of N to obtain the secret of each child node;
Step 3: if the current input node N is an AND node, directly use Lagrange interpolation to generate the secret of the current node and go to step 5; otherwise go to step 4;
Step 4: the current input node N is a non-AND node, so first randomly select a secret as the secret value of N and compute by Lagrange interpolation the new secret corresponding to each child node; for each child node, generate extra information that maintains the link between the child node's own secret and the newly generated secret, and save this extra information;
Step 5: store the current input node N and its corresponding secret in the redundancy hash table.
Further, redundant non-leaf nodes with identical expressive power can be merged, so that rules that differ in structure but have identical expressive power are adjusted to a consistent structure.
By introducing the redundancy decision algorithm, repeated computation of structures that have already occurred is avoided during the computation, and by introducing the extra information the de-redundancy process guarantees the correctness of the algorithm. When the secret of a node is computed recursively, the access control subtree redundancy decision algorithm is run: a redundancy judgement is made first, and only then is it decided whether to compute, so that the ciphertexts of two nodes with identical access control subtree structure are reused rather than computed twice.
The core of the access control subtree redundancy decision algorithm is to generate a hash value of the access control subtree. The hash generation algorithm is a recursive algorithm run from the root node and comprises the following steps:
Step 1: call this algorithm to generate the hash value of each child node of the current node;
Step 2: sort all child node hash values in lexicographic order, obtaining the hash sequence {H1, H2, ...};
Step 3: take the type of this node and the above hash sequence as input and call a hash function that accepts input of arbitrary length, obtaining the hash value of the current node.
At the same time, by introducing the extra information, the de-redundancy process guarantees the correctness of the algorithm.
The invention calls itself recursively on each leaf node and forms the leaf node hash sequence, then includes the node's own type in the hash evaluation, so that access control subtrees with identical structure are guaranteed to obtain identical hash values, with linear complexity.
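The following Python is an added example, not code from the patent, that ties together the leaf secret assignment, the subtree hash used for the redundancy decision, the Lagrange-based non-leaf construction with its redundancy hash table, and a decryptor-side reconstruction check. It uses the two rules of the embodiment, (computer science AND student) OR (electronics AND student) and teacher OR (computer science AND student), as constructed input; it treats a user's ability to decrypt an attribute's ciphertext as simply knowing that attribute's leaf secret; and it works over a prime field of its own choosing with SHA-256 as the arbitrary-length hash. One design choice the patent leaves open: because the subtree hash sorts children, two AND nodes that differ only in child order share one table entry, so the example indexes the Lagrange shares by the same hash-sorted child order on both sides to keep reconstruction consistent. The extra information for an OR node is the modular offset between the node's fresh secret and each child's own secret.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

P = 2**61 - 1   # prime field modulus chosen for this example (not specified by the patent)


@dataclass
class Node:
    kind: str                                   # "AND", "OR" or "LEAF"
    attr: str = ""                              # attribute name, leaves only
    children: list = field(default_factory=list)


def leaf(a): return Node("LEAF", a)
def AND(*c): return Node("AND", children=list(c))
def OR(*c): return Node("OR", children=list(c))


def subtree_hash(n):
    """Hash of an access control subtree: node type plus lexicographically sorted child hashes."""
    if n.kind == "LEAF":
        return hashlib.sha256(b"LEAF:" + n.attr.encode()).hexdigest()
    hs = sorted(subtree_hash(c) for c in n.children)
    return hashlib.sha256((n.kind + ":" + ",".join(hs)).encode()).hexdigest()


def canonical_children(n):
    """Children in hash order, so equivalent nodes give the same x-coordinate to the same child."""
    return sorted(n.children, key=subtree_hash)


def lagrange_at_zero(points):
    """Value at x = 0 of the polynomial through the given (x, y) points, over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class SecretBuilder:
    """Encryptor side: builds node secrets bottom-up, consulting a redundancy hash table."""

    def __init__(self):
        self.attr_secret = {}        # attribute -> leaf secret, one per attribute
        self.table = {}              # subtree hash -> node secret (the redundancy hash table)
        self.extra = {}              # (OR-node hash, child hash) -> offset published with the ciphertext
        self.nonleaf_evaluations = 0  # how many non-leaf secrets were actually computed

    def build(self, n):
        h = subtree_hash(n)
        if h in self.table:          # redundancy decision: already seen, reuse instead of recomputing
            return self.table[h]
        if n.kind == "LEAF":
            s = self.attr_secret.setdefault(n.attr, secrets.randbelow(P))
        else:
            kids = canonical_children(n)
            shares = [self.build(c) for c in kids]
            self.nonleaf_evaluations += 1
            if n.kind == "AND":
                # secret = q(0) for the polynomial q through (i, share_i): every child is needed
                s = lagrange_at_zero(list(enumerate(shares, start=1)))
            else:
                # OR: fresh random secret; each child's new share is s itself (degree-0 polynomial),
                # and the extra information links the child's own secret to that share
                s = secrets.randbelow(P)
                for c, cs in zip(kids, shares):
                    self.extra[(h, subtree_hash(c))] = (s - cs) % P
        self.table[h] = s
        return s


def recover(n, user_attrs, attr_secret, extra):
    """Decryptor side: rebuild a node secret from the leaf secrets the user's attributes unlock.
    Returns None when the attribute set does not satisfy the subtree."""
    if n.kind == "LEAF":
        return attr_secret[n.attr] if n.attr in user_attrs else None
    kids = canonical_children(n)
    got = [recover(c, user_attrs, attr_secret, extra) for c in kids]
    if n.kind == "AND":
        if any(v is None for v in got):
            return None
        return lagrange_at_zero(list(enumerate(got, start=1)))
    h = subtree_hash(n)
    for c, v in zip(kids, got):
        if v is not None:
            return (v + extra[(h, subtree_hash(c))]) % P
    return None


def embodiment():
    """The two rules of the embodiment (constructed input), built with one shared redundancy table."""
    cs, stu, ee, tea = leaf("computer science"), leaf("student"), leaf("electronics"), leaf("teacher")
    file0 = OR(AND(cs, stu), AND(ee, stu))
    file1 = OR(tea, AND(cs, stu))
    b = SecretBuilder()
    s0, s1 = b.build(file0), b.build(file1)
    return b, file0, file1, s0, s1


if __name__ == "__main__":
    b, f0, f1, s0, s1 = embodiment()
    print("non-leaf secrets computed:", b.nonleaf_evaluations, "(5 without redundancy elimination)")
    print("attribute secrets stored:", len(b.attr_secret), "(7 leaves across the two trees)")
    print("CS student opens file0:", recover(f0, {"computer science", "student"}, b.attr_secret, b.extra) == s0)
```

For the two rules, the shared subtree (computer science AND student) and the repeated leaf "student" are each computed once, so four non-leaf secrets and four attribute secrets are produced instead of five and seven. The reconstruction check confirms that an attribute set satisfying a rule recovers that file's root secret and one that does not satisfy it recovers nothing, which is the correctness property the extra information is meant to preserve.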
Note: in a rooted tree, for any node, the node connected to it from above is its parent node and all nodes connected to it from below are its child nodes. The root node is at the top and has no parent. Leaf nodes are at the bottom and have no children. Nodes other than leaf nodes are non-leaf nodes. See the textbook "Graph Theory and Algebraic Structure".
In the cloud storage access control scenario based on attribute-based encryption, the invention eliminates redundant data and computation when constructing ciphertext according to the access control rules, thereby reducing computation and storage overhead.
Compared with the prior art, the advantages are: first, computation overhead and storage overhead in the encryption and decryption processes are greatly reduced; second, it is a general solution applicable to different types of attribute-based encryption schemes.
Description of the drawings
Fig. 1 is a schematic block diagram of the attribute-based encryption system.
Fig. 2 is a schematic diagram of an access control tree in an embodiment of the invention.
Fig. 3 is a schematic diagram of secret construction in an embodiment of the invention.
Detailed description of the invention
Embodiments of the invention are described in detail below with reference to the drawings and examples.
An access control rule can generally be written in the form of an access control tree. As shown in Fig. 1, the rules corresponding to two files are "(computer science AND student) OR (electronics AND student)" and "teacher OR (computer science AND student)". The basic attribute-based encryption algorithm chooses secrets s0 and s1 for the two files respectively, splits each onto the leaf nodes of its rule, and encrypts them.
The scheme proposed by the invention does not use the approach of first choosing the secret at the root and then splitting it; instead, the order is reversed: during encryption the secret of each leaf node is first chosen according to its attribute, and then the secrets of the non-leaf nodes are constructed upward in order. Under this premise, identical substructures necessarily obtain identical secrets, so the parts that were originally redundant in the encryption and decryption processes can be eliminated.
Specifically, the technical scheme comprises the following main flows:
Access control tree structure adjustment: first, the access control trees corresponding to the input access control rules are all adjusted to a unified structure, so that access control structures of identical expressive power are not judged to be different, ensuring the accuracy of the judgement;
Leaf node secret construction: in each ciphertext construction process, the scheme first needs to determine the secrets of all leaf nodes. Since a leaf node necessarily corresponds to an attribute, the scheme first assigns a secret to each attribute appearing on the leaves, and each leaf then directly uses the secret corresponding to its attribute, so that duplicate attributes on leaves avoid redundancy;
Non-leaf node secret construction: after the leaf node secrets are determined, the secret of each non-leaf node is constructed recursively from the leaves toward the root, and this flow finally generates the secret of each file (namely the root secret of the corresponding access control tree);
Access control subtree redundancy judgement: during non-leaf node secret construction, the ciphertexts of two nodes with identical access control subtree structure should be reused rather than computed twice, so when the secret of a node is computed recursively a redundancy judgement is made first and only then is it decided whether to compute.
Embedding the above four flows of the invention into the encryption and decryption algorithms of attribute-based encryption achieves redundancy elimination for attribute-based encryption ciphertexts.
The access control tree structure adjustment algorithm is a recursive algorithm executed starting from the root node of the access control tree; its main steps are as follows:
Step 1: determine whether the current input node N (initially the root node) is an AND node or an OR node; if not, go to step 5;
Step 2: initialize the child node set S to the empty set, and the set of nodes to be tested S' to all child nodes of the current input node N;
Step 3: iterate over the nodes N' in the set S' to be tested; if the node type of N' is the same as that of the current input node N, add all child nodes of N' to the set S' to be tested, otherwise put N' directly into the child node set S;
Step 4: establish the parent-child relationship between the current node N and all nodes in the child node set S, so that all nodes in S become child nodes of N;
Step 5: recursively call this algorithm on all child nodes of the current node.
The non-leaf node secret construction algorithm is likewise a recursive algorithm started from the root node; its steps are as follows:
Step 1: call the redundancy decision algorithm; if the current input node N is a redundant node that has already occurred, directly fetch the corresponding secret, otherwise go to step 2;
Step 2: recursively call the node secret construction algorithm on all child nodes of N to obtain the secret of each child node;
Step 3: if the current input node N is an AND node, directly use Lagrange interpolation to generate the secret of the current node and go to step 5; otherwise go to step 4;
Step 4: the current input node N is a non-AND node, so first randomly select a secret as the secret value of N and compute by Lagrange interpolation the new secret corresponding to each child node; for each child node, generate extra information that maintains the link between the child node's own secret and the newly generated secret, and save this extra information;
Step 5: store the current input node N and its corresponding secret in the redundancy hash table.
In the redundancy decision flow, the core technical idea is to build a redundancy hash table: a hash value is generated for each access control substructure and is put into the hash table together with the corresponding secret value; the judgement then only requires looking up whether the value exists in the hash table.
Therefore the core of the redundancy judgement is to generate the hash value of the access control subtree. The hash generation algorithm is likewise a recursive algorithm run from the root node and comprises the following steps:
Step 1: call this algorithm to generate the hash value of each child node of the current node;
Step 2: sort all child node hash values in lexicographic order, obtaining the hash sequence {H1, H2, ...};
Step 3: take the type of this node and the above hash sequence as input and call a hash function that accepts input of arbitrary length, obtaining the hash value of the current node.
Fig. 3 shows an exemplary embodiment of the invention. The initial input consists of two files and two rules represented as access control trees. Step (1) calls the access control tree structure adjustment algorithm, so that the AND nodes in the access control trees of both files are adjusted to a consistent structure. Step (2) then performs leaf node secret construction, obtaining the secret value corresponding to each attribute. Steps (3) and (4) represent the calls to the non-leaf node secret construction and redundancy decision algorithms, which compute the secret value of each node in bottom-up order and obtain the secret values s0 and s1 of the two files.
This flow is invoked at encryption time; after it has run, the encryption algorithm continues with the traditional attribute-based encryption scheme using the secret value of each node and obtains the final ciphertext.
In summary, in the scenario of access control realized with attribute-based encryption in encrypted cloud storage, the invention compares the access control rules of different files and modifies the original ciphertext construction strategy, achieving partial redundancy elimination for attribute-based encryption ciphertexts. The invention is a modification and extension of the encryption and decryption algorithms of the original attribute-based encryption technology, and its core idea is to reuse the parts that are identical across different access rules.
Claims (10)
1. An efficient access control method based on rule redundancy elimination in an encryption environment, characterized in that, during ciphertext construction, the secret of each leaf is first determined from the leaf node attribute, then the secrets of the non-leaf nodes are constructed upward from the leaves following the tree structure, so that the secrets of all nodes are determined, and the recursive construction prevents redundant computation.
2. The efficient access control method based on rule redundancy elimination in an encryption environment according to claim 1, characterized in that, before the secret of each leaf is determined, an access control tree structure adjustment algorithm is first run, which adjusts the access control tree corresponding to the input access control rule to a unified structure, so that access control structures of identical expressive power are not judged to be different, ensuring the accuracy of the judgement.
3. The efficient access control method based on rule redundancy elimination in an encryption environment according to claim 2, characterized in that the access control tree structure adjustment algorithm is a recursive algorithm executed starting from the root node of the access control tree and comprises the following steps:
Step 1: determine whether the current input node N is an AND node or an OR node; if not, go to step 5;
Step 2: initialize the child node set S to the empty set, and the set of nodes to be tested S' to all child nodes of the current input node N;
Step 3: iterate over the nodes N' in the set S' to be tested; if the node type of N' is the same as that of the current input node N, add all child nodes of N' to the set S' to be tested, otherwise put N' directly into the child node set S;
Step 4: establish the parent-child relationship between the current node N and all nodes in the child node set S, so that all nodes in S become child nodes of N;
Step 5: recursively call this algorithm on all child nodes of the current node.
4. The efficient access control method based on rule redundancy elimination in an encryption environment according to claim 1, characterized in that the method of determining the secret of each leaf from the leaf node attribute is to randomly select secrets according to the leaf node attributes and then assign them to the leaf nodes, specifically comprising the following two steps:
Step 1: take the whole attribute set; for each attribute, randomly select a value as its secret, the i-th attribute obtaining the secret s[i];
Step 2: traverse all leaf nodes of the access control tree; for a node N, assign to N the secret corresponding to the attribute of N, that is, if the attribute of N is A(N), then s[N] = s[A(N)].
5. The efficient access control method based on rule redundancy elimination in an encryption environment according to claim 4, wherein after the leaf node secrets are determined, the non-leaf node secret construction algorithm is executed, which constructs the secret of each non-leaf node recursively from the leaves toward the root and finally generates the secret of each file, namely the root secret of the corresponding access control tree.
6. The efficient access control method based on rule redundancy elimination in an encryption environment according to claim 5, characterized in that the non-leaf node secret construction algorithm is a recursive algorithm started from the root node and comprises the following steps:
Step 1: call the redundancy decision algorithm; if the current input node N is a redundant node that has already occurred, directly fetch the corresponding secret, otherwise go to step 2;
Step 2: recursively call the node secret construction algorithm on all child nodes of N to obtain the secret of each child node;
Step 3: if the current input node N is an AND node, directly use Lagrange interpolation to generate the secret of the current node and go to step 5; otherwise go to step 4;
Step 4: the current input node N is a non-AND node, so first randomly select a secret as the secret value of N and compute by Lagrange interpolation the new secret corresponding to each child node; for each child node, generate extra information that maintains the link between the child node's own secret and the newly generated secret, and save this extra information;
Step 5: store the current input node N and its corresponding secret in the redundancy hash table.
7. efficient access control method in the encryption environment that rule-based redundancy according to claim 1 or 5 or 6 eliminates, it is characterised in that the unnecessary non-leaf nodes that ability to express is identical is merged.
8. efficient access control method in the encryption environment that rule-based redundancy according to claim 5 or 6 eliminates, it is characterized in that, when certain node of recursive calculation secret, perform to access and control subtree redundancy decision algorithm, first carry out a redundancy to judge, decide whether again to be calculated, to prevent the ciphertext accessing two identical nodes of control sub-tree structure from reusing and double counting.
9. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 8, it is characterized in that, the described core controlling subtree redundancy decision algorithm that accesses is to generate to access the cryptographic Hash controlling subtree, the algorithm that Hash generates is a recursive algorithm by root node, comprises the steps:
Step 1: call this algorithm, generates each child node cryptographic Hash of present node;
Step 2: all child node cryptographic Hash are pressed lexcographical order sequence, obtains Hash sequence { H1,H2,…}
Step 3: using this node type and above-mentioned Hash sequence as input, calls a hash function accepting random length input, obtains present node cryptographic Hash.
10. efficient access control method in the encryption environment that rule-based redundancy eliminates according to claim 1, it is characterised in that
By introducing redundancy decision algorithm so that calculating process is avoided the structure occurred by double counting, simultaneously by introducing extraneous information so that the process of de-redundancy can guarantee that the correctness of algorithm;
By recursive call self on each leaf node, and form leaf node Hash sequence, then own type is put in Hash evaluation process so that the different access that structure is identical controls subtree one and obtains identical cryptographic Hash surely, and complexity is linear.
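The following Python is an added illustration of claims 4 to 10 and is not the patent's own code. It assigns one random secret per attribute (claim 4), builds the non-leaf secrets bottom-up with Lagrange interpolation while memoizing by a structural subtree hash (claims 6, 8 and 9), and checks on the decryptor side that a holder of the right attributes recovers the root secret while another user does not (claim 10). The prime field `P`, SHA-256 as the arbitrary-length hash, an additive delta as the "extra information", the canonical child ordering by hash, and the policy and attribute names are all assumptions made here.

```python
"""Bottom-up access-tree secrets with subtree-hash redundancy elimination
(added illustration of claims 4 to 10; not the patent's own code)."""
import hashlib
from secrets import randbelow

P = 2**61 - 1  # assumed prime field for the Lagrange interpolation


class Node:
    """Leaf carries an attribute; inner node is 'AND' (k-of-k), 'OR' (1-of-n)
    or 'THRESH' (t-of-n). Holds structure only, no secret."""
    def __init__(self, kind, children=(), attr=None, t=None):
        self.kind, self.children, self.attr = kind, list(children), attr
        self.t = {'AND': len(self.children), 'OR': 1}.get(kind, t)


def subtree_hash(node):
    """Claim 9: hash children recursively, sort the hashes lexicographically,
    then feed (type, threshold, sorted hashes) to an arbitrary-length hash."""
    if node.kind == 'LEAF':
        return hashlib.sha256(b'LEAF:' + node.attr.encode()).hexdigest()
    child_hashes = sorted(subtree_hash(c) for c in node.children)
    data = f'{node.kind}:{node.t}:' + ','.join(child_hashes)
    return hashlib.sha256(data.encode()).hexdigest()


def canonical_children(node):
    """Children in hash order (assumption): shares are indexed by this order,
    so a secret reused across equal subtrees means the same thing everywhere."""
    return sorted(node.children, key=subtree_hash)


def lagrange_at_zero(points):
    """Evaluate at x=0 the polynomial over GF(P) through the (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def assign_leaf_secrets(attributes):
    """Claim 4: one random secret per attribute, shared by every leaf bearing it."""
    return {a: randbelow(P) for a in attributes}


def construct_secrets(node, leaf_secrets, table, extra):
    """Claim 6. table: subtree hash -> secret; extra: subtree hash -> deltas."""
    h = subtree_hash(node)
    if h in table:                       # step 1: redundant subtree, reuse it
        return table[h]
    if node.kind == 'LEAF':
        s = leaf_secrets[node.attr]      # s[N] = s[A(N)]
    else:
        child = [construct_secrets(c, leaf_secrets, table, extra)
                 for c in canonical_children(node)]  # step 2
        if node.kind == 'AND':           # step 3: secret is fixed by the children
            s = lagrange_at_zero([(i + 1, c) for i, c in enumerate(child)])
        else:                            # step 4: fresh secret, corrected shares
            s = randbelow(P)
            coeffs = [s] + [randbelow(P) for _ in range(node.t - 1)]
            q = lambda x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            # "extra information" (assumed additive): new share minus old secret
            extra[h] = [(q(i + 1) - c) % P for i, c in enumerate(child)]
    table[h] = s                         # step 5
    return s


def recover(node, user_key, extra):
    """Decryptor side: user_key maps the user's attributes to their leaf secrets.
    Returns the node secret, or None when the subtree policy is unsatisfied."""
    if node.kind == 'LEAF':
        return user_key.get(node.attr)
    h, pts = subtree_hash(node), []
    for i, c in enumerate(canonical_children(node)):
        v = recover(c, user_key, extra)
        if v is not None:
            if node.kind != 'AND':
                v = (v + extra[h][i]) % P    # q(i) = s_i + delta_i
            pts.append((i + 1, v))
    return lagrange_at_zero(pts[:node.t]) if len(pts) >= node.t else None


def demo():
    """Constructed policy: the same (dept AND role) subtree appears twice with
    its children in a different order, under a 2-of-3 threshold root (8 nodes)."""
    leaf = lambda a: Node('LEAF', attr=a)
    sub1 = Node('AND', [leaf('dept:crypto'), leaf('role:dev')])
    sub2 = Node('AND', [leaf('role:dev'), leaf('dept:crypto')])
    root = Node('THRESH', [sub1, sub2, leaf('clearance:high')], t=2)
    leaf_secrets = assign_leaf_secrets(['dept:crypto', 'role:dev', 'clearance:high'])
    table, extra = {}, {}
    root_secret = construct_secrets(root, leaf_secrets, table, extra)
    insider = {a: leaf_secrets[a] for a in ('dept:crypto', 'role:dev')}
    outsider = {'clearance:high': leaf_secrets['clearance:high']}
    return {
        'same_structure_same_hash': subtree_hash(sub1) == subtree_hash(sub2),
        'distinct_subtrees': len(table),           # 5 secrets for 8 nodes
        'authorized_recovers_root': recover(root, insider, extra) == root_secret,
        'unauthorized': recover(root, outsider, extra),
    }
```

Two design points worth noting. An AND node's secret is a deterministic function of its children's secrets, so memoizing it by structural hash is sound; a non-AND node has more children than its threshold, so its secret must be chosen fresh and each child needs a stored delta to map its existing secret onto the node's polynomial, which is the "extra information" of claims 6 and 10. Because the subtree hash is order-independent (sorted child hashes), the share indices must also be order-independent, hence the canonical child ordering used on both the construction and the recovery side; without it, a secret reused for a subtree whose children are listed in a different order would not interpolate back to the stored value.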
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610245485.XA CN105790929B (en) | 2016-04-19 | 2016-04-19 | Access control method in a kind of encryption environment that rule-based redundancy is eliminated |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610245485.XA CN105790929B (en) | 2016-04-19 | 2016-04-19 | Access control method in a kind of encryption environment that rule-based redundancy is eliminated |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105790929A true CN105790929A (en) | 2016-07-20 |
CN105790929B CN105790929B (en) | 2018-12-28 |
Family
ID=56397968
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610245485.XA Active CN105790929B (en) | 2016-04-19 | 2016-04-19 | Access control method in a kind of encryption environment that rule-based redundancy is eliminated |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105790929B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110378109A (en) * | 2019-06-26 | 2019-10-25 | 中国科学院信息工程研究所 | Reduce the method and system of chain type Hash stack performance loss |
CN110445793A (en) * | 2019-08-13 | 2019-11-12 | 四川长虹电器股份有限公司 | A kind of analysis method for the analysis engine possessing the irredundant calculating of node thread rank |
CN110647322A (en) * | 2019-08-15 | 2020-01-03 | 北京三快在线科技有限公司 | List rendering method and device, electronic equipment and computer readable medium |
CN112565167A (en) * | 2019-09-26 | 2021-03-26 | 华为数字技术(苏州)有限公司 | Method for detecting access control list ACL and network equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102810141A (en) * | 2011-06-01 | 2012-12-05 | 哈尔滨市和协岛数码科技有限公司 | Software lease authorization method based on attribute encryption |
CN103220291A (en) * | 2013-04-09 | 2013-07-24 | 电子科技大学 | Access control method base on attribute encryption algorithm |
CN104572430A (en) * | 2013-10-24 | 2015-04-29 | 腾讯科技(深圳)有限公司 | Method, device and system for testing terminal application interface |
CN105141574A (en) * | 2015-06-12 | 2015-12-09 | 深圳大学 | Cloud storage cipher text access control system based on table attributes |
2016-04-19: CN CN201610245485.XA patent/CN105790929B/en, status Active
Non-Patent Citations (1)
Title |
---|
Shucheng Yu et al.: "Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing", IEEE * |
Also Published As
Publication number | Publication date |
---|---|
CN105790929B (en) | 2018-12-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112019591B (en) | | Cloud data sharing method based on block chain |
CN105871543B (en) | | Multiple key cipher text retrieval method under more data owner's backgrounds based on attribute |
CN114065265B (en) | | Fine-grained cloud storage access control method, system and equipment based on blockchain technology |
CN105100083B (en) | | A kind of secret protection and support user's revocation based on encryption attribute method and system |
CN109120639A (en) | | A kind of data cloud storage encryption method and system based on block chain |
CN103618729A (en) | | Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage |
CN108833393A (en) | | A kind of revocable data sharing method calculated based on mist |
CN107395568A (en) | | A kind of cipher text retrieval method of more data owner's certifications |
CN103731432A (en) | | Multi-user supported searchable encryption system and method |
US20150207621A1 (en) | | Method for creating asymmetrical cryptographic key pairs |
CN107276766B (en) | | Multi-authorization attribute encryption and decryption method |
CN113411323B (en) | | Medical record data access control system and method based on attribute encryption |
CN105790929A (en) | | High-efficient access control method based on rule redundancy elimination in encryption environment |
CN115296817A (en) | | Data access control method based on block chain technology and attribute encryption |
CN107302524A (en) | | A kind of ciphertext data-sharing systems under cloud computing environment |
CN107634830B (en) | | The revocable attribute base encryption method of server-aided, apparatus and system |
CN106888213B (en) | | Cloud ciphertext access control method and system |
CN110599376A (en) | | Course selection system based on attribute password |
CN114143072A (en) | | CP-ABE-based attribute revocation optimization method and system |
CN108763944A (en) | | Multicenter large attribute Domain Properties base encryption method can be revoked safely in calculating in mist |
CN107659567A (en) | | The ciphertext access control method and system of fine granularity lightweight based on public key cryptosyst |
CN109347833B (en) | | Access control method and system used in machine learning environment based on attribute encryption |
Nayudu et al. | | Dynamic Time and Location Information in Ciphertext-Policy Attribute-Based Encryption with Multi-Authorization. |
CN106549758B (en) | | Support the encryption method based on attribute of non-monotonic access structure |
KR102381389B1 (en) | | System and Method for Controlling Multi Factor Access Prioritized |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |