CN106612325A - Method for data authenticity verification under authority management in cloud storage - Google Patents
Method for data authenticity verification under authority management in cloud storage Download PDFInfo
- Publication number
- CN106612325A CN106612325A CN201610836998.8A CN201610836998A CN106612325A CN 106612325 A CN106612325 A CN 106612325A CN 201610836998 A CN201610836998 A CN 201610836998A CN 106612325 A CN106612325 A CN 106612325A
- Authority
- CN
- China
- Prior art keywords
- signature
- user
- file
- access
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a method for data authenticity verification under authority management in cloud storage. The method adopts the technical scheme that a data owner generates a signature from data information and sends the signature to all users; encryption is carried out through the attribute-based encryption method, so that the users obtain different access authorities; according to a signature interception method designed by the method, a part of the signature is intercepted and used as information for verifying information completeness and authenticity; and the users with the different authorities can only intercept part of the information from the signature according to the corresponding authorities to verify whether the received data is complete and authentic or not, and overall verification is not required. The method has the advantages that the users with the different authorities can verify the received data according to the uniform data signature, so that especially in case of a high updating frequency and a large number of the users, the operation complexity and the system and time costs can be greatly reduced.
Description
Technical field
The present invention relates to cloud storage in field of cloud calculation, information security, integrality authenticity verification field.
Background technology
Cloud storage and cloud information sharing have become data storage today and the hot topic propagated, and either enterprise is also individual
People, increasingly tends to store data in high in the clouds, in the hope of saving local resource and realizing that data are shared at any time.As user gets over
Come more, then safety problem also becomes one of factor of restriction development.
Documentation is uploaded to high in the clouds by data owner, it is allowed to hold the user accesses data of legal licensing, in order to protect
Card data can only be that authorized user could access, and can adopt based on the encryption method of attribute base, and each user has different authorities,
The different data of integrated degree can be had access to.
But, now again a problem is faced, it is exactly how user determines that had access to information is exactly by data owner
Send, do not changed by invaderThat is how user is able to verify that had access to data are exactly under data owner
Reach!Often, data can be sent jointly to user by user together with the electronic signature of data, but if number of visitors is more,
Authority differs, then how checking information simply could be sent jointly to the user that specifies by data ownerTraditional method
It is aiming at each user, there is provided the electronic signature to be accessed content, but so operation, and to data, owner causes pole
Big burden.The workload of sharer is not only increased, is lost time, while also increase overhead, particularly customer volume
Huge, authority is different, and again in the case of Jing often renewals, data owner will be absorbed in undying according to different rights generation data
Then different checking informations are sent to successively each user.
The content of the invention
For the above-mentioned deficiency of prior art, the data validity that the present invention is proposed in cloud storage under a kind of rights management is tested
Card method.
To solve the above problems, the present invention proposes technical scheme below:
Data owner produces data message after one signature, all users is sent to, then with attribute base encryption method
Encryption, is that user obtains different access authority, and then the signature intercept method according to designed by method intercepts in signature
The information for checking information integrality and authenticity is allocated as, and the user of different rights can only be from signature according to the authority of oneself
Intercept partial information to verify received data whether completely and truly and without global checking.Comprise the following steps that:
Step 1:The digital signature that generation can be split.
Step 2:Access privilege control encrypts file.
Step 3:Signature is intercepted.
Step 4:Signature verification.
The invention has the beneficial effects as follows:
The different user of authority can verify to received data according to unified data signature, particularly update frequently
Rate is high, when number of users is big, can greatly save complexity, overhead, the time-consuming expense of operation.
Specific embodiment
Step 1:The digital signature that generation can be split
For file F, it includes many subfiles, and the subfile that the user of different rights can access is different, if:
F=(F1, F2..., Fn)
Footmark n represents the numbering of subfile, for user Ux, the subfile that he can access is Fu=(Fi, Fj), i, j ∈
{n}.So need to be intercepted out from the digital signature of file F long to be able to verify that FuSignature section.
1.1 generate signature key
In a Bilinear map, if p is a Big prime,It is to generate unit, H (*) is Hash letter
Number, randomly selectsCalculate v=ga(mod p) then:
Public key PKsig={ p, g, v };
Private key SKsig=a;
PKsigAnd SKsigFor generating the public key and private key of signature.
1.2 file content extraction signatures are generated
F is the file to be signed, FiBe numbering be i subfile, while i also illustrates that i-th subfile;1≤i≤n,
CeasFor contents interception access structure, he represents user UxThe label of the file sub-block that can be accessed, such as Cead={ 1,3, i } represents to be used
Family can access and be numbered 1,2, the subfile of i, CI (F ') represents the label for intercepting subfile, then hasDefining T is
CeasMark (Ceas- Tags) length be 80bit.
1) randomly selectCalculate r=gk(mod p);
2) to each sub- message F of file Fi, calculate hi=H (Fi||Ceas||i||T;H (*) is hash function;
3) sub- message F is calculatediSignature (Sig, signature):
Sigi=(hi-a·r)·k-1mod(p-1)
Wherein 1≤i≤n;
4) global signature of calculation document F:
SigF=(Ceas||T||Sig1||Sig2||...||Sign)
Step 2:Access privilege control encrypts file
The signature for intercepting of file has, and then according to the authority of user, using ABE algorithms, generates access structure control
System, defining user can decrypt and access the authority of subfile.
2.1 and for the PK of signaturesigAnd SKsigEqually, main key MK of encryption of file is generated using Bilinear mapF,
Public key PKF:
PKF=(G0, g, gβ, e (g, g)α);
2.2 formulate access structure control
If P=is { P1, P2... PnBe all users community set, wherein user Pi={ δm, Ceas, that is to say, that will
User accesses parameter C of file sub-blockeasIn being added to user authority management.T is access structure, is { P1, P2... PnOne
Individual nonvoid subset, that is, which attribute file can be just accessed with.
2.3 access keys key for calculating user ii=KeyGen (MK, T, Pi), using AES in ABE algorithms
Encrypt (PK, F, T) is to file F=(F1, F2..., Fn) be encrypted, ciphertext is obtained for CF:
Then by data ciphertext CF, global signature SigFCloud Server is sent to, user's key is distributed to into user, signed
Key also issues user.
Step 3:Signature is intercepted
When arbitrarily user conducts interviews the data in access rights, need to verify that whether complete data are true, first
The part signature for checking is intercepted from global signature according to authority.
F ' represents the sub- message that user receives, the set that CI (F ') is made up of the index of the sub- message included in F '.
First according to CeasConstruction intercepts subset CI (F ');CheckingSet up, then signature is true, is continued
It is follow-up to calculate, being false failure of then return;
According to CI (F '), generate and intercept sub- message F '={ Fi|i∈CI(F‘)};
To each i ∈ CI (F '), from SigFMiddle taking-up Sigi;
Generate and intercept signature:
Sigi=(Ceas||CI(F‘)||T||Sigi1||Sigi2||...||Sigif)
SigijFor the signature of corresponding sub- message in CI (F '), i, j ∈ CI (F ').
Step 4:Signature verification
User when conducting interviews to the file in authority, according to ABE algorithms, utilizes according to the access key of oneself
keyiThe file that decryption can be accessed, the subset of the file for obtaining is F ';It is first in order to determine whether accessed file is authentic and valid
First to be verified.
User's checkingWhether set up, establishment then performs following steps, being false failure of then return;So
Afterwards for user UiSubfile F '={ the F being had access toi, 1≤i≤n calculates the cryptographic Hash of each subfile:
Then signature private key SK is usedsig, by the signature Sig being truncated toi,
Sigi=(Ceas||CI(F‘)||T||Sigi1||Sigi2||...||Sigif) be decrypted, obtain cryptographic Hash
hi=H (Fi||Ceas||i||T)
Then contrastWith hi, that is, if checking is unanimously, illustrates FiBe it is authentic and valid, it is otherwise invalid, then
All of { F is verified successivelyi, check user UiWhether the file sub-block that can be accessed is all authentic and valid.
Claims (5)
1. the data validity checking in cloud storage under a kind of rights management, the present invention relates to cloud storage in field of cloud calculation, letter
Breath safety, integrality authenticity verification field, is characterized in that, comprise the steps:
Step 1:The digital signature that generation can be split
Step 2:Access privilege control encrypts file
Step 3:Signature is intercepted
Step 4:Signature verification.
2. verified according to the data validity under a kind of rights management in the cloud storage described in claim 1, be it is characterized in that, with
Concrete calculating process in the upper step 1 is as follows:
Step 1:The digital signature that generation can be split
For file F, it includes many subfiles, and the subfile that the user of different rights can access is different, if:
Footmark n represents the numbering of subfile, for userThe subfile that he can access is,
So need to be intercepted out from the digital signature of file F long to be able to verify thatSignature section
1.1 generate signature key
In a Bilinear map, if p is a Big prime,It is to generate unit, H(*)For hash function,
Randomly selectCalculateThen:
Public key
Private key
WithFor generating the public key and private key of signature
1.2 file content extraction signatures are generated
F is the file to be signed,Be numbering be i subfile, while i also illustrates that i-th subfile;For contents interception access structure, he represents userThe label of the file sub-block that can be accessed, such asRepresent user can access be numbered 1,2, the subfile of i,Represent the mark for intercepting subfile
Number, then have ,Defining T isMarkLength is 80 bit
1)Randomly selectCalculate
2)The each sub- message to file FCalculate
3)Calculate sub- messageSignature(Sig, signature):
Wherein
4)The global signature of calculation document F:
。
3. verified according to the data validity under a kind of rights management in the cloud storage described in claim 1, be it is characterized in that, with
Concrete calculating process in the upper step 2 is as follows:
Step 2:Access privilege control encrypts file
The signature for intercepting of file has, and then according to the authority of user, using ABE algorithms, generates access structure control, fixed
Adopted user can decrypt and access the authority of subfile
2.1 and for signatureWithEqually, the main key of encryption of file is generated using Bilinear map
Public key
2.2 formulate access structure control
IfIt is the community set of all users, wherein userThat is
User is accessed into the parameter of file sub-blockIn being added to user authority management, T is access structure, isA nonvoid subset, that is, which attribute can just access file with
The 2.3 access keys for calculating user iEncrypt using in ABE algorithms
AlgorithmTo fileIt is encrypted, obtaining ciphertext is
Then by data ciphertextGlobal signatureCloud Server is sent to, user's key is distributed to into user, signed secret
Key also issues user.
4. verified according to the data validity under a kind of rights management in the cloud storage described in claim 1, be it is characterized in that, with
Concrete calculating process in the upper step 3 is as follows:
Step 3:Signature is intercepted
When arbitrarily user conducts interviews the data in access rights, need to verify that whether complete data are true, be first according to
Authority intercepts the part signature for checking from global signature
The sub- message that user receives is represented,ForIn the set that constituted of the index of sub- message that includes
Basis firstConstruction intercepts subset;CheckingSet up, then signature is true, is continued
It is follow-up to calculate, being false failure of then return;
According to, generate and intercept sub- message
To each, fromMiddle taking-up
Generate and intercept signature:
ForIn corresponding sub- message signature, i,。
5. verified according to the data validity under a kind of rights management in the cloud storage described in claim 1, be it is characterized in that, with
Concrete calculating process in the upper step 4 is as follows:
Step 4:Signature verification
User when conducting interviews to the file in authority, according to ABE algorithms, utilizes according to the access key of oneselfSolution
The close file that can be accessed, the subset of the file for obtaining is;In order to determine whether accessed file is authentic and valid, first has to
Verified
User's checkingWhether set up, establishment then performs following steps, being false failure of then return;Then
For userCalculate the cryptographic Hash of each subfile:
Then signature private key is usedBy the signature being truncated to
It is decrypted, obtains cryptographic Hash
Then contrastWithIf namely verifying consistent, illustrateIt is authentic and valid, otherwise invalid, Ran Houyi
Secondary checking is all ofCheck userWhether the file sub-block that can be accessed is all authentic and valid.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2016105809609 | 2016-07-21 | ||
CN201610580960 | 2016-07-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106612325A true CN106612325A (en) | 2017-05-03 |
Family
ID=58615189
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610836998.8A Pending CN106612325A (en) | 2016-07-21 | 2016-09-21 | Method for data authenticity verification under authority management in cloud storage |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106612325A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107508801A (en) * | 2017-08-04 | 2017-12-22 | 安徽智圣通信技术股份有限公司 | A kind of file tamper-proof method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103699851A (en) * | 2013-11-22 | 2014-04-02 | 杭州师范大学 | Remote data completeness verification method facing cloud storage |
CN104301119A (en) * | 2014-11-05 | 2015-01-21 | 中国建设银行股份有限公司 | Data signature method, signature verification method, data signature equipment and verification server |
CN105515778A (en) * | 2015-12-25 | 2016-04-20 | 河南城建学院 | Cloud storage data integrity service signature method |
-
2016
- 2016-09-21 CN CN201610836998.8A patent/CN106612325A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103699851A (en) * | 2013-11-22 | 2014-04-02 | 杭州师范大学 | Remote data completeness verification method facing cloud storage |
CN104301119A (en) * | 2014-11-05 | 2015-01-21 | 中国建设银行股份有限公司 | Data signature method, signature verification method, data signature equipment and verification server |
CN105515778A (en) * | 2015-12-25 | 2016-04-20 | 河南城建学院 | Cloud storage data integrity service signature method |
Non-Patent Citations (1)
Title |
---|
王彩芬 等: "基于可截取签名和属性加密的云存储访问控制方案", 《计算机工程与科学》 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107508801A (en) * | 2017-08-04 | 2017-12-22 | 安徽智圣通信技术股份有限公司 | A kind of file tamper-proof method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109040045B (en) | Cloud storage access control method based on ciphertext policy attribute-based encryption | |
CN109614818B (en) | Authorized identity-based keyword search encryption method | |
CN113918981B (en) | Attribute-based encryption method and system | |
US7688975B2 (en) | Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure | |
Tao et al. | Secure data sharing and search for cloud-edge-collaborative storage | |
CN100586065C (en) | CPK credibility authorization system | |
CN104901942A (en) | Distributed access control method for attribute-based encryption | |
CN102075544A (en) | Encryption system, encryption method and decryption method for local area network shared file | |
Guo et al. | Using blockchain to control access to cloud data | |
Ghanmi et al. | A secure data storage in multi-cloud architecture using blowfish encryption algorithm | |
Suveetha et al. | Ensuring confidentiality of cloud data using homomorphic encryption | |
CN117335989A (en) | Safety application method in internet system based on national cryptographic algorithm | |
CN110519040B (en) | Anti-quantum computation digital signature method and system based on identity | |
CN111914270A (en) | Programmable authentication service method and system based on block chain technology | |
Lei et al. | A cloud data access authorization update scheme based on blockchain | |
CN106612325A (en) | Method for data authenticity verification under authority management in cloud storage | |
CN112671729B (en) | Internet of vehicles oriented anonymous key leakage resistant authentication method, system and medium | |
Jyoti et al. | Achieving cloud security using hybrid cryptography algorithm | |
CN112069487B (en) | Intelligent equipment network communication safety implementation method based on Internet of things | |
Khobragade et al. | High security mechanism: fragmentation and replication in the cloud with auto update in the system | |
Singh et al. | Role based security for cloud based data with data reliability | |
Ghorpade et al. | Notice of Violation of IEEE Publication Principles: Towards Achieving Efficient and Secure Way to Share the Data | |
CN116599757B (en) | Decentralizing forward security identity base encryption method and system | |
CN116155496B (en) | National soil transformation investigation data transmission method and device based on national secret algorithm | |
Karani et al. | Secure File Storage Using Hybrid Cryptography |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20170503 |
|
WD01 | Invention patent application deemed withdrawn after publication |