CN109327448B - Cloud file sharing method, device, equipment and storage medium - Google Patents

Publication number
CN109327448B
Authority
CN
China
Prior art keywords
file
access
key
ciphertext
lsss
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811251351.4A
Other languages
Chinese (zh)
Other versions
CN109327448A (en
Inventor
王树兰
黄美东
王磊
王汇文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Technology University
Original Assignee
Shenzhen Technology University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Technology University filed Critical Shenzhen Technology University
Priority to CN201811251351.4A priority Critical patent/CN109327448B/en
Publication of CN109327448A publication Critical patent/CN109327448A/en
Priority to PCT/CN2019/079646 priority patent/WO2020082688A1/en
Application granted granted Critical
Publication of CN109327448B publication Critical patent/CN109327448B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention is suitable for the technical field of ciphertext access control, and provides a cloud file sharing method, a device, equipment and a storage medium, wherein the method comprises the following steps: when a file sharing request sent by a file owner is received, a symmetric encryption algorithm is used for encrypting a file set to be shared according to a content key set to obtain a file ciphertext set, an encryption calculation function is used for encrypting the content key set according to public parameters and an LSSS access control strategy to obtain a key ciphertext set corresponding to the content key set, and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing.

Description

Cloud file sharing method, device, equipment and storage medium
Technical Field
The invention belongs to the technical field of ciphertext access control, and particularly relates to a cloud file sharing method, device, equipment and storage medium.
Background
With the development of cloud computing and the gradual increase of the use scale of big data, data becomes the most valuable information, people tend to store own data on a cloud server, and the use and sharing of cloud data bring convenience to the life and work of people and bring unprecedented data security risks, so how to realize the controlled sharing of cloud data becomes a problem to be solved urgently.
In order to solve the problem of controlled sharing of cloud data and avoid theft of private data, a conventional method is to encrypt the data to be shared by a user and transmit it to the cloud server in the form of ciphertext. However, distributing the encrypted data to a specific group of users with such an encryption scheme is very inefficient and cannot ensure that the data is completely safe. Data security can instead be achieved by designing access control into the encryption mechanism; access control is the first line of security defense that prevents unauthorized users from accessing private data in the cloud, and access control technology is therefore particularly important.
In order to prevent a privileged user from illegally accessing a user's sensitive data, and at the same time to realize fine-grained access control in a cloud storage environment, Sahai et al. put forward the concept of Attribute Based Encryption (ABE) in 2005. ABE can perform fine-grained control on shared data and reduce the workload of private key storage and distribution, but basic ABE cannot support a flexible access control policy. Therefore, Bethencourt et al. proposed a Ciphertext Policy Attribute Based Encryption (CP-ABE) mechanism suitable for access-control applications. Through a flexible access policy, CP-ABE ensures that the encrypting party does not need to know specifically who will decrypt the information, and that a decrypting party can decrypt the information only by meeting the corresponding conditions. Many scholars at home and abroad have researched the CP-ABE algorithm, and although many results have been obtained, a concrete implementation model combined with practical application still has many problems that urgently need research, such as how to construct an access control structure that is easy to maintain and how to enhance the expressive capacity of access control.
Disclosure of Invention
The invention aims to provide a cloud file sharing method, a cloud file sharing device, cloud file sharing equipment and a storage medium, and aims to solve the problem that the security of shared data is low because an effective access control method cannot be provided in the prior art.
In one aspect, the present invention provides a cloud file sharing method, including the following steps:
when a file sharing request sent by a file owner is received, encrypting a file set to be shared by using a symmetric encryption algorithm according to a preset content key set to obtain a file ciphertext set;
encrypting the content key set by using a preset encryption function according to a pre-generated public parameter and a pre-constructed LSSS access control strategy to obtain a key ciphertext set corresponding to the content key set, wherein the key ciphertext set comprises the LSSS access control strategy;
and uploading the file ciphertext set and the key ciphertext set to a cloud server to realize cloud file sharing.
In another aspect, the present invention provides a cloud file sharing apparatus, including:
the first encryption unit is used for encrypting a to-be-shared file set by using a symmetric encryption algorithm according to a preset content key set when a file sharing request sent by a file owner is received, to obtain a file ciphertext set;
the second encryption unit is used for encrypting the content key set by using a preset encryption function according to a pre-generated public parameter and a pre-constructed LSSS access control strategy to obtain a key ciphertext set corresponding to the content key set, wherein the key ciphertext set comprises the LSSS access control strategy; and
and the ciphertext uploading unit is used for uploading the file ciphertext set and the key ciphertext set to a cloud server so as to realize cloud file sharing.
In another aspect, the present invention further provides a computing device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the cloud file sharing method when executing the computer program.
In another aspect, the present invention further provides a computer-readable storage medium, where a computer program is stored, and when executed by a processor, the computer program implements the steps of the cloud file sharing method.
When a file sharing request sent by a file owner is received, a symmetric encryption algorithm is used for encrypting a file set to be shared according to a content key set to obtain a file ciphertext set, a preset encryption function is used for encrypting the content key set according to a public parameter and an LSSS access control strategy to obtain a key ciphertext set corresponding to the content key set, and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing.
Drawings
Fig. 1 is a flowchart illustrating an implementation of a cloud file sharing method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an implementation of a cloud file sharing method according to a second embodiment of the present invention;
fig. 3 is a schematic view of a file access tree constructed in the cloud file sharing method according to the second embodiment of the present invention;
fig. 4 is a schematic diagram illustrating optimization of a file access tree in the cloud file sharing method according to the second embodiment of the present invention;
fig. 5 is a schematic diagram illustrating a conversion of an optimized file access tree into an LSSS matrix in the cloud file sharing method according to the second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a cloud file sharing device according to a third embodiment of the present invention;
fig. 7 is a schematic structural diagram of a cloud file sharing apparatus according to a fourth embodiment of the present invention; and
fig. 8 is a schematic structural diagram of a computing device according to a fifth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The following detailed description of specific implementations of the present invention is provided in conjunction with specific embodiments:
Example one:
Fig. 1 shows an implementation flow of a cloud file sharing method provided in an embodiment of the present invention, and for convenience of description, only parts related to the embodiment of the present invention are shown, which are detailed as follows:
In step S101, when a file sharing request sent by a file owner is received, a set of files to be shared is encrypted by using a symmetric encryption algorithm according to a preset content key set, so as to obtain a file ciphertext set.
Embodiments of the present invention are applicable to data processing platforms, devices, or servers, such as personal computing devices, servers, and the like. The embodiment of the invention mainly comprises four entities, namely a file owner, a file visitor, an attribute authorization center and a cloud server, wherein the file owner can encrypt a large number of files at one time and store encrypted ciphertext into the cloud server to realize multi-file sharing; a file accessor accesses a file stored in the cloud server according to the access authority of the file accessor; the attribute authorization center is responsible for defining a system attribute set besides key management, is completely trusted, and has the main functions of accepting user registration, key distribution, user authentication, managing an attribute domain and the like; the cloud server mainly functions to provide storage and file transmission services of the ciphertext.
In the embodiment of the invention, when a file sharing request sent by a file owner is received, the set of files to be shared is encrypted according to the content key set $ck = \{ck_1, \ldots, ck_k\}$ preset by the file owner, using a symmetric encryption algorithm (for example, Data Encryption Standard (DES), Advanced Encryption Standard (AES) and the like), to obtain a file ciphertext set
Figure BDA0001841775270000041
Wherein the file set to be shared comprises one or more files to be shared, the k-th content key $ck_k$ in the content key set $ck = \{ck_1, \ldots, ck_k\}$ is the secret key used when the symmetric encryption algorithm is applied to the k-th file to be shared in the file set to be shared, and
Figure BDA0001841775270000051
is the file ciphertext corresponding to the k-th file to be shared.
Before encrypting the set of files to be shared by using a symmetric encryption algorithm, preferably, the attribute authorization center is controlled to generate a public parameter (public key) PK and a master private key MSK through a system initialization function Setup(λ), so as to improve the trust of the public parameter and the master private key. Here λ is a preset security parameter.
When the attribute authorization center generates the public parameter (public key) PK and the master private key MSK through the system initialization function Setup(λ), the following steps are preferably implemented:
1) selecting bilinear groups $G_0$ and $G_T$ of prime order $p$ with a bilinear map $e: G_0 \times G_0 \to G_T$, and selecting a generator $g$ of the bilinear group $G_0$;
2) defining a hash function $H: \{0,1\}^* \to G_0$, and randomly selecting two elements $\alpha$ and $\beta$ in the field $Z_p = \{0, 1, \ldots, p-1\}$;
3) calculating the public parameter PK by the formula $PK = (G_0, p, g, e(g,g)^{\alpha}, h = g^{\beta})$ and the master private key MSK by the formula $MSK = (g^{\alpha}, \beta)$, PK being open to the outside as the public key and MSK being kept by the attribute authorization center as the master key.
Therefore, the public parameter PK and the master private key MSK are generated through the steps 1) to 3), and the trust degrees of the public parameter and the master private key are further improved.
In step S102, a content key set is encrypted using a preset encryption function according to a pre-generated public parameter and a pre-established LSSS access control policy, so as to obtain a key ciphertext set corresponding to the content key set.
In an embodiment of the present invention, the file owner inputs the public parameter PK, the content key set $ck = \{ck_1, \ldots, ck_k\}$ and the LSSS access control policy $(M, \rho)$ into the encryption function $CT = \mathrm{Encrypt}(PK, ck, (M, \rho))$, and the content key set is encrypted by the encryption function to obtain the key ciphertext set CT corresponding to the content key set. The key ciphertext set CT includes the LSSS access control policy $(M, \rho) = \{(M_1, \rho), (M_2, \rho), \ldots, (M_k, \rho)\}$, where M in the LSSS access control policy $(M, \rho)$ is an $l \times n$ matrix, $l$ is the number of ciphertext attributes, and in each sub-access policy $(M_i, \rho)$ ($i \in [1, k]$) the function $\rho$ maps each row of the matrix $M_i$ one-to-one to an attribute.
When encrypting the content key set using the encryption function CT ═ Encrypt (PK, ck, (M, ρ)), the encryption of the content key set is preferably achieved by:
1) selecting k random numbers $s_1, s_2, \ldots, s_k$ in the field $Z_p = \{0, 1, \ldots, p-1\}$ as the encryption exponent secret values, and calculating $C_i$ and $C_i'$ for all $i = 1, 2, \ldots, k$:
Figure BDA0001841775270000061
2) Selecting a set of random vector sets
Figure BDA0001841775270000062
Wherein,
Figure BDA0001841775270000063
Figure BDA0001841775270000064
each sub-access policy $(M_j, \rho)$ ($j \in [1, k]$) in the LSSS access control policy corresponds to the random vector
Figure BDA0001841775270000065
and $y_2, \ldots, y_n$ are used to share the encryption exponent secret value $s_i$ ($i \in [1, k]$);
3) Computing
Figure BDA0001841775270000066
and selecting $l$ random numbers $\lambda_{1,j}, \lambda_{2,j}, \ldots, \lambda_{l,j}$ in the field $Z_p = \{0, 1, \ldots, p-1\}$ as attribute masks, where $i \in [1, l]$, $j \in [1, k]$, $M_{i,j}$ is the i-th row of the j-th matrix $M_j$, and
Figure BDA0001841775270000069
is the j-th vector of the random vector set
Figure BDA00018417752700000610
;
4) for $i \in [1, l]$, calculating $C_{1,i}$ and $C_{2,i}$:
Figure BDA0001841775270000067
C2,i=λi,ji,j
5) According to the ciphertext formula
Figure BDA0001841775270000068
the key ciphertext set CT is calculated.
Therefore, the file ciphertext set is encrypted through the steps 1) to 5), a key ciphertext set corresponding to the file set to be shared is obtained, and the efficiency and the safety degree of encrypting the shared file are improved.
In step S103, the file ciphertext set and the key ciphertext set are uploaded to a cloud server, so as to implement cloud file sharing.
In the embodiment of the invention, the file owner uploads the file ciphertext set $E_{ck}(M)$ and the key ciphertext set CT corresponding to the file ciphertext set to the cloud server, so that a file visitor can access the corresponding file in the cloud server, and cloud file sharing is thereby achieved.
In the embodiment of the invention, when a file sharing request sent by a file owner is received, a symmetric encryption algorithm is used to encrypt the file set to be shared according to a content key set to obtain a file ciphertext set; the content key set is encrypted using an encryption function according to the public parameters and the LSSS access control policy to obtain the key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing. The LSSS access control policy of the invention therefore supports access tree structures of AND gates, OR gates and thresholds, realizes flexible fine-grained access control, reduces the storage overhead, communication overhead and decryption computation complexity of the ciphertext, and improves the encryption efficiency, decryption efficiency and security of the shared data.
Example two:
Fig. 2 shows an implementation flow of the cloud file sharing method provided in the second embodiment of the present invention, and for convenience of description, only the relevant portions in the second embodiment of the present invention are shown, which are detailed as follows:
In step S201, when a file sharing request sent by a file owner is received, the file owner is controlled to construct a corresponding file access tree for each file in a to-be-shared file set according to a preset system attribute set.
In the embodiment of the invention, when a file sharing request sent by a file owner is received, the file owner constructs a corresponding file access tree for each file in a file set to be shared one by one according to a system attribute set defined by an attribute authorization center, namely different files have different access strategies.
As an example, a file owner would like to encrypt the file set $M = \{m_1, m_2, m_3\}$ and upload it to the cloud server. First, according to the system attribute set $Y = \{E, H, I, M, N, O, P, Q, R, S, T\}$, a file access tree $T_1$ is constructed for file $m_1$, a file access tree $T_2$ for file $m_2$, and a file access tree $T_3$ for file $m_3$. FIG. 3 shows the file access trees $T_1$, $T_2$ and $T_3$: the attribute set of the access policy corresponding to $T_1$ is $Y_1 = \{E, H, I, M, N, O, P, Q, R, S, T\}$, that of $T_2$ is $Y_2 = \{H, M, N\}$, and that of $T_3$ is $Y_3 = \{M, N\}$.
In step S202, transmission node optimization is performed on each file access tree according to a preset transmission node optimization rule.
In the embodiment of the present invention, when transmission node optimization is performed on each file access tree according to a preset transmission node optimization rule, preferably, traversal is performed from a root node of each file access tree in a top-down manner, and when it is traversed that a transmission node in the file access tree is not a hierarchical node and all child nodes under the transmission node do not include a hierarchical node or the transmission node and its child nodes do not carry any hierarchical node information, a corresponding transmission node sub-tree is deleted to optimize the file access tree, thereby reducing child nodes (attributes), avoiding subsequent unnecessary encryption operation and data storage, improving encryption efficiency, and reducing data storage overhead.
As an example, fig. 4 shows a hierarchical access tree T defined by a data owner according to a system attribute set, where the hierarchical access tree T includes four level nodes (i.e. four access levels (x1, y1), (x2, y2), (x3, y3) and (x4, y4)), the system attribute set is S = {E, H, I, K, N, O, P, Q, R, S, T}, and the set of threshold nodes is T = {R, A, B, C, D, F, G, J, L, M}, of which the transmission nodes are {R, A, B, C, D, F, G}. However, none of the transmission nodes B, D, F carries level information; therefore, the transmission node subtrees corresponding to B, D, F are deleted, resulting in the optimized hierarchical access tree T' shown in fig. 4.
In step S203, all the optimized file access trees are converted into corresponding sub LSSS matrices according to a preset matrix conversion rule.
In the embodiment of the present invention, when all optimized file access trees are converted into corresponding sub LSSS matrices according to the preset matrix conversion rule, preferably, a global counter variable c is initialized to 1; after the file access tree has been traversed, c is the longest length of a vector. Then, the nodes of the file access tree are marked from top to bottom. When a parent node marked with a vector v is an "OR" gate, its child nodes are also marked with v (the variable c is unchanged). When a parent node marked with the vector v is an "AND" gate, one child node is marked with the vector v|1 allocated by the parent node (parent node | child node connection), and the other child node of the parent node is marked with the vector (0, ..., 0)|-1, wherein (0, ..., 0) indicates that the length of the vector is 0. Finally, once the marking of the whole tree is completed, the vectors marking the leaf nodes (namely the attributes) are converted into the rows of the LSSS matrix; if the lengths of the vectors differ, zeros are appended at the tail of the shorter vectors so that all vectors have the same length. In this way, unnecessary child nodes (attributes) are not subjected to encryption calculation and data storage through the sub LSSS matrix, which improves the efficiency of encrypting the shared file and reduces the storage overhead of the ciphertext.
By way of example, FIG. 5 illustrates the optimized file access trees $T_1'$, $T_2'$ and $T_3'$ being converted, according to the matrix conversion rule, into the corresponding sub LSSS matrices $M_1$, $M_2$ and $M_3$.
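The marking rule described above for AND and OR gates, as an added example (not code from the patent). It assumes the Lewko-Waters form of the rule, in which (0, ..., 0) is the zero vector of the current length c and c is incremented after each AND gate; it handles binary AND/OR gates only (no threshold gates), and the trees are constructed, since the trees of FIG. 5 are not reproduced on this page. All class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Leaf:
    attr: str                 # attribute name placed at a leaf node


@dataclass
class Gate:
    kind: str                 # "AND" or "OR"
    left: "Node"
    right: "Node"


Node = Union[Leaf, Gate]


def tree_to_lsss(root: Node) -> Tuple[List[List[int]], List[str]]:
    """Convert a binary AND/OR access tree into an LSSS pair (M, rho).

    M is a list of rows; rho[i] is the attribute that row i is mapped to.
    """
    c = 1                     # global counter: current vector length
    labelled = []             # (attribute, vector) for every leaf, in order

    def label(node: Node, v: List[int]) -> None:
        nonlocal c
        if isinstance(node, Leaf):
            labelled.append((node.attr, v))
        elif node.kind == "OR":
            # OR gate: both children inherit the parent's vector, c unchanged.
            label(node.left, v)
            label(node.right, v)
        elif node.kind == "AND":
            # AND gate: pad v to length c, then one child gets v|1 and the
            # other gets (0, ..., 0)|-1; this gate now owns a fresh column.
            padded = v + [0] * (c - len(v))
            left_v = padded + [1]
            right_v = [0] * c + [-1]
            c += 1
            label(node.left, left_v)
            label(node.right, right_v)
        else:
            raise ValueError(f"unsupported gate: {node.kind!r}")

    label(root, [1])          # the root is marked with the vector (1)
    # Leaf vectors become matrix rows; shorter ones are zero-padded at the tail.
    M = [vec + [0] * (c - len(vec)) for _, vec in labelled]
    rho = [attr for attr, _ in labelled]
    return M, rho


# Constructed policies over attributes of the page's system attribute set.
POLICY_A = Gate("AND", Leaf("H"), Gate("OR", Leaf("M"), Leaf("N")))
POLICY_B = Gate("AND", Leaf("E"),
                Gate("OR", Leaf("H"), Gate("AND", Leaf("M"), Leaf("N"))))
POLICY_C = Gate("OR", Gate("AND", Leaf("M"), Leaf("N")), Leaf("H"))

if __name__ == "__main__":
    for name, policy in (("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C)):
        M, rho = tree_to_lsss(policy)
        print(f"policy {name}:")
        for attr, row in zip(rho, M):
            print(f"  {attr}: {row}")
```

Each AND gate adds exactly one column, so the matrix width is one more than the number of AND gates, and every leaf removed from the tree before conversion removes one row.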
In step S204, an LSSS access control policy of the file set to be shared is constructed by using the sub access policies corresponding to all the sub LSSS matrices.
In the embodiment of the invention, according to the number of files in the file set to be shared $M = \{m_1, \ldots, m_k\}$, a corresponding number of sub LSSS matrices $M_1, M_2, \ldots, M_k$ is generated. Each sub-LSSS matrix $M_j$ ($j \in [1, k]$) corresponds to a sub-access policy $(M_j, \rho)$, and the LSSS access control policy of the file set to be shared is the set of sub-access policies, that is, $(M, \rho) = \{(M_1, \rho), (M_2, \rho), \ldots, (M_k, \rho)\}$. The sub-LSSS matrix $M_1$ comprises the attributes of all access policies, i.e. the following relationship exists between the attributes in the sub-LSSS matrices:
Figure BDA0001841775270000091
In step S205, according to a preset content key set, a symmetric encryption algorithm is used to encrypt a set of files to be shared, so as to obtain a set of file ciphertexts.
In step S206, the content key set is encrypted by using a preset encryption function according to the public parameter and the LSSS access control policy, so as to obtain a key ciphertext set corresponding to the content key set.
In step S207, the file ciphertext set and the key ciphertext set are uploaded to a cloud server, so as to implement cloud file sharing.
In the implementation of the present invention, the detailed implementation of step S205 to step S207 can refer to the description of step S101 to step S103 in the first embodiment, and will not be described herein again.
In step S208, when receiving a file access request sent by a file visitor, the file visitor is controlled to obtain a user private key of the file visitor from the attribute authorization center, where the user private key includes a user attribute set corresponding to the file visitor.
In the embodiment of the invention, when a file access request sent by a file visitor is received, the attribute authorization center takes the master private key MSK and the user attribute set corresponding to the file visitor as input according to the file access request, and generates the user private key of the file visitor through a key generation function KeyGen (MSK, S).
Before the file visitor sends the file access request, the file visitor preferably registers in the attribute authorization center, the attribute authorization center verifies the validity of the identity of the file visitor during registration, and after the verification is passed, a user attribute set is distributed to the file visitor, so that the security of cloud file access is improved.
When the user private key of the file visitor is generated through the key generation function KeyGen(MSK, S), preferably, after the validity verification of the file visitor's identity passes, the user private key of the file visitor is calculated by the formula
Figure BDA0001841775270000101
wherein $K_0 = g^{\alpha} h^{r}$, $K_1 = g^{r}$,
Figure BDA0001841775270000102
$r$ is a random element in the field $Z_p = \{0, 1, \ldots, p-1\}$, the user attribute set is $S = \{A_1, \ldots, A_x\}$, and $A_x$ is the x-th attribute in S, so that the access security of the cloud file is further improved.
In step S209, a preset decryption function is used to decrypt the key ciphertext set in the cloud server according to the public parameter and the user private key, so as to obtain an access content key set corresponding to the user attribute set.
In the embodiment of the invention, a file visitor inputs a public parameter PK, a user private key SK and a key ciphertext set CT into a decryption function Decrypt (PK, CT, SK), and decrypts the key ciphertext set CT in a cloud server through the decryption function to obtain an access content key set corresponding to a user attribute set.
In decrypting the key ciphertext set, preferably, the decryption of the key ciphertext set is achieved by:
1) Acquiring a file access policy that satisfies the user attribute set according to the LSSS access control policy.
In the embodiment of the present invention, when obtaining a file access policy that satisfies the user attribute set, it is preferably determined whether the user attribute set S satisfies the LSSS access control policy $(M, \rho) = \{(M_1, \rho), (M_2, \rho), \ldots, (M_k, \rho)\}$; if so, the satisfied sub-access policy $(M_j, \rho)$ ($j \in [1, k]$) is set as the file access policy; otherwise, the file visitor does not have the authority to access the shared file, namely, access to the shared file fails.
Firstly, a data user obtains a private key SK from the attribute authorization center. If the attribute set S of the user does not match the access policy $(M, \rho) = \{(M_1, \rho), \ldots, (M_k, \rho)\}$, the user does not have access rights, i.e. decryption fails; otherwise, the user has access rights and can decrypt to obtain the corresponding plaintext data. If the access policy $(M_1, \rho)$ is satisfied, all content keys ck can be obtained through decryption, and finally all files are obtained. By the design of the access policy, $(M_1, \rho)$ is defined as the maximum access right, i.e. it includes all the attributes of the whole access policy; by analogy, the user can obtain the plaintext data within the scope of his access right.
2) And decrypting the corresponding access content key set according to the file access policy.
In the embodiment of the invention, when the access policy is designed, the sub access policy $(M_1, \rho)$ is defined as the maximum access right, i.e. it includes all the attributes of the entire access policy. Therefore, when the file access policy is $(M_1, \rho)$, all content keys ck can be obtained by decryption, and finally all files are obtained; by analogy, the file visitor can decrypt the content keys within his access authority range to access the corresponding plaintext data.
Upon decryption of the corresponding access content key set according to the file access policy, the access content key set is preferably encrypted, preferably,
first, through $\sum_{i \in S} \omega_i \cdot M_{i,j} = (1, 0, \ldots, 0)$, the constants $\omega_i = c_i$ are calculated such that $\omega_i \in Z_p$, wherein $M_{i,j}$ is the i-th row of the matrix $M_j$; then, by the formula
Figure BDA0001841775270000111
the calculation is performed for the i-th user attribute $A_i$; and finally, by the formula
Figure BDA0001841775270000112
the corresponding access content keys are calculated, and these access content keys form the access content key set.
Through the steps, the adaptability and the credibility of the decrypted access content key can be improved.
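The access check of step 1) and the constants ω_i of step 2), as an added example (not part of the patent text). It shows only the linear secret-sharing layer, without the pairing operations: a user attribute set satisfies a sub-policy exactly when constants ω_i exist with Σ ω_i·M_i = (1, 0, ..., 0) over the rows whose attributes the user holds, and the same ω_i recombine the shares into the secret. The sub-policy matrices, the per-matrix attribute lists, the prime `P` and all function names are constructed for illustration.

```python
import secrets

# Stand-in for the prime group order p (assumption): the Mersenne prime 2^127 - 1.
P = 2**127 - 1

# Constructed sub-policies (M_j, rho_j) for three files, in LSSS matrix form:
#   m1: (E AND H) AND M      m2: H AND (M OR N)      m3: M OR N
POLICIES = {
    "m1": ([[1, 1, 1], [0, 0, -1], [0, -1, 0]], ["E", "H", "M"]),
    "m2": ([[1, 1], [0, -1], [0, -1]], ["H", "M", "N"]),
    "m3": ([[1], [1]], ["M", "N"]),
}


def share(M, s, p=P):
    """Shares lambda_i = M_i . v with v = (s, y_2, ..., y_n), y random in Z_p."""
    v = [s % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def solve_omega(M, rho, user_attrs, p=P):
    """Return {row index: omega_i} with sum(omega_i * M_i) = (1, 0, ..., 0) mod p,
    using only rows whose attribute the user holds, or None if not satisfied."""
    idx = [i for i, attr in enumerate(rho) if attr in user_attrs]
    n = len(M[0])
    # One equation per matrix column, one unknown per usable row, plus the RHS.
    aug = [[M[i][col] % p for i in idx] + [1 if col == 0 else 0]
           for col in range(n)]
    pivots, r = [], 0
    for col in range(len(idx)):           # Gauss-Jordan elimination over Z_p
        pr = next((k for k in range(r, n) if aug[k][col]), None)
        if pr is None:
            continue                      # free variable, left at 0
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):   # 0 = nonzero: target not in the span
        return None
    omega = {i: 0 for i in idx}
    for row_i, col in enumerate(pivots):
        omega[idx[col]] = aug[row_i][-1]
    return omega


def reconstruct(shares, omega, p=P):
    """Recombine the secret from the shares of the rows named in omega."""
    return sum(w * shares[i] for i, w in omega.items()) % p


def accessible_files(policies, user_attrs, p=P):
    """Names of the files whose sub-policy the attribute set satisfies."""
    return [name for name, (M, rho) in policies.items()
            if solve_omega(M, rho, user_attrs, p) is not None]


if __name__ == "__main__":
    for attrs in ({"E", "H", "M"}, {"H", "N"}, {"M"}, {"H"}):
        print(sorted(attrs), "->", accessible_files(POLICIES, attrs))
```

An unauthorised attribute set fails at the linear-algebra stage: no combination of its rows reaches (1, 0, ..., 0), so the secret exponent cannot be recombined from its shares.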
In step S210, according to the access content key set, the file ciphertext set in the cloud server is decrypted by using a symmetric decryption algorithm, so as to obtain an access file plaintext set corresponding to the access content key set.
In the embodiment of the invention, a symmetric decryption algorithm is adopted to decrypt the file ciphertext set $E_{ck}(M)$ in the cloud server according to the access content key set, to obtain the access file plaintext set corresponding to the access content key set. For example, if the access content key set decrypted according to the user attribute set is $ck = \{ck_i, ck_{i+1}, \ldots, ck_k\}$, decryption with the symmetric decryption algorithm according to this access content key set yields the access file plaintext set $M = \{m_i, m_{i+1}, \ldots, m_k\}$.
In the embodiment of the invention, during file sharing, irrelevant attributes in the file access tree of each file to be shared are removed, each file access tree is converted into a sub LSSS matrix, and the multiple sub LSSS matrices are used as the access structure in the ciphertext. During file access, a file access policy satisfied by the user attributes carried by the file visitor is obtained from the LSSS access control policy, the corresponding content keys are decrypted according to that file access policy, and the corresponding files are obtained through symmetric decryption.
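The policy-matching step and the coefficients $\omega_i$ used in key decryption rest on the standard LSSS property that an attribute set satisfies a sub-policy exactly when its rows span $(1, 0, \ldots, 0)$. The following Python code is an added example, not code from the patent: the sub LSSS matrices, the attribute names and the modulus are constructed, and the shares are recombined directly in $Z_p$ rather than in the exponent of a pairing group as an actual CP-ABE decryption would do.

```python
import secrets

P = 2**61 - 1  # constructed prime, stands in for the group order p

# Constructed sub-policies (M_j, rho): row i of M_j is labelled rho[i].
POLICIES = {
    # doctor AND cardiology AND senior (needs every attribute in this sample)
    "ck1": ([[1, 1, 1], [0, 0, -1], [0, -1, 0]],
            ["doctor", "cardiology", "senior"]),
    # doctor AND cardiology
    "ck2": ([[1, 1], [0, -1]], ["doctor", "cardiology"]),
    # cardiology OR senior
    "ck3": ([[1], [1]], ["cardiology", "senior"]),
}


def solve_omega(rows, p=P):
    """Return omega with sum_i omega[i]*rows[i] == (1,0,...,0) mod p, else None."""
    if not rows:
        return None
    k, n = len(rows), len(rows[0])
    # One equation per matrix column c: sum_i omega_i * rows[i][c] = target[c].
    aug = [[rows[i][c] % p for i in range(k)] + [int(c == 0)] for c in range(n)]
    pivots, r = [], 0
    for col in range(k):
        if r == n:
            break
        piv = next((x for x in range(r, n) if aug[x][col]), None)
        if piv is None:
            continue  # free variable, left at 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for x in range(n):
            if x != r and aug[x][col]:
                f = aug[x][col]
                aug[x] = [(a - f * b) % p for a, b in zip(aug[x], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):
        return None  # target not in the span: the attributes do not satisfy the policy
    omega = [0] * k
    for row_idx, col in enumerate(pivots):
        omega[col] = aug[row_idx][-1]
    return omega


def share(matrix, secret, p=P):
    """Owner side: lambda_i = M_i . v with v = (secret, r_2, ..., r_n)."""
    v = [secret % p] + [secrets.randbelow(p) for _ in matrix[0][1:]]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def accessible(policies, attrs, p=P):
    """Visitor side: map each satisfied sub-policy to (row indices, omega)."""
    out = {}
    for name, (matrix, rho) in policies.items():
        idx = [i for i, a in enumerate(rho) if a in attrs]
        omega = solve_omega([matrix[i] for i in idx], p)
        if omega is not None:
            out[name] = (idx, omega)
    return out


def reconstruct(shares, idx, omega, p=P):
    """Recombine the shares of the matched rows: sum_i omega_i * lambda_i mod p."""
    return sum(w * shares[i] for i, w in zip(idx, omega)) % p


if __name__ == "__main__":
    visitor = {"doctor", "cardiology"}  # constructed user attribute set
    for name, (idx, omega) in accessible(POLICIES, visitor).items():
        secret = secrets.randbelow(P)
        shares = share(POLICIES[name][0], secret)
        print(name, idx, omega, reconstruct(shares, idx, omega) == secret)
```

A visitor whose rows do not span the target vector gets no coefficients for that sub-policy, so the content key protected by it stays out of reach while the keys of the satisfied sub-policies can still be recovered.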
Example three:
Fig. 6 shows the structure of a cloud file sharing apparatus according to a third embodiment of the present invention. For convenience of description, only the parts related to this embodiment are shown, which include:
the first encryption unit 61 is configured to encrypt a to-be-shared file set by using a symmetric encryption algorithm according to a preset content key set when receiving a file sharing request sent by a file owner, so as to obtain a file ciphertext set;
the second encryption unit 62 is configured to encrypt the content key set by using a preset encryption function according to a pre-generated public parameter and a pre-established LSSS access control policy, so as to obtain a key ciphertext set corresponding to the content key set; and
the ciphertext uploading unit 63 is configured to upload the file ciphertext set and the key ciphertext set to the cloud server, so as to implement cloud file sharing.
In the embodiment of the present invention, each unit of the cloud file sharing apparatus may be implemented by a corresponding hardware or software unit, and each unit may be an independent software or hardware unit, or may be integrated into a software or hardware unit, which is not limited herein. Specifically, the implementation of each unit can refer to the description of the first embodiment, and is not repeated herein.
Example four:
Fig. 7 shows the structure of a cloud file sharing apparatus according to a fourth embodiment of the present invention. For convenience of description, only the parts related to this embodiment are shown, which include:
the access tree constructing unit 70 is used for controlling the file owner to construct a corresponding file access tree for each file in the file set to be shared according to a preset system attribute set when receiving a file sharing request sent by the file owner;
a node optimization unit 71, configured to perform transmission node optimization on each file access tree according to a preset transmission node optimization rule;
a matrix conversion unit 72, configured to convert all optimized file access trees into corresponding sub LSSS matrices according to a preset matrix conversion rule;
an access policy construction unit 73, configured to construct an LSSS access control policy of the file set to be shared according to the sub access policies corresponding to all the sub LSSS matrices;
the first encryption unit 74 is configured to encrypt the set of files to be shared by using a symmetric encryption algorithm according to a preset content key set, so as to obtain a file ciphertext set;
a second encryption unit 75, configured to encrypt the content key set by using a preset encryption function according to the public parameter and the LSSS access control policy, to obtain a key ciphertext set corresponding to the content key set;
a ciphertext uploading unit 76, configured to upload the file ciphertext set and the key ciphertext set to a cloud server, so as to implement cloud file sharing;
a user private key obtaining unit 77, configured to, when receiving a file access request sent by a file visitor, control the file visitor to obtain a user private key of the file visitor from an attribute authorization center, where the user private key includes a user attribute set corresponding to the file visitor;
the key ciphertext decryption unit 78 is configured to decrypt, according to the public parameter and the user private key, the key ciphertext set in the cloud server by using a preset decryption function, so as to obtain an access content key set corresponding to the user attribute set; and
the file ciphertext decryption unit 79 is configured to decrypt the file ciphertext set in the cloud server by using a symmetric decryption algorithm according to the access content key set, so as to obtain an access file plaintext set corresponding to the access content key set.
Preferably, the key ciphertext decryption unit 78 includes:
an access policy acquisition unit 781, configured to acquire a file access policy that satisfies the user attribute set according to the LSSS access control policy; and
a content key decryption unit 782, configured to decrypt a corresponding access content key set according to the file access policy.
In the embodiment of the present invention, each unit of the cloud file sharing apparatus may be implemented by a corresponding hardware or software unit, and each unit may be an independent software or hardware unit, or may be integrated into a software or hardware unit, which is not limited herein. Specifically, the implementation of each unit can refer to the description of the foregoing method embodiment, and is not repeated herein.
Example five:
Fig. 8 shows the structure of a computing device according to a fifth embodiment of the present invention. For convenience of description, only the parts related to this embodiment are shown.
The computing device 8 of an embodiment of the present invention comprises a processor 80, a memory 81, and a computer program 82 stored in the memory 81 and operable on the processor 80. The processor 80 executes the computer program 82 to implement the steps in the above-mentioned cloud file sharing method embodiment, such as steps S101 to S103 shown in fig. 1. Alternatively, the processor 80, when executing the computer program 82, implements the functions of the units in the above-described apparatus embodiments, such as the functions of the units 61 to 63 shown in fig. 6.
In the embodiment of the invention, when a file sharing request sent by a file owner is received, the file set to be shared is encrypted with a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; the content key set is encrypted with an encryption function according to the public parameters and the LSSS access control policy to obtain a key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing. The LSSS access control policy of the invention therefore satisfies access tree structures of AND gates, OR gates and thresholds, realizes flexible fine-grained access control, reduces the storage overhead, the communication overhead and the decryption computation complexity of the ciphertext, and improves the encryption efficiency, the decryption efficiency and the security degree of the shared data.
The computing device of the embodiment of the invention can be a personal computing device or a server. For the steps implemented when the processor 80 in the computing device 8 executes the computer program 82 to perform the cloud file sharing method, refer to the description of the foregoing method embodiments; they are not repeated here.
Example six:
In an embodiment of the present invention, a computer-readable storage medium is provided, which stores a computer program; when executed by a processor, the computer program implements the steps in the above cloud file sharing method embodiment, for example, steps S101 to S103 shown in Fig. 1. Alternatively, when executed by the processor, the computer program implements the functions of the units in the above-described apparatus embodiments, such as the functions of the units 61 to 63 shown in Fig. 6.
In the embodiment of the invention, when a file sharing request sent by a file owner is received, the file set to be shared is encrypted with a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set; the content key set is encrypted with an encryption function according to the public parameters and the LSSS access control policy to obtain a key ciphertext set corresponding to the content key set; and the file ciphertext set and the key ciphertext set are uploaded to a cloud server to realize cloud file sharing. The LSSS access control policy of the invention therefore satisfies access tree structures of AND gates, OR gates and thresholds, realizes flexible fine-grained access control, reduces the storage overhead, the communication overhead and the decryption computation complexity of the ciphertext, and improves the encryption efficiency, the decryption efficiency and the security degree of the shared data.
The computer-readable storage medium of the embodiments of the present invention may include any entity or device capable of carrying computer program code, or a recording medium such as a ROM/RAM, a magnetic disk, an optical disk, a flash memory, or the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (8)

1. A cloud file sharing method is characterized by comprising the following steps:
when a file sharing request sent by a file owner is received, encrypting a file set to be shared by using a symmetric encryption algorithm according to a preset content key set to obtain a file ciphertext set;
encrypting the content key set by using a preset encryption function according to a pre-generated public parameter and a pre-constructed LSSS access control strategy to obtain a key ciphertext set corresponding to the content key set, wherein the key ciphertext set comprises the LSSS access control strategy;
uploading the file ciphertext set and the key ciphertext set to a cloud server to realize cloud file sharing;
before the step of encrypting the set of files to be shared by a symmetric encryption algorithm, the method further comprises:
controlling the file owner to construct a corresponding file access tree for each file in the file set to be shared one by one according to a preset system attribute set;
carrying out transmission node optimization on each file access tree according to a preset transmission node optimization rule;
converting all the optimized file access trees into corresponding sub LSSS matrixes according to a preset matrix conversion rule;
constructing an LSSS access control strategy of the file set to be shared according to all sub-access strategies corresponding to the sub-LSSS matrixes;
wherein carrying out transmission node optimization on each file access tree according to the preset transmission node optimization rule specifically comprises:
traversing each file access tree top-down from its root node, and, when a traversed transmission node in the file access tree is not a level node and none of the child nodes under it contains a level node, or the transmission node and its child nodes carry no level node information, deleting the corresponding transmission node subtree to optimize the file access tree.
2. The method of claim 1, wherein after the step of uploading the set of file ciphertexts and the set of key ciphertexts to a cloud server, the method further comprises:
when a file access request sent by a file visitor is received, controlling the file visitor to obtain a user private key of the file visitor from an attribute authorization center, wherein the user private key comprises a user attribute set corresponding to the file visitor;
decrypting the key ciphertext set in the cloud server by using a preset decryption function according to the public parameter and the user private key to obtain an access content key set corresponding to the user attribute set;
and decrypting the file ciphertext set in the cloud server by using a symmetric decryption algorithm according to the access content key set to obtain an access file plaintext set corresponding to the access content key set.
3. The method of claim 2, wherein decrypting the set of key ciphertexts in the cloud server using a preset decryption function comprises:
acquiring a file access strategy meeting the user attribute set according to the LSSS access control strategy;
and decrypting the corresponding access content key set according to the file access policy.
4. A cloud file sharing apparatus, the apparatus comprising:
the first encryption unit is used for encrypting a to-be-shared file set by using a symmetric encryption algorithm according to a preset content key set when a file sharing request sent by a file owner is received, to obtain a file ciphertext set;
the second encryption unit is used for encrypting the content key set by using a preset encryption function according to a pre-generated public parameter and a pre-constructed LSSS access control strategy to obtain a key ciphertext set corresponding to the content key set, wherein the key ciphertext set comprises the LSSS access control strategy; and
the ciphertext uploading unit is used for uploading the file ciphertext set and the key ciphertext set to a cloud server so as to realize cloud file sharing;
the device further comprises:
the access tree construction unit is used for controlling the file owner to construct a corresponding file access tree for each file in the file set to be shared according to a preset system attribute set;
the node optimization unit is used for optimizing transmission nodes of each file access tree according to a preset transmission node optimization rule;
the matrix conversion unit is used for converting all the optimized file access trees into corresponding sub LSSS matrixes according to a preset matrix conversion rule; and
the access strategy construction unit is used for constructing the LSSS access control strategy of the file set to be shared through all the sub access strategies corresponding to the sub LSSS matrix;
and, when a traversed transmission node in the file access tree is not a level node and none of the child nodes under it contains a level node, or the transmission node and its child nodes carry no level node information, the corresponding transmission node subtree is deleted to optimize the file access tree.
5. The apparatus of claim 4, wherein the apparatus further comprises:
the user private key acquisition unit is used for controlling a file visitor to acquire a user private key of the file visitor from the attribute authorization center when receiving a file access request sent by the file visitor, wherein the user private key comprises a user attribute set corresponding to the file visitor;
the key ciphertext decryption unit is used for decrypting the key ciphertext set in the cloud server by using a preset decryption function according to the public parameter and the user private key to obtain an access content key set corresponding to the user attribute set; and
the file ciphertext decryption unit is used for decrypting the file ciphertext set in the cloud server by using a symmetric decryption algorithm according to the access content key set to obtain an access file plaintext set corresponding to the access content key set.
6. The apparatus of claim 5, wherein the key ciphertext decryption unit comprises:
an access policy obtaining unit, configured to obtain, according to the LSSS access control policy, a file access policy that satisfies the user attribute set; and
the content key decryption unit is used for decrypting the corresponding access content key set according to the file access policy.
7. A computing device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 3 when executing the computer program.
8. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 3.
CN201811251351.4A 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium Active CN109327448B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811251351.4A CN109327448B (en) 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium
PCT/CN2019/079646 WO2020082688A1 (en) 2018-10-25 2019-03-26 Cloud-end file sharing method and apparatus, and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811251351.4A CN109327448B (en) 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109327448A CN109327448A (en) 2019-02-12
CN109327448B true CN109327448B (en) 2020-10-09

Family

ID=65261812

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811251351.4A Active CN109327448B (en) 2018-10-25 2018-10-25 Cloud file sharing method, device, equipment and storage medium

Country Status (2)

Country Link
CN (1) CN109327448B (en)
WO (1) WO2020082688A1 (en)

Also Published As

Publication number Publication date
CN109327448A (en) 2019-02-12
WO2020082688A1 (en) 2020-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant