CN109525388B - Combined encryption method and system with separated keys - Google Patents
Combined encryption method and system with separated keys Download PDFInfo
- Publication number
- CN109525388B CN109525388B CN201710848067.4A CN201710848067A CN109525388B CN 109525388 B CN109525388 B CN 109525388B CN 201710848067 A CN201710848067 A CN 201710848067A CN 109525388 B CN109525388 B CN 109525388B
- Authority
- CN
- China
- Prior art keywords
- data
- key
- ciphertext
- user terminal
- plaintext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a combined encryption method and a system with separated keys, which relate to the technical field of data security and computer networks, and the method comprises the following steps: the user terminal divides the data into a first data part and a second data part, and encrypts the first data part by using a terminal key acquired from a key distribution center KDC to obtain a first data part ciphertext; and the user terminal sends the first part of the data cipher text and the second part of the data to a server side, so that the server side encrypts the second part of the data by using a server side secret key acquired from the KDC to obtain a second part of the data cipher text.
Description
Technical Field
The invention relates to the technical field of data security and computer networks, in particular to a combined encryption method and a combined encryption system with separated keys.
Background
With the rapid development of mobile internet and wireless network technologies, a large amount of digitized data is generated every day, people pay more and more attention to the privacy security of the data, and data encryption is one of the main means for protecting privacy. On one hand, in order to ensure data security, encryption algorithms and keys used for encryption are more and more complex, and especially when the computing capacity of equipment is limited, such as a mobile phone, a set-top box and the like, the time consumed for encryption and decryption is long, and the experience is affected; on the other hand, currently, encryption is generally performed by setting a key by a party, then encrypting a file, and then storing the encrypted data and the key on a server side or a set top box, but when the key is obtained by a hacker, sensitive information of a user will be leaked, and in addition, the requirement on the computing performance of an encryption party is high. Therefore, in order to protect privacy and improve encryption and decryption efficiency, a trend is to participate in key generation and data encryption and decryption by multiple parties.
With the development of mobile internet, mobile phones are more and more popular, and people can take pictures, shop and the like through the mobile phones. However, when people want to store live infusion or photos on a server (e.g., a network set-top box or a cloud server), in order to protect privacy, currently existing methods are divided into two categories, i.e., 1, encryption is performed on a mobile phone and then uploaded to the server for storage, and 2, data is transmitted to the server and encrypted for storage on the server. However, both of the above methods involve one party in the encryption and decryption of files, especially the first one has high requirements on the performance of the mobile phone, and when the key of the party is lost, the private information will be leaked, and the second one needs strong computing performance of the server side, but in the mobile internet environment, the computing performance of the user terminal and the server side (not limited to the set-top box) is not very high. Further, when a user wants to share encrypted data with other users, one method is to send a key to the other users, but the risk of leakage increases, and another method is to re-encrypt a document using a new key, but the storage space increases.
Disclosure of Invention
The technical problem solved by the scheme provided by the embodiment of the invention is that a server side with limited computing and storage capacity has data security and privacy disclosure risks and limited storage.
The combined encryption method for key separation provided by the embodiment of the invention comprises the following steps:
a user terminal divides data into a first data part and a second data part, and encrypts the first data part by using a terminal Key acquired from a Key Distribution Center (KDC) to obtain a first data part ciphertext;
and the user terminal sends the first part of the data cipher text and the second part of the data to a server side, so that the server side encrypts the second part of the data by using a server side secret key acquired from the KDC to obtain a second part of the data cipher text.
Preferably, before encrypting the first part of the data by using the terminal key obtained from the key distribution center KDC, the method further includes:
and the user terminal receives a terminal key returned by the KDC according to the registration request by sending the registration request containing the server-side information to the KDC.
Preferably, the dividing, by the user terminal, the data into a first data part and a second data part, and encrypting the first data part by using a terminal key obtained from the key distribution center KDC to obtain a first data part ciphertext includes:
The user terminal randomly divides the data to obtain a first data part, a second data part and data division information;
and the user terminal encrypts the first part of the data by using the terminal key to obtain a first part of data ciphertext.
Preferably, the method further comprises the following steps:
when the data is viewed, the first part of the data ciphertext and the second part of the data are decrypted by respectively using the terminal key and the server key, and the decrypted plaintext is spliced by using the data segmentation information, so that the data is recovered.
Preferably, when the user terminal views the data, decrypting a first part ciphertext and a second part ciphertext of the data by using the terminal key and the server key respectively, and splicing the decrypted plaintext by using the data splitting information, the recovering the data includes:
the user terminal receives a plaintext second part obtained by decrypting the data second part ciphertext by the server side through the server side secret key;
after receiving the second part of the plaintext, the user terminal decrypts the ciphertext of the first part of the data by using the terminal key to obtain a first part of the plaintext;
And the user terminal splices the obtained second part of the plaintext and the first part of the plaintext by using the data segmentation information to recover the data.
The combined encryption method for key separation provided by the embodiment of the invention comprises the following steps:
the server receives a first part of data ciphertext, a second part of data and data segmentation information sent by the user terminal, and encrypts the second part of the data in the ciphertext assembly by using a server key acquired from the KDC to obtain a second part of data ciphertext;
and the server side stores the received data first part ciphertext, the data segmentation information and the obtained data second part ciphertext.
According to the combined encryption system with separated keys provided by the embodiment of the invention, the combined encryption system comprises:
the system comprises a user terminal, a server and a key distribution center KDC, wherein the user terminal is used for dividing data into a first data part and a second data part, encrypting the first data part by using a terminal key acquired from the key distribution center KDC to obtain a first data part ciphertext, and then sending the first data part ciphertext and the second data part to the server;
and the server side is used for encrypting the second part of the data by using the server side key acquired from the KDC to obtain a second part of data ciphertext.
Preferably, the user terminal includes:
the data dividing unit is used for randomly dividing the data to obtain a first data part, a second data part and data dividing information;
and the encryption unit is used for encrypting the first part of the data by using a terminal key returned by sending a registration request containing the server-side information to the KDC by the user terminal to obtain a first part ciphertext of the data.
According to an embodiment of the present invention, there is provided a key-separated combined encryption device, including: a processor, and a memory coupled to the processor; the memory having stored thereon a key-separated, combined, encrypted program executable on the processor, the key-separated, combined, encrypted program when executed by the processor implementing a method comprising:
dividing the data into a first data part and a second data part, and encrypting the first data part by using a terminal key acquired from a key distribution center KDC to obtain a first data part ciphertext;
and sending the first part of the data cipher text and the second part of the data to a server side so that the server side encrypts the second part of the data by using a server side secret key acquired from the KDC to obtain a second part of the data cipher text.
According to an embodiment of the present invention, a computer storage medium is provided, in which a key-separated combined encryption program is stored, and the key-separated combined encryption program is implemented to include:
receiving a data first part ciphertext, a data second part and data segmentation information sent by a user terminal, and encrypting the data second part in the ciphertext assembly by using a server-side key acquired from the KDC to obtain a data second part ciphertext;
and storing the received data first part ciphertext, the data segmentation information and the obtained data second part ciphertext.
According to the scheme provided by the embodiment of the invention, when data are encrypted, the user terminal and the server participate in data encryption at the same time, so that the encryption and decryption efficiency can be effectively improved. By adding the access control strategy in the ciphertext component, a plurality of users are allowed to access the same encrypted data on the premise of not sharing a secret key, so that the storage capacity of the server can be reduced.
Drawings
Fig. 1 is a flowchart of a key separation combined encryption method provided in an embodiment of the present invention;
FIG. 2 is a schematic diagram of a key-separated combined encryption system according to an embodiment of the present invention;
FIG. 3 is a block diagram of an embodiment of the present invention;
FIG. 4 is a block diagram of a decryption process model for key separation according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method for key separation according to an embodiment of the present invention;
FIG. 6 is a flow chart of a data encryption method with key separation according to an embodiment of the present invention;
FIG. 7 is a flowchart of a method for generating a user key with key separation according to an embodiment of the present invention;
fig. 8 is a flowchart of a method for accessing data with separated keys according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, and it should be understood that the preferred embodiments described below are only for the purpose of illustrating and explaining the present invention, and are not to be construed as limiting the present invention.
Fig. 1 is a flowchart of a key-separated combined encryption method according to an embodiment of the present invention, as shown in fig. 1, including:
step S101: the user terminal divides the data into a first data part and a second data part, and encrypts the first data part by using a terminal key acquired from a key distribution center KDC to obtain a first data part ciphertext;
step S102: and the user terminal sends the first part of the data ciphertext and the second part of the data to a server side, so that the server side encrypts the second part of the data by using a server side secret key acquired from the KDC to obtain a second part of the data ciphertext.
Before encrypting the first part of the data by using the terminal key obtained from the key distribution center KDC, the method further includes: and the user terminal receives a terminal key returned by the KDC according to the registration request by sending the registration request containing the server-side information to the KDC.
The method comprises the following steps that the user terminal divides data into a first data part and a second data part, and encrypts the first data part by using a terminal key acquired from a key distribution center KDC to obtain a first data part ciphertext: the user terminal randomly divides the data to obtain a first part of the data, a second part of the data and data division information; and the user terminal encrypts the first part of the data by using the terminal secret key to obtain a first part of data ciphertext.
The embodiment of the invention also comprises the following steps: and when the data is checked, decrypting a first part of the data ciphertext and a second part of the data by respectively using the terminal key and the server-side key, and splicing the decrypted plaintext by using the data segmentation information to recover the data.
When the user terminal views the data, decrypting a first part of ciphertext and a second part of the data by respectively using the terminal key and the server key, and splicing the decrypted plaintext by using the data segmentation information to recover the data comprises: the user terminal receives a plaintext second part obtained by the server side decrypting the ciphertext of the data second part by using the server side secret key; after receiving the second part of the plaintext, the user terminal decrypts the ciphertext of the first part of the data by using the terminal key to obtain a first part of the plaintext; and the user terminal splices the obtained second part of the plaintext and the first part of the plaintext by using the data segmentation information to recover the data.
The combined encryption method for key separation provided by the embodiment of the invention comprises the following steps:
the server receives a first part of data ciphertext, a second part of data and data segmentation information sent by the user terminal, and encrypts the second part of the data in the ciphertext assembly by using a server key acquired from the KDC to obtain a second part of data ciphertext;
and the server side stores the received data first part ciphertext, the data segmentation information and the obtained data second part ciphertext.
Fig. 2 is a schematic diagram of a key-separated combined encryption system according to an embodiment of the present invention, as shown in fig. 2, including: the user terminal 201 is used for dividing the data into a first data part and a second data part, encrypting the first data part by using a terminal key acquired from a key distribution center KDC to obtain a first data part ciphertext, and then sending the first data part ciphertext and the second data part to the server side; and the server 202 is configured to encrypt the second part of the data by using the server key obtained from the KDC, so as to obtain a second part cipher text of the data.
Wherein, the user terminal 201 comprises: the segmentation unit is used for randomly segmenting the data to obtain a first data part, a second data part and data segmentation information; and the encryption unit is used for encrypting the first part of the data by the user terminal by using a terminal key returned by sending a registration request containing the server-side information to the KDC to obtain a first part ciphertext of the data.
According to an embodiment of the present invention, there is provided a key-separated combined encryption device, including: a processor, and a memory coupled to the processor; the memory having stored thereon a key-separated, combined, encrypted program executable on the processor, the key-separated, combined, encrypted program when executed by the processor implementing a method comprising:
dividing the data into a first data part and a second data part, and encrypting the first data part by using a terminal key acquired from a key distribution center KDC to obtain a first data part ciphertext;
and sending the first part of the data ciphertext and the second part of the data to a server side so that the server side encrypts the second part of the data by using a server side secret key acquired from the KDC to obtain a second part of the data ciphertext.
According to an embodiment of the present invention, there is provided a computer storage medium storing a key-separated combined encryption program, which when executed by a processor implements a method including:
receiving a first data part ciphertext, a second data part and data segmentation information sent by a user terminal, and encrypting the second data part in the ciphertext component by using a server-side key acquired from the KDC to obtain a second data part ciphertext;
And storing the received data first part ciphertext, the data segmentation information and the obtained data second part ciphertext.
Fig. 3 is an encryption flow model diagram of key separation according to an embodiment of the present invention, as shown in fig. 3, including: (1) a user terminal registers KDC and requests a secret key; (2) KDC distributes the key; (3) uploading a part of encrypted ciphertext components; (4) the server requests the key; (5) the KDC distributes the keys.
Fig. 4 is a model diagram of a decryption process of key separation according to an embodiment of the present invention, as shown in fig. 3, including: (1) the user terminal (ciphertext owner) requests ciphertext access; (2) the server returns a part of decrypted ciphertext components; (3) the terminal authorizes the user to request the key; (4) the KDC distributes a secret key; (5) the terminal authorizes the user (ciphertext visitor) to request ciphertext access; (6) the server sends a ciphertext access strategy; (7) the KDC returns the cipher text owner key to generate an intermediate value; (8) and the server returns plaintext data to the terminal authorized user.
The system proposed by the invention comprises components: the system comprises a user terminal, an authorization terminal, a server terminal and a KDC. The user terminal comprises an encryption and decryption module and an access strategy generation module; the authorization terminal is called when the user terminal does not participate in the encryption and access strategy generation process and only participates in the decryption process; the server side comprises an encryption and decryption module and an access strategy management module; the KDC includes a key management module and an access policy management module.
Fig. 5 is a flowchart of a method for key separation according to an embodiment of the present invention, as shown in fig. 5, including:
s1, initializing the system, generating a ciphertext access strategy by the user terminal, and sending the ciphertext access strategy and the application key to the KDC;
s2: the KDC firstly generates a user terminal key and sends the user terminal key to the KDC, then a ciphertext access strategy sent by the user terminal is used for generating a user key to generate an intermediate value, and the KDC only stores the user key to generate the intermediate value;
s3: the user terminal splits plaintext data, encrypts part of plaintext by using a key distributed by KDC to generate a ciphertext, and then sends data segmentation information, an access strategy, the ciphertext part and the plaintext part to the server side by the user, wherein the user needs to store the key;
s4: the server receives the ciphertext component sent by the user and then applies for a secret key to the KDC;
s5: KDC receives the key application requested by the server, then generates a key for the server and sends the key to the server;
s6: the server side receives the key distributed by the KDC, encrypts a plaintext part in the ciphertext component, stores the ciphertext component containing the data segmentation information, the ciphertext and the access strategy to the server side, and stores the key of the server side;
S7: when the user terminal sends a decryption request, the server firstly judges whether the user is a ciphertext owner, if so, the S8 is carried out, and if the access user is not the ciphertext owner, the S9-S11 is carried out;
s8: the server side decrypts the encrypted ciphertext part by using the key owned by the server side, then sends the ciphertext component to the user terminal, and then the user terminal decrypts the encrypted part by using the key owned by the user terminal and merges and recovers the data according to the data segmentation information;
s9: an authorized user firstly applies a secret key to a KDC, when the authorized user sends a decryption request, a server side firstly confirms whether the authorized user meets an access strategy of a ciphertext, if the authorized user does not meet the access strategy of the ciphertext, the access is refused, and if the authorized user meets the access strategy of the ciphertext, the authorized user sends the secret key to the server side;
s10: the server side receives the key of the authorized user, the key of the authorized user and the ciphertext access strategy are sent to the KDC, the KDC finds out the ciphertext owner key corresponding to the authorized user according to the ciphertext access strategy to generate an intermediate value, and then the intermediate value is sent to the server side;
s11: and the server side receives the intermediate value, generates a middleware decryption ciphertext by using the key owned by the server side, the authorized user key and the ciphertext owner key, merges and restores plaintext data according to the data segmentation information, and then sends the plaintext data to the authorized user.
Fig. 6 is a flowchart of a data encryption method based on key separation according to an embodiment of the present invention, as shown in fig. 6, during encryption, both a user terminal (not limited to a mobile phone) and a server side (not limited to a set-top box) with low performance participate in encryption, and a KDC performs key distribution. KDC sends a secret key to the user terminal and the server respectively, the user terminal divides data, then uses the secret key owned by the user terminal to encrypt, then sends the ciphertext and the plaintext to the server, the server uses the secret key owned by the server to encrypt the plaintext, then stores the plaintext, and the two parties are required to participate in decryption at the same time to decrypt correctly. Therefore, encryption and decryption are performed by two parties, so that not only is the efficiency improved, but also the system security weakness caused by the fact that the secret key is stored by one party is prevented, and the security is improved. In addition, when a user encrypts data, an access control strategy can be set for the data, the access control mechanism is managed by the server and the KDC, the user submits the set access control strategy when applying a key to the KDC, the key distribution module generates a corresponding key according to the access strategy to generate an intermediate value, when an authorized user needs to access an encrypted file, the server applies the corresponding key to the KDC according to the access strategy to generate the intermediate value and the key of the authorized user to decrypt a ciphertext, plaintext data are sent to the authorized user, and therefore the server can be guaranteed to store only one ciphertext.
The technical content of the embodiment of the present invention is described in detail below with reference to fig. 6 to 8: application scenarios: and (4) safely sharing photos (files) of the network set top box.
Key generation, as shown in fig. 7:
firstly, the system is initialized, and a user terminal (comprising a set-top box, a mobile phone and the like) registers to a key distribution center KDC and requests a key.
Encryption, as shown in fig. 6:
a user A is ready to upload photos to a set top box by using a mobile phone for encryption storage, the user obtains a key Ka from the KDC, a user (comprising the set top box) list registered on the set top box is obtained from a key distribution center, the user A formulates an access strategy of the photos according to the user list (the user in the access strategy can access the photos encrypted by the user A and is called an authorized user), and then the user A sends the access strategy to the KDC to generate a Ka generation intermediate value for each user in the access strategy, and the Ka generation intermediate value is stored by the KDC. Then the user randomly divides the picture file into 2 parts, namely PT1 and PT2, and keeps division information, encrypts a part of plaintext data PT1 by using Ka and an encryption algorithm (not limited to AES, DES and the like) to generate a ciphertext CT1, and then the user A sends a ciphertext component (comprising the ciphertext CT1, the plaintext PT2, the division and encryption information, the encryption algorithm, the access strategy and a user A mark) to the set top box. The set top box receives a ciphertext component sent by the user A, encrypts a plaintext PT2 according to the segmentation information to generate a ciphertext CT2, and finally the ciphertext component, which stores the picture of the user A, at the set top box end comprises a ciphertext CT1, a ciphertext CT2, segmentation and encryption information, an encryption algorithm, an access strategy and a user A mark.
Access data, as shown in fig. 8:
1. the user A checks the encrypted photo CT stored on the set-top box on the mobile phone of the user A:
the user A sends a photo access request to the set-top box, the set-top box firstly judges whether the identity mark of the user A is the same as the owner mark in the ciphertext, if so, the user A is proved, then the set-top box firstly decrypts the encrypted part according to the segmentation and encryption information, then the set-top box sends the partially decrypted ciphertext component to the user A, then the user A decrypts the remaining ciphertext according to the segmentation and encryption information and splices the two plaintext components, and finally the photo is recovered and displayed on a mobile phone client.
2. Viewing encrypted photos CT stored by user a on a set-top box
If the access policy in the ciphertext component includes the set-top box, the picture can be viewed as long as the corresponding key is input on the set-top box, and the process is as follows: the set-top box decrypts the encrypted ciphertext part firstly, then sends the key and the access strategy to the KDC, the KDC generates the key of the user A according to the access strategy and the key of the set-top box, then sends the key to the set-top box, the set-top box decrypts the residual ciphertext components by using the key of the user A, and finally obtains the picture uploaded by the user A and displays the picture on the set-top box.
3. User B views the encrypted photograph CT stored by user A on the set-top box
The user B sends a request to the set-top box to access the encrypted photo CT of the user A, the set-top box firstly judges whether the user B is in an access strategy in the CT, if not, the set-top box refuses the access of the user B, if the user B is in the access strategy, the user B sends a key to the set-top box, the set-top box simultaneously sends the key of the user B and the access strategy to the KDC, then the KDC generates the key of the user A according to an intermediate value and sends the key to the set-top box, the set-top box decrypts by using the key owned by the set-top box, the key of the user A and the segmentation and encryption information to obtain a plain text photo, and sends the plain text photo to the user B, and finally the user B can check the photo on a terminal.
In the case of decryption 2,3, the keys of the user a generated on the set-top box are all temporary and are not stored, when the authorized user wants to access the encrypted photo of the user a, the set-top box is selected to fully undertake the decryption task in order to ensure that the keys of the user a are not shared with the authorized user and better ensure the privacy of the user a, and in the case of decryption 1, the set-top box and the user a are selected to participate in decryption at the same time in order to improve the decryption efficiency and reduce the burden of both parties under the condition of ensuring the security.
According to the scheme provided by the embodiment of the invention, the user terminal and the server terminal are separated by the key to carry out encryption cooperatively, and a ciphertext component and an access strategy are used, so that access to different users can be realized under the condition that the ciphertext does not share the key, and the storage overhead of the set top box and the calculation burden of the two parties are reduced on the premise of ensuring the security.
Although the present invention has been described in detail, the present invention is not limited thereto, and those skilled in the art can make various modifications according to the principle of the present invention. Thus, modifications made in accordance with the principles of the present invention should be understood to fall within the scope of the invention.
Claims (8)
1. A key-separated combined encryption and decryption method comprises the following steps:
the user terminal randomly divides the data to obtain a first part of the data, a second part of the data and data division information, and encrypts the first part of the data by using a terminal key obtained from a key distribution center KDC to obtain a first part of data ciphertext;
the user terminal sends the first part of data cipher text, the second part of data and the data segmentation information to a server side, so that the server side encrypts the second part of data by using a server side key acquired from the KDC to obtain a second part of data cipher text;
When the user terminal needs to check the data, receiving a second part of a plaintext obtained by decrypting a second part of the ciphertext of the data by using the server key by the server;
after receiving the second part of the plaintext, the user terminal decrypts the ciphertext of the first part of the data by using the terminal secret key to obtain a first part of the plaintext; and also,
and splicing the obtained second part of the plaintext and the first part of the plaintext by using the data segmentation information to recover the data.
2. The method according to claim 1, further comprising, before encrypting the first part of the data with the terminal key obtained from the key distribution center KDC:
and the user terminal sends a registration request containing server side information to the KDC and receives a terminal key returned by the KDC according to the registration request.
3. The method of claim 2, wherein the user terminal splits the data into a first portion of data and a second portion of data, and the encrypting the first portion of data using a terminal key obtained from a key distribution center KDC to obtain a first portion of data ciphertext comprises:
the user terminal randomly divides the data to obtain a first data part, a second data part and data division information;
And the user terminal encrypts the first part of the data by using the terminal key to obtain a first part of data ciphertext.
4. A key-separated combined encryption and decryption method, comprising:
the server side receives a first part of data ciphertext, a second part of data and data segmentation information sent by the user terminal, and encrypts the second part of data by using a server side key acquired from the KDC to obtain a second part of data ciphertext;
the server side stores the received first part of data cipher text, the data segmentation information and the obtained second part of data cipher text;
when the server side receives the data checking request of the user terminal, the server side key is used for decrypting the second part of the data ciphertext, the decrypted second part of the data plaintext, the first part of the data ciphertext and the data segmentation information are sent to the user terminal, so that the user terminal can obtain the first part of the plaintext after decrypting the first part of the data ciphertext through the terminal key, and the decrypted second part of the plaintext and the decrypted first part of the plaintext are spliced through the data segmentation information to restore the data.
5. A key-separated combined encryption and decryption system comprising:
the user terminal is used for obtaining a first data part, a second data part and data segmentation information by randomly segmenting data, encrypting the first data part by utilizing a terminal key obtained from a key distribution center KDC to obtain a first data part ciphertext, then sending the first data part ciphertext, the second data part and the data segmentation information to a server end, receiving a second plaintext part obtained by the server end through decrypting the second data part ciphertext by utilizing the server end key when the user terminal needs to check the data, decrypting the first data part ciphertext by utilizing the terminal key after receiving the second plaintext part to obtain a first plaintext part, and splicing the obtained second plaintext part and the first plaintext part by utilizing the data segmentation information, recovering the data;
and the server side is used for encrypting the second part of the data by using the server side key acquired from the KDC to obtain a second part of data ciphertext, decrypting the second part of data ciphertext by using the server side key, and sending the decrypted second part of data plaintext to the user terminal.
6. The system of claim 5, the user terminal comprising:
the data dividing unit is used for randomly dividing the data to obtain a first data part, a second data part and data dividing information;
and the encryption unit is used for encrypting the first part of the data by using a terminal key returned by sending a registration request containing the server-side information to the KDC by the user terminal to obtain a first part ciphertext of the data.
7. A key-separated combination encryption and decryption apparatus, the apparatus comprising: a processor, and a memory coupled to the processor; the memory stores a key-separated combined encryption and decryption program which can run on the processor, and when executed by the processor, the key-separated combined encryption and decryption program realizes the key-separated combined encryption and decryption method according to any one of claims 1 to 3.
8. A computer storage medium storing a key-separated combined encryption and decryption program that realizes the key-separated combined encryption and decryption method according to any one of claims 1 to 3 when executed by a processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710848067.4A CN109525388B (en) | 2017-09-19 | 2017-09-19 | Combined encryption method and system with separated keys |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710848067.4A CN109525388B (en) | 2017-09-19 | 2017-09-19 | Combined encryption method and system with separated keys |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109525388A CN109525388A (en) | 2019-03-26 |
| CN109525388B true CN109525388B (en) | 2022-07-15 |
Family
ID=65769397
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710848067.4A Active CN109525388B (en) | 2017-09-19 | 2017-09-19 | Combined encryption method and system with separated keys |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109525388B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109977919B (en) * | 2019-04-10 | 2022-03-04 | 厦门一通灵信息科技有限公司 | Data processing method, medium, equipment and device based on face recognition |
| CN112187757A (en) * | 2020-09-21 | 2021-01-05 | 上海同态信息科技有限责任公司 | Multilink privacy data circulation system and method |
| CN112866288B (en) * | 2021-03-01 | 2022-09-06 | 上海海事大学 | Data symmetric encryption method for double-plaintext transmission |
| CN114285609B (en) * | 2021-12-10 | 2024-02-13 | 中国联合网络通信集团有限公司 | Encryption method, device, equipment and storage medium |
| CN116599768B (en) * | 2023-07-13 | 2023-09-26 | 北京奇立软件技术有限公司 | Data encryption method for private data |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101471942A (en) * | 2007-12-26 | 2009-07-01 | 冲电气工业株式会社 | Encryption device and medium, decryption device and method, data delivery device, data receiving device, and data delivery system |
| CN102611711A (en) * | 2012-04-09 | 2012-07-25 | 中山爱科数字科技股份有限公司 | Cloud data safe storing method |
| CN102664928A (en) * | 2012-04-01 | 2012-09-12 | 南京邮电大学 | Data secure access method used for cloud storage and user terminal system |
| EP2165284A4 (en) * | 2007-05-25 | 2012-12-19 | Splitstreem Oy | Method and apparatus for securing data in memory device |
| CN104182697A (en) * | 2014-08-15 | 2014-12-03 | 小米科技有限责任公司 | File encryption method and device |
| CN104901942A (en) * | 2015-03-10 | 2015-09-09 | 重庆邮电大学 | Distributed access control method for attribute-based encryption |
| CN106713508A (en) * | 2017-02-24 | 2017-05-24 | 重庆第二师范学院 | Data access method and system based on cloud server |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103685162A (en) * | 2012-09-05 | 2014-03-26 | ***通信集团公司 | File storing and sharing method |
| CN103595793B (en) * | 2013-11-13 | 2017-01-25 | 华中科技大学 | Cloud data safe deleting system and method without support of trusted third party |
-
2017
- 2017-09-19 CN CN201710848067.4A patent/CN109525388B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2165284A4 (en) * | 2007-05-25 | 2012-12-19 | Splitstreem Oy | Method and apparatus for securing data in memory device |
| CN101471942A (en) * | 2007-12-26 | 2009-07-01 | 冲电气工业株式会社 | Encryption device and medium, decryption device and method, data delivery device, data receiving device, and data delivery system |
| CN102664928A (en) * | 2012-04-01 | 2012-09-12 | 南京邮电大学 | Data secure access method used for cloud storage and user terminal system |
| CN102611711A (en) * | 2012-04-09 | 2012-07-25 | 中山爱科数字科技股份有限公司 | Cloud data safe storing method |
| CN104182697A (en) * | 2014-08-15 | 2014-12-03 | 小米科技有限责任公司 | File encryption method and device |
| CN104901942A (en) * | 2015-03-10 | 2015-09-09 | 重庆邮电大学 | Distributed access control method for attribute-based encryption |
| CN106713508A (en) * | 2017-02-24 | 2017-05-24 | 重庆第二师范学院 | Data access method and system based on cloud server |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109525388A (en) | 2019-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11146391B2 (en) | Orthogonal access control for groups via multi-hop transform encryption | |
| CN109525388B (en) | Combined encryption method and system with separated keys | |
| CN106664202B (en) | Method, system and computer readable medium for providing encryption on multiple devices | |
| US9703965B1 (en) | Secure containers for flexible credential protection in devices | |
| CN105245328B (en) | It is a kind of that management method is generated based on the key of third-party user and file | |
| CN108768951B (en) | Data encryption and retrieval method for protecting file privacy in cloud environment | |
| US20210119781A1 (en) | Systems and methods for re-using cold storage keys | |
| US9461821B1 (en) | System and method for key material protection on devices using a secret sharing scheme | |
| US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
| CN111448779A (en) | System, device and method for hybrid secret sharing | |
| CN103763319A (en) | Method for safely sharing mobile cloud storage light-level data | |
| CN103237040A (en) | Storage method, storage server and storage client | |
| CN104917759A (en) | Third-party-based safety file storage and sharing system and method | |
| US10887085B2 (en) | System and method for controlling usage of cryptographic keys | |
| CN107113314B (en) | Method and device for heterogeneous data storage management in cloud computing | |
| CN104065680A (en) | Information processing method and apparatus, information retrieval method and apparatus, user terminal and server | |
| US20220014367A1 (en) | Decentralized computing systems and methods for performing actions using stored private data | |
| CN103812927A (en) | Storage method | |
| CN110032874A (en) | A kind of date storage method, device and equipment | |
| CN111970114A (en) | File encryption method, system, server and storage medium | |
| CN116244750A (en) | Secret-related information maintenance method, device, equipment and storage medium | |
| CN113761594B (en) | Three-party authenticatable key negotiation and data sharing method based on identity | |
| KR20210058313A (en) | Data access control method and system using attribute-based password for secure and efficient data sharing in cloud environment | |
| CN114117406A (en) | Data processing method, device, equipment and storage medium | |
| KR102269753B1 (en) | Method for performing backup and recovery private key in consortium blockchain network, and device using them |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |