CN111885154B - Distributed data security sharing method and system based on certificate chain - Google Patents


Info

Publication number
CN111885154B
Authority
CN
China
Prior art keywords
user
certificate
data
key
authority
Prior art date
Legal status
Active
Application number
CN202010710360.6A
Other languages
Chinese (zh)
Other versions
CN111885154A (en)
Inventor
苏放
杨舒
段成睿
姚宇星
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date
Filing date
Publication date

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L67/00: Network arrangements or protocols for supporting network services or applications
                    • H04L67/01: Protocols
                        • H04L67/10: Protocols in which an application is distributed across nodes in the network
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
                    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L63/104: Grouping of entities
                • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed data security sharing method and system based on a certificate chain. Data are classified into security levels and users are divided into roles, with access rights bound to the roles, which realizes access control of users over the data; the division of user roles is performed at the child nodes on the basis of a certificate chain model; a digital certificate carries the user's role identity, the user applies to the cloud center node for the digital certificate, and the child node's certificate is used to sign the user certificate; to access data, the user applies to the cloud center node and uploads the user certificate, and the cloud center node verifies the user's access authority. By combining data classification with user role division, the invention realizes access control of users over data, and by authenticating user identity with digital certificates under the certificate chain model it solves the problems of user role management and network trust: role allocation becomes more accurate and flexible, the burden that role allocation places on the cloud center node is relieved, and the trust problem between the cloud center node and the user is effectively solved.

Description

Distributed data security sharing method and system based on certificate chain
Technical Field
The invention relates to a data sharing method and system, and in particular to a distributed data security sharing method and system based on a certificate chain. The invention belongs to the technical field of data security applications.
Background
In the current era of network interconnection and big data, data sharing and application have become an important mode of using data. Unlike a traditional system in which data are used locally, more and more distributed computing scenarios require multiple nodes to aggregate data and share its use. From the viewpoint of data security, the main challenges faced by such multi-node data collection and sharing applications are: ensuring, within the sharing application, that the source of each data item is clear, that responsibility is clearly assigned and that the data are put to good use, and guaranteeing that the data are shared and used lawfully.
At present, distributed data security sharing is commonly handled as follows: access control over users is realized by grading the data, that is, a user of a given level has the right to access only the data of the level corresponding to that user. The disadvantage is that, in a distributed system, if a user's rank is defined only according to the data security hierarchy, every user holding a given level of access rights can access all data of that level. In a real deployment, however, the users at the child nodes come from different sources and belong to different departments, and user roles are diverse, so the data of a given level should not be accessible to every user who holds that data level; the single mode of classifying user access rights by data grade alone obviously cannot meet practical requirements. In addition, most users are distributed across the child nodes, and there is also a trust problem between the cloud center node and the users.
Disclosure of Invention
In view of the foregoing, it is an object of the present invention to provide a distributed data secure sharing method and system based on certificate chain. The method not only solves the problems of data access control of the user and trust between the user and the cloud center node, but also solves the problems of allocation and management of user roles, the role allocation is more accurate and flexible, and the pressure of the cloud center node in allocating roles is relieved.
To this end, the invention adopts the following technical scheme. A distributed data security sharing method based on a certificate chain comprises the following steps:
S1: grading the distributed data, assigning user roles for accessing data of different levels, and binding access rights to the roles, so as to realize access control of users over the data;
S2: on the basis of a certificate chain model, dividing users into roles at each child node, the users acquiring access rights through the roles allocated to them;
S3: using a digital certificate to carry the user's role identity, the user applying to the cloud center node for the digital certificate, and the child node's certificate being used to sign the user's digital certificate;
S4: the user applying to the cloud center node for data access and uploading the user digital certificate, the cloud center node verifying the user's access rights, and the user accessing the relevant data after verification passes.
Further, in step S2, based on the certificate chain model, the specific method for role division of the user at each child node is as follows:
S2.1, the cloud center node informs each child node of the data authority it owns, and stores the data authority distributed to each child node in a database;
S2.2, the child nodes divide their role authorities, and the division results are stored in the cloud center node database;
if the service of a child node is complex, the child node can issue the authority to further divide roles to a subordinate node beneath it; after the authority has been issued to the subordinate node, it can be issued again according to actual requirements, forming a chain-type role division system;
S2.3, if the data authority needs to be updated, steps S2.1 and S2.2 are repeated.
Further, in step S3, the user role identity is given by using the digital certificate, the user applies for the digital certificate from the cloud center node, and the user digital certificate is signed by using the child node certificate, which includes:
S3.1, the user submits personal information to the child node;
S3.2, the child node checks the personal information submitted by the user and, after verification passes, assigns the user a role identity; the user's personal information and the assigned role identity are digitally signed and sent to the certificate authentication center (CA for short) of the cloud center node; otherwise, return to step S3.1;
S3.3, after receiving the information sent by the child node, the CA of the cloud center node verifies the data signature to ensure that the data has not been tampered with; after verification passes, the CA applies to the key management center (KMC for short) for a user key and issues a user digital certificate, which contains the user's personal information, the roles the user holds and the user public key, and is signed using the CA certificate; the user certificate and the user private key are signed and sent to the corresponding child node; otherwise, return to step S3.2;
S3.4, after receiving the user certificate and user private key returned by the cloud center node CA, the child node verifies the data signature; after verification passes, the child node certificate is used to sign the user certificate, and the user certificate and user private key are then sent to the corresponding user; otherwise, return to step S3.3.
Further, in step S4, the user applies for data access to the cloud center node, uploads the user certificate, and the cloud center node verifies the access authority of the user, and after the verification is passed, the user can access the relevant data, which includes the following specific processes:
S4.1, the user logs in to the system, entering a user name and password and uploading the certificate the user holds;
if the user does not yet hold a certificate, the user must first apply to the CA for one;
S4.2, after successful login, the user applies to the cloud center node for the data to be accessed;
S4.3, the CA of the cloud center node verifies the user's access rights;
first, the certificate verification module uses the CA signature on the user certificate to verify that the certificate was issued by the CA, which resolves the trust problem between the user and the cloud center node and establishes the legitimacy of the user; then, the authority verification module identifies the child node to which the user belongs from that child node's signature on the user certificate, looks up the role authority division of that child node in the role authority database, and verifies whether the user has the corresponding data access right;
if the user's authority verification fails, return to step S4.2; if it passes, step S4.4 is executed;
S4.5, the decryption module of the encryption/decryption center first decrypts the data the user is accessing, and the encryption module encrypts the data with the public key in the user certificate before sending it to the user, which ensures the security of both data storage and data transmission;
meanwhile, the user's access application is recorded by the user access information recording center so that user accesses can be traced.
The invention also discloses a distributed data security sharing system based on the certificate chain, which comprises:
the data grading encryption module: grading and encrypting the data, and endowing the data with user roles for accessing different levels of data;
a role division module: dividing roles of the users at each child node, binding the roles with the data access permissions, wherein one user can distribute a plurality of roles, one role can be distributed to a plurality of users, one role corresponds to a plurality of data access permissions, and one permission can be owned by a plurality of roles;
digital certificate generation/authentication module: and generating a user digital certificate, authenticating the user digital certificate, and verifying the user access authority.
Further, the digital certificate generation/authentication module comprises a certificate authentication center CA, a key management center KMC, an encryption/decryption center and a user authority verification center;
the certificate authority CA includes: the certificate signing module applies for a secret key to the KMC, receives a pair of secret keys transmitted from the KMC, puts a public key, user personal information and a user role into a user digital certificate, uses the public key of the CA to sign the certificate, and stores the certificate in a certificate directory server; meanwhile, the user digital certificate is transmitted to the applied child node in a data signature mode; the certificate logout module is used for removing the certificate to be logout from the directory server; the certificate updating module is used for canceling the certificate when the role of the user is changed and the certificate is required to be updated, and other updating processes are the same as the certificate issuing process; the signature verification module verifies the CA signature in the user certificate through the CA private key and judges whether the certificate is valid;
the key management center: key management for use in a certificate chain, comprising: the key generation module generates a key, and the generated key is unique and is stored in the key storage center; the key distribution module extracts the key of the key storage center and distributes the key to the CA, the key can not be used repeatedly, and the key is distributed in a data signature mode to ensure the safety of the key in the transmission process; the key storage module is used for storing the generated key, needs to be encrypted and stored in the key storage center, and only the KMC can be used for the encrypted key; the key revocation module deletes the key to be revoked in the key storage center; the key updating module is used for updating the key in the certificate, firstly, the old key needs to be revoked, and a new key is distributed for the certificate to use;
the encryption/decryption center: aiming at the grades of different data, a corresponding encryption algorithm is adopted for data encryption, so that the grading requirement and the storage safety of the data are ensured; decrypting data information which is stored at a cloud center node and has authority to be accessed by a user;
the user authority verification center: the method is used for authenticating whether the certificate of the user is valid or not and verifying the data access authority of the user, and comprises the following steps: the certificate verification module is used for checking whether the certificate uploaded by the user is signed by a CA (certificate Authority), searching the certificate in the certificate directory server and confirming whether the certificate is valid at present; and the authority verification module determines the child node from which the user comes through the signature of the child node on the certificate, then searches the role authority of the corresponding child node by the role authority database, and judges whether the role of the user can access the applied data.
Further, the distributed data security sharing system based on the certificate chain further comprises a user access information recording center, which records all access by users to the data and ensures the traceability of user access.
Based on a certificate chain model, the method combines data classification and user role classification to realize the access control of the user to the data; the role distribution management is carried out on each child node, so that the role distribution is more accurate and flexible, the role distribution pressure of the cloud center node is relieved, and the practicability is better; the digital certificate is used for endowing the user identity information, the safety of the role identity of the user is ensured, the identity is prevented from being falsely used, and the trust problem between the cloud center node and the user is solved through the authentication of the digital certificate.
Drawings
FIG. 1 is a flowchart of a distributed data security sharing method based on certificate chain according to the present invention;
FIG. 2 is a schematic diagram of the data hierarchy and user role division of the present invention;
FIG. 3 is a schematic diagram of a relationship between child nodes and cloud nodes according to the present invention;
FIG. 4 is a diagram illustrating a certificate system of a user role based on a certificate chain model according to the present invention;
FIG. 5 is a flowchart illustrating a process of a user applying for a certificate according to the present invention;
FIG. 6 is a flow chart of a user accessing data according to the present invention;
FIG. 7 is a diagram of the architecture of the data security sharing system of the present invention.
Detailed Description
The structure and features of the present invention will be described in detail below with reference to the accompanying drawings and examples. It should be noted that various modifications can be made to the embodiments disclosed herein, and therefore, the embodiments disclosed in the specification should not be construed as limiting the present invention, but merely as exemplifications of embodiments thereof, which are intended to make the features of the present invention obvious.
As shown in fig. 1, the distributed data security sharing method based on certificate chain disclosed by the present invention is:
S1: grading the distributed data, assigning user roles for accessing data of different levels, and binding access rights to the roles, so as to realize access control of users over the data;
S2: on the basis of a certificate chain model, dividing users into roles at each child node, the users acquiring access rights through the roles allocated to them;
S3: using a digital certificate to carry the user's role identity, the user needing to apply to the cloud center node for the digital certificate, and the child node's certificate being used to sign the user certificate;
S4: the user applying to the cloud center node for data access and uploading the user certificate, the cloud center node verifying the user's access rights, and the user accessing the relevant data after verification passes.
Further, as shown in fig. 2, according to the GB/T34080.2-2017 data security protection classification method, the present invention performs security classification on distributed data of cloud center nodes, and different levels of data are encrypted using different encryption algorithms, so as to ensure security of the data during storage.
In order to control the access of users to data, the invention provides the grouping access control based on roles on the basis of data classification, the access authority is bound with the roles, and the users acquire the access authority by distributing the roles.
A role is an operation set of a set of data permissions, and if a user is given a certain role identity, the user has the data access permission corresponding to the role. One role generally corresponds to a plurality of data access rights, and one data right can be owned by a plurality of roles; one user may be assigned multiple roles and one role may be assigned to multiple users. When the authority of the data changes, the role authority in the database is directly updated to meet the requirement, flexible division of user authority can be realized based on role access control, the operation is convenient and fast, and the problem of data sharing on demand caused by more users due to department dispersion in a distributed data security integration application system is efficiently solved.
As shown in FIG. 2, in the embodiment of the present invention the data security level is divided into 4 levels, where level 1 is the highest level of data, level 2 the second, level 3 the third, and level 4 public data. On the basis of the data level division, roles are divided according to the actual application requirements; roles are in essence divided by data permission. Once roles have been divided, a user who is given a certain role identity holds the data access rights corresponding to that role and can access the data information corresponding to that role.
The abstract representation of role division in FIG. 2 shows that the data access rights corresponding to different roles can be assigned according to actual requirements. For example, in a distributed Internet of Things terminal test platform, level-2 data is divided by role into a role D, the tester, and a role E, the security worker; the operation data permission set of the tester is {test1, test2} and that of the security worker is {test1, security1, security2}. If an employee is newly added and given the role of tester, the employee can access the two data items test1 and test2; if the employee is given both the tester and security worker roles, the employee can access test1, test2, security1 and security2. Role division is handled flexibly according to the requirements of the actual application scenario.
After the distributed data in the system has been divided into security levels and user roles for accessing data of different security levels have been assigned, the users of each child node are divided into roles. Role division is performed at the child nodes in order to reduce the load on the cloud center node, because the cloud center node does not know the specific business roles of a child node's users well and the roles within a child node change according to need; dividing roles there makes the division more accurate. As shown in FIG. 3, the specific division process is as follows:
S2.1, the cloud center node informs each child node of the data authority it owns, and stores the data authority distributed to each child node in a database;
S2.2, the child nodes divide their role authorities, and the division results are stored in the cloud center node database;
for the specific division of roles, no uniform standard exists, and the division is required according to the actual application scene requirements. When the role is divided, the child nodes endow the data information which can be accessed by the role, namely the data access authority corresponding to the role; the access rights for certain data between different roles may overlap, i.e. one data right may be owned by multiple roles.
If the service of the child node is complex, the child node can issue the authority for continuously dividing the role to a subordinate node under the child node; after the authority is issued to the subordinate node, the authority can still be issued according to the actual requirement, and a chain type role division system is formed.
S2.3, if the data authority needs to be updated, steps S2.1 and S2.2 are repeated.
According to the invention, each child node is used for dividing the role of the node independently and then is uniformly stored in the role authority database of the cloud center node. If the service of the child node is complex, in order to further relieve the pressure of dividing roles and improve the accuracy of role division, the child node can also issue the permission of continuously dividing roles to the node below the child node; after the authority is issued to the nodes, the authority can be issued according to actual requirements to form a chained role division system, the business pressure of the cloud center nodes is reduced by the division mode, the nodes can be better understood by the division mode, the nodes for dividing roles can be derived downwards according to the actual requirements, and the division accuracy, flexibility and practicability are guaranteed.
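The role division of steps S2.1 to S2.3, the chained delegation to subordinate nodes, and the permission lookup the cloud center performs in step S4.3, as an added worked example in Go (not code from the patent or its applicant). A child node may bind to a role only permissions that were delegated to it, it may delegate a subset of its own authority to a subordinate node, and the cloud center's role authority database answers whether a user's roles at a given node cover the requested data item. The tester and security-worker permission sets are the ones given in the description; the node names `lab` and `lab/iot`, the `intern` role and the rejected `auditor` role are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission names one data item a role may operate on, e.g. "test1".
type Permission string

// Node is one child node in the chain. Delegated is the data authority handed
// down by the cloud center or by the parent node (S2.1); Roles is the node's
// own role division (S2.2).
type Node struct {
	Name      string
	Delegated map[Permission]bool
	Roles     map[string]map[Permission]bool
}

func NewNode(name string, delegated ...Permission) *Node {
	n := &Node{Name: name, Delegated: map[Permission]bool{}, Roles: map[string]map[Permission]bool{}}
	for _, p := range delegated {
		n.Delegated[p] = true
	}
	return n
}

// covers rejects any permission outside the node's delegated authority.
func (n *Node) covers(perms []Permission) error {
	for _, p := range perms {
		if !n.Delegated[p] {
			return fmt.Errorf("node %q: permission %q is outside its delegated authority", n.Name, p)
		}
	}
	return nil
}

// DefineRole binds a permission set to a role; a role can never exceed the
// authority assigned to the node that defines it.
func (n *Node) DefineRole(role string, perms ...Permission) error {
	if err := n.covers(perms); err != nil {
		return err
	}
	set := map[Permission]bool{}
	for _, p := range perms {
		set[p] = true
	}
	n.Roles[role] = set
	return nil
}

// Delegate issues role-division authority to a subordinate node, forming the
// chained division system of S2.2; the subordinate receives a subset of this node's authority.
func (n *Node) Delegate(child string, perms ...Permission) (*Node, error) {
	if err := n.covers(perms); err != nil {
		return nil, err
	}
	return NewNode(child, perms...), nil
}

// RoleDB is the cloud center's role authority database (node -> role -> permissions),
// in which every node of the chain stores its division result.
type RoleDB map[string]map[string]map[Permission]bool

func (db RoleDB) Register(n *Node) { db[n.Name] = n.Roles }

// EffectivePermissions is the sorted union of the permissions of a user's roles at
// a node (one user may hold several roles); unknown nodes or roles add nothing.
func (db RoleDB) EffectivePermissions(node string, roles []string) []string {
	union := map[string]bool{}
	for _, r := range roles {
		for p := range db[node][r] {
			union[string(p)] = true
		}
	}
	out := make([]string, 0, len(union))
	for p := range union {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// Authorized is the S4.3 permission check: the node comes from the child-node
// signature on the certificate, the roles from the certificate body.
func (db RoleDB) Authorized(node string, roles []string, item Permission) bool {
	for _, r := range roles {
		if db[node][r][item] {
			return true
		}
	}
	return false
}

func main() {
	// The tester / security-worker sets are the description's example; "lab" and
	// the subordinate node "lab/iot" with its "intern" role are constructed.
	lab := NewNode("lab", "test1", "test2", "security1", "security2")
	_ = lab.DefineRole("tester", "test1", "test2")
	_ = lab.DefineRole("security", "test1", "security1", "security2")
	iot, _ := lab.Delegate("lab/iot", "test1", "test2")
	_ = iot.DefineRole("intern", "test1")
	db := RoleDB{}
	db.Register(lab)
	db.Register(iot)
	fmt.Println(db.EffectivePermissions("lab", []string{"tester", "security"}))
	fmt.Println(db.Authorized("lab/iot", []string{"intern"}, "security1"))
	fmt.Println(iot.DefineRole("auditor", "security1")) // rejected: outside delegated authority
}
```

The subset check in `covers` is the property the chained division needs: however many levels of delegation there are, no role defined anywhere in the chain can reach data the cloud center never granted to that branch, so an error at a subordinate node cannot widen access beyond what the cloud center recorded in S2.1.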
In order to ensure the safe sharing and application of data, not only the data needs to be subjected to security level division and user access authority control, but also the user identity needs to be confirmed. As shown in fig. 4, the invention uses the child node certificate signature for the user certificate, and uses the child node data signature to mark the node to which the user belongs, so that the cloud center node can conveniently search the authority corresponding to the child node user in the role authority database, and a user role certificate system based on a certificate chain model is formed.
As shown in fig. 5 and 6, the specific steps are as follows:
S3.1, the user submits personal information to the child node;
S3.2, the child node checks the personal information submitted by the user and, after verification passes, assigns the user a role identity; the user's personal information and the assigned role identity are digitally signed and sent to the certificate authentication center (CA for short) of the cloud center node; otherwise, return to step S3.1;
S3.3, after receiving the information sent by the child node, the CA of the cloud center node verifies the data signature to ensure that the data has not been tampered with; after verification passes, the CA applies to the key management center (KMC for short) for a user key and issues a user digital certificate, which contains the user's personal information, the roles the user holds and the user public key, and is signed using the CA certificate; the user certificate and the user private key are signed and sent to the corresponding child node; otherwise, return to step S3.2;
S3.4, after receiving the user certificate and user private key returned by the CA of the cloud center node, the child node verifies the data signature; after verification passes, the child node certificate is used to sign the user certificate, and the user certificate and user private key are then sent to the corresponding user; otherwise, return to step S3.3.
The issuance of a child node's certificate follows a flow similar to that of the user certificate. After the CA signs the user certificate it is sent to the child node, and after the child node signs it the certificate is sent to the user; if any link in the flow of FIG. 5 fails, the user certificate application fails.
The invention uses the child node certificate to sign, and has the advantages that: 1. the authority responsibility involved in the issuance of the user certificate is smaller, when personal information and role distribution of the user are in trouble or the user performs wrong operation on data, the child node certificate signature can enable related responsible persons to be more definite, the corresponding management responsible persons can be quickly traced, and the authority responsibility can be conveniently traced; 2. when a user accesses data, the signature of the child node is used for searching the corresponding authority of the cloud center node in the user role authority database.
When a user accesses the distributed data, the user needs to apply for data access to the cloud center node and upload a user certificate, the cloud center node verifies the access authority of the user, and after the verification is passed, the user side can access the related data. As shown in fig. 6, the specific process is as follows:
s4.1, the user logs in the system, and the user needs to input a user name and a password and upload a certificate owned by the user.
If the user does not have a certificate, the user first needs to apply for the certificate to the CA.
And S4.2, after the user logs in successfully, applying for the data needing to be accessed from the cloud center node.
S4.3, verifying the access authority of the user by a user authority verification center CA;
First, the certificate verification module uses the CA signature on the user certificate to verify that the certificate was issued by the CA, which resolves the trust problem between the user and the cloud center node and establishes the legitimacy of the user; then, the authority verification module identifies the child node to which the user belongs from that child node's signature on the user certificate, looks up the role authority division of that child node in the role authority database, and verifies whether the user has the corresponding data access right.
If the user's authority verification fails, return to step S4.2; if it passes, step S4.4 is performed.
S4.5, the decryption module of the encryption/decryption center first decrypts the data the user is accessing, and the encryption module encrypts the data with the public key in the user certificate before sending it to the user, which ensures the security of both data storage and data transmission.
Meanwhile, the user's access application is recorded by the user access information recording center so that user accesses can be traced.
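The certificate chain of steps S3.3 and S3.4 and its verification in step S4.3, as an added example in Go (not code from the patent or its applicant). It assumes locally generated Ed25519 key pairs in place of the keys the KMC would supply, and a JSON encoding of the certificate body; as in standard signature practice, the CA signs the body with its private key and the cloud center verifies with the CA public key. The child node counter-signs the body, the CA signature and its own node name together, so the cloud center can check the CA signature first and then read the node name off the counter-signature to know which child node's role table to consult. The names `ca`, `lab` and `alice` are constructed; the data-signature steps on the application messages of S3.2 and S3.3 use the same primitive and are not repeated here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// UserCert is what the CA signs in S3.3: personal information, the roles the
// child node assigned, and the user's public key.
type UserCert struct {
	Name   string   `json:"name"`
	Roles  []string `json:"roles"`
	PubKey []byte   `json:"pub"`
}

// ChainedCert is what the user finally receives in S3.4: the CA signature over
// the body plus the child node's counter-signature, which marks the node the
// user belongs to.
type ChainedCert struct {
	Body    UserCert
	CASig   []byte
	Node    string
	NodeSig []byte
}

// Signer is a CA or child node with an Ed25519 key pair: the private key signs,
// the public key verifies.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{Name: name, Pub: pub, priv: priv}
}

func bodyBytes(c UserCert) []byte {
	b, _ := json.Marshal(c) // deterministic for these field types
	return b
}

// nodeSignedBytes binds body, CA signature and node name under one signature,
// so none of them can be swapped without invalidating NodeSig.
func nodeSignedBytes(c ChainedCert) []byte {
	return bytes.Join([][]byte{bodyBytes(c.Body), c.CASig, []byte(c.Node)}, []byte{0})
}

// IssueUserCert is the CA step (S3.3); userPub stands in for the key the KMC supplies.
func (ca *Signer) IssueUserCert(name string, roles []string, userPub ed25519.PublicKey) ChainedCert {
	body := UserCert{Name: name, Roles: roles, PubKey: userPub}
	return ChainedCert{Body: body, CASig: ed25519.Sign(ca.priv, bodyBytes(body))}
}

// Countersign is the child-node step (S3.4): check the CA signature, then sign.
func (node *Signer) Countersign(c ChainedCert, caPub ed25519.PublicKey) (ChainedCert, error) {
	if !ed25519.Verify(caPub, bodyBytes(c.Body), c.CASig) {
		return ChainedCert{}, errors.New("child node: CA signature invalid (back to S3.3)")
	}
	c.Node = node.Name
	c.NodeSig = ed25519.Sign(node.priv, nodeSignedBytes(c))
	return c, nil
}

// VerifyChain is the certificate check of S4.3 at the cloud center: the CA
// signature establishes that the user is legitimate, the child-node signature
// tells which node's role table applies. It returns that node and the roles.
func VerifyChain(c ChainedCert, caPub ed25519.PublicKey, nodes map[string]ed25519.PublicKey) (string, []string, error) {
	if !ed25519.Verify(caPub, bodyBytes(c.Body), c.CASig) {
		return "", nil, errors.New("CA signature invalid: not issued by the CA")
	}
	nodePub, ok := nodes[c.Node]
	if !ok {
		return "", nil, fmt.Errorf("unknown child node %q", c.Node)
	}
	if !ed25519.Verify(nodePub, nodeSignedBytes(c), c.NodeSig) {
		return "", nil, errors.New("child node signature invalid")
	}
	return c.Node, c.Body.Roles, nil
}

func main() {
	ca, lab := NewSigner("ca"), NewSigner("lab") // constructed names
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := lab.Countersign(ca.IssueUserCert("alice", []string{"tester"}, userPub), ca.Pub)
	if err != nil {
		panic(err)
	}
	node, roles, err := VerifyChain(cert, ca.Pub, map[string]ed25519.PublicKey{"lab": lab.Pub})
	fmt.Println(node, roles, err)
}
```

The node and roles returned by `VerifyChain` are exactly the two inputs the role authority database needs for the permission lookup that follows in S4.3; because the roles sit inside the CA-signed body, a child node cannot widen a user's roles after issuance, and because the node name sits inside the counter-signed bytes, a certificate cannot be relabelled to borrow another node's role table.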
FIG. 7 is an architecture diagram of the data security sharing system designed in the present invention. As shown in FIG. 7, the system is divided by function as follows:
(1) certificate authority CA: the absolutely trusted authority is the basis of the certificate chain.
Certificate issuing: the CA first applies for a key from the key management center KMC, receives a key pair transmitted from the KMC, puts the public key, the user's personal information and the user role into a certificate, uses the public key of the CA to sign the certificate, and stores the certificate in a certificate directory server. Meanwhile, the certificate is transmitted to the applying child node in a data signature mode.
Certificate revocation: the certificate that needs to be revoked is removed from the directory server.
And (3) certificate updating: when the role of the user is changed, the certificate is required to be updated, the certificate is firstly cancelled, and other updating processes are the same as the certificate issuing process.
Signature verification: and verifying the CA signature in the user certificate through the CA private key, and judging whether the certificate is valid.
(2) Key management center KMC: for key management in certificate chains.
And (3) key generation: the key is generated by three algorithms of RSA, SM2 and SMAE, and the generated key has uniqueness and is stored in a key storage center.
Key distribution: the key of the key storage center is extracted and distributed to the CA, the key can not be used repeatedly, and the security of the key in the transmission process is ensured by using a data signature mode during key distribution.
And (3) key storage: the generated key is stored in a key storage center in an encrypted manner, and only the KMC is available for the encrypted key. The key store has two uses: when the private key of the user is lost, the user can apply for obtaining again; the key can be generated and stored in idle time, and the concurrent pressure of the system due to certificate application is relieved.
And (3) key revocation: the keys in the key storage center that need to be revoked are deleted.
And (3) key updating: for updating the keys in the certificate, the old keys need to be revoked first, and the new keys are distributed for use by the certificate.
(3) Encryption/decryption center: data stored in the consolidated data storage cloud platform is encrypted/decrypted.
The decryption module is used for decrypting the data information which the user has the authority to access, and only the user having the authority to access can decrypt the corresponding data.
The encryption module has two purposes, one is to adopt the corresponding encryption algorithm to encrypt the data aiming at the grades of different data, so as to ensure the grading requirement and the storage safety of the data; the other method is to encrypt the data by using a public key in a certificate of an access user, and when the encrypted data is transmitted to the user, the data can be decrypted only by a private key corresponding to the user, so that the data is ensured not to be stolen in the transmission process.
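The two purposes of the encryption module, together with the decryption module it is paired with in step S4.4, as an added example that is not part of the patent or of any implementation by its authors. It is written in Go against the standard library and assumes what the page leaves open: one AES-256-GCM key per data grade as the storage encryption for that grade, and RSA-OAEP wrapping of a fresh per-delivery AES key as the transmission encryption under the public key from the user's certificate. `CryptoCenter`, `StoredRecord`, `Envelope`, `Store`, `Release`, `OpenAsUser`, `NewUserKey` and the record name used below are all constructed for this example. The record ID is bound as associated data so that a stored ciphertext cannot be served under another record's name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// StoredRecord is data as the platform stores it: sealed under its grade's key,
// with the record ID bound as associated data.
type StoredRecord struct {
	ID        string
	Level     int
	Nonce, Ct []byte
}

// Envelope is data as sent to the user: a fresh AES key wrapped under the
// certificate's public key (RSA-OAEP) and the data under that key (AES-GCM).
type Envelope struct{ WrappedKey, Nonce, Ct []byte }

// CryptoCenter keeps one at-rest key per data grade (an assumption of this example).
type CryptoCenter struct{ LevelKeys map[int][]byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed system CSPRNG is not a recoverable state
	}
	return b
}

// NewUserKey stands in for the pair the KMC issues alongside the user certificate.
func NewUserKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects the nil key of an unknown grade
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = randBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func openGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Store is the encryption module's first purpose: encrypt for storage by grade.
func (c *CryptoCenter) Store(id string, level int, plaintext []byte) (StoredRecord, error) {
	nonce, ct, err := sealGCM(c.LevelKeys[level], plaintext, []byte(id))
	return StoredRecord{id, level, nonce, ct}, err
}

// Release is S4.4: the decryption module recovers the stored plaintext, then the
// encryption module seals it for the requester under the certificate's public key.
func (c *CryptoCenter) Release(rec StoredRecord, userPub *rsa.PublicKey) (Envelope, error) {
	pt, err := openGCM(c.LevelKeys[rec.Level], rec.Nonce, rec.Ct, []byte(rec.ID))
	if err != nil {
		return Envelope{}, fmt.Errorf("stored record %q failed authentication: %w", rec.ID, err)
	}
	sessKey := randBytes(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, sessKey, []byte(rec.ID))
	if err != nil {
		return Envelope{}, err
	}
	nonce, ct, err := sealGCM(sessKey, pt, []byte(rec.ID))
	return Envelope{wrapped, nonce, ct}, err
}

// OpenAsUser is the user's side: unwrap with the certificate's private key, then decrypt.
func OpenAsUser(priv *rsa.PrivateKey, id string, env Envelope) ([]byte, error) {
	sessKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return openGCM(sessKey, env.Nonce, env.Ct, []byte(id))
}
```

Driving it: `center := &CryptoCenter{LevelKeys: map[int][]byte{2: randBytes(32)}}`, `rec, _ := center.Store("sales-q3", 2, data)`, `env, _ := center.Release(rec, &alice.PublicKey)`, and on the user's side `OpenAsUser(alice, "sales-q3", env)`. Opening the envelope with any other private key fails at the OAEP unwrap, and a record whose ID or grade was altered fails authentication inside `Release` before anything is sent, which is the property the description claims for storage and transmission respectively.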
(4) User authority verification center: identifies whether the user's certificate is valid and verifies the user's data access authority.
Certificate verification module: first checks whether the certificate uploaded by the user is signed by the CA, then looks the certificate up in the certificate directory server and confirms whether it is currently valid.
Authority verification module: determines the child node the user comes from through that child node's signature on the certificate, then looks up the role authority of the corresponding child node in the role authority database and judges whether the user's role may access the requested data.
(5) User access information recording center: records the user's access information and ensures the traceability of user access.
All of the user's access to data is recorded, so that the user's operations can be traced and the user cannot repudiate the operations performed on the data.
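The verification flow of steps S4.3 to S4.4 and of centers (4) and (5) above, as an added example that is not part of the patent or of any implementation by its authors. It is written in Go against the standard library with Ed25519 signatures (the page does not name a signature algorithm); each party signs with its private key and is verified with its public key, the usual split for public-key signatures. It assumes a serial number in the certificate so the directory server can index it, and a `ChildID` field so the verifier knows which registered child-node key to check. The role authority database is modelled as the highest data grade each role of each child node may read. `UserCert`, `SignedCert`, `VerificationCenter`, `Authorize`, `Issue`, `BuildDemo`, the node name dept-A, the user alice and the serial 0001 are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// UserCert holds what the description places in a user certificate: personal
// information, granted role(s) and public key. Serial (assumption) indexes the directory.
type UserCert struct {
	Serial, User string
	Roles        []string
	PubKey       []byte
}

// SignedCert: CA signature over the body (S3.3) plus the child node's signature over
// the CA-signed certificate (S3.4). ChildID (assumption) selects the child node's key.
type SignedCert struct {
	Body, CASig, ChildSig []byte
	ChildID               string
}

// AccessRecord is one entry of the user access information recording center.
type AccessRecord struct {
	When                 time.Time
	User, DataID, Reason string
	Allowed              bool
}

// VerificationCenter: certificate verification, authority verification and access recording.
type VerificationCenter struct {
	CAPub     ed25519.PublicKey
	Directory map[string]bool              // certificate directory server: serial -> currently valid
	ChildKeys map[string]ed25519.PublicKey // registered child-node signing keys
	RolePerms map[string]map[string]int    // child node -> role -> highest data grade it may read
	Log       []AccessRecord
}

// childSignedMessage is what the child node signs: the CA-signed certificate.
func childSignedMessage(sc SignedCert) []byte {
	return append(append([]byte{}, sc.Body...), sc.CASig...)
}

// Authorize performs S4.3 (CA signature, directory status, child-node signature, role lookup) and logs the decision.
func (vc *VerificationCenter) Authorize(sc SignedCert, dataID string, dataLevel int) (bool, error) {
	user := "<unverified>"
	decide := func(allowed bool, reason string) (bool, error) {
		vc.Log = append(vc.Log, AccessRecord{time.Now(), user, dataID, reason, allowed})
		if allowed {
			return true, nil
		}
		return false, errors.New(reason)
	}
	if !ed25519.Verify(vc.CAPub, sc.Body, sc.CASig) {
		return decide(false, "CA signature invalid")
	}
	var cert UserCert
	if err := json.Unmarshal(sc.Body, &cert); err != nil {
		return decide(false, "certificate body unreadable")
	}
	user = cert.User
	if !vc.Directory[cert.Serial] {
		return decide(false, "certificate not in directory (revoked or unknown)")
	}
	childPub, ok := vc.ChildKeys[sc.ChildID]
	if !ok || !ed25519.Verify(childPub, childSignedMessage(sc), sc.ChildSig) {
		return decide(false, "child-node signature invalid")
	}
	for _, role := range cert.Roles { // an unknown role maps to 0, below every real grade
		if dataLevel >= 1 && dataLevel <= vc.RolePerms[sc.ChildID][role] {
			return decide(true, "role "+role+" at "+sc.ChildID)
		}
	}
	return decide(false, "no role grants the requested data grade")
}

// Issue performs the CA step (S3.3) and the child-node step (S3.4).
func Issue(caPriv, childPriv ed25519.PrivateKey, childID string, cert UserCert) SignedCert {
	body, _ := json.Marshal(cert) // cannot fail for these field types
	sc := SignedCert{Body: body, CASig: ed25519.Sign(caPriv, body), ChildID: childID}
	sc.ChildSig = ed25519.Sign(childPriv, childSignedMessage(sc))
	return sc
}

// BuildDemo: one CA, one child node "dept-A" (analysts read up to grade 2, managers 3), one certificate for "alice".
func BuildDemo() (*VerificationCenter, SignedCert) {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	childPub, childPriv, _ := ed25519.GenerateKey(nil)
	userPub, _, _ := ed25519.GenerateKey(nil) // the KMC-issued pair; the private half goes to alice
	vc := &VerificationCenter{
		CAPub:     caPub,
		Directory: map[string]bool{"0001": true},
		ChildKeys: map[string]ed25519.PublicKey{"dept-A": childPub},
		RolePerms: map[string]map[string]int{"dept-A": {"analyst": 2, "manager": 3}},
	}
	return vc, Issue(caPriv, childPriv, "dept-A", UserCert{"0001", "alice", []string{"analyst"}, userPub})
}
```

`vc, cert := BuildDemo()` followed by `vc.Authorize(cert, "sales-q3", 2)` grants access and logs it; the same certificate asked for grade 3 is denied, a copy whose role list was edited after signing fails at the CA signature check, an unregistered `ChildID` fails at the child-node check, and setting `vc.Directory["0001"] = false` (revocation) denies the otherwise valid certificate. Every decision, allowed or denied, lands in `vc.Log` with its reason, which is what the recording center needs for tracing and non-repudiation.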
The invention has the following advantages:
1. Access control of users over data is realized on the basis of data classification and user role division, giving finer-grained access control; this solves the difficulty of sharing data in a distributed system and has high security and strong practicability.
2. User roles are managed on the basis of the certificate chain model: the child nodes divide the user roles, which relieves the cloud center node of the burden of dividing them, and since each child node knows the role composition of its own node, child nodes can be derived further downward according to actual needs, ensuring accurate, flexible and practical division.
3. The digital certificate is used to confer the user's role identity, which solves the trust problem between the cloud center node and the user, improves the security of the user role identity, and greatly reduces the potential data security hazard of identity misuse.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features equivalently replaced, and that such modifications or substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (4)

1. A distributed data security sharing method based on a certificate chain, characterized in that it comprises the following steps:
S1: grading the distributed data, assigning user roles for accessing data of different levels, and binding access authority to the roles so as to realize access control of users over the data;
S2: based on a certificate chain model, dividing the roles of the users at each child node, the users acquiring access rights through the allocation of roles;
S3: using a digital certificate to confer the user role identity, the user applying to the cloud center node for the digital certificate, and the child node certificate being used to sign the user digital certificate; the specific method comprises the following steps:
S3.1, the user submits personal information to the child node;
S3.2, the child node checks the personal information submitted by the user and, after the check passes, assigns the user role identity; the user personal information and the assigned user role identity are digitally signed and sent to the certificate authority (CA for short) of the cloud center node; otherwise, return to step S3.1;
S3.3, after receiving the information sent by the child node, the CA of the cloud center node performs data signature verification to ensure that the data has not been tampered with; after the verification passes, the CA applies to the key management center (KMC for short) for a user key and signs and issues a user digital certificate, wherein the digital certificate contains the personal information of the user, the role owned by the user and the user public key, and is signed using the CA certificate; the user certificate and the user private key are signed and then sent to the corresponding child node; otherwise, return to step S3.2;
S3.4, after receiving the user certificate and the user private key sent back by the cloud center node CA, the child node performs data signature verification; after the verification passes, the child node certificate is used to sign the user certificate, and the user certificate and the user private key are then sent to the corresponding user; otherwise, return to step S3.3;
S4: the user applies to the cloud center node for data access and uploads the user digital certificate, the cloud center node verifies the access authority of the user, and the user accesses the related data after the verification passes; the specific method comprises the following steps:
S4.1, the user logs in to the system, enters a user name and a password, and uploads the certificate the user owns;
if the user does not have a certificate, the user must first apply to the CA for one;
S4.2, after logging in successfully, the user applies to the cloud center node for the data that needs to be accessed;
S4.3, the CA of the cloud center node verifies the access authority of the user;
first, the certificate verification module verifies, through the CA signature on the user certificate, whether the user certificate was signed and issued by the CA (certificate authority), which solves the trust problem between the user and the cloud center node and ensures the legality of the user; then, the authority verification module determines the child node to which the user belongs using that child node's signature on the user certificate, looks up the role authority division of that child node in the role authority database, and verifies whether the user has the corresponding data access authority;
if the user authority verification fails, return to step S4.2; if the verification passes, execute step S4.4;
S4.4, the decryption module of the encryption/decryption center first decrypts the data accessed by the user, and the encryption module encrypts the data using the public key in the user certificate and then sends the encrypted data to the user, so that the security of data storage and of data transmission is ensured;
meanwhile, the access application of the user is recorded by the user access information recording center so that the user's access can be traced.
2. The certificate chain-based distributed data secure sharing method according to claim 1, wherein in step S2 the specific method for dividing the roles of the users at each child node on the basis of the certificate chain model is as follows:
S2.1, the cloud center node informs each child node of the data authority it owns, and stores the data authority allocated to each child node in a database;
S2.2, the child nodes divide the role authorities, and the division results are stored in the cloud center node database;
if the business of a child node is complex, the child node can delegate the authority to continue dividing roles to a subordinate node under it; after the authority has been delegated to the subordinate node, it can be delegated again according to actual requirements, forming a chain-type role division system;
S2.3, if the data authority needs to be updated, steps S2.1 and S2.2 are repeated.
3. A distributed data security sharing system based on a certificate chain, characterized in that it includes:
a data grading encryption module: grades and encrypts the data, and assigns user roles for accessing data of different levels;
a role division module: divides the roles of the users at each child node and binds the roles to the data access permissions, wherein one user can be assigned a plurality of roles, one role can be assigned to a plurality of users, one role corresponds to a plurality of data access permissions, and one permission can be owned by a plurality of roles;
a digital certificate generation/authentication module: generates the user digital certificate, authenticates the user digital certificate, and verifies the user's access authority;
the digital certificate generation/authentication module comprises a certificate authority CA, a key management center KMC, an encryption/decryption center and a user authority verification center;
the certificate authority CA includes: a certificate signing module, which applies to the KMC for a key, receives a key pair from the KMC, puts the public key, the user's personal information and the user role into a user digital certificate, uses the public key of the CA to sign the certificate, and stores the certificate in the certificate directory server, and meanwhile transmits the user digital certificate to the applying child node in a data-signature mode; a certificate revocation module, which removes the certificate to be revoked from the directory server; a certificate updating module, which revokes the certificate when the role of the user changes and the certificate must be updated, the rest of the updating process being the same as the certificate issuing process; and a signature verification module, which verifies the CA signature in the user certificate through the CA private key and judges whether the certificate is valid;
the key management center: performs the key management used in the certificate chain and comprises: a key generation module, which generates keys, each generated key being unique and stored in the key storage center; a key distribution module, which extracts a key from the key storage center and distributes it to the CA, the key not being reusable and being distributed in a data-signature mode to ensure its security in transit; a key storage module, which stores the generated keys in encrypted form in the key storage center, where only the KMC can use the encrypted keys; a key revocation module, which deletes the key to be revoked from the key storage center; and a key updating module, which updates the key in a certificate by first revoking the old key and then distributing a new key for the certificate to use;
the encryption/decryption center: encrypts data with the encryption algorithm corresponding to its grade, so that the grading requirement and the storage security of the data are ensured, and decrypts the data information stored at the cloud center node that the user has authority to access;
the user authority verification center: is used to authenticate whether the user's certificate is valid and to verify the user's data access authority, and comprises: a certificate verification module, which checks whether the certificate uploaded by the user is signed by the CA, looks the certificate up in the certificate directory server and confirms whether it is currently valid; and an authority verification module, which determines the child node the user comes from through that child node's signature on the certificate, then looks up the role authority of the corresponding child node in the role authority database and judges whether the user's role may access the requested data.
4. The certificate chain-based distributed data secure sharing system according to claim 3, wherein the system further comprises a user access information recording center for recording all of the user's access to the data and ensuring the traceability of user access.
CN202010710360.6A 2020-07-22 2020-07-22 Distributed data security sharing method and system based on certificate chain Active CN111885154B (en)

Publications (2)

Publication Number Publication Date
CN111885154A CN111885154A (en) 2020-11-03
CN111885154B true CN111885154B (en) 2021-10-29

Family

ID=73156361

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112751867B (en) * 2020-12-31 2022-07-05 南京航空航天大学 Access control authorization method based on logic unit and trust evaluation
CN112925766B (en) * 2021-03-01 2024-02-20 北京滴普科技有限公司 Data security management and control device, system and method and readable storage medium thereof
CN113779095B (en) * 2021-11-11 2022-04-01 江苏荣泽信息科技股份有限公司 Job title rating electronic certificate supervision system based on block chain technology

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780175A (en) * 2015-04-24 2015-07-15 广东电网有限责任公司信息中心 Hierarchical classification access authorization management method based on roles
CN107426157A (en) * 2017-04-21 2017-12-01 杭州趣链科技有限公司 A kind of alliance's chain authority control method based on digital certificate and ca authentication system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321063A (en) * 2008-07-17 2008-12-10 上海众恒信息产业有限公司 System user access management system and method based on digital certificate technique
US10581829B1 (en) * 2017-05-31 2020-03-03 Cisco Technology, Inc. Certificate-based call identification and routing
CN109818757A (en) * 2019-03-18 2019-05-28 广东工业大学 Cloud storage data access control method, Attribute certificate awarding method and system
CN111079136B (en) * 2019-11-07 2022-02-11 北京科技大学 Fog computing intrusion detection feature sharing system based on block chain technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant