
CN103227789B - The fine-grained access control method of lightweight under a kind of cloud environment - Google Patents


Info

Publication number
CN103227789B
CN103227789B
Authority
CN
China
Prior art keywords
data
user
authorization
private key
control node
Prior art date
Legal status
Active
Application number
CN201310138434.3A
Other languages
Chinese (zh)
Other versions
CN103227789A (en)
Inventor
彭智勇
程芳权
王书林
宋伟
Current Assignee
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date
Filing date
Publication date
Application filed by Wuhan University WHU
Priority to CN201310138434.3A
Publication of CN103227789A
Application granted
Publication of CN103227789B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention relates to a lightweight, fine-grained access control method for a cloud storage environment and belongs to the field of secure cloud storage. It comprises the following steps: 1. data upload; 2. data authorization; 3. data access; 4. authorization revocation; 5. data update. The invention provides a lightweight, fine-grained access control method that builds a data mirror layer and a permission control layer, effectively achieves copy-free data sharing and fine-grained data access control, and guarantees the security of the data encryption keys.

Description

A lightweight fine-grained access control method in a cloud environment

Technical field

The invention belongs to the field of secure cloud storage and in particular relates to a lightweight, fine-grained and flexible access control method for private data.

Background

Since it was first proposed, cloud computing, as a new model of network computing, has attracted great attention from both academia and industry. Cloud storage services have developed rapidly thanks to their good scalability, convenient deployment and low cost, and both academia and industry have achieved notable results.

Although cloud storage services have achieved so much in such a short time, the problems they face during their development still hold back further progress. The generally acknowledged bottleneck is data security: although many security technologies exist to protect data, most of them focus on external threats, while insider threats originating from the cloud storage provider itself have not received effective attention.

At present, insider attacks from the cloud storage provider are mainly resisted by encrypting and decrypting data locally. Although local encryption effectively resists attacks from inside the cloud service provider and from the network, it greatly hinders the sharing of data among different users. A key agreement mechanism can make ciphertext data shareable, but it incurs a high computational cost for every data authorization and cannot effectively revoke or update an authorization; revocation or update is only possible by re-encrypting the data.

An analysis of current ciphertext access control methods finds the following main problems:

1. On the premise of guaranteeing data security, there is no effective mechanism for sharing ciphertext data without making copies.

2. Most current data authorization is based on a static division into roles or attributes, so flexible, fine-grained authorization of individual data items is not possible.

3. Once ciphertext has been authorized, and especially after the same data has been authorized several times, the authorization cannot be effectively revoked; most current approaches re-encrypt the data, which greatly increases the computational cost and forces a key change for all other users who can access the data.

Summary of the invention

To solve the above problems, the present invention provides a lightweight, fine-grained access control method in a cloud environment comprising the following steps:

Step 1: upload data and initialize, implemented as follows:

On the one hand, the data owner locally encrypts the plaintext data to be uploaded with his own public key to obtain the ciphertext data, then uploads the ciphertext data to the cloud;

On the other hand, according to the data owner's access control requirements, a corresponding layer of permission control nodes is constructed;

Step 2: data authorization, comprising the following steps:

Step 2.1: determine the data to be authorized and generate a corresponding data mirror for each data item to be authorized; if a data item needs to be authorized several times, generate a corresponding number of mirrors; the data owner generates a public/private key pair for each mirror;

Step 2.2: compute the proxy re-encryption key between the data and its mirror and store it in the cloud;

Step 2.3: compute the session key: for each authorized user, the data owner constructs a session key from his own private key, the authorized user's public key and the public parameters; a user here means either a single user or a user group;

Step 2.4: encrypt the mirror's private key with the session key, store the resulting ciphertext in the permission control node and at the same time update the authorized user information in the permission control node;

Step 3: data reading:

When a user requests to read a data item, the system first checks, according to the permission control node, whether the current user holds access rights to that data; if so, the requested data is re-encrypted through the mirror and sent to the user together with the encrypted mirror private key held in the permission control node; on the client side the user obtains the mirror private key in a first round of decryption and then uses that private key in a second round of decryption to finally obtain the plaintext data; otherwise the user's request is rejected;

Step 4: authorization revocation:

When revocation of an authorized user's authorization is requested, the system checks whether an access path exists between the authorized user and the data; if not, the request is rejected; if it does, the system checks whether the permission control node contains that user's information, and if so:

If the data corresponds to only one mirror, the data mirror is deleted from the cloud directly and its permission control node information is cleared;

If the data corresponds to only one mirror but revocation is performed only for some of the users, the corresponding user information in the permission control node is first cleared; next a new public/private key pair is generated for the current mirror, a re-encryption key targeting that key pair is generated and the new private key is encrypted; finally the user authorization information in the permission control node is updated to the encrypted mirror private key;

If the data corresponds to several mirrors and revocation is to be performed for all mirrors, the corresponding mirrors are deleted and the authorized user information in the permission control node is updated;

If the data corresponds to several mirrors but revocation is performed only for some users across those mirrors, then for each mirror concerned, the corresponding user information in the permission control node is first cleared; next a new public/private key pair is generated for the current mirror, a re-encryption key targeting that key pair is generated and the new private key is encrypted; finally the user authorization information in the permission control node is updated to the encrypted mirror private key;

Otherwise the request is rejected;

Step 5: data update. After some of the data in the cloud has been updated:

if its access authorization remains unchanged, no action is taken;

if some authorizations need to be revoked, the authorization revocation of step 4 is performed;

if new access authorizations need to be added, the data authorization of step 2 is performed.

Preferably, in the construction of the permission control node layer in step 1, each node is assigned the relevant information of its authorized users.

Preferably, the permission control nodes can be updated dynamically as the system runs and permissions change.

Compared with existing authorization-based access control, the present invention has the following advantages:

1. Data mirroring enables multiple authorizations of data without copies, giving lightweight data sharing;

2. Data authorization is flexible and on demand. Users can be divided not only by group but also by the different roles within a group, and temporary users can be granted short-lived authorizations;

3. Authorization revocation is convenient. Access rights are withdrawn as needed by adjusting the data mirrors and the values of the permission control nodes.

Description of the drawings

Figure 1: hierarchy diagram of the lightweight, fine-grained data access control of the present invention.

Figure 2: flow chart of data upload and initialization in the present invention.

Figure 3: data structure diagram of the fine-grained permission control node in a specific embodiment of the present invention.

Figure 4: flow chart of data authorization in the present invention.

Figure 5: flow chart of data reading in the present invention.

Figure 6: flow chart of authorization revocation in the present invention.

Detailed description

The present invention is further described below with reference to specific examples and the accompanying drawings.

The present invention provides a lightweight, fine-grained access control method in a cloud environment comprising the following steps:

Step 1: upload data and initialize, implemented as follows:

On the one hand, the data owner locally encrypts the plaintext data to be uploaded with his own public key to obtain the ciphertext data, then uploads the ciphertext data to the cloud;

On the other hand, according to the data owner's access control requirements, a corresponding layer of permission control nodes is constructed; each node is assigned the relevant information of its authorized users, and the permission control nodes can be updated dynamically as the system runs and permissions change;

Step 2: data authorization, comprising the following steps:

Step 2.1: determine the data to be authorized and generate a corresponding data mirror for each data item to be authorized; if a data item needs to be authorized several times, generate a corresponding number of mirrors; the data owner generates a public/private key pair for each mirror;

Step 2.2: compute the proxy re-encryption key between the data and its mirror and store it in the cloud;

Step 2.3: compute the session key: for each authorized user, the data owner constructs a session key from his own private key, the authorized user's public key and the public parameters; a user here means either a single user or a user group;

Step 2.4: encrypt the mirror's private key with the session key, store the resulting ciphertext in the permission control node and at the same time update the authorized user information in the permission control node;

Step 3: data reading:

When a user requests to read a data item, the system first checks, according to the permission control node, whether the current user holds access rights to that data; if so, the requested data is re-encrypted through the mirror and sent to the user together with the encrypted mirror private key held in the permission control node; on the client side the user obtains the mirror private key in a first round of decryption and then uses that private key in a second round of decryption to finally obtain the plaintext data; otherwise the user's request is rejected;

Step 4: authorization revocation:

When revocation of an authorized user's authorization is requested, the system checks whether an access path exists between the authorized user and the data; if not, the request is rejected; if it does, the system checks whether the permission control node contains that user's information, and if so:

If the data corresponds to only one mirror, the data mirror is deleted from the cloud directly and its permission control node information is cleared;

If the data corresponds to only one mirror but revocation is performed only for some of the users, the corresponding user information in the permission control node is first cleared; next a new public/private key pair is generated for the current mirror, a re-encryption key targeting that key pair is generated and the new private key is encrypted; finally the user authorization information in the permission control node is updated to the encrypted mirror private key;

If the data corresponds to several mirrors and revocation is to be performed for all mirrors, the corresponding mirrors are deleted and the authorized user information in the permission control node is updated;

If the data corresponds to several mirrors but revocation is performed only for some users across those mirrors, then for each mirror concerned, the corresponding user information in the permission control node is first cleared; next a new public/private key pair is generated for the current mirror, a re-encryption key targeting that key pair is generated and the new private key is encrypted; finally the user authorization information in the permission control node is updated to the encrypted mirror private key;

Otherwise the request is rejected;

Step 5: data update. After some of the data in the cloud has been updated:

if its access authorization remains unchanged, no action is taken;

if some authorizations need to be revoked, the authorization revocation of step 4 is performed;

if new access authorizations need to be added, the data authorization of step 2 is performed.

Figure 1 is the hierarchy diagram of the lightweight, fine-grained data access control of the present invention; it comprises a physical layer, a data mirror layer, a permission control layer and a user layer.

Figure 2 is the flow chart of data submission and initialization. The data owner first encrypts the data f1 to f6 locally with his own public key; specifically, the asymmetric RSA algorithm is used here. First the system parameters SP := {p, q, n} are determined from the system security parameter λ, where n = pq and p, q are two large primes satisfying the security parameter λ. When a user registers, the system assigns that user a public/private key pair (ek, dk) = (<e, n>, <d, n>), where e is chosen at random and the corresponding d is then computed from e; <e, n> is the public key and <d, n> the private key. If the plaintext is m, the ciphertext is c = m^e mod n.

The encrypted data is then uploaded to the cloud. Access rights are divided according to system requirements, that is, the permission control nodes of the permission control layer in Figure 1 are constructed. Figure 3 shows the concrete data structure of a permission control node, which records the authorization information of the relevant users. As the system runs and permissions change, the permission control nodes can be updated dynamically, which is how fine-grained data access control is achieved.

Figure 4 is the flow chart of data authorization, using the authorization of data f1 to users U1 and U3 as an example. The data owner first determines that the data to be authorized is f1; the system generates a corresponding mirror for f1, and the data owner generates a public/private key pair (ek1, dk1) for each mirror. Once this is done, the mirror corresponding to f1 exists in the data mirror layer of Figure 1, and the proxy re-encryption key from f1 to its mirror is computed as follows: let the user's key pair be (eu_i, du_i) = (<eu_i, n>, <du_i, n>) and the corresponding mirror key pair be (eu_j, du_j) = (<eu_j, n>, <du_j, n>); the corresponding re-encryption key rk_{i-j} is derived from these two pairs, uploaded to the cloud and stored in the mirror node. Then the public keys eu_1 and eu_3 of the authorized users U1 and U3 are used as session keys to encrypt the mirror private key du_j, computed as follows: c_{eu1} = (du_j)^{eu1} mod n, c_{eu3} = (du_j)^{eu3} mod n. The encrypted private keys are stored in the corresponding permission control nodes.

Figure 5 is the flow chart of data reading. User U1 first sends a request to access data f1; the system checks whether an access path exists between U1 and f1 and, if so, looks up the permission control node on that path to check whether U1 is authorized to access f1. If so, the cloud re-encrypts the data f1 with the re-encryption key held in the mirror to obtain F1 and sends it to U1 together with U1's corresponding encrypted private key from the permission control node. User U1 first decrypts the ciphertext of the private key of f1's mirror with his own private key, then decrypts the data F1 with the recovered mirror private key du_j to obtain the plaintext f1. Otherwise access is denied.

Figure 6 is the flow chart of authorization revocation. Referring to Figure 1, to revoke U1's authorization for f1, we first clear U1's authorization information from the permission control node on the path from f1 to U1, then generate a new public/private key pair for f1's mirror and compute a new proxy re-encryption key from it; finally the mirror's new private key is encrypted with the session key computed between the data owner and each remaining authorized user, and those users' information in the permission control node is updated. At this point the revocation for U1 is complete and the other users are unaffected. To revoke U8's authorization for f7, we delete the mirror corresponding to f7 and clear U8's authorization information from the permission control node on that path.
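The key flows of steps 1 to 4 (Figures 2, 4, 5 and 6) as an added, runnable toy model; this is example code, not the patent's own implementation. It follows the page's shared-modulus RSA setup with small constructed primes and assumes the form rk = d_i · e_j mod φ(n) for the re-encryption key, which the page does not spell out; the class, function and variable names are the example's own. A shared modulus is used only to mirror the page's setup, so this models the flows and is not a secure construction.

```python
import secrets
from math import gcd

# Constructed system parameters SP = {p, q, n}; every user shares n, as on the page.
P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)

def keygen():
    """RSA exponent pair (e, d) over the shared modulus N (<e, n> public, <d, n> private)."""
    while True:
        e = secrets.randbelow(PHI - 3) + 3
        if gcd(e, PHI) == 1:
            return e, pow(e, -1, PHI)

def rsa(x, exp):
    """Textbook RSA exponentiation: encrypt with e, decrypt with d."""
    return pow(x, exp, N)

def reencryption_key(d_owner, e_mirror):
    """Assumed form of rk_{i-j}: d_i * e_j mod phi(n), so that c^rk = m^(e_j) mod n."""
    return (d_owner * e_mirror) % PHI

class Cloud:
    """Cloud side: owner ciphertexts, mirrors holding rk, and permission control nodes."""
    def __init__(self):
        self.data = {}      # name -> ciphertext under the owner's public key
        self.mirrors = {}   # name -> {"rk": int, "node": {user_id: wrapped mirror private key}}
        self.pubkeys = {}   # user_id -> public exponent (public directory)

    def read(self, name, user):
        """Step 3, cloud side: refuse unless the node lists the user; else return (F, c_eu)."""
        mirror = self.mirrors.get(name)
        if mirror is None or user not in mirror["node"]:
            return None
        return rsa(self.data[name], mirror["rk"]), mirror["node"][user]

class Owner:
    def __init__(self, cloud):
        self.cloud = cloud
        self.e, self.d = keygen()

    def upload(self, name, m):
        """Step 1: encrypt locally under the owner's own public key, then store in the cloud."""
        self.cloud.data[name] = rsa(m, self.e)

    def _node_for(self, d_mirror, users):
        # Steps 2.3/2.4: c_eu = (du_j)^eu mod n for each authorized user.
        return {u: rsa(d_mirror, self.cloud.pubkeys[u]) for u in users}

    def authorize(self, name, users):
        """Step 2: fresh mirror key pair, rk from data to mirror, wrapped mirror key per user."""
        e_j, d_j = keygen()
        self.cloud.mirrors[name] = {"rk": reencryption_key(self.d, e_j),
                                    "node": self._node_for(d_j, users)}

    def revoke(self, name, user):
        """Step 4: drop the user; delete a single-user mirror, otherwise re-key the mirror."""
        mirror = self.cloud.mirrors.get(name)
        if mirror is None or user not in mirror["node"]:
            return False                      # no access path: reject the request
        remaining = [u for u in mirror["node"] if u != user]
        if not remaining:
            del self.cloud.mirrors[name]      # only user of this mirror: remove it entirely
            return True
        e_j, d_j = keygen()                   # new pair: old rk and old wrapped keys are useless
        mirror["rk"] = reencryption_key(self.d, e_j)
        mirror["node"] = self._node_for(d_j, remaining)
        return True

def user_read(cloud, name, user, d_user):
    """Step 3, client side: two rounds of decryption, or None if the cloud refused."""
    resp = cloud.read(name, user)
    if resp is None:
        return None
    F, wrapped = resp
    d_j = rsa(wrapped, d_user)    # round 1: recover the mirror private key du_j
    return rsa(F, d_j)            # round 2: recover the plaintext from F = m^(e_j)

def demo(plaintext=20130419):
    """Authorize f1 to U1 and U3, read as U1/U2/U3, revoke U1, read again (constructed run)."""
    cloud = Cloud()
    owner = Owner(cloud)
    keys = {u: keygen() for u in ("U1", "U2", "U3")}
    cloud.pubkeys = {u: e for u, (e, _) in keys.items()}
    owner.upload("f1", plaintext)
    owner.authorize("f1", ["U1", "U3"])
    before = {u: user_read(cloud, "f1", u, keys[u][1]) for u in keys}
    revoked = owner.revoke("f1", "U1")
    after = {u: user_read(cloud, "f1", u, keys[u][1]) for u in keys}
    return {"before": before, "revoked": revoked, "after": after,
            "revoke_unknown": owner.revoke("f1", "U2")}
```

Calling `demo()` shows U1 and U3 reading f1, U2 being refused, and after revocation only U3 still able to read.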

The above is a further detailed description of the present invention in combination with preferred embodiments, and the specific implementation of the present invention should not be regarded as limited to these descriptions. Those skilled in the art should understand that various modifications of detail can be made without departing from the scope defined by the appended claims, and all such modifications fall within the protection scope of the present invention.

Claims (3)

1. A lightweight fine-grained access control method in a cloud environment, characterized in that it comprises the following steps:

Step 1: upload data and initialize, implemented as follows: on the one hand, the data owner locally encrypts the plaintext data to be uploaded with his own public key to obtain the ciphertext data, then uploads the ciphertext data to the cloud; on the other hand, according to the data owner's access control requirements, a corresponding layer of permission control nodes is constructed;

Step 2: data authorization, comprising the following steps:

Step 2.1: determine the data to be authorized and generate a corresponding data mirror for each data item to be authorized; if a data item needs to be authorized several times, generate a corresponding number of mirrors; the data owner generates a public/private key pair for each mirror;

Step 2.2: compute the proxy re-encryption key between the data and its mirror and store it in the cloud;

Step 2.3: compute the session key: for each authorized user, the data owner constructs a session key from his own private key, the authorized user's public key and the public parameters; a user here means either a single user or a user group;

Step 2.4: encrypt the mirror's private key with the session key, store the resulting ciphertext in the permission control node and at the same time update the authorized user information in the permission control node;

Step 3: data reading: when a user requests to read a data item, the system first checks, according to the permission control node, whether the current user holds access rights to that data; if so, the requested data is re-encrypted through the mirror and sent to the user together with the encrypted mirror private key held in the permission control node; on the client side the user obtains the mirror private key in a first round of decryption and then uses that private key in a second round of decryption to finally obtain the plaintext data; otherwise the user's request is rejected;

Step 4: authorization revocation: when revocation of an authorized user's authorization is requested, the system checks whether an access path exists between the authorized user and the data; if not, the request is rejected; if it does, the system checks whether the permission control node contains that user's information, and if so: if the data corresponds to only one mirror, the data mirror is deleted from the cloud directly and its permission control node information is cleared; if the data corresponds to only one mirror but revocation is performed only for some of the users, the corresponding user information in the permission control node is first cleared, next a new public/private key pair is generated for the current mirror, a re-encryption key targeting that key pair is generated and the new private key is encrypted, and finally the user authorization information in the permission control node is updated to the encrypted mirror private key; if the data corresponds to several mirrors and revocation is to be performed for all mirrors, the corresponding mirrors are deleted and the authorized user information in the permission control node is updated; if the data corresponds to several mirrors but revocation is performed only for some users across those mirrors, then for each mirror concerned the corresponding user information in the permission control node is first cleared, next a new public/private key pair is generated for the current mirror, a re-encryption key targeting that key pair is generated and the new private key is encrypted, and finally the user authorization information in the permission control node is updated to the encrypted mirror private key; otherwise the request is rejected;

Step 5: data update: after some of the data in the cloud has been updated, if its access authorization remains unchanged, no action is taken; if some authorizations need to be revoked, the authorization revocation of step 4 is performed; if new access authorizations need to be added, the data authorization of step 2 is performed.

2. The lightweight fine-grained access control method in a cloud environment according to claim 1, characterized in that, in the construction of the permission control node layer in step 1, each node is assigned the relevant information of its authorized users.

3. The lightweight fine-grained access control method in a cloud environment according to claim 1, characterized in that the permission control nodes can be updated dynamically as the system runs and permissions change.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310138434.3A CN103227789B (en) 2013-04-19 2013-04-19 The fine-grained access control method of lightweight under a kind of cloud environment


Publications (2)

Publication Number Publication Date
CN103227789A CN103227789A (en) 2013-07-31
CN103227789B true CN103227789B (en) 2015-09-16

Family

ID=48838050

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310138434.3A Active CN103227789B (en) 2013-04-19 2013-04-19 The fine-grained access control method of lightweight under a kind of cloud environment

Country Status (1)

Country Link
CN (1) CN103227789B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980477B (en) * 2014-04-14 2019-07-09 航天信息股份有限公司 Data access control method and system under cloud storage environment
CN104009987B (en) * 2014-05-21 2017-02-22 南京邮电大学 Fine-grained cloud platform security access control method based on user identity capacity
CN105072180B (en) * 2015-08-06 2018-02-09 武汉科技大学 Secure cloud storage data sharing method with permission time control
CN106610839B (en) * 2015-10-21 2020-10-30 阿里巴巴集团控股有限公司 Method for issuing upgrade package, lightweight upgrade method, device and system
CN106788988B (en) * 2016-11-28 2019-09-17 暨南大学 Revocable key-aggregate encryption method in a cloud environment
CN107370595A (en) * 2017-06-06 2017-11-21 福建中经汇通有限责任公司 Fine-grained ciphertext access control method
CN107659567A (en) * 2017-09-19 2018-02-02 北京许继电气有限公司 Fine-grained lightweight ciphertext access control method and system based on a public key cryptosystem
CN109614779A (en) * 2018-12-28 2019-04-12 北京航天数据股份有限公司 Secure data operation method, device, equipment and medium
CN111083140A (en) * 2019-12-13 2020-04-28 北京网聘咨询有限公司 Data sharing method under hybrid cloud environment
CN111190738B (en) * 2019-12-31 2023-09-08 北京仁科互动网络技术有限公司 User mirroring method, device and system under multi-tenant system
KR102702029B1 (en) * 2022-11-25 2024-09-04 국민대학교산학협력단 Cloud data acquisition device and method through dpapi-based data regeneration

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739689A (en) * 2012-07-16 2012-10-17 四川师范大学 File data transmission device and method used for cloud storage system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8745384B2 (en) * 2011-08-11 2014-06-03 Cisco Technology, Inc. Security management in a group based environment

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739689A (en) * 2012-07-16 2012-10-17 四川师范大学 File data transmission device and method used for cloud storage system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"A Fine-Grained Data Access Control Algorithm in Cloud Computing" (一种在云计算下的细粒度数据访问控制算法); Han Dezhi et al.; Journal of Huazhong University of Science and Technology (华中科技大学学报); 2012-12-15; Vol. 40; pp. 1-4 *

Also Published As

Publication number Publication date
CN103227789A (en) 2013-07-31

Similar Documents

Publication Publication Date Title
CN103227789B (en) The fine-grained access control method of lightweight under a kind of cloud environment
Zhang et al. Data security and privacy-preserving in edge computing paradigm: Survey and open issues
CN110099043B (en) Multi-authorization-center access control method supporting policy hiding and cloud storage system
CN114039790B (en) A fine-grained cloud storage security access control method based on blockchain
Yan et al. Heterogeneous data storage management with deduplication in cloud computing
CN103179114B (en) Fine-grained data access control method in cloud storage
Xu et al. Dynamic user revocation and key refreshing for attribute-based encryption in cloud storage
CN104468615B (en) file access and modification authority control method based on data sharing
CN108111540B (en) Hierarchical access control system and method supporting data sharing in cloud storage
Li et al. A distributed publisher-driven secure data sharing scheme for information-centric IoT
CN106797316B (en) Router, data device, and method and system for distributing data
Tassanaviboon et al. Oauth and abe based authorization in semi-trusted cloud computing: aauth
Liu et al. LVAP: Lightweight V2I authentication protocol using group communication in VANETs
Tu et al. A secure, efficient and verifiable multimedia data sharing scheme in fog networking system
Yan et al. Controlling cloud data access based on reputation
Deng et al. Tracing and revoking leaked credentials: accountability in leaking sensitive outsourced data
CN117240452A (en) A blockchain-based secure sharing method for plateau data
CN104935588B (en) Hierarchical encryption management method for a secure cloud storage system
CN114826702B (en) Database access password encryption method and device and computer equipment
CN110933052A (en) Time-domain-based encryption and policy update method in an edge environment
CN113055164A (en) Cipher text strategy attribute encryption algorithm based on state cipher
CN111083140A (en) Data sharing method under hybrid cloud environment
CN104135495B (en) Authority-free ciphertext-policy attribute-based encryption method with privacy protection
Eissa et al. A fine grained access control and flexible revocation scheme for data security on public cloud storage services
Alston Attribute-based encryption for attribute-based authentication, authorization, storage, and transmission in distributed storage systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant