
CN116566663A - Threat data dynamic processing and efficient sharing method suitable for industrial control system - Google Patents


Info

Publication number
CN116566663A
Authority
CN
China
Prior art keywords
data
file
sensitive
visitor
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310463402.4A
Other languages
Chinese (zh)
Other versions
CN116566663B (en)
Inventor
丁勇
卢洁
梁海
杨昌松
李春海
李振宇
罗得寸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guilin University of Electronic Technology
Original Assignee
Guilin University of Electronic Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guilin University of Electronic Technology
Priority to CN202310463402.4A
Publication of CN116566663A
Application granted
Publication of CN116566663B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for dynamic processing and efficient sharing of threat data suitable for industrial control systems, comprising the following steps: 1) defining the data sharing system model; 2) preprocessing the shared data; 3) searching for sensitive keywords; 4) data desensitization and sharing. The method provides privacy protection, sensitive keyword security, trapdoor verification, and dynamic processing of sensitive data.

Description

Threat data dynamic processing and efficient sharing method suitable for industrial control system

Technical field

The present invention relates to the technical field of data sharing, and in particular to dynamic processing and efficient sharing of ciphertext data based on visitor identity and permissions during threat data sharing in industrial control systems. Specifically, it is a method for dynamic processing and efficient sharing of threat data suitable for industrial control systems.

Background

As industrialization and informatization continue to converge, industrial control systems have developed in an increasingly open way, and the security threats they face have grown accordingly. Threat intelligence data sharing strengthens the protection and coordinated response capabilities of different organizations by linking threat data and sharing intelligence, and has become one of the hot topics in cyberspace security. As industrial control systems keep running and developing, the volume of industrial control data keeps growing. To relieve pressure on local servers, users usually store data on cloud servers, but storing plaintext directly carries the risk that a semi-trusted server leaks it, so users usually store the data on the cloud server as ciphertext. Because shared data may contain sensitive industrial or personal information, efficiently desensitizing and sharing data dynamically for visitors with different identities and permissions is difficult. There are two main traditional desensitize-and-share schemes. In the first, data is desensitized, then encrypted, then uploaded to the cloud server for other users to access, but this static desensitization cannot desensitize dynamically according to each user's permission level. In the second, data is encrypted first and then uploaded to the sharing system, which requires desensitization on top of ciphertext and is therefore harder. In existing research, ciphertext retrieval can search ciphertext data directly, which makes ciphertext desensitization possible. Homomorphic encryption lets users compute on encrypted data, with a result equal to encrypting the result of the same computation on the plaintext, but at high computational cost. Using differential privacy and anonymization for dynamic desensitization may affect data usability: anonymization and added noise can distort data or lose information, and adding random noise or performing complex operations to protect privacy may raise the system's computational cost.

Traditional cloud servers use a centralized architecture, which is a security risk: if the server goes down or the system crashes, critical data may be lost. Centralized servers are also easy targets for network attacks, which further reduces trust in the data. Blockchain, by contrast, is decentralized and tamper-proof, and can effectively address data security problems caused by server failures or network attacks. Maw et al. proposed a blockchain-based secure data storage scheme to improve the security and traceability of operational data in industrial control systems. The scheme uses blockchain to build a decentralized data storage and management system and uses smart contracts for access control and auditing of data, providing technical support for data security and operational traceability in industrial control systems. Yang et al., addressing the security challenges of sharing device data between heterogeneous industrial networks, proposed a blockchain-based data sharing framework that uses smart contracts to provide secure and efficient access control over data of different levels, thereby ensuring data security and privacy. However, some of the data is sensitive: it involves the privacy of data sharers or users and constitutes a threat to data security. Traditional static desensitization can no longer cope with increasingly complex network environments and differences in user permissions. Dynamic desensitization, by contrast, desensitizes data in real time according to the user's permission level when the user accesses it, thereby protecting data privacy. Performing dynamic desensitization on ciphertext without touching the plaintext, however, is a hard problem. Techniques that can perform dynamic desensitization on ciphertext include ciphertext retrieval, homomorphic encryption, differential privacy and anonymization, but they carry high computational cost or may affect data usability. As for the storage security of threat data, the centralized architecture of traditional cloud servers is a security risk: if the server goes down or the system crashes, critical data may be lost, and centralized servers are easy targets for network attacks, which further reduces trust in the data.

Summary of the invention

The purpose of the present invention is to address the deficiencies of the prior art by providing a method for dynamic processing and efficient sharing of threat data suitable for industrial control systems. The method provides privacy protection, sensitive keyword security, trapdoor verification, and dynamic processing of sensitive data.

The technical solution that achieves the purpose of the invention is:

A method for dynamic processing and efficient sharing of threat data suitable for industrial control systems, comprising the following steps:

1) Define the data sharing system model: assume the data sharing system has three parties, namely data owner A, data visitor B, and the cloud storage center. Data owner A and data visitor B are members of the threat data sharing system, and every member must pass strict user registration, login, and authorization and admission procedures before joining the sharing system. The cloud storage center is a trusted network built from cloud servers and blockchain nodes; it mainly performs data storage, sensitive file search, and data sharing, where:

Data owner A, as the data provider, first extracts sensitive keywords from the shared files, then encrypts the shared files with a public-key encryption algorithm to produce ciphertext $C$, applies searchable encryption to the sensitive keywords to produce $\mathrm{PEKS}(PK, W)$, and uploads $C$ and $\mathrm{PEKS}(PK, W)$ to the cloud storage center. Before data visitor B accesses data uploaded by data owner A, B must first apply to A for an access credential; A selects sensitive keywords according to B's identity and permissions, generates trapdoors, and sends the trapdoors to B as the access credential. When A receives a desensitization request from the cloud storage center, A must desensitize and encrypt the specified sensitive files and then send them to the corresponding data visitor;

Data visitor B must apply to data owner A for an access credential before accessing A's shared data, and then presents the credential to the cloud storage center in a data access request. B may then receive file data from both data owner A and the cloud storage center. Content obtained directly from A is a file that has been desensitized and encrypted with the public key $PK_B$, so B decrypts it directly with the private key $SK_B$ to obtain the desensitized plaintext. Content obtained from the cloud storage center has been transformed by proxy re-encryption, so B can likewise decrypt it with the private key $SK_B$ to obtain the plaintext;

Cloud storage center: after data owner A uploads the shared data ciphertext and the keyword ciphertext, the cloud storage center first generates a data ID for the uploaded content, then calls a smart contract to store the key information on chain: data ID, user identity ID, shared data ciphertext, keyword ciphertext, and timestamp. When it receives an access request from data visitor B, it first verifies the access credential B presents. If verification fails, access is refused. If verification succeeds, it runs a sensitive keyword search over all the requested files and sends every file that contains sensitive information to data owner A, who performs the desensitization and sharing. Files that contain no sensitive information are proxy re-encrypted directly by the cloud storage center into a form that data visitor B can decrypt, and the re-encrypted files are then sent to B;

2) Shared data preprocessing: while data owner A uploads shared data, it may be eavesdropped on or hijacked by a man in the middle, and data stored in the sharing system may be leaked by a semi-trusted server. The data therefore has to be encrypted before upload so that it stays in ciphertext form during both transmission and storage. Searchable encryption is used to process the shared data, which prevents leakage in transit and at rest while still supporting search over ciphertext. Let the shared data file set of data owner A be $M = \{M_1, M_2, M_3, \ldots, M_n\}$; the shared data is then preprocessed as follows:

2-1) Generate the ECC asymmetric key pair $(PK_A, SK_A)$: first select a secure elliptic curve $E_p(a, b)$, then select a point on the curve as the base point $G$, so that:

$(PK_A, SK_A) = \mathrm{KeyGen}_{ECC}(E_p(a, b), G)$;

2-2) Extract the sensitive data keywords from each file and generate the sensitive keyword list $W_i = (w_{i1}, w_{i2}, w_{i3}, \ldots, w_{ik})$, where $1 \le i \le n$, $w_{ij} \in M_i$, and $k$ is the number of sensitive keywords in file $M_i$. Generate a public-key searchable encryption key pair $(A_{pub_i}, A_{priv_i})$ for each sensitive keyword in $W_i$, where $A_{pub_i} = \{Pub_{i1}, Pub_{i2}, Pub_{i3}, \ldots, Pub_{ik}\}$ and $A_{priv_i} = \{Priv_{i1}, Priv_{i2}, Priv_{i3}, \ldots, Priv_{ik}\}$;

2-3) Select $k$ random strings $(Q_{i1}, Q_{i2}, Q_{i3}, \ldots, Q_{ik})$ and XOR each string with the system parameter $z$ to obtain $k$ new strings $(S_{i1}, S_{i2}, S_{i3}, \ldots, S_{ik})$. Apply searchable encryption to the sensitive keywords to obtain the ciphertext $CK_i$:

$CK_i = \mathrm{PEKS}(A_{pub_i}, W_i) = ([S_{i1}, \mathrm{Encrypt}(Pub_{i1}, Q_{i1})], [S_{i2}, \mathrm{Encrypt}(Pub_{i2}, Q_{i2})], [S_{i3}, \mathrm{Encrypt}(Pub_{i3}, Q_{i3})], \ldots, [S_{ik}, \mathrm{Encrypt}(Pub_{ik}, Q_{ik})])$;

2-4) Encrypt each file:

$C_i = \mathrm{Encrypt}_{ECC}(PK_A, M_i)$;

2-5) Upload all file ciphertexts and the sensitive keyword ciphertexts corresponding to them to the cloud storage center. At this point the ciphertexts can only be decrypted with data owner A's private key $SK_A$, so the cloud storage center cannot obtain the plaintext $M$. The proxy server calls the smart contract to store on the blockchain the file ciphertext $C = (C_1, C_2, C_3, \ldots, C_n)$, the keyword ciphertext $CK = (CK_1, CK_2, CK_3, \ldots, CK_n)$, the data ID, the data owner's identity ID, the threat data type, the threat data description, and the threat data upload time. The cloud storage center sends the dataID corresponding to each uploaded file to the data owner;

2-6) Generate a trapdoor using the private key of each sensitive keyword:

$Tw_{ij} = \mathrm{Trapdoor}(Apriv_{ij}, W_{ij})$,

3) Sensitive keyword search: to better support dynamic desensitization and efficient sharing of threat data based on visitor identity and permissions, searchable encryption is used so that the cloud storage center can search for sensitive files without touching the plaintext. When data visitor B needs to access data shared by data owner A, B first applies to A for keyword trapdoors. Based on B's identity (for example authorized security analyst, operations and maintenance staff, or external user), A determines which of the sensitive keywords are sensitive data that B must not see, generates the trapdoor list $Tw_b$, signs $Tw_b$ to obtain $S_t$, encrypts $S_t$ with the proxy server's public key $PK_C$ to obtain $C_t$, and returns $C_t$ to B. The search proceeds as follows:

3-1) Data visitor B sends a data access request to the cloud storage center carrying the trapdoor $C_t$ and dataID_B, where dataID_B is the list of dataIDs for all the files B wants to access. The sharing center first authenticates B's identity and, once that succeeds, runs the keyword search on the target data. It first decrypts the trapdoor $C_t$ with the private key $SK_C$ to obtain the signature $S_t$, then verifies the signature, and finally obtains the list of sensitive keyword trapdoors, so that: $S_t = \mathrm{Decrypt}_{ECC}(SK_C, C_t)$,

3-2) It then calls the smart contract and, using dataID_B, reads the file ciphertext set $C'$ that data visitor B has requested and the corresponding sensitive keyword ciphertexts $CK'$, where $C'$ and $CK'$ are subsets of $C$ and $CK$ respectively;

3-3) Run the sensitive keyword search on each file ciphertext $C'_i$ in the set $C'$ to determine whether the file contains sensitive information. Let the sensitive keyword ciphertext corresponding to $C'_i$ be $CK'_{ij}$. For each trapdoor $t$ in $Tw_b$, use $t$ to decrypt element 1 of $CK'_{ij}$:

$s = \mathrm{Decrypt}(CK'_{ij}[1], t)$,

Then XOR $s$ with the system parameter $Z$ to obtain $s'$. If $s' = CK'_{ij}[0]$, the match succeeds, which means the file contains a sensitive keyword, and the corresponding dataID is added to the sensitiveIDs set. When every trapdoor in $Tw_b$ fails to match every keyword ciphertext of the file, the file contains no sensitive keyword, and its dataID is added to the securityIDs set;

4) Data desensitization and sharing: after the sensitive keyword search, the cloud storage center knows whether each file requested by data visitor B contains sensitive information. sensitiveIDs records the dataIDs of all files that contain sensitive information, and securityIDs records the dataIDs of all files that do not. Because the files containing sensitive information have not been desensitized, the cloud server must first send the files listed in sensitiveIDs to data owner A, who desensitizes the data and then shares it with data visitor B. Files without sensitive information can be delivered directly to data visitor B by the cloud server using proxy re-encryption, where:

4-1) Sensitive file processing: the cloud proxy server first signs data visitor B's identity information with the private key $SK_C$, then sends the signature $S = \mathrm{Sign}(SK_C, userId_B)$ and the file ciphertexts $C_{sst}$ recorded in sensitiveIDs to A:

$S \,\|\, (C_{sst1}, C_{sst2}, \ldots, C_{sstd})$,

Data owner A processes the files as follows:

4-1-1) Data owner A first verifies the signature $S$. Given the signature and the cloud proxy server's public key $PK_C$ as input, the signature verification result is:

4-1-2) After verification succeeds, decrypt the files that contain sensitive information, then select a desensitization policy $R$ according to data visitor B's identity and permissions and perform the desensitization:

$M_{sst} = (M_{sst1}, M_{sst2}, \ldots, M_{sstd}) = (\mathrm{Decrypt}_{ECC}(SK_A, C_{sst1}), \mathrm{Decrypt}_{ECC}(SK_A, C_{sst2}), \ldots, \mathrm{Decrypt}_{ECC}(SK_A, C_{sstd}))$

$D = (D_1, D_2, \ldots, D_d) = (\mathrm{dataMask}(R, M_{sst1}), \mathrm{dataMask}(R, M_{sst2}), \ldots, \mathrm{dataMask}(R, M_{sstd}))$;

4-1-3) After desensitization, encrypt the data with data visitor B's public key and send it to data visitor B:

$C_D = \mathrm{Encrypt}_{ECC}(PK_B, D)$;

4-2) Non-sensitive file processing: because the files listed in securityIDs contain no sensitive information, the cloud proxy server can hand them to data visitor B directly. At this point, however, the file ciphertext is encrypted under data owner A's public key. For data visitor B to be able to decrypt it and obtain the final data, the proxy server must re-encrypt the ciphertext to obtain the ciphertext $C^*$, where the proxy re-encryption key $K_{AtoB}$ is generated from data owner A's private key and data visitor B's public key:

$K_{AtoB} = \mathrm{GetRekey}(SK_A, PK_B)$,

$C^* = \mathrm{PreReEncrypt}(K_{AtoB}, C_{sec})$;

4-3) Data decryption: when data visitor B's access succeeds, B obtains $C_D$ and $C^*$ from data owner A and the cloud proxy server respectively. $C_D$ is produced by data owner A desensitizing the files and then encrypting them directly with data visitor B's public key, so B can decrypt it with its private key and obtain the desensitized plaintext. $C^*$ has been encrypted first under data owner A's public key $PK_A$ and then under the proxy re-encryption key $K_{AtoB}$, and $K_{AtoB}$ is computed from $SK_A$ and data visitor B's public key $PK_B$, so B can likewise decrypt it with its private key:

$M_D = \mathrm{GetDecryptedData}(SK_B, C_D)$,

$M^* = \mathrm{PreReDecrypt}(SK_B, C^*)$.
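The keyword search of steps 2-3, 2-6 and 3-3, as an added example that is not code from the patent: textbook ElGamal over a prime field stands in for the unspecified Encrypt/Decrypt, the trapdoor is modelled as the per-keyword private key, and the file IDs, keywords, role policy and value of z are constructed. Signature verification of the trapdoor list (step 3-1) is left out.

```python
"""Toy model of patent steps 2-3 (keyword ciphertext), 2-6 (trapdoor) and
3-3 (cloud-side search). Added example; parameters are toy-sized, not secure."""
import secrets

P = 2**127 - 1           # prime modulus of the toy ElGamal group (assumption)
G = 3                    # group element used as base (assumption)
Z = 0x5A5A5A5A5A5A5A5A   # system parameter z (constructed value)


def keygen():
    """Per-keyword searchable-encryption key pair (Pub_ij, Priv_ij)."""
    priv = secrets.randbelow(P - 2) + 1
    return pow(G, priv, P), priv


def encrypt(pub, m):
    """Textbook ElGamal, standing in for the patent's Encrypt(Pub, Q)."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pub, r, P)) % P


def decrypt(ct, priv):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - priv, P)) % P   # c1^(-priv) via Fermat


def peks_entry(pub):
    """Step 2-3: random Q, S = Q xor z, entry = [S, Encrypt(Pub, Q)]."""
    q = secrets.randbelow(2**64 - 1) + 1
    return (q ^ Z, encrypt(pub, q))


def matches(entry, trapdoor):
    """Step 3-3: s = Decrypt(CK[1], t); hit iff (s xor z) == CK[0]."""
    return (decrypt(entry[1], trapdoor) ^ Z) == entry[0]


class Owner:
    """Data owner A: holds per-keyword keys, publishes only the PEKS index."""

    def __init__(self, files):
        self.keys = {}    # (dataID, keyword) -> (Pub, Priv), never leaves A
        self.index = {}   # dataID -> list of PEKS entries (CK_i), sent to cloud
        for data_id, keywords in files.items():
            self.index[data_id] = []
            for word in keywords:
                pub, priv = keygen()
                self.keys[(data_id, word)] = (pub, priv)
                self.index[data_id].append(peks_entry(pub))

    def trapdoors_for(self, hidden):
        """Trapdoor list Tw_b: one trapdoor per keyword the visitor may NOT see.
        Assumption: the trapdoor is the keyword's private key."""
        return [priv for (_, word), (_, priv) in self.keys.items() if word in hidden]


def cloud_search(index, requested_ids, trapdoors):
    """Cloud side: split requested dataIDs into (sensitiveIDs, securityIDs).
    The cloud sees only random strings and trapdoors, never a keyword."""
    sensitive_ids, security_ids = [], []
    for data_id in requested_ids:
        hit = any(matches(e, t) for e in index[data_id] for t in trapdoors)
        (sensitive_ids if hit else security_ids).append(data_id)
    return sensitive_ids, security_ids


# Constructed sample data: sensitive keywords per file and a role policy.
FILES = {"d1": ["plc_ip"], "d2": ["operator_name"],
         "d3": ["plc_ip", "operator_name"], "d4": []}
HIDDEN_BY_ROLE = {"analyst": {"operator_name"},
                  "external": {"plc_ip", "operator_name"}}

if __name__ == "__main__":
    owner = Owner(FILES)
    for role, hidden in HIDDEN_BY_ROLE.items():
        print(role, cloud_search(owner.index, list(FILES), owner.trapdoors_for(hidden)))
```

The partition depends only on the trapdoor list the visitor presents, which is why step 3-1 has the cloud verify the owner's signature on that list before searching.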

This technical solution supports dynamic desensitization of sensitive files by the data owner based on the visitor's identity: when a data visitor requests threat data from the cloud storage center, the visitor must carry the trapdoor $Tw_b$, which the data owner generates according to the data visitor's identity permissions. The cloud storage center uses $Tw_b$ to search out the ciphertext of the corresponding sensitive files, then sends the sensitive file ciphertext and a signature over the data visitor's identity information to the data owner, who performs the decryption, desensitization and sharing operations on the sensitive file ciphertext.

This technical solution supports efficient "one-to-many" sharing of non-sensitive files: the cloud storage center uses $Tw_b$ to search out the ciphertext of the corresponding non-sensitive files. Because non-sensitive files contain no sensitive information, the data owner does not need to perform desensitization. For data requests from different visitors, the cloud storage center uses the re-encryption key provided by the data owner to encrypt the non-sensitive files a second time, converting them into a form that the authorized visitor can decrypt, which achieves efficient "one-to-many" sharing.

This technical solution effectively protects the privacy of threat data: the cloud storage center and unauthorized visitors cannot decrypt the ciphertext, the cloud storage center cannot compute the sensitive keywords themselves from the keyword ciphertext and the trapdoors, and malicious visitors cannot obtain data illegally by forging trapdoors.

This technical solution has the following advantages: 1) Privacy protection: the method ensures the privacy of threat data and guarantees that only authorized data visitors can decrypt and obtain the plaintext content of the threat data, avoiding leakage of private data;

2) Sensitive keyword security: the method selects a random string for each sensitive keyword and implements the search for sensitive keywords by encrypting and verifying that random value. The cloud storage center only has access to the random strings and does not know which sensitive keyword each random string corresponds to, which ensures the security of the sensitive keywords;

3) Trapdoor verification: in this method the cloud storage center must verify the source of the visitor's trapdoor, which prevents malicious data visitors from forging trapdoors to obtain data illegally;

4) Dynamic processing of sensitive data: the method ensures that the data owner can dynamically process and securely share the threat data ciphertext based on the visitor's identity permissions.

The method provides privacy protection, sensitive keyword security, trapdoor verification and dynamic processing of sensitive data.

Description of drawings

Fig. 1 is a schematic diagram of the system structure in the embodiment;

Fig. 2 is a diagram of the division of system function modules in the embodiment;

Fig. 3 is a schematic diagram of the system layer architecture in the embodiment.

Detailed description

The content of the present invention is further described below with reference to the accompanying drawings and an embodiment, which do not limit the present invention.

Embodiment:

A method for dynamic processing and efficient sharing of threat data suitable for industrial control systems, comprising the following steps:

1) Define the data sharing system model: as shown in Fig. 1, assume the data sharing system has three parties: data owner A, data visitor B and the cloud storage center. Data owner A and data visitor B are members of the threat data sharing system, and every member must pass a strict user registration, login and authorized admission process before joining the sharing system. The cloud storage center is a trusted network built from cloud servers and blockchain nodes, and mainly performs data storage, sensitive file search and data sharing operations, where:

Data owner A is the party sharing threat data files such as industrial control vulnerabilities, attacker techniques and attack paths. A first extracts sensitive keywords from the shared files, then encrypts the shared files with a public key encryption algorithm to generate the ciphertext C, applies searchable encryption to the sensitive keywords to generate PEKS(PK, W), and uploads C and PEKS(PK, W) to the cloud storage center. Before data visitor B accesses the data uploaded by data owner A, B must first apply to data owner A for an access credential: data owner A selects sensitive keywords according to the identity permissions of data visitor B, generates a trapdoor, and sends the trapdoor to data visitor B as the access credential. When A receives a desensitization request from the cloud storage center, A must desensitize and encrypt the specified sensitive files and then send them to the corresponding data visitor;

Data visitor B represents visitors with different identity permissions, such as industrial control security engineers, operations and maintenance personnel, and external users. Before accessing the shared data of data owner A, data visitor B must apply to data owner A for an access credential and then present the credential when sending a data access request to the cloud storage center. Data visitor B may then receive file data from both data owner A and the cloud storage center. The content obtained directly from data owner A is a file that has been desensitized and encrypted with the public key $PK_B$, so data visitor B decrypts it directly with the private key $SK_B$ to obtain the desensitized file plaintext. The content obtained from the cloud storage center has been converted by proxy re-encryption, so data visitor B can likewise decrypt it with the private key $SK_B$ to obtain the plaintext;

Cloud storage center: after data owner A uploads the shared data ciphertext and the keyword ciphertext, the cloud storage center first generates a data ID for the uploaded content and then calls a smart contract to store the key information on chain: data ID, user identity ID, shared data ciphertext, keyword ciphertext and timestamp. When it receives an access request from data visitor B, it first verifies the access credential carried by data visitor B. If verification fails, access is denied. If verification passes, it runs the sensitive keyword search over all the requested files and then sends every file containing sensitive information to data owner A, who performs the desensitization and sharing operations. For files that contain no sensitive information, the cloud storage center performs proxy re-encryption on them directly, converting them into a form that data visitor B can decrypt, and finally sends the twice-encrypted files to data visitor B;

2) Divide the system function modules and layer structure: the application system structure in the embodiment is shown in Fig. 2. The modular design follows the requirements and main business functions of the industrial control threat data sharing process and comprises four modules: user identity management, threat data upload, threat data search and threat data query. The system layer architecture in the embodiment is shown in Fig. 3 and is divided into five layers: front-end layer, back-end layer, middle layer, persistence layer and collection layer;

3) Shared data preprocessing: while data owner A uploads shared data, the data may be eavesdropped on or hijacked by a man-in-the-middle, and data stored in the sharing system may be leaked by a semi-trusted server. The data is therefore encrypted before upload so that it remains ciphertext during both transmission and storage. Searchable encryption is used to process the shared data, which prevents leakage during transmission and storage while still supporting search over ciphertext. Let the shared data file set of data owner A be $M = \{M_1, M_2, M_3, \ldots, M_n\}$; the shared data is preprocessed as follows:

3-1) Generate the ECC asymmetric key pair $(PK_A, SK_A)$: first select a secure elliptic curve $E_p(a, b)$, then select a point on the curve as the base point G, so that:

$(PK_A, SK_A) = \mathrm{KeyGen}_{ECC}(E_p(a, b), G)$;

3-2) Extract the sensitive data keywords from each file to generate the sensitive keyword list $W_i = (w_{i1}, w_{i2}, w_{i3}, \ldots, w_{ik})$, where $1 \le i \le n$, $w_{ij} \in M_i$, and k is the number of sensitive keywords in file $M_i$. Generate a public-key searchable encryption key pair $(A_{pub_i}, A_{priv_i})$ for each sensitive keyword in $W_i$, where $A_{pub_i} = \{Pub_{i1}, Pub_{i2}, Pub_{i3}, \ldots, Pub_{ik}\}$ and $A_{priv_i} = \{Priv_{i1}, Priv_{i2}, Priv_{i3}, \ldots, Priv_{ik}\}$;

3-3) Select k random strings $(Q_{i1}, Q_{i2}, Q_{i3}, \ldots, Q_{ik})$, XOR each string with the system parameter Z to obtain k new strings $(S_{i1}, S_{i2}, S_{i3}, \ldots, S_{ik})$, and apply searchable encryption to the sensitive keywords to obtain the ciphertext $CK_i$:

$CK_i = \mathrm{PEKS}(A_{pub_i}, W_i)$

$= ([S_{i1}, \mathrm{Encrypt}(Pub_{i1}, Q_{i1})], [S_{i2}, \mathrm{Encrypt}(Pub_{i2}, Q_{i2})],$

$[S_{i3}, \mathrm{Encrypt}(Pub_{i3}, Q_{i3})], \ldots, [S_{ik}, \mathrm{Encrypt}(Pub_{ik}, Q_{ik})])$;

3-4) Encrypt each file:

$C_i = \mathrm{Encrypt}_{ECC}(PK_A, M_i)$;

3-5) Upload all file ciphertexts and the sensitive keyword ciphertexts corresponding to them to the cloud storage center. At this point the ciphertext can only be decrypted with the private key $SK_A$ of data owner A, and the cloud storage center cannot obtain the plaintext M. The proxy server calls the smart contract to store on the blockchain the file ciphertext $C = (C_1, C_2, C_3, \ldots, C_n)$, the keyword ciphertext $CK = (CK_1, CK_2, CK_3, \ldots, CK_n)$, the data ID, the data owner's identity ID, the threat data type, the threat data description and the threat data upload time. The cloud storage center sends the dataID corresponding to each uploaded file to the data owner;

3-6) Generate a trapdoor with the private key of each sensitive keyword:

$Tw_{ij} = \mathrm{Trapdoor}(A_{priv_{ij}}, W_{ij})$;

4) Sensitive keyword search: to better achieve dynamic desensitization and efficient sharing of threat data based on the visitor's identity permissions, searchable encryption is used so that the cloud storage center can search for sensitive files without touching the plaintext. When data visitor B needs to access data shared by data owner A, B first applies to data owner A for keyword trapdoors. Based on the identity of data visitor B, data owner A decides which of the sensitive keywords are sensitive data that data visitor B must not see, generates the trapdoor list $Tw_b$, signs $Tw_b$ to obtain $S_t$, encrypts $S_t$ with the proxy server's public key $PK_C$ to obtain $C_t$, and returns $C_t$ to B. The search proceeds as follows:

4-1) Data visitor B sends a data access request to the cloud storage center carrying the trapdoor $C_t$ and dataID_B, where dataID_B is the list of dataIDs of all the files data visitor B wants to access. The sharing center first authenticates the identity of data visitor B and, once authentication passes, runs the keyword search on the target data: it decrypts the trapdoor $C_t$ with the private key $SK_C$ to obtain the signature $S_t$, verifies the signature, and finally obtains the list of sensitive keyword trapdoors:

$S_t = \mathrm{Decrypt}_{ECC}(SK_C, C_t)$,

$\{Tw_b, \perp\} = \mathrm{Verify}(PK_A, S_t)$;

4-2) Next, call the smart contract and, using dataID_B, read the file ciphertext set C' that data visitor B has requested and the corresponding sensitive keyword ciphertext CK', where C' and CK' are subsets of C and CK respectively;

4-3) Run the sensitive keyword search on each file ciphertext $C'_i$ in the set C' to determine whether the file contains sensitive information. Let the sensitive keyword ciphertext corresponding to $C'_i$ be $CK'_{ij}$; traverse every trapdoor t in $Tw_b$ and use t to decrypt the element $CK'_{ij}[1]$:

$s = \mathrm{Decrypt}(CK'_{ij}[1], t)$,

Then XOR s with the system parameter Z to obtain s'. If $s' = CK'_{ij}[0]$, the match succeeds, which means the file contains a sensitive keyword, and the corresponding dataID is added to the sensitiveIDs set. When every trapdoor in $Tw_b$ fails to match every keyword ciphertext of the file, the file contains no sensitive keyword, and its dataID is added to the securityIDs set;
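The index construction of step 3-3) and the matching loop of step 4-3), as an added Python example that is not part of the patent. Assumptions: toy ElGamal stands in for the unspecified Encrypt/Decrypt, a trapdoor is taken to be the per-keyword private key, the signing and encryption of the trapdoor list ($S_t$, $C_t$) are omitted, and the file IDs, keywords and roles are constructed.

```python
import secrets

# Toy ElGamal over Z_p*: an assumed stand-in for the patent's unspecified
# Encrypt/Decrypt. Illustrative only, not a vetted PEKS construction.
P = 2**255 - 19          # prime modulus
G = 2


def keygen():
    priv = secrets.randbelow(P - 3) + 2            # 2 .. P-2
    return pow(G, priv, P), priv


def encrypt(pub, m):
    r = secrets.randbelow(P - 3) + 2
    return pow(G, r, P), (m * pow(pub, r, P)) % P


def decrypt(priv, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - priv, P)) % P     # c2 * c1^(-priv) mod P


def owner_build_index(files, z):
    """Steps 3-2/3-3: one key pair per (file, keyword) and one entry
    [S, Encrypt(Pub, Q)] with S = Q xor Z. Returns (cloud index, owner keys)."""
    index, keys = {}, {}
    for data_id, words in files.items():
        index[data_id] = []
        for w in words:
            pub, priv = keygen()
            keys[(data_id, w)] = priv              # stays with the owner
            q = secrets.randbelow(P - 1) + 1       # random string Q as an integer
            index[data_id].append((q ^ z, encrypt(pub, q)))
    return index, keys


def owner_trapdoors(keys, hidden_words):
    """Trapdoor list Tw_b for the keywords this visitor must not see.
    Assumption: a trapdoor is the per-keyword private key."""
    return [priv for (_, w), priv in keys.items() if w in hidden_words]


def cloud_classify(index, requested_ids, trapdoors, z):
    """Step 4-3: s = Decrypt(CK[1], t); s' = s xor Z; match when s' == CK[0]."""
    sensitive_ids, security_ids = [], []
    for data_id in requested_ids:
        hit = any((decrypt(t, enc_q) ^ z) == s
                  for s, enc_q in index[data_id]
                  for t in trapdoors)
        (sensitive_ids if hit else security_ids).append(data_id)
    return sensitive_ids, security_ids


# Constructed sample data: dataID -> sensitive keywords found in that file.
FILES = {
    "d1": ["plc_password", "vpn_gateway_ip"],
    "d2": ["vendor_name"],
    "d3": [],
}
# Constructed policy: keywords each role must not see.
HIDDEN_BY_ROLE = {
    "engineer": set(),
    "operations": {"plc_password"},
    "external": {"plc_password", "vendor_name"},
}


def run_demo():
    z = secrets.randbits(254)                      # system parameter Z
    index, keys = owner_build_index(FILES, z)
    return {
        role: cloud_classify(index, list(FILES),
                             owner_trapdoors(keys, hidden), z)
        for role, hidden in HIDDEN_BY_ROLE.items()
    }


if __name__ == "__main__":
    for role, (sensitive_ids, security_ids) in run_demo().items():
        print(role, "sensitiveIDs =", sensitive_ids,
              "securityIDs =", security_ids)
```

The same stored index yields a different sensitiveIDs/securityIDs split per role, and a trapdoor list that is empty or made of unrelated keys matches nothing, so every file falls into securityIDs.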

5) Data desensitization and sharing: after the sensitive keyword search, the cloud storage center has determined whether each file requested by data visitor B contains sensitive information. sensitiveIDs records the dataIDs of all files that contain sensitive information, and securityIDs records the dataIDs of all files that do not. Because files containing sensitive information have not yet been desensitized, the cloud server must first send the files listed in sensitiveIDs to data owner A, who desensitizes the data and then shares it with data visitor B. Files with no sensitive information can be delivered to data visitor B directly by the cloud server using proxy re-encryption, where:

5-1) Sensitive file processing: the cloud proxy server first signs the identity information of data visitor B with the private key $SK_C$, then sends the signature $S = \mathrm{Sign}(SK_C, userIdB)$ and the file ciphertexts $C_{sst}$ recorded in sensitiveIDs to A:

$S \| (C_{sst1}, C_{sst2}, \ldots, C_{sstd})$,

Data owner A processes the files as follows:

5-1-1) Data owner A first verifies the signature S, taking the signature and the cloud proxy server's public key $PK_C$ as input; the verification result is:

$\{userIdB, \perp\} = \mathrm{Verify}(PK_C, S)$;

5-1-2) After verification passes, decrypt the files containing sensitive information, then select the desensitization policy R according to the identity permissions of data visitor B and perform the desensitization operation:

$M_{sst} = (M_{sst1}, M_{sst2}, \ldots, M_{sstd})$

$= (\mathrm{Decrypt}_{ECC}(SK_A, C_{sst1}), \mathrm{Decrypt}_{ECC}(SK_A, C_{sst2}), \ldots, \mathrm{Decrypt}_{ECC}(SK_A, C_{sstd}))$

$D = (D_1, D_2, \ldots, D_d)$

$= (\mathrm{dataMask}(R, M_{sst1}), \mathrm{dataMask}(R, M_{sst2}), \ldots, \mathrm{dataMask}(R, M_{sstd}))$;

5-1-3) After desensitization is complete, encrypt the data with the public key of data visitor B and send it to data visitor B:

$C_D = \mathrm{Encrypt}_{ECC}(SK_B, D)$;

5-2) Non-sensitive file processing: since the files listed in securityIDs contain no sensitive information, the cloud proxy server can deliver them directly to data visitor B. At this point, however, the file ciphertext is encrypted under the public key of data owner A. So that data visitor B can decrypt it and obtain the final data, the proxy server also re-encrypts the ciphertext to obtain the ciphertext $C^*$, where the proxy re-encryption key $K_{AtoB}$ is generated from the private key of data owner A and the public key of data visitor B:

$K_{AtoB} = \mathrm{GetRekey}(SK_A, PK_B)$,

$C^* = \mathrm{PreReEncrypt}(K_{AtoB}, C_{sec})$;

5-3) Data decryption: when data visitor B's access succeeds, B obtains $C_D$ and $C^*$ from data owner A and the cloud proxy server respectively. $C_D$ is generated by data owner A desensitizing the file and then encrypting it directly with the public key of data visitor B; data visitor B decrypts it with the private key and obtains the desensitized plaintext data. Because $C^*$ has been encrypted in turn under the public key $SK_A$ of data owner A and the proxy re-encryption key $K_{AtoB}$, and $K_{AtoB}$ is computed from $SK_A$ and the public key $PK_B$ of data visitor B, data visitor B can likewise decrypt it with the private key:

$M_D = \mathrm{GetDecryptedData}(SK_B, C_D)$,

$M^* = \mathrm{PreReDecrypt}(SK_B, C^*)$.

Claims (1)

1. A threat data dynamic processing and efficient sharing method suitable for an industrial control system, characterized by comprising the following steps:
1) Defining a data sharing system model: assume the data sharing system has three parties, data owner A, data visitor B and a cloud storage center; data owner A and data visitor B are members of the threat data sharing system, and every member must pass a strict user registration, login and authorized admission process before joining the sharing system; the cloud storage center is a trusted network built from cloud servers and blockchain nodes and mainly performs data storage, sensitive file search and data sharing operations, wherein:
data owner A, as the data provider, first extracts sensitive keywords from the shared files, then encrypts the shared files with a public key encryption algorithm to generate the ciphertext C, applies searchable encryption to the sensitive keywords to generate PEKS(PK, W), and uploads C and PEKS(PK, W) to the cloud storage center; before data visitor B accesses the data uploaded by data owner A, B must apply to data owner A for an access credential; data owner A selects sensitive keywords according to the identity permissions of data visitor B, generates a trapdoor, and sends the trapdoor to data visitor B as the access credential; on receiving a desensitization request from the cloud storage center, A must desensitize and encrypt the specified sensitive files and then send them to the corresponding data visitor;
before data visitor B accesses the shared data of data owner A, B must apply to data owner A for an access credential and then present the credential when sending a data access request to the cloud storage center; data visitor B may then receive file data from both data owner A and the cloud storage center; the content obtained directly from data owner A is a file that has been desensitized and encrypted with the public key $PK_B$, and data visitor B decrypts it directly with the private key $SK_B$ to obtain the desensitized file plaintext; the content obtained from the cloud storage center has been converted by proxy re-encryption, so data visitor B can likewise decrypt it with the private key $SK_B$ to obtain the plaintext;
cloud storage center: after data owner A uploads the shared data ciphertext and the keyword ciphertext, the cloud storage center first generates a data ID for the uploaded content and then calls a smart contract to store on chain the key information: data ID, user identity ID, shared data ciphertext, keyword ciphertext and timestamp; on receiving an access request from data visitor B, it first verifies the access credential carried by data visitor B; if verification fails, access is denied; if verification passes, it runs the sensitive keyword search over all the requested files and then sends every file containing sensitive information to data owner A, who performs the desensitization and sharing operations; for files that contain no sensitive information, the cloud storage center performs proxy re-encryption on them directly, converting them into a form that data visitor B can decrypt, and finally sends the twice-encrypted files to data visitor B;
2) Shared data preprocessing: data owner A encrypts the data before uploading it and processes the shared data with searchable encryption; let the shared data file set of data owner A be $M = \{M_1, M_2, M_3, \ldots, M_n\}$; the shared data is preprocessed as follows:
2-1) generating the ECC asymmetric key pair $(PK_A, SK_A)$: first select a secure elliptic curve $E_p(a, b)$, then select a point on the curve as the base point G, so that:
$(PK_A, SK_A) = \mathrm{KeyGen}_{ECC}(E_p(a, b), G)$;
2-2) extracting the sensitive data keywords from each file to generate the sensitive keyword list $W_i = (w_{i1}, w_{i2}, w_{i3}, \ldots, w_{ik})$, where $1 \le i \le n$, $w_{ij} \in M_i$, and k is the number of sensitive keywords in file $M_i$; generating a public-key searchable encryption key pair $(A_{pub_i}, A_{priv_i})$ for each sensitive keyword in $W_i$, where $A_{pub_i} = \{Pub_{i1}, Pub_{i2}, Pub_{i3}, \ldots, Pub_{ik}\}$ and $A_{priv_i} = \{Priv_{i1}, Priv_{i2}, Priv_{i3}, \ldots, Priv_{ik}\}$;
2-3) selecting k random strings $(Q_{i1}, Q_{i2}, Q_{i3}, \ldots, Q_{ik})$, XORing each string with the system parameter Z to obtain k new strings $(S_{i1}, S_{i2}, S_{i3}, \ldots, S_{ik})$, and applying searchable encryption to the sensitive keywords to obtain the ciphertext $CK_i$:
$CK_i = \mathrm{PEKS}(A_{pub_i}, W_i)$
$= ([S_{i1}, \mathrm{Encrypt}(Pub_{i1}, Q_{i1})], [S_{i2}, \mathrm{Encrypt}(Pub_{i2}, Q_{i2})], [S_{i3}, \mathrm{Encrypt}(Pub_{i3}, Q_{i3})], \ldots, [S_{ik}, \mathrm{Encrypt}(Pub_{ik}, Q_{ik})])$;
2-4) encrypting each file:
$C_i = \mathrm{Encrypt}_{ECC}(PK_A, M_i)$;
2-5) uploading all file ciphertexts and the sensitive keyword ciphertexts corresponding to them to the cloud storage center, where the ciphertext can only be decrypted with the private key $SK_A$ of data owner A and the cloud storage center cannot obtain the plaintext M; the proxy server calls the smart contract for the file ciphertext $C = (C_1, C_2, C_3, \ldots, C_n)$ and the keyword ciphertext $CK = (CK_1, CK_2, CK_3, \ldots, CK_n)$, and the cloud storage center sends the dataID corresponding to each uploaded file to the data owner;
2-6) generating trapdoors using the private key of each sensitive keyword:
3) Sensitive keyword search: searchable encryption is used so that the cloud storage center can search for sensitive files without touching the plaintext; when data visitor B needs to access data shared by data owner A, B first applies to data owner A for keyword trapdoors; based on the identity of data visitor B, data owner A decides which of the sensitive keywords are sensitive data that data visitor B must not see, generates the trapdoor list $Tw_b$, signs $Tw_b$ to obtain $S_t$, encrypts $S_t$ with the proxy server's public key $PK_C$ to obtain $C_t$, and returns $C_t$ to B; the search proceeds as follows:
3-1) data visitor B sends a data access request to the cloud storage center carrying the trapdoor $C_t$ and dataID_B, where dataID_B is the list of dataIDs of all the files data visitor B wants to access; the sharing center first authenticates the identity of data visitor B and, once authentication passes, runs the keyword search on the target data: it decrypts the trapdoor $C_t$ with the private key $SK_C$ to obtain the signature $S_t$, verifies the signature, and finally obtains the list of sensitive keyword trapdoors:
$S_t = \mathrm{Decrypt}_{ECC}(SK_C, C_t)$,
$\{Tw_b, \perp\} = \mathrm{Verify}(PK_A, S_t)$;
3-2) then calling the smart contract and, using dataID_B, reading the file ciphertext set C' that data visitor B has requested and the corresponding sensitive keyword ciphertext CK', where C' and CK' are subsets of C and CK respectively;
3-3) running the sensitive keyword search on each file ciphertext $C'_i$ in the set C' to determine whether the file contains sensitive information; let the sensitive keyword ciphertext corresponding to $C'_i$ be $CK'_{ij}$; traverse every trapdoor t in $Tw_b$ and use t to decrypt the element $CK'_{ij}[1]$:
$s = \mathrm{Decrypt}(CK'_{ij}[1], t)$,
then XOR s with the system parameter Z to obtain s'; if $s' = CK'_{ij}[0]$, the match succeeds, which means the file contains a sensitive keyword, and the corresponding dataID is added to the sensitiveIDs set; when every trapdoor in $Tw_b$ fails to match every keyword ciphertext of the file, the file contains no sensitive keyword, and its dataID is added to the securityIDs set;
4) Data desensitization and sharing: after the sensitive keyword search, the cloud storage center has determined whether each file requested by data visitor B contains sensitive information; sensitiveIDs records the dataIDs of all files that contain sensitive information, and securityIDs records the dataIDs of all files that do not; the files listed in sensitiveIDs are sent to data owner A, who desensitizes the data and then shares it with data visitor B; files with no sensitive information can be delivered to data visitor B directly by the cloud server using proxy re-encryption, wherein:
4-1) sensitive file processing: the cloud proxy server first signs the identity information of data visitor B with the private key $SK_C$, then sends the signature $S = \mathrm{Sign}(SK_C, userIdB)$ and the file ciphertexts $C_{sst}$ recorded in sensitiveIDs to A:
$S \| (C_{sst1}, C_{sst2}, \ldots, C_{sstd})$,
data owner A processes the files as follows:
4-1-1) data owner A first verifies the signature S, taking the signature and the cloud proxy server's public key $PK_C$ as input; the verification result is:
$\{userIdB, \perp\} = \mathrm{Verify}(PK_C, S)$;
4-1-2) after verification passes, decrypting the files containing sensitive information, then selecting the desensitization policy R according to the identity permissions of data visitor B and performing the desensitization operation:
$M_{sst} = (M_{sst1}, M_{sst2}, \ldots, M_{sstd})$
$= (\mathrm{Decrypt}_{ECC}(SK_A, C_{sst1}), \mathrm{Decrypt}_{ECC}(SK_A, C_{sst2}), \ldots, \mathrm{Decrypt}_{ECC}(SK_A, C_{sstd}))$
$D = (D_1, D_2, \ldots, D_d)$
$= (\mathrm{dataMask}(R, M_{sst1}), \mathrm{dataMask}(R, M_{sst2}), \ldots, \mathrm{dataMask}(R, M_{sstd}))$;
4-1-3) after desensitization is complete, encrypting the data with the public key of data visitor B and sending it to data visitor B: $C_D = \mathrm{Encrypt}_{ECC}(SK_B, D)$;
4-2) non-sensitive file processing: the cloud proxy server delivers the file ciphertext directly to data visitor B, but the file ciphertext is encrypted under the public key of data owner A, so the proxy server also re-encrypts the ciphertext to obtain the ciphertext $C^*$, where the proxy re-encryption key $K_{AtoB}$ is generated from the private key of data owner A and the public key of data visitor B:
$K_{AtoB} = \mathrm{GetRekey}(SK_A, PK_B)$,
$C^* = \mathrm{PreReEncrypt}(K_{AtoB}, C_{sec})$;
4-3) data decryption: when data visitor B's access succeeds, B obtains $C_D$ and $C^*$ from data owner A and the cloud proxy server respectively, where $C_D$ is generated by data owner A desensitizing the file and then encrypting it directly with the public key of data visitor B; data visitor B decrypts it with the private key and obtains the desensitized plaintext data; because $C^*$ has been encrypted in turn under the public key $SK_A$ of data owner A and the proxy re-encryption key $K_{AtoB}$, and $K_{AtoB}$ is computed from $SK_A$ and the public key $PK_B$ of data visitor B, data visitor B can likewise decrypt it with the private key:
$M_D = \mathrm{GetDecryptedData}(SK_B, C_D)$,
$M^* = \mathrm{PreReDecrypt}(SK_B, C^*)$.
CN202310463402.4A 2023-04-26 2023-04-26 Threat data dynamic processing and efficient sharing method suitable for industrial control system Active CN116566663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310463402.4A CN116566663B (en) 2023-04-26 2023-04-26 Threat data dynamic processing and efficient sharing method suitable for industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310463402.4A CN116566663B (en) 2023-04-26 2023-04-26 Threat data dynamic processing and efficient sharing method suitable for industrial control system

Publications (2)

Publication Number Publication Date
CN116566663A (en) 2023-08-08
CN116566663B (en) 2025-07-22

Family

ID=87485463

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310463402.4A Active CN116566663B (en) 2023-04-26 2023-04-26 Threat data dynamic processing and efficient sharing method suitable for industrial control system

Country Status (1)

Country Link
CN (1) CN116566663B (en)

Also Published As

Publication number Publication date
CN116566663B (en) 2025-07-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant