CN109525388B - Combined encryption method and system with separated keys - Google Patents
Description
Technical field
The invention relates to the technical fields of data security and computer networks, and in particular to a key-separated combined encryption method and system.
Background
With the rapid development of mobile Internet and wireless network technologies, a large amount of digital data is generated every day, and people pay increasing attention to the privacy and security of data. Data encryption is one of the main means of protecting privacy. On the one hand, to keep data secure, the encryption algorithms and keys in use are becoming more and more complex; when a device has limited computing power (a mobile phone or a set-top box, for example), encryption and decryption take a long time and degrade the user experience. On the other hand, encryption today usually means that one party sets a key, encrypts the file, and then stores the encrypted data and the key on the server or set-top box. When the key is obtained by hackers, the user's sensitive information is leaked; in addition, the computational demands on the encrypting party are high. Therefore, to protect privacy and improve encryption and decryption efficiency, multi-party participation in key generation and in data encryption and decryption will become a trend.
With the development of the mobile Internet, mobile phones are increasingly widespread, and people use them to take photos, shop and so on. When people want to save moments of their lives or photos on a server (for example a network set-top box or a cloud server), the existing methods for protecting privacy fall into two categories: 1. encrypt on the mobile phone, then upload to the server for storage; 2. transmit the data to the server, which encrypts and stores it. In both methods only one party takes part in encrypting and decrypting the file. The first places high performance demands on the phone, and if that party's key is lost, the private information is leaked. The second requires strong computing performance on the server, yet in a mobile Internet environment neither the user terminal nor the server (not limited to a set-top box) has high computing performance. In addition, when a user wants to share encrypted data with other users, one method is to send the key to the other users, which increases the risk of leakage; the other is to re-encrypt the document with a new key, which increases storage use.
Summary of the invention
The technical problem solved by the solution provided by the embodiments of the present invention is that a server with limited computing and storage capabilities faces a risk of data security and privacy leakage and has limited storage.
A key-separated combined encryption method provided according to an embodiment of the present invention includes:
The user terminal divides the data into a first part and a second part, and encrypts the first part of the data with a terminal key obtained from a key distribution center (KDC) to obtain the first-part ciphertext;
The user terminal sends the first-part ciphertext and the second part of the data to the server, so that the server encrypts the second part of the data with a server-side key obtained from the KDC to obtain the second-part ciphertext.
Preferably, before the first part of the data is encrypted with the terminal key obtained from the KDC, the method further includes:
The user terminal sends a registration request containing server-side information to the KDC and receives the terminal key that the KDC returns in response to the registration request.
Preferably, the step in which the user terminal divides the data into a first part and a second part and encrypts the first part with the terminal key obtained from the KDC to obtain the first-part ciphertext includes:
The user terminal randomly splits the data to obtain the first part of the data, the second part of the data and the data split information;
The user terminal encrypts the first part of the data with the terminal key to obtain the first-part ciphertext.
Preferably, the method further includes:
When the data is viewed, decrypting the first-part ciphertext and the second part of the data with the terminal key and the server-side key respectively, and splicing the decrypted plaintext according to the data split information to recover the data.
Preferably, when the user terminal views the data, decrypting the first-part ciphertext and the second part of the data with the terminal key and the server-side key respectively, and splicing the decrypted plaintext according to the data split information to recover the data, includes:
The user terminal receives the second part of the plaintext, which the server obtains by decrypting the second-part ciphertext with the server-side key;
After receiving the second part of the plaintext, the user terminal decrypts the first-part ciphertext with the terminal key to obtain the first part of the plaintext;
The user terminal splices the second part of the plaintext and the first part of the plaintext according to the data split information to recover the data.
A key-separated combined encryption method provided according to an embodiment of the present invention includes:
The server receives the first-part ciphertext, the second part of the data and the data split information sent by the user terminal, and encrypts the second part of the data in the ciphertext component with the server-side key obtained from the KDC to obtain the second-part ciphertext;
The server stores the received first-part ciphertext, the data split information and the resulting second-part ciphertext.
A key-separated combined encryption system provided according to an embodiment of the present invention includes:
A user terminal, configured to divide the data into a first part and a second part, encrypt the first part of the data with the terminal key obtained from the key distribution center (KDC) to obtain the first-part ciphertext, and then send the first-part ciphertext and the second part of the data to the server;
A server, configured to encrypt the second part of the data with the server-side key obtained from the KDC to obtain the second-part ciphertext.
Preferably, the user terminal includes:
A splitting unit, configured to randomly split the data to obtain the first part of the data, the second part of the data and the data split information;
An encryption unit, used by the user terminal to encrypt the first part of the data with the terminal key returned in response to a registration request containing server-side information sent to the KDC, obtaining the first-part ciphertext.
A key-separated combined encryption device provided according to an embodiment of the present invention includes a processor and a memory coupled to the processor; the memory stores a key-separated combined encryption program that can run on the processor, and when executed by the processor the program implements:
Dividing the data into a first part and a second part, and encrypting the first part of the data with the terminal key obtained from the key distribution center (KDC) to obtain the first-part ciphertext;
Sending the first-part ciphertext and the second part of the data to the server, so that the server encrypts the second part of the data with the server-side key obtained from the KDC to obtain the second-part ciphertext.
A computer storage medium provided according to an embodiment of the present invention stores a key-separated combined encryption program, and when executed by a processor the program implements:
Receiving the first-part ciphertext, the second part of the data and the data split information sent by the user terminal, and encrypting the second part of the data in the ciphertext component with the server-side key obtained from the KDC to obtain the second-part ciphertext;
Storing the received first-part ciphertext, the data split information and the resulting second-part ciphertext.
According to the solution provided by the embodiments of the present invention, the user terminal and the server both take part in data encryption, which can effectively improve encryption and decryption efficiency. By adding an access control policy to the ciphertext component, multiple users are allowed to access the same encrypted data without sharing keys, which eases the storage load on the server.
Description of drawings
FIG. 1 is a flowchart of a key-separated combined encryption method provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a key-separated combined encryption system provided by an embodiment of the present invention;
FIG. 3 is a model diagram of the key-separated encryption flow provided by an embodiment of the present invention;
FIG. 4 is a model diagram of the key-separated decryption flow provided by an embodiment of the present invention;
FIG. 5 is a flowchart of the key-separation method provided by an embodiment of the present invention;
FIG. 6 is a flowchart of the key-separated data encryption method provided by an embodiment of the present invention;
FIG. 7 is a flowchart of the key-separated user key generation method provided by an embodiment of the present invention;
FIG. 8 is a flowchart of the key-separated data access method provided by an embodiment of the present invention.
Detailed description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only used to illustrate and explain the present invention, not to limit it.
FIG. 1 is a flowchart of a key-separated combined encryption method provided by an embodiment of the present invention. As shown in FIG. 1, it includes:
Step S101: the user terminal divides the data into a first part and a second part, and encrypts the first part of the data with the terminal key obtained from the key distribution center (KDC) to obtain the first-part ciphertext;
Step S102: the user terminal sends the first-part ciphertext and the second part of the data to the server, so that the server encrypts the second part of the data with the server-side key obtained from the KDC to obtain the second-part ciphertext.
Before the first part of the data is encrypted with the terminal key obtained from the KDC, the method further includes: the user terminal sends a registration request containing server-side information to the KDC and receives the terminal key that the KDC returns in response to the registration request.
The step in which the user terminal divides the data into a first part and a second part and encrypts the first part with the terminal key obtained from the KDC to obtain the first-part ciphertext includes: the user terminal randomly splits the data to obtain the first part of the data, the second part of the data and the data split information; the user terminal encrypts the first part of the data with the terminal key to obtain the first-part ciphertext.
The embodiment of the present invention further includes: when the data is viewed, decrypting the first-part ciphertext and the second part of the data with the terminal key and the server-side key respectively, and splicing the decrypted plaintext according to the data split information to recover the data.
When the user terminal views the data, this decryption and splicing includes: the user terminal receives the second part of the plaintext, which the server obtains by decrypting the second-part ciphertext with the server-side key; after receiving the second part of the plaintext, the user terminal decrypts the first-part ciphertext with the terminal key to obtain the first part of the plaintext; the user terminal splices the second part of the plaintext and the first part of the plaintext according to the data split information to recover the data.
A key-separated combined encryption method provided according to an embodiment of the present invention includes:
The server receives the first-part ciphertext, the second part of the data and the data split information sent by the user terminal, and encrypts the second part of the data in the ciphertext component with the server-side key obtained from the KDC to obtain the second-part ciphertext;
The server stores the received first-part ciphertext, the data split information and the resulting second-part ciphertext.
FIG. 2 is a schematic diagram of a key-separated combined encryption system provided by an embodiment of the present invention. As shown in FIG. 2, it includes: a user terminal 201, configured to divide the data into a first part and a second part, encrypt the first part of the data with the terminal key obtained from the key distribution center (KDC) to obtain the first-part ciphertext, and then send the first-part ciphertext and the second part of the data to the server; and a server 202, configured to encrypt the second part of the data with the server-side key obtained from the KDC to obtain the second-part ciphertext.
The user terminal 201 includes: a splitting unit, configured to randomly split the data to obtain the first part of the data, the second part of the data and the data split information; and an encryption unit, used by the user terminal to encrypt the first part of the data with the terminal key returned in response to a registration request containing server-side information sent to the KDC, obtaining the first-part ciphertext.
A key-separated combined encryption device provided according to an embodiment of the present invention includes a processor and a memory coupled to the processor; the memory stores a key-separated combined encryption program that can run on the processor, and when executed by the processor the program implements:
Dividing the data into a first part and a second part, and encrypting the first part of the data with the terminal key obtained from the key distribution center (KDC) to obtain the first-part ciphertext;
Sending the first-part ciphertext and the second part of the data to the server, so that the server encrypts the second part of the data with the server-side key obtained from the KDC to obtain the second-part ciphertext.
A computer storage medium provided according to an embodiment of the present invention stores a key-separated combined encryption program, and when executed by a processor the program implements:
Receiving the first-part ciphertext, the second part of the data and the data split information sent by the user terminal, and encrypting the second part of the data in the ciphertext component with the server-side key obtained from the KDC to obtain the second-part ciphertext;
Storing the received first-part ciphertext, the data split information and the resulting second-part ciphertext.
FIG. 3 is a model diagram of the key-separated encryption flow provided by an embodiment of the present invention. As shown in FIG. 3, it includes: (1) the user terminal registers with the KDC and requests a key; (2) the KDC distributes the key; (3) the partially encrypted ciphertext component is uploaded; (4) the server requests a key; (5) the KDC distributes the key.
FIG. 4 is a model diagram of the key-separated decryption flow provided by an embodiment of the present invention. As shown in FIG. 3, it includes: (1) the user terminal (ciphertext owner) requests access to the ciphertext; (2) the server returns the partially decrypted ciphertext component; (3) the authorized terminal user requests a key; (4) the KDC distributes the key; (5) the authorized terminal user (ciphertext visitor) requests access to the ciphertext; (6) the server sends the ciphertext access policy; (7) the KDC returns the ciphertext owner's key-generation intermediate value; (8) the server returns the plaintext data to the authorized terminal user.
The system proposed by the present invention contains the following components: user terminal, authorized terminal, server and KDC. The user terminal includes an encryption/decryption module and an access policy generation module. A user terminal that does not take part in encryption or access policy generation and only takes part in decryption is called an authorized terminal. The server includes an encryption/decryption module and an access policy management module. The KDC includes a key management module and an access policy management module.
FIG. 5 is a flowchart of the key-separation method provided by an embodiment of the present invention. As shown in FIG. 5, it includes:
S1: The system is initialized; the user terminal generates the ciphertext access policy, sends it to the KDC and applies for a key;
S2: The KDC first generates the user terminal key and sends it to the user terminal, then uses the ciphertext access policy sent by the user terminal to generate the user key-generation intermediate value; the KDC stores only the user key-generation intermediate value;
S3: The user terminal splits the plaintext data and encrypts part of the plaintext with the key distributed by the KDC to produce ciphertext; the user then sends the data split information, the access policy, the ciphertext part and the plaintext part together to the server. The user must keep the key;
S4: The server receives the ciphertext component sent by the user and then applies to the KDC for a key;
S5: The KDC receives the server's key application, generates a key for the server and sends it to the server;
S6: The server receives the key distributed by the KDC, encrypts the plaintext part of the ciphertext component, and then stores the ciphertext component, containing the data split information, the ciphertext and the access policy, on the server. The server must also keep its key;
S7: When a user terminal sends a decryption request, the server first determines whether the user is the ciphertext owner. If so, go to S8; if the accessing user is not the ciphertext owner, go to S9-S11;
S8: The server decrypts the ciphertext part it encrypted with its own key and sends the ciphertext component to the user terminal; the user terminal then decrypts the part it encrypted with its own key and merges the data back together according to the data split information;
S9: The authorized user first applies to the KDC for a key. When the authorized user sends a decryption request, the server first checks whether the authorized user satisfies the ciphertext's access policy. If not, access is refused; if the access policy is satisfied, the authorized user sends their key to the server;
S10: On receiving the authorized user's key, the server sends the authorized user's key and the ciphertext access policy to the KDC. The KDC uses the ciphertext access policy to find the ciphertext owner's key-generation intermediate value corresponding to that authorized user and sends the value to the server;
S11: On receiving the intermediate value, the server uses its own key, the authorized user's key and the ciphertext owner's key-generation intermediate value to decrypt the ciphertext, merges the plaintext data back together according to the data split information, and sends it to the authorized user.
FIG. 6 is a flowchart of the key-separated data encryption method provided by an embodiment of the present invention. As shown in FIG. 6, both the user terminal (not limited to a mobile phone) and a low-performance server (not limited to a set-top box) take part in encryption, and a KDC distributes the keys. The KDC sends one key to the user terminal and one to the server. The user terminal splits the data, encrypts with the key it holds, and sends the ciphertext and the plaintext part to the server; the server then encrypts the plaintext part with the key it holds and stores the result. Decryption requires both parties to take part in order to decrypt correctly. Having two parties take part in encryption and decryption not only improves efficiency but also avoids the system security weakness that arises when the key is stored by a single party, which improves security. In addition, when encrypting data the user can set an access control policy for it, and the access control mechanism is managed by the server and the KDC. The user submits the access control policy when applying to the KDC for a key, and the key distribution module generates the corresponding key-generation intermediate value from that policy. When an authorized user needs to access the encrypted file, the server applies to the KDC, according to the access policy, for the corresponding key-generation intermediate value, decrypts the ciphertext with it and the authorized user's key, and sends the plaintext data to the authorized user. This ensures that the server stores only one ciphertext.
The technical content of the embodiments of the present invention is described in detail below with reference to FIG. 6 to FIG. 8. Application scenario: secure sharing of photos (files) on a network set-top box.
Key generation, as shown in FIG. 7:
First the system is initialized; user terminals (including set-top boxes, mobile phones and so on) register with the key distribution center (KDC) and request keys.
Encryption, as shown in FIG. 6:
User A is about to use a mobile phone to upload a photo to the set-top box for encrypted storage. The user obtains the key Ka from the KDC and obtains from the key distribution center the list of users (including the set-top box) already registered on that set-top box. User A draws up the photo's access policy from the user list (only users in the access policy, called authorized users, can access the photos encrypted by user A), then sends the access policy to the KDC so that it generates a Ka-generation intermediate value for each user in the access policy, which the KDC stores. The user then randomly splits the image file into two parts, PT1 and PT2, keeps the split information, and uses Ka and an encryption algorithm (not limited to AES, DES, etc.) to encrypt one part of the plaintext data, PT1, producing ciphertext CT1. User A then sends the ciphertext component (ciphertext CT1, plaintext PT2, split and encryption information, encryption algorithm, access policy, user A identifier) to the set-top box. The set-top box receives the ciphertext component sent by user A and, according to the split information, encrypts plaintext PT2 to produce ciphertext CT2. The ciphertext component for user A's photo that the set-top box finally stores consists of ciphertext CT1, ciphertext CT2, split and encryption information, encryption algorithm, access policy and user A identifier.
Data access, as shown in Figure 8:
1. User A views, on his own mobile phone, the encrypted photo CT stored on the set-top box:
User A sends a photo access request to the set-top box. The set-top box first checks whether user A's identifier matches the owner identifier in the ciphertext; if it does, the requester is confirmed to be user A. The set-top box then decrypts the part it encrypted, according to the split and encryption information, and sends the partially decrypted ciphertext component to user A. User A decrypts the remaining ciphertext according to the split and encryption information, splices the two plaintext parts together, and finally recovers the photo and displays it in the mobile client.
2. Viewing the encrypted photo CT that user A stored on the set-top box
If the access policy in the ciphertext component includes the set-top box, the picture can be viewed simply by entering the corresponding key on the set-top box. The flow is as follows: the set-top box first decrypts the ciphertext part it encrypted, then sends the key and the access policy to the KDC. The KDC generates user A's key from the access policy and the set-top box's key and sends it to the set-top box. The set-top box uses user A's key to decrypt the remaining ciphertext component, finally obtaining the photo uploaded by user A and displaying it on the set-top box.
3. User B views the encrypted photo CT that user A stored on the set-top box
User B sends a request to the set-top box to access user A's encrypted photo CT. The set-top box first checks whether user B is in the access policy contained in CT. If not, the set-top box rejects user B's access. If user B is in the access policy, user B sends his key to the set-top box, and the set-top box sends user B's key together with the access policy to the KDC. The KDC then generates user A's key from the intermediate value and sends it to the set-top box. Using its own key, user A's key, and the split and encryption information, the set-top box decrypts the ciphertext to obtain the plaintext photo and sends it to user B, who can then view the photo on his terminal.
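In decryption cases 2 and 3, the copy of user A's key generated on the set-top box is temporary and is not stored. When an authorized user wants to access user A's encrypted photo, the set-top box takes on the decryption task entirely, so that user A's key is not shared with the authorized user and user A's privacy is better protected. In decryption case 1, the set-top box and user A both take part in decryption, in order to improve decryption efficiency and reduce the burden on both parties while maintaining security.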
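The upload flow and access cases 1 and 3 above, sketched as an added Python example that is not code from the patent. Assumptions, none of which the patent specifies: the split is a single random cut point, the cipher is an HMAC-SHA256 keystream standing in for AES so the block needs only the standard library, the KDC's intermediate value is Ka XOR SHA-256(user key), and all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def stream_xor(key, nonce, data):
    # Stand-in symmetric cipher (HMAC-SHA256 keystream); use AES in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def mask(value, user_key):
    # Assumed construction: XOR with SHA-256 of the user's key (self-inverse).
    return bytes(a ^ b for a, b in zip(value, hashlib.sha256(user_key).digest()))

class KDC:
    def __init__(self):
        self.user_keys, self.intermediate = {}, {}
    def register(self, user):
        return self.user_keys.setdefault(user, secrets.token_bytes(32))
    def set_policy(self, owner, policy):  # one intermediate value per authorized user
        for user in policy:
            self.intermediate[(owner, user)] = mask(self.user_keys[owner], self.user_keys[user])
    def owner_key_for(self, owner, user, user_key):
        return mask(self.intermediate[(owner, user)], user_key)

def user_upload(photo, ka, owner, policy):
    split = secrets.randbelow(len(photo) - 1) + 1      # random split point (split info)
    nonce = secrets.token_bytes(16)
    return {"owner": owner, "policy": policy, "split": split, "nonce": nonce,
            "CT1": stream_xor(ka, nonce, photo[:split]), "PT2": photo[split:]}

def stb_store(component, k_stb):
    stored = dict(component)
    stored["CT2"] = stream_xor(k_stb, stored["nonce"], stored.pop("PT2"))
    return stored                                      # no plaintext kept at rest

def stb_serve_owner(stored, requester, k_stb):
    # Case 1: the set-top box removes only its own layer; the owner decrypts CT1.
    if requester != stored["owner"]:
        raise PermissionError("not the owner")
    return stored["CT1"], stream_xor(k_stb, stored["nonce"], stored["CT2"])

def stb_serve_authorized(stored, kdc, requester, k_req, k_stb):
    # Case 3: policy check, then Ka is rebuilt temporarily and never stored.
    if requester not in stored["policy"]:
        raise PermissionError("requester not in access policy")
    ka_tmp = kdc.owner_key_for(stored["owner"], requester, k_req)
    return (stream_xor(ka_tmp, stored["nonce"], stored["CT1"])
            + stream_xor(k_stb, stored["nonce"], stored["CT2"]))
```

The stand-in cipher gives no integrity protection; a deployment would use an authenticated mode such as AES-GCM for both layers so that a tampered component or a wrongly derived key is detected instead of yielding garbage plaintext.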
According to the solution provided by the embodiments of the present invention, the user terminal and the server side cooperate in encryption using separated keys, and ciphertext components and access policies are used, so that a single ciphertext can be accessed by different users without sharing keys; and, while maintaining security, the storage overhead of the set-top box and the computational burden on both parties are reduced.
Although the present invention has been described in detail above, it is not limited thereto, and those skilled in the art can make various modifications in accordance with the principles of the present invention. Therefore, all modifications made in accordance with the principles of the present invention should be understood as falling within the protection scope of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710848067.4A CN109525388B (en) | 2017-09-19 | 2017-09-19 | Combined encryption method and system with separated keys |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710848067.4A CN109525388B (en) | 2017-09-19 | 2017-09-19 | Combined encryption method and system with separated keys |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109525388A (en) | 2019-03-26 |
CN109525388B (en) | 2022-07-15 |
Family
ID=65769397
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710848067.4A Active CN109525388B (en) | 2017-09-19 | 2017-09-19 | Combined encryption method and system with separated keys |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109525388B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109977919B (en) * | 2019-04-10 | 2022-03-04 | 厦门一通灵信息科技有限公司 | Data processing method, medium, equipment and device based on face recognition |
CN112187757A (en) * | 2020-09-21 | 2021-01-05 | 上海同态信息科技有限责任公司 | Multilink privacy data circulation system and method |
CN112866288B (en) * | 2021-03-01 | 2022-09-06 | 上海海事大学 | A Symmetric Data Encryption Method for Double Plaintext Transmission |
CN114285609B (en) * | 2021-12-10 | 2024-02-13 | 中国联合网络通信集团有限公司 | Encryption methods, devices, equipment and storage media |
CN119070992A (en) * | 2023-05-31 | 2024-12-03 | 京东方科技集团股份有限公司 | Information publishing method and system, information issuing device, equipment, platform, medium |
CN116599768B (en) * | 2023-07-13 | 2023-09-26 | 北京奇立软件技术有限公司 | Data encryption method for private data |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101471942A (en) * | 2007-12-26 | 2009-07-01 | 冲电气工业株式会社 | Encryption device and medium, decryption device and method, data delivery device, data receiving device, and data delivery system |
CN102611711A (en) * | 2012-04-09 | 2012-07-25 | 中山爱科数字科技股份有限公司 | A cloud data security storage method |
CN102664928A (en) * | 2012-04-01 | 2012-09-12 | 南京邮电大学 | Data secure access method used for cloud storage and user terminal system |
EP2165284A4 (en) * | 2007-05-25 | 2012-12-19 | Splitstreem Oy | Method and apparatus for securing data in memory device |
CN104182697A (en) * | 2014-08-15 | 2014-12-03 | 小米科技有限责任公司 | File encryption method and device |
CN104901942A (en) * | 2015-03-10 | 2015-09-09 | 重庆邮电大学 | A Distributed Access Control Method Based on Attribute Encryption |
CN106713508A (en) * | 2017-02-24 | 2017-05-24 | 重庆第二师范学院 | Data access method and system based on cloud server |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103685162A (en) * | 2012-09-05 | 2014-03-26 | 中国移动通信集团公司 | File storing and sharing method |
CN103595793B (en) * | 2013-11-13 | 2017-01-25 | 华中科技大学 | Cloud data safe deleting system and method without support of trusted third party |
Also Published As
Publication number | Publication date |
---|---|
CN109525388A (en) | 2019-03-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11909868B2 (en) | Orthogonal access control for groups via multi-hop transform encryption | |
CN109525388B (en) | Combined encryption method and system with separated keys | |
TWI601405B (en) | Method and apparatus for cloud-assisted cryptography | |
CN103763319B (en) | Method for safely sharing mobile cloud storage light-level data | |
KR101985179B1 (en) | Blockchain based id as a service | |
CN106797316B (en) | Router, data device, method and system for distributing data | |
US20190109708A1 (en) | Revocable stream ciphers for upgrading encryption in a shared resource environment | |
US10187360B2 (en) | Method, system, server, client, and application for sharing digital content between communication devices within an internet network | |
US12058257B2 (en) | Data storage method, data read method, electronic device, and program product | |
CN108810022A (en) | A kind of encryption method, decryption method and device | |
TW202031010A (en) | Data storage method and device, and apparatus | |
CN113609522A (en) | Data authorization and data access method and device | |
Reshma et al. | Pairing-free CP-ABE based cryptography combined with steganography for multimedia applications | |
US11290277B2 (en) | Data processing system | |
CN114117406B (en) | A data processing method, device, equipment and storage medium | |
CN113761594B (en) | Three-party authenticatable key negotiation and data sharing method based on identity | |
Indu et al. | Secure file sharing mechanism and key management for mobile cloud computing environment | |
CN113726772A (en) | Method, device, equipment and storage medium for realizing on-line inquiry session | |
CN108881300A (en) | A kind of file encryption that supporting mobile phone terminal security cooperation and sharing method and system | |
KR102269753B1 (en) | Method for performing backup and recovery private key in consortium blockchain network, and device using them | |
CN116894268A (en) | High-performance privacy exchange method, system and related equipment for mass data | |
CN112865968B (en) | Data ciphertext hosting method and system, computer equipment and storage medium | |
KR101413248B1 (en) | device for encrypting data in a computer and storage for storing a program encrypting data in a computer | |
Haridas et al. | End-to-end data security with DMaya on IPFS: keyless secured private swarm for the closed user group | |
US20220337409A1 (en) | System and method for data encryption using key derivation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||