CN118157943A - Access method, device, equipment and medium based on file access system - Google Patents

Publication number
CN118157943A
Authority
CN
China
Prior art keywords
key
proxy
client
ciphertext
management center
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410263131.2A
Other languages
Chinese (zh)
Inventor
苏伦琴
陈益波
程海峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202410263131.2A
Publication of CN118157943A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0471 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure provides an access method based on a file access system, which can be applied to the technical field of information security. The method comprises: generating a first key pair in response to a data upload request from a first client; issuing the first key pair to the first client; generating a second key pair in response to an access request from a second client intended to access the first client's data; issuing the second key pair to the second client; in response to the access request, acquiring an initial ciphertext from a cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading the result to the cloud server; forming a proxy key based on the first private key and the second public key; encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and sending the proxy ciphertext to the second client. The disclosure also provides an access apparatus, device and medium based on the file access system.

Description

Access method, device, equipment and medium based on file access system
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an access method, apparatus, device, and medium based on a file access system.
Background
With the rapid development of the internet and cloud computing technology, more and more enterprises and individuals choose to store data in the cloud. While enjoying the convenience of cloud computing, however, they also bear security risks such as privacy disclosure, password theft, file loss and after-the-fact repudiation. For safety, data is encrypted before being placed in the cloud and is stored there as ciphertext; at the same time, the data in the cloud may be shared with other authorized users so that those users can view the plaintext data. This process involves transmitting keys, and a key may be intercepted by others during transmission, so there is a risk of data leakage.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a file access system-based access method, apparatus, device, and medium that improve data confidentiality and security.
According to a first aspect of the present disclosure, there is provided an access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the method is applied to the authorization management center and comprises: generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; issuing the first key pair to the first client; generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; issuing the second key pair to the second client; in response to the access request, acquiring an initial ciphertext from the cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading the result to the cloud server; forming a proxy key based on the first private key and the second public key; encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and sending the proxy ciphertext to the second client.
According to an embodiment of the disclosure, after generating the second key pair in response to the access request from the second client intended to access the first client's data, and before forming the proxy key based on the first private key and the second public key, the method further comprises: acquiring an intermediate key; and issuing the intermediate key to the second client. After encrypting the initial ciphertext based on the proxy key to obtain the proxy ciphertext, and before sending the proxy ciphertext to the second client, the method further comprises: encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are issued based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
A second aspect of the present disclosure provides an access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the method is applied to the second client and comprises: uploading, to the authorization management center, an access request intended to access the first client's data; receiving a second key pair and a proxy ciphertext from the authorization management center, wherein the second key pair comprises a second public key and a second private key, the proxy ciphertext is obtained by the authorization management center encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center based on a first private key and the second public key, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and issued to the first client; and decrypting the proxy ciphertext based on the second private key to obtain the plaintext data.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
A third aspect of the present disclosure provides an access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, the method comprising: by the authorization management center, generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; by the authorization management center, issuing the first key pair to the first client; by the authorization management center, generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; by the authorization management center, issuing the second key pair to the second client; by the authorization management center, in response to the access request, acquiring an initial ciphertext from the cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading the result to the cloud server; by the authorization management center, forming a proxy key based on the first private key and the second public key; by the authorization management center, encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; by the authorization management center, sending the proxy ciphertext to the second client; and by the second client, decrypting the proxy ciphertext based on the second private key to obtain the plaintext data.
A fourth aspect of the present disclosure provides another access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the method is applied to the authorization management center and comprises: generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; issuing the first key pair to the first client; generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; issuing the second key pair to the second client; forming a proxy key based on the first private key and the second public key; and issuing the proxy key to the cloud server.
According to an embodiment of the disclosure, after generating the second key pair in response to the access request from the second client intended to access the first client's data, the method further comprises: acquiring an intermediate key; and issuing the intermediate key to the second client and the cloud server.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are issued based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
A fifth aspect of the present disclosure provides another access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the method is applied to the cloud server and comprises: receiving an initial ciphertext from the first client, the initial ciphertext being obtained by the first client encrypting plaintext data based on a first public key; receiving a proxy key from the authorization management center, wherein the proxy key is formed by the authorization management center based on a first private key and a second public key and is issued to the cloud server, the second public key is generated by the authorization management center, and the first private key and the first public key are generated by the authorization management center and issued to the first client; encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and sending the proxy ciphertext to the second client.
According to an embodiment of the disclosure, before encrypting the initial ciphertext based on the proxy key to obtain the proxy ciphertext, the method further comprises: receiving an intermediate key from the authorization management center. After encrypting the initial ciphertext based on the proxy key to obtain the proxy ciphertext, and before sending the proxy ciphertext to the second client, the method further comprises: encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
A sixth aspect of the present disclosure provides another access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the method is applied to the second client and comprises: uploading, to the authorization management center, an access request intended to access the first client's data; receiving a second key pair from the authorization management center, the second key pair comprising a second public key and a second private key; receiving a proxy ciphertext from the cloud server, wherein the proxy ciphertext is obtained by the cloud server encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center based on a first private key and the second public key and is then issued to the cloud server, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and issued to the first client; and decrypting the proxy ciphertext based on the second private key to obtain the plaintext data.
According to an embodiment of the disclosure, the proxy ciphertext is an updated proxy ciphertext obtained by the cloud server encrypting the initial ciphertext with the proxy key and then encrypting the result with an intermediate key. After uploading to the authorization management center the access request intended to access the first client's data, the method further comprises: receiving the intermediate key from the authorization management center. After receiving the proxy ciphertext from the cloud server, and before decrypting the proxy ciphertext based on the second private key to obtain the plaintext data, the method further comprises: decrypting the updated proxy ciphertext based on the intermediate key to obtain the proxy ciphertext as it was before the update.
According to an embodiment of the disclosure, the decrypting of the proxy ciphertext based on the second private key to obtain the plaintext data is performed based on a proxy re-decryption algorithm.
A seventh aspect of the present disclosure provides another access method based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, the method comprising: by the authorization management center, generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; by the authorization management center, issuing the first key pair to the first client; by the authorization management center, generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; by the authorization management center, issuing the second key pair to the second client; by the cloud server, receiving an initial ciphertext from the first client, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and is then sent to the cloud server; by the authorization management center, forming a proxy key based on the first private key and the second public key; by the authorization management center, issuing the proxy key to the cloud server; by the cloud server, receiving the proxy key from the authorization management center; by the cloud server, encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; by the cloud server, sending the proxy ciphertext to the second client; and by the second client, decrypting the proxy ciphertext based on the second private key to obtain the plaintext data.
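The exchange of the seventh aspect, with the intermediate-key layer of the fifth and sixth aspects applied on top, as an added Python example that is not part of the patent text. The patent names no particular proxy re-encryption scheme, so the ElGamal key-splitting construction, the toy group, the SHA-256 keystream and every function name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): integers mod the Mersenne prime 2**127 - 1. It keeps
# the example standard-library only and is far too small for real data.
P = 2**127 - 1
Q = P - 1  # exponents are reduced mod the group order
G = 3


def _stream(key, nonce, n):
    """SHA-256 in counter mode, a stand-in for a real stream cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _xor(data, key, nonce=b""):
    return bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))


def _kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keygen():
    """Authorization management center: returns (public key, private key)."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def encrypt(pk, data):
    """First client: hashed-ElGamal encryption, giving the initial ciphertext."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), _xor(data, _kdf(pow(pk, r, P)))


def decrypt(sk, ct):
    c1, body = ct
    return _xor(body, _kdf(pow(c1, sk, P)))


def make_proxy_key(sk_a, pk_b):
    """Authorization management center: proxy key from the first private key
    and the second public key. sk_a is split into two shares; the cloud server
    gets one in the clear and the other encrypted to the second client.
    Not collusion-resistant: both shares together reveal sk_a."""
    a1 = secrets.randbelow(Q)
    a2 = (sk_a - a1) % Q
    return a1, encrypt(pk_b, a2.to_bytes(16, "big"))


def reencrypt(proxy_key, initial_ct):
    """Cloud server: initial ciphertext -> proxy ciphertext, without ever
    holding sk_a, sk_b or the plaintext."""
    a1, enc_a2 = proxy_key
    c1, body = initial_ct
    return c1, pow(c1, a1, P), enc_a2, body


def decrypt_proxy(sk_b, proxy_ct):
    """Second client: recover the second share, rebuild the shared secret."""
    c1, part, enc_a2, body = proxy_ct
    a2 = int.from_bytes(decrypt(sk_b, enc_a2), "big")
    return _xor(body, _kdf(part * pow(c1, a2, P) % P))


def wrap(ikey, epoch, proxy_ct):
    """Cloud server: outer layer under the intermediate key (encrypt-then-MAC
    over the body field; wrapping only the body is a simplification)."""
    c1, part, enc_a2, body = proxy_ct
    nonce = secrets.token_bytes(12)
    sealed = _xor(body, hmac.new(ikey, b"enc", hashlib.sha256).digest(), nonce)
    mac_key = hmac.new(ikey, b"mac", hashlib.sha256).digest()
    msg = epoch.to_bytes(4, "big") + nonce + sealed
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return c1, part, enc_a2, (epoch, nonce, sealed, tag)


def unwrap(ikey, updated_ct):
    """Second client: verify, then strip the intermediate-key layer. A key from
    another rotation period fails the tag check instead of yielding garbage."""
    c1, part, enc_a2, (epoch, nonce, sealed, tag) = updated_ct
    mac_key = hmac.new(ikey, b"mac", hashlib.sha256).digest()
    msg = epoch.to_bytes(4, "big") + nonce + sealed
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        raise ValueError("intermediate key does not match this ciphertext")
    body = _xor(sealed, hmac.new(ikey, b"enc", hashlib.sha256).digest(), nonce)
    return c1, part, enc_a2, body


if __name__ == "__main__":
    pk_a, sk_a = keygen()                       # first client's pair
    pk_b, sk_b = keygen()                       # second client's pair
    initial = encrypt(pk_a, b"constructed sample: Q3 ledger export")
    proxy_key = make_proxy_key(sk_a, pk_b)      # issued to the cloud server
    ikey = secrets.token_bytes(32)              # intermediate key, epoch 1
    updated = wrap(ikey, 1, reencrypt(proxy_key, initial))
    print(decrypt_proxy(sk_b, unwrap(ikey, updated)))
```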
An eighth aspect of the present disclosure provides an access apparatus based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the apparatus is arranged in the authorization management center and comprises: a first data provider key pair generation module for generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; a first data provider key issuing module for issuing the first key pair to the first client; a first data user key generation module for generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; a first data user key issuing module for issuing the second key pair to the second client; a first initial ciphertext obtaining module for acquiring, in response to the access request, an initial ciphertext from the cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading the result to the cloud server; a first proxy key forming module for forming a proxy key based on the first private key and the second public key; a first proxy ciphertext forming module for encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and a first proxy ciphertext issuing module for sending the proxy ciphertext to the second client.
According to an embodiment of the disclosure, the apparatus further comprises a first intermediate key acquisition module, a first intermediate key issuing module and a first proxy ciphertext updating module, wherein the first intermediate key acquisition module is used for acquiring an intermediate key; the first intermediate key issuing module is used for issuing the intermediate key to the second client; and the first proxy ciphertext updating module is used for encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are issued based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
A ninth aspect of the present disclosure provides an access apparatus based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the apparatus is arranged in the second client and comprises: a first data authorization request uploading module for uploading, to the authorization management center, an access request intended to access the first client's data; a first key ciphertext receiving module for receiving a second key pair and a proxy ciphertext from the authorization management center, wherein the second key pair comprises a second public key and a second private key, the proxy ciphertext is obtained by the authorization management center encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center based on a first private key and the second public key, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and issued to the first client; and a first proxy ciphertext decryption module for decrypting the proxy ciphertext based on the second private key to obtain the plaintext data.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
A tenth aspect of the present disclosure provides another access apparatus based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the apparatus is arranged in the authorization management center and comprises: a second data provider key pair generation module for generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; a second data provider key issuing module for issuing the first key pair to the first client; a second data user key generation module for generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; a second data user key issuing module for issuing the second key pair to the second client; a second proxy key forming module for forming a proxy key based on the first private key and the second public key; and a second proxy ciphertext issuing module for issuing the proxy key to the cloud server.
According to an embodiment of the disclosure, the apparatus further comprises a second intermediate key generation module and a second intermediate key issuing module, wherein the second intermediate key generation module is used for acquiring an intermediate key; and the second intermediate key issuing module is used for issuing the intermediate key to the second client and the cloud server.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are issued based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
An eleventh aspect of the present disclosure provides another access apparatus based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the apparatus is arranged in the cloud server and comprises: a second initial ciphertext receiving module for receiving an initial ciphertext from the first client, the initial ciphertext being obtained by the first client encrypting plaintext data based on a first public key; a second proxy key receiving module for receiving a proxy key from the authorization management center, wherein the proxy key is formed by the authorization management center based on a first private key and a second public key and is issued to the cloud server, the second public key is generated by the authorization management center, and the first private key and the first public key are generated by the authorization management center and issued to the first client; a second proxy ciphertext forming module for encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and a second proxy ciphertext issuing module for sending the proxy ciphertext to the second client.
According to an embodiment of the disclosure, the apparatus further comprises a second intermediate key receiving module and a second proxy ciphertext updating module, wherein the second intermediate key receiving module is used for receiving an intermediate key from the authorization management center; and the second proxy ciphertext updating module is used for encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
A twelfth aspect of the present disclosure provides an access apparatus based on a file access system, the file access system comprising a cloud server, an authorization management center, a first client and a second client, wherein the apparatus is arranged in the second client and comprises: a second data authorization request uploading module for uploading, to the authorization management center, an access request intended to access the first client's data; a second key receiving module for receiving a second key pair from the authorization management center, the second key pair comprising a second public key and a second private key; a second ciphertext receiving module for receiving a proxy ciphertext from the cloud server, wherein the proxy ciphertext is obtained by the cloud server encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center based on a first private key and the second public key and is then issued to the cloud server, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and issued to the first client; and a second proxy ciphertext decryption module for decrypting the proxy ciphertext based on the second private key to obtain the plaintext data.
According to an embodiment of the disclosure, the proxy ciphertext is an updated proxy ciphertext obtained by the cloud server encrypting the initial ciphertext with the proxy key and then encrypting the result with an intermediate key, and the apparatus further comprises a second intermediate key receiving module and a second intermediate key decryption module, wherein the second intermediate key receiving module is used for receiving the intermediate key from the authorization management center; and the second intermediate key decryption module is used for decrypting the updated proxy ciphertext based on the intermediate key to obtain the proxy ciphertext as it was before the update.
According to an embodiment of the disclosure, the decrypting of the proxy ciphertext based on the second private key to obtain the plaintext data is performed based on a proxy re-decryption algorithm.
A thirteenth aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described file access system based access method.
A fourteenth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described file access system-based access method.
A fifteenth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described file access system based access method.
In order to address the risk of data leakage in data sharing scenarios, the embodiments of the present disclosure design a secure file access system comprising a cloud server, an authorization management center, a first client and a second client. Key pairs are generated by the authorization management center, retained there, and sent to the first client and the second client, and the initial ciphertext in the cloud server is re-encrypted and then sent to the second client, so that the second client can access the data uploaded by the first client. The embodiments of the present disclosure can achieve at least the following beneficial effects: 1. anonymity: the proposed encryption method makes data and messages anonymous, that is, the identities of user A and user B can be hidden, thereby protecting the users' privacy; 2. confidentiality: the encryption method increases the confidentiality of the data, especially where the storage node is not trusted, since the storage node can only access the encrypted form of the data and cannot directly access the plaintext data, which improves security; 3. flexibility: the key can be changed as required, which improves the flexibility and security of the system; 4. cross-platform properties: sending the encrypted data to different server nodes, or changing the owner of a node, does not affect the anonymity, confidentiality and flexibility; 5. the formation of the first key pair, the second key pair and the proxy key is centralized in the trusted authorization management center, and all encryption processes are likewise placed in the trusted authorization management center, which ensures the timeliness of centralized processing of the encryption processes and improves the security of data encryption.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1A schematically illustrates an application scenario diagram of a file access system based access method according to an embodiment of the present disclosure;
FIG. 1B schematically illustrates a system diagram based on file access according to an embodiment of the present disclosure;
FIG. 2A schematically illustrates a flow chart of a method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 2B schematically illustrates a flow chart of another method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 3A schematically illustrates a flow chart of a method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 3B schematically illustrates a flow chart of another method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 4A schematically illustrates a flow chart of a method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 4B schematically illustrates a flow chart of another method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 5A schematically illustrates a flow chart of a method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 5B schematically illustrates a flow chart of another method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 6A schematically illustrates a flow chart of a method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 6B schematically illustrates a flowchart of another method of accessing based on a file access system, in accordance with an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a file access system based access apparatus according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a file access system based access apparatus according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a file access system based access apparatus according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of a file access system based access apparatus according to an embodiment of the present disclosure;
FIG. 11 schematically illustrates a block diagram of a file access system based access apparatus according to an embodiment of the present disclosure; and
FIG. 12 schematically illustrates a block diagram of an electronic device adapted to implement an access method based on a file access system, according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in the sense in which one of skill in the art would generally understand it (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Before the present disclosure is disclosed in detail, key technical terms involved in the present disclosure are described one by one as follows:
Symmetric key: the encryption and decryption processes use the same algorithm; it performs well, and it can be encrypted using a password, another key, or even a certificate.
Asymmetric key: a pair of keys is used, comprising a public key and a private key, where one of the keys is used for encryption and the other is used for decryption.
Proxy re-encryption algorithm/proxy re-decryption algorithm: in essence, a ciphertext that A originally encrypted with A's public key, and that only A's private key could decrypt, is converted into one that B's private key can decrypt. This process does not involve A; only the proxy key is needed.
Diffie-Hellman key exchange: also called the DH key agreement algorithm; it allows two parties to complete a key exchange without directly transmitting the key.
RSA key exchange: a client initiates a request to a server, and the server first replies with its own public key; the client generates a secret key S using a random algorithm, encrypts S with the received public key to produce C, and sends C to the server; the server receives C and decrypts it with the private key corresponding to the public key to obtain S; after this exchange, both the client and the server hold S.
ECDH key exchange: Elliptic Curve Diffie-Hellman (ECDH) is a cryptographic protocol used to establish a shared key between two communicating parties. It is based on elliptic curve cryptography and relies on the difficulty of the discrete logarithm problem to ensure the security of the key exchange.
Kerberos authentication protocol: a computer network authorization protocol for authenticating personal communications in a secure manner over an insecure network.
Manual distribution: the administrator manually distributes the key library to the required users or systems; this method is suitable for small network environments.
Centralized management: the key library is managed centrally on one or more servers, and a user obtains the required key from the server.
Automatic distribution: the key library is distributed automatically to the required users or systems by an automation tool; this method is suitable for large-scale network environments.
Public key infrastructure distribution: a public key infrastructure is established and the key library is distributed according to certificates; this method is suitable for network environments requiring high security, such as the financial and military fields.
In the prior art, where the data confidentiality requirement is high and the nodes are numerous and not directly controllable, there is a risk of man-in-the-middle hijacking and routing attacks (ARP spoofing, BGP hijacking, and the like). For the sake of security, the data is encrypted before being placed on the cloud, where it is held in ciphertext form, and an authorized user wishes to access the distributed file system and obtain the plaintext content of the ciphertext.
Therefore, how to safely and efficiently share data on the cloud is a technical problem to be solved.
In order to solve the technical problems existing in the prior art, an embodiment of the present disclosure provides an access method based on a file access system, where the file access system includes a cloud server, an authorization management center, a first client and a second client, and the method is applied to the authorization management center and comprises the following steps: generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; sending the first key pair down to the first client; generating a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; sending the second key pair down to the second client; in response to the access request, acquiring an initial ciphertext from the cloud server, wherein the initial ciphertext comprises data obtained by the first client encrypting plaintext data based on the first public key and then uploading it to the cloud server; forming a proxy key based on the first private key and the second public key; encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and sending the proxy ciphertext down to the second client.
Fig. 1A schematically illustrates an application scenario diagram of an access method based on a file access system according to an embodiment of the present disclosure.
As shown in fig. 1A, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the access method based on the file access system provided in the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the access device based on the file access system provided in the embodiments of the present disclosure may be generally provided in the server 105. The access method based on the file access system provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the access means based on the file access system provided by the embodiments of the present disclosure may also be provided in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1A is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
FIG. 1B schematically illustrates a system diagram based on file access according to an embodiment of the present disclosure.
As shown in FIG. 1B, the file access system according to this embodiment comprises an authorization management center 110, a cloud server 120, a first client 130 and a second client 140.
The first client 130 and the second client 140 each communicate with the authorization management center 110, and the first client 130 and the second client 140 each communicate with the cloud server 120. The cloud server 120 is at least configured to store data from the clients (the clients include the first client 130 and the second client 140); in general, the cloud server 120 stores the encrypted data deposited by the clients. The authorization management center 110 is used for managing the access rights of different clients to the encrypted data stored in the cloud server 120; the client corresponding to an authorized user is authorized to access the encrypted data that a certain user has stored in the cloud server 120.
The authorization management center 110 is trusted, and it can generate at least a symmetric key and an asymmetric key; the cloud server 120 may be trusted or semi-trusted.
It should be noted that the cloud server 120 may belong to any of various cloud service providers. When using the services of these providers, a trust level often has to be set for each of them: too much trust may lead to single-node attacks, while insufficient trust may degrade the service. The present scheme therefore solves, to a certain extent, the data authorization problem in the file system scenario, so that data a user stores in the cloud can be shared with one or more specified users, man-in-the-middle attacks from untrusted service providers are avoided, the confidentiality, integrity and availability of the data are ensured, exposure is reduced, and security is increased.
According to an embodiment of the present disclosure, in the file access system the method comprises the following steps. The authorization management center: generates a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; sends the first key pair down to the first client; generates a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; sends the second key pair down to the second client; in response to the access request, acquires an initial ciphertext from the cloud server, wherein the initial ciphertext comprises data obtained by the first client encrypting plaintext data based on the first public key and then uploading it to the cloud server; forms a proxy key based on the first private key and the second public key; encrypts the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and sends the proxy ciphertext down to the second client. The second client: decrypts the proxy ciphertext based on the second private key to obtain the plaintext data.
According to an embodiment of the present disclosure, in the file access system the method comprises the following steps. The authorization management center: generates a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key; sends the first key pair down to the first client; generates a second key pair in response to an access request from the second client intended to access the first client's data, the second key pair comprising a second public key and a second private key; and sends the second key pair down to the second client. The cloud server: receives an initial ciphertext from the first client, wherein the initial ciphertext comprises plaintext data encrypted by the first client based on the first public key and then sent to the cloud server. The authorization management center: forms a proxy key based on the first private key and the second public key; and sends the proxy key down to the cloud server. The cloud server: receives the proxy key from the authorization management center; encrypts the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and sends the proxy ciphertext down to the second client. The second client: decrypts the proxy ciphertext based on the second private key to obtain the plaintext data.
As the above two embodiments show in conjunction with FIG. 1B, at least two secure access schemes are designed in the embodiments of the present disclosure. They differ in which entity executes the logic that re-encrypts the initial ciphertext stored in the cloud server 120: one scheme places this encryption logic in the authorization management center 110, and the other places it in the cloud server 120. The two schemes suit cloud service providers with different trust levels. For a cloud service provider with a low trust level, only storage logic is retained on its cloud server 120; for a cloud service provider with a high trust level, the encryption logic can be placed on its cloud server 120 in addition to the storage logic, so that the highly trusted provider acts as the encryption proxy.
The access method based on the file access system of the disclosed embodiment will be described in detail below with reference to fig. 2A to 6B based on the scenes described in fig. 1A and 1B.
The scheme that places this encryption logic in the authorization management center 110 is described in detail first, as follows:
FIG. 2A schematically illustrates a flow chart of an access method based on a file access system according to an embodiment of the disclosure.
As shown in FIG. 2A, the file access system-based access method of this embodiment includes operations S201 to S208, which can be performed by the authorization management center 110.
In operation S201, in response to a data upload request from a first client, a first key pair including a first public key and a first private key is generated.
The first key pair is downloaded to the first client in operation S202.
The first key pair is a key pair obtained by an asymmetric encryption algorithm. It is sent down to the first client 130, where it is used to encrypt the data that the first client 130 sends to the cloud server 120, and it is used later when other clients decrypt that data. The first key pair is also retained in the authorization management center 110.
Specifically, the first client 130 is the provider of the shared data. The first client 130 sends a data upload request to the authorization management center 110 in order to submit and store data on the cloud server 120; in some scenarios, the data uploaded by the first client 130 may be shared with certain specific users (such as the second client 140). After the first client 130 sends the data upload request to the authorization management center 110, the authorization management center 110 returns the first client's key pair, which includes the first public key and the first private key. The first client 130 then encrypts the plaintext data to be uploaded with the first public key of the first key pair to obtain the initial ciphertext, and uploads the initial ciphertext to the cloud server 120 for storage.
In operation S203, in response to an access request from the second client intended to access the first client data, a second key pair including a second public key and a second private key is generated.
According to an embodiment of the disclosure, forming the proxy key based on the first private key and the second public key is performed based on a proxy re-encryption algorithm.
The second key pair is downloaded to the second client in operation S204.
The second key pair is a key pair obtained by an asymmetric encryption algorithm. It is sent down to the second client 140 and is used to decrypt data encrypted with the other key of the second key pair. The second key pair is also retained in the authorization management center 110.
In operation S205, in response to the access request, an initial ciphertext is acquired from the cloud server, wherein the initial ciphertext comprises data obtained by the first client encrypting plaintext data based on the first public key and then sending it to the cloud server.
The access request may be a request in which the second client 140 specifies access to the data deposited by a certain user, or a request in which the second client 140 specifies access to certain specific data.
In operation S206, a proxy key is formed based on the first private key and the second public key.
In operation S207, the initial ciphertext is encrypted based on the proxy key, resulting in a proxy ciphertext.
The proxy key is generated by a proxy re-key generation algorithm from the first private key of the first client 130 and the second public key of the second client 140, and the initial ciphertext is then encrypted with the proxy key by a proxy re-encryption algorithm to obtain the proxy ciphertext. The proxy re-encryption process is used to update the proxy encryption key, which avoids the man-in-the-middle attacks that direct use of public key encryption would allow (since anyone may acquire the public key of the second client) and improves security.
Specifically, denote the first key pair as (pk1, sk1), the second key pair as (pk2, sk2), and the plaintext data of the first client 130 as m. According to the proxy re-encryption algorithm, the proxy ciphertext is then formed as follows:
The authorization management center generates (pk1, sk1) and (pk2, sk2) and distributes them to the first client 130 and the second client 140, respectively.
The first client 130 encrypts the plaintext data "m" with the first public key "pk1" to obtain the initial ciphertext "c1", that is, c1 = Enc(pk1, m), where "Enc(·,·)" denotes an encryption algorithm.
The authorization management center generates the proxy key "rk" from "sk1" and "pk2", that is, rk = ReKey(sk1, pk2), where "ReKey(·,·)" denotes a proxy re-key generation algorithm.
The authorization management center encrypts the initial ciphertext "c1" with the proxy key "rk" to obtain the proxy ciphertext "c2", that is, c2 = ReEnc(rk, c1), where "ReEnc(·,·)" denotes a proxy re-encryption algorithm.
In operation S208, the proxy ciphertext is downloaded to the second client.
Specifically, the proxy ciphertext "c2" is downloaded to the second client in FIG. 2A.
In order to further improve the security of the data access method, in the embodiment of the present disclosure, a concept of an intermediate key is also introduced, and the specific process is as follows:
FIG. 2B schematically illustrates a flow chart of another method of accessing based on a file access system according to an embodiment of the disclosure.
As shown in fig. 2B, the access method based on the file access system of this embodiment includes, in addition to the operations S201 to S208, an operation S209, an operation S210, and an operation S211, where the operations S209 to S210 are performed after the operation S203 and before the operation S206, and the operation S211 is performed after the operation S207 and before the operation S208.
In operation S209, an intermediate key is acquired.
The intermediate key is a symmetric key, can be generated in advance and obtained directly, and can also be generated on site.
The intermediate key is downloaded to the second client in operation S210.
In operation S211, the proxy ciphertext is encrypted based on the intermediate key, to obtain an updated proxy ciphertext.
The proxy ciphertext is encrypted with the intermediate key before being sent down to the client, and the intermediate key is sent down to the second client 140, so that the second client 140 can later decrypt the updated proxy ciphertext with the intermediate key.
Specifically, the proxy ciphertext "c2" is encrypted again with the intermediate key to obtain the updated proxy ciphertext "c*2". It should be emphasized that in operation S208 in FIG. 2B, the proxy ciphertext sent down is the updated proxy ciphertext, that is, "c*2" rather than "c2".
It should be noted that, in this scheme, the initial ciphertext may be encrypted by the intermediate key and then encrypted by the proxy key. Similarly, the decryption process is the reverse process, and in the second client, decryption is performed by the second private key and then decryption is performed by the intermediate key.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are sent down based on preset protocol distribution rules and/or preset library distribution rules.
Specifically, the key distribution logic includes preset protocol distribution rules and preset library distribution rules. The preset protocol distribution rules comprise: Diffie-Hellman key exchange, RSA key exchange, ECDH key exchange, and the Kerberos authentication protocol. The preset library distribution rules comprise: manual distribution, centralized management, automatic distribution, and public key infrastructure distribution.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
The intermediate key serves as a bridge between the cloud service provider and the user: the authorization management center uses the intermediate key to re-encrypt the proxy ciphertext, and periodically updates the intermediate key k to ensure its security.
Correspondingly, the logic executed by the first set of schemes in the second client 140 is disclosed in detail below, as follows:
Fig. 3A schematically illustrates a flow chart of an access method based on a file access system according to an embodiment of the disclosure.
As shown in fig. 3A, the file access system-based access method of this embodiment includes operations S301 to S303, which may be performed by the second client 140.
In operation S301, an access request intended to access the first client data is uploaded to an authorization management center.
In operation S302, a second key pair and a proxy ciphertext from the authorization management center are received, where the second key pair includes a second public key and a second private key, the proxy ciphertext is obtained by the authorization management center encrypting an initial ciphertext based on the first private key and the second public key, the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and sent to the first client.
In operation S303, the proxy ciphertext is decrypted based on the second private key, to obtain plaintext data.
According to an embodiment of the disclosure, decrypting the proxy ciphertext based on the second private key to obtain plaintext data includes: decrypting the proxy ciphertext with the second private key based on a proxy re-decryption algorithm.
Specifically, as shown in the above example, after the second client 140 receives the proxy ciphertext "c2", it decrypts "c2" by a proxy re-decryption algorithm based on its second private key "sk2" to obtain the plaintext data "m"; in other words, m = Dec(sk2, c2), where "Dec(,)" refers to a proxy re-decryption algorithm that can decrypt with only the proxy ciphertext and the second private key as input.
Fig. 3B schematically illustrates a flow chart of an access method based on a file access system according to an embodiment of the disclosure.
As shown in fig. 3B, the access method based on the file access system of this embodiment includes operations S304 and S305 in addition to operations S301 to S303, where the operation S304 is performed after the operation S301 is performed, and the operation S305 is performed after the operation S302 and before the operation S303.
According to an embodiment of the disclosure, the proxy ciphertext includes an updated proxy ciphertext encrypted by the authorization management center through an intermediate key after the initial ciphertext is encrypted by the authorization management center through the proxy key.
In operation S304, an intermediate key from the authorization management center is received.
In operation S305, the proxy ciphertext is decrypted based on the intermediate key, and a proxy ciphertext before update is obtained.
Specifically, as shown in the above example, after receiving the updated proxy ciphertext "c×2", the second client 140 decrypts it with its own intermediate key "k" to obtain the pre-update proxy ciphertext "c2", and then decrypts "c2" by a proxy re-decryption algorithm based on its own second private key "sk2" to obtain the plaintext data "m"; in other words, m = Dec(sk2, c2), where "Dec(,)" refers to a proxy re-decryption algorithm that can decrypt with only the proxy ciphertext and the second private key as input.
In an embodiment of the disclosure, in order to solve the technical problem of data leakage risk in data sharing scenarios, a secure file access system is designed, which comprises a cloud server, an authorization management center, a first client and a second client. Key pairs are generated by the authorization management center, retained, and sent to the first client and the second client, and the initial ciphertext in the cloud server is re-encrypted and then sent to the second client, so that the second client can access the data sent by the first client. The embodiment of the disclosure can achieve at least the following beneficial effects:
1. Anonymity: the proposed encryption method can make data and messages anonymous, that is, the identities of user A and user B can be hidden, thereby protecting user privacy.
2. Confidentiality: the encryption method can increase the confidentiality of data; especially when the storage node is not trusted, the storage node can only access the encrypted part of the data and cannot directly access the plaintext data, so that security is improved.
3. Flexibility: the key can be changed as required, which improves the flexibility and security of the system.
4. Cross-platform properties: sending the encrypted data to different server nodes, or changing the owners of the nodes, does not affect the anonymity, confidentiality and flexibility.
5. The formation of the first key pair, the second key pair and the proxy key is centralized in the trusted authorization management center, and all encryption processes are likewise placed in the trusted authorization center, which ensures timely centralized processing of the encryption while improving data encryption security.
Another set of schemes, in which the encryption logic is placed in the cloud server 120, is disclosed in detail below:
It should be noted that, in this embodiment, the authorization management center 110 only retains the logic of key generation or key acquisition, and then transmits the key to the cloud server 120, the first client 130, and the second client 140, respectively, and the cloud server 120 performs the encryption logic.
Fig. 4A schematically illustrates a flow chart of an access method based on a file access system according to an embodiment of the disclosure.
As shown in fig. 4A, the file access system-based access method of this embodiment includes operations S401 to S406, which can be performed by the authorization management center 110.
In operation S401, in response to a data upload request from a first client, a first key pair including a first public key and a first private key is generated.
In operation S402, the first key pair is downloaded to the first client.
In operation S403, in response to an access request from the second client intended to access the first client data, a second key pair is generated, the second key pair including a second public key and a second private key.
In operation S404, the second key pair is downloaded to the second client.
In operation S405, a proxy key is formed based on the first private key and the second public key.
In operation S406, the proxy key is downloaded to the cloud server.
Fig. 4B schematically illustrates a flow chart of another method of accessing based on a file access system according to an embodiment of the present disclosure.
As shown in fig. 4B, the access method based on the file access system of this embodiment includes operations S407 to S408 in addition to operations S401 to S406, and operations S407 to S408 are performed after operation S403.
In operation S407, an intermediate key is acquired.
In operation S408, the intermediate key is downloaded to the second client and the cloud server.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are sent down based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
Specifically, in the embodiment of the present disclosure, the authorization management center 110 retains only the methods for generating or acquiring the first key pair, the second key pair, the proxy key and the intermediate key, and does not retain the encryption logic.
Fig. 5A schematically illustrates a flow chart of an access method based on a file access system according to an embodiment of the disclosure.
As shown in fig. 5A, the access method based on the file access system of this embodiment includes operations S501 to S504, and the method may be performed by the cloud server 120.
In operation S501, an initial ciphertext from a first client is received, the initial ciphertext being obtained by the first client encrypting plaintext data based on a first public key.
In operation S502, a proxy key is received from the authorization management center, where the proxy key is formed by the authorization center based on a first private key and a second public key, the second public key is generated by the authorization management center, and the first private key and the first public key are generated by the authorization management center and sent to the first client.
In operation S503, the initial ciphertext is encrypted based on the proxy key, to obtain a proxy ciphertext.
In operation S504, the proxy ciphertext is downloaded to the second client.
Fig. 5B schematically illustrates a flowchart of an access method based on a file access system according to an embodiment of the present disclosure.
As shown in fig. 5B, the access method based on the file access system of this embodiment includes operations S505 to S506 in addition to operations S501 to S504, where the operation S505 is performed before the operation S503, and the operation S506 is performed after the operation S503 and before the operation S504.
In operation S505, an intermediate key from the authorization management center is received.
In operation S506, the proxy ciphertext is encrypted based on the intermediate key, to obtain an updated proxy ciphertext.
Specifically, the cloud server 120 receives the proxy key "rk" and the intermediate key "k". The cloud server 120 encrypts the initial ciphertext "c1" with the proxy key "rk" to obtain the proxy ciphertext "c2", in other words c2 = ReEnc(rk, c1), where "ReEnc()" refers to a proxy re-encryption algorithm; the proxy ciphertext "c2" is then encrypted with the intermediate key "k" to obtain the updated proxy ciphertext "c×2".
Fig. 6A schematically illustrates a flow chart of an access method based on a file access system according to an embodiment of the disclosure.
As shown in fig. 6A, the file access system-based access method of this embodiment includes operations S601 to S604, which can be performed by the second client 140.
In operation S601, an access request intended to access the first client data is uploaded to an authorization management center.
In operation S602, a second key pair from the authorization management center is received, the second key pair including a second public key and a second private key.
In operation S603, a proxy ciphertext from the cloud server is received, where the proxy ciphertext is obtained by the cloud server encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization center based on a first private key and a second public key and then sent to the cloud server, the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and sent to the first client.
In operation S604, the proxy ciphertext is decrypted based on the second private key, resulting in plaintext data.
Fig. 6B schematically illustrates a flowchart of an access method based on a file access system according to an embodiment of the present disclosure.
As shown in fig. 6B, the access method based on the file access system of this embodiment includes operations S605 to S606 in addition to operations S601 to S604, and the operation S605 is performed after the operation S601, and the operation S606 is performed after the operation S603 and before the operation S604.
According to the embodiment of the disclosure, the proxy ciphertext includes an updated proxy ciphertext obtained by the cloud server encrypting the initial ciphertext with the proxy key and then encrypting the result with the intermediate key.
In operation S605, an intermediate key from the authorization management center is received.
In operation S606, the proxy ciphertext is decrypted based on the intermediate key, and a pre-update proxy ciphertext is obtained.
In the embodiment of the present disclosure, unlike fig. 3A and 3B, the proxy ciphertext obtained by the second client 140 in fig. 6A and 6B comes from the cloud server 120 rather than from the authorization management center; the decryption of this proxy ciphertext is the same as in fig. 3A and 3B and is not repeated here.
According to an embodiment of the disclosure, the proxy ciphertext is decrypted based on the second private key, by a proxy re-decryption algorithm, to obtain the plaintext data.
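The second scheme end to end (fig. 4A to 6B: keys from the authorization management center, re-encryption and intermediate-key wrapping at the cloud server, two-step decryption at the second client), as an added sketch that is not code from the patent. The patent does not name the algorithms, so the construction is an assumption: a hashed-ElGamal-style unidirectional proxy re-encryption over a toy-sized prime-order group, with a SHA-256 keystream plus HMAC standing in for the symmetric cipher; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): subgroup of prime order Q in Z_P*, far too small for real use.
Q = 2**127 - 1  # Mersenne prime

def _is_probable_prime(n):
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:  # Miller-Rabin rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _build_group(q):
    k = 2
    while not _is_probable_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, k, p) == 1:
        h += 1
    return p, pow(h, k, p)  # generator of the order-q subgroup

P, G = _build_group(Q)
N = (P.bit_length() + 7) // 8  # bytes per group element

def _hash(tag, elem):
    return hashlib.sha256(tag + elem.to_bytes(N, "big")).digest()

def _scalar(elem):
    return int.from_bytes(_hash(b"scalar", elem), "big") % Q or 1

# Stand-in symmetric cipher (assumption): SHA-256 keystream, then HMAC-SHA256.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, msg):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), msg, hashlib.sha256).digest()

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + _tag(key, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def keygen():  # authorization management center
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def enc(pk1, m):  # first client: c1 = Enc(pk1, m)
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), seal(_hash(b"kdf", pow(pk1, r, P)), m)

def rekey(sk1, pk2):  # authorization management center: rk from sk1 and pk2
    x = secrets.randbelow(Q - 1) + 1
    d = _scalar(pow(pk2, x, P))  # secret only the holder of sk2 can recompute
    return sk1 * pow(d, -1, Q) % Q, pow(G, x, P)

def reenc(rk, c1):  # cloud server: c2 = ReEnc(rk, c1); the payload is never decrypted
    (share, X), (E, body) = rk, c1
    return pow(E, share, P), X, body

def dec(sk2, c2):  # second client: m = Dec(sk2, c2)
    E2, X, body = c2
    return unseal(_hash(b"kdf", pow(E2, _scalar(pow(X, sk2, P)), P)), body)

def wrap(k, c2):  # cloud server: updated proxy ciphertext under intermediate key k
    E2, X, body = c2
    return seal(k, E2.to_bytes(N, "big") + X.to_bytes(N, "big") + body)

def unwrap(k, blob):  # second client: remove the intermediate-key layer first
    raw = unseal(k, blob)
    return int.from_bytes(raw[:N], "big"), int.from_bytes(raw[N:2 * N], "big"), raw[2 * N:]

def run_flow(m):
    (sk1, pk1), (sk2, pk2) = keygen(), keygen()       # S401 to S404
    rk, k = rekey(sk1, pk2), secrets.token_bytes(32)  # S405 to S408
    updated = wrap(k, reenc(rk, enc(pk1, m)))         # S501, S503, S506
    return dec(sk2, unwrap(k, updated))               # S606, then S604
```

In this construction rk combined with sk2 yields sk1, so the proxy key has to stay confined to the cloud server. After the intermediate key is rotated, a ciphertext wrapped under the old key fails authentication instead of decrypting.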
Based on the access method based on the file access system, the disclosure also provides an access device based on the file access system. The corresponding apparatus will be described in detail below with reference to fig. 7, 8, 9, 10 and 11.
Fig. 7 schematically illustrates a block diagram of a file access system-based access apparatus according to an embodiment of the present disclosure.
As shown in fig. 7, the access device 700 based on a file access system of this embodiment is provided in the above-mentioned authorization management center 110, and the access device 700 based on a file access system of this embodiment includes a first data provider key pair generation module 710, a first data provider key transfer module 720, a first data user key generation module 730, a first data user key transfer module 740, a first initial ciphertext acquisition module 750, a first proxy key formation module 760, a first proxy ciphertext formation module 770, and a first proxy ciphertext transfer module 780.
The first data provider key pair generation module 710 is configured to generate a first key pair in response to a data upload request from a first client, the first key pair including a first public key and a first private key. In an embodiment, the first data provider key pair generating module 710 may be configured to perform the operation S201 described above, which is not described herein.
The first data provider key sending module 720 is configured to send the first key pair down to the first client. In an embodiment, the first data provider key sending module 720 may be configured to perform the operation S202 described above, which is not described herein.
The first data user key generation module 730 is configured to generate a second key pair including a second public key and a second private key in response to an access request from a second client intended to access the first client data. In an embodiment, the first data user key generating module 730 may be used to perform the operation S203 described above, which is not described herein.
The first data user key downloading module 740 is configured to download the second key pair to the second client. In an embodiment, the first data user key sending module 740 may be used to perform the operation S204 described above, which is not described herein.
The first initial ciphertext obtaining module 750 is configured to obtain an initial ciphertext from the cloud server in response to the access request, where the initial ciphertext is obtained by the first client encrypting the plaintext data based on the first public key and is then sent to the cloud server. In an embodiment, the first initial ciphertext obtaining module 750 may be used to perform the operation S205 described above, which is not described herein.
The first proxy key forming module 760 is configured to form a proxy key based on the first private key and the second public key. In an embodiment, the first proxy key forming module 760 may be used to perform the operation S206 described above, which is not described herein.
The first proxy ciphertext forming module 770 is configured to encrypt the initial ciphertext based on the proxy key to obtain a proxy ciphertext. In an embodiment, the first proxy ciphertext forming module 770 may be configured to perform the operation S207 described above, which is not described herein.
The first proxy ciphertext sending module 780 is configured to send the proxy ciphertext to the second client. In an embodiment, the first proxy ciphertext sending module 780 may be configured to perform the operation S208 described above, which is not described herein.
According to an embodiment of the disclosure, the apparatus further comprises a first intermediate key acquisition module, a first intermediate key downloading module and a first proxy ciphertext updating module, wherein the first intermediate key acquisition module is used for acquiring an intermediate key; the first intermediate key downloading module is used for downloading the intermediate key to a second client; and the first proxy ciphertext updating module is used for encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are sent down based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
According to an embodiment of the present disclosure, any of the first data provider key pair generation module 710, the first data provider key transfer module 720, the first data user key generation module 730, the first data user key transfer module 740, the first initial ciphertext acquisition module 750, the first proxy key formation module 760, the first proxy ciphertext formation module 770, and the first proxy ciphertext transfer module 780 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of the first data provider key pair generation module 710, the first data provider key download module 720, the first data user key generation module 730, the first data user key download module 740, the first initial ciphertext acquisition module 750, the first proxy key formation module 760, the first proxy ciphertext formation module 770, and the first proxy ciphertext download module 780 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or any other reasonable manner of integrating or packaging the circuitry, or in hardware or firmware, or in any one of or a suitable combination of three implementations of software, hardware, and firmware. 
Or at least one of the first data provider key pair generation module 710, the first data provider key transfer module 720, the first data user key generation module 730, the first data user key transfer module 740, the first initial ciphertext acquisition module 750, the first proxy key formation module 760, the first proxy ciphertext formation module 770, and the first proxy ciphertext transfer module 780 may be implemented, at least in part, as a computer program module that, when executed, performs the corresponding functions.
Fig. 8 schematically illustrates a block diagram of a file access system-based access apparatus according to an embodiment of the present disclosure.
As shown in fig. 8, the access device 800 based on a file access system of this embodiment is disposed in the second client 140, and the access device 800 based on a file access system of this embodiment includes a first data authorization request sending module 810, a first key ciphertext receiving module 820, and a first proxy ciphertext decrypting module 830.
The first data authorization request upload module 810 is configured to upload an access request intended to access the first client data to an authorization management center. In an embodiment, the first data authorization request upload module 810 may be configured to perform the operation S301 described above, which is not described herein.
The first key ciphertext receiving module 820 is configured to receive a second key pair and a proxy ciphertext from the authorization management center, where the second key pair includes a second public key and a second private key, the proxy ciphertext is obtained by the authorization management center by encrypting an initial ciphertext with the proxy key, the proxy key is formed by the authorization center based on the first private key and the second public key, the initial ciphertext is sent to the cloud server by the first client after encrypting the plaintext data based on the first public key, and the first private key and the first public key are generated by the authorization management center and sent to the first client. In an embodiment, the first key ciphertext receiving module 820 may be configured to perform the operation S302 described above, which is not described herein.
The first proxy ciphertext decrypting module 830 is configured to decrypt the proxy ciphertext based on the second private key to obtain plaintext data. In an embodiment, the first proxy ciphertext decryption module 830 may be configured to perform the operation S303 described above, which is not described herein.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
According to an embodiment of the present disclosure, any of the plurality of modules of the first data authorization request upload module 810, the first key ciphertext receiving module 820, and the first proxy ciphertext decrypting module 830 may be combined in one module, or any of the plurality of modules may be split into a plurality of modules. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of the first data authorization request upload module 810, the first key ciphertext receiving module 820, and the first proxy ciphertext decrypting module 830 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Or at least one of the first data authorization request upload module 810, the first key ciphertext receiving module 820, and the first proxy ciphertext decrypting module 830 may be implemented at least partially as computer program modules that, when executed, perform the corresponding functions.
Fig. 9 schematically illustrates a block diagram of a file access system-based access apparatus according to an embodiment of the present disclosure.
As shown in fig. 9, the access device 900 based on a file access system of this embodiment is disposed in the above-mentioned authorization management center 110, and the access device 900 based on a file access system of this embodiment includes a second data provider key pair generating module 910, a second data provider key downloading module 920, a second data user key generating module 930, a second data user key downloading module 940, a second proxy key forming module 950, and a second proxy ciphertext downloading module 960.
The second data provider key pair generation module 910 is configured to generate a first key pair in response to a data upload request from a first client, where the first key pair includes a first public key and a first private key. In an embodiment, the second data provider key pair generating module 910 may be configured to perform the operation S401 described above, which is not described herein.
The second data provider key sending module 920 is configured to send the first key pair down to the first client. In an embodiment, the second data provider key sending module 920 may be configured to perform the operation S402 described above, which is not described herein.
The second data user key generation module 930 is configured to generate a second key pair including a second public key and a second private key in response to an access request from the second client intended to access the first client data. In an embodiment, the second data user key generating module 930 may be used to perform the operation S403 described above, which is not described herein.
The second data user key downloading module 940 is configured to download the second key pair to a second client. In an embodiment, the second data user key sending module 940 may be used to perform the operation S404 described above, which is not described herein.
The second proxy key forming module 950 is configured to form a proxy key based on the first private key and the second public key. In an embodiment, the second proxy key forming module 950 may be configured to perform the operation S405 described above, which is not described herein.
The second proxy ciphertext sending module 960 is configured to send the proxy key to the cloud server. In an embodiment, the second proxy ciphertext sending module 960 may be configured to perform the operation S406 described above, which is not described herein.
According to an embodiment of the disclosure, the apparatus further comprises a second intermediate key generation module and a second intermediate key downloading module, wherein the second intermediate key generation module is used for acquiring an intermediate key, and the second intermediate key downloading module is used for downloading the intermediate key to a second client and the cloud server.
According to an embodiment of the disclosure, the first key, the second key and the intermediate key are sent down based on preset protocol distribution rules and/or preset library distribution rules.
According to an embodiment of the disclosure, the intermediate key is periodically updated.
According to an embodiment of the disclosure, the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
According to an embodiment of the present disclosure, any of the second data provider key pair generation module 910, the second data provider key transfer module 920, the second data user key generation module 930, the second data user key transfer module 940, the second proxy key formation module 950, and the second proxy ciphertext transfer module 960 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of the second data provider key pair generation module 910, the second data provider key download module 920, the second data user key generation module 930, the second data user key download module 940, the second proxy key formation module 950, and the second proxy ciphertext download module 960 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or any other reasonable manner of integrating or packaging circuitry, or the like, hardware or firmware, or any one of or a suitable combination of three implementations of software, hardware, and firmware. Or at least one of the second data provider key pair generation module 910, the second data provider key transfer module 920, the second data user key generation module 930, the second data user key transfer module 940, the second proxy key formation module 950, and the second proxy ciphertext transfer module 960 may be implemented, at least in part, as a computer program module that, when executed, may perform the corresponding functions.
Fig. 10 schematically illustrates a block diagram of a file access system-based access apparatus according to an embodiment of the present disclosure.
As shown in Fig. 10, the access device 1000 based on a file access system of this embodiment is disposed in the cloud server 120 and includes a second initial ciphertext receiving module 1010, a second proxy key receiving module 1020, a second proxy ciphertext forming module 1030, and a second proxy ciphertext sending module 1040.
The second initial ciphertext receiving module 1010 is configured to receive an initial ciphertext from the first client, where the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key. In an embodiment, the second initial ciphertext receiving module 1010 may be configured to perform the operation S501 described above, which is not repeated here.
The second proxy key receiving module 1020 is configured to receive a proxy key from the authorization management center, where the proxy key is formed by the authorization management center by encryption based on a first private key and a second public key and is sent to the cloud server, the second public key is generated by the authorization management center, and the first private key and the first public key are generated by the authorization management center and sent to the first client. In an embodiment, the second proxy key receiving module 1020 may be configured to perform the operation S502 described above, which is not repeated here.
The second proxy ciphertext forming module 1030 is configured to encrypt the initial ciphertext based on the proxy key to obtain a proxy ciphertext. In an embodiment, the second proxy ciphertext forming module 1030 may be configured to perform the operation S503 described above, which is not repeated here.
The second proxy ciphertext sending module 1040 is configured to send the proxy ciphertext to the second client. In an embodiment, the second proxy ciphertext sending module 1040 may be configured to perform the operation S504 described above, which is not repeated here.
According to an embodiment of the disclosure, the apparatus further comprises a second intermediate key receiving module and a second proxy ciphertext updating module, wherein the second intermediate key receiving module is configured to receive an intermediate key from the authorization management center, and the second proxy ciphertext updating module is configured to encrypt the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
According to an embodiment of the present disclosure, any of the second initial ciphertext receiving module 1010, the second proxy key receiving module 1020, the second proxy ciphertext forming module 1030, and the second proxy ciphertext sending module 1040 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of these modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the second initial ciphertext receiving module 1010, the second proxy key receiving module 1020, the second proxy ciphertext forming module 1030, and the second proxy ciphertext sending module 1040 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or any suitable combination of, software, hardware, and firmware. Alternatively, at least one of the second initial ciphertext receiving module 1010, the second proxy key receiving module 1020, the second proxy ciphertext forming module 1030, and the second proxy ciphertext sending module 1040 may be implemented, at least in part, as a computer program module that, when executed, performs the corresponding functions.
Fig. 11 schematically illustrates a block diagram of a file access system-based access apparatus according to an embodiment of the present disclosure.
As shown in Fig. 11, the access device 1100 based on a file access system of this embodiment is disposed in the second client 140 and includes a second data authorization request upload module 1110, a second key receiving module 1120, a second ciphertext receiving module 1130, and a second proxy ciphertext decrypting module 1140.
The second data authorization request upload module 1110 is configured to upload an access request intended to access the first client data to the authorization management center. In an embodiment, the second data authorization request upload module 1110 may be configured to perform the operation S601 described above, which is not repeated here.
The second key receiving module 1120 is configured to receive a second key pair from the authorization management center, where the second key pair includes a second public key and a second private key. In an embodiment, the second key receiving module 1120 may be configured to perform the operation S602 described above, which is not repeated here.
The second ciphertext receiving module 1130 is configured to receive a proxy ciphertext from the cloud server, where the proxy ciphertext is obtained by the cloud server encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center by encryption based on a first private key and a second public key and is then sent to the cloud server, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and sent to the first client. In an embodiment, the second ciphertext receiving module 1130 may be configured to perform the operation S603 described above, which is not repeated here.
The second proxy ciphertext decrypting module 1140 is configured to decrypt the proxy ciphertext based on the second private key to obtain plaintext data. In an embodiment, the second proxy ciphertext decrypting module 1140 may be configured to perform the operation S604 described above, which is not repeated here.
According to an embodiment of the disclosure, the proxy ciphertext includes an updated proxy ciphertext obtained by the cloud server encrypting the initial ciphertext with the proxy key and then encrypting the result with an intermediate key, and the apparatus further comprises a second intermediate key receiving module and a second intermediate key decrypting module, wherein the second intermediate key receiving module is configured to receive the intermediate key from the authorization management center, and the second intermediate key decrypting module is configured to decrypt the proxy ciphertext based on the intermediate key to obtain the proxy ciphertext before updating.
According to an embodiment of the disclosure, the proxy ciphertext is decrypted with the second private key to obtain plaintext data based on a proxy re-decryption algorithm.
According to an embodiment of the present disclosure, any of the second data authorization request upload module 1110, the second key receiving module 1120, the second ciphertext receiving module 1130, and the second proxy ciphertext decrypting module 1140 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of these modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the second data authorization request upload module 1110, the second key receiving module 1120, the second ciphertext receiving module 1130, and the second proxy ciphertext decrypting module 1140 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the second data authorization request upload module 1110, the second key receiving module 1120, the second ciphertext receiving module 1130, and the second proxy ciphertext decrypting module 1140 may be implemented, at least in part, as a computer program module that, when executed, performs the corresponding functions.
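The flow split across the authorization management center, the cloud server and the second client (proxy key formation, re-encryption of the initial ciphertext, the optional intermediate-key layer, and decryption with the second private key) can be exercised end to end. The sketch below is an added example and not code from the patent: the patent only says "a proxy re-encryption algorithm", so the Umbral-style ElGamal construction on secp256k1, the SHA-256/HMAC stand-in for an AEAD cipher, and all function names are assumptions made here.

```python
import hashlib, hmac, secrets

# Assumption of this sketch: secp256k1 as the group (the patent names no curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication (illustrative, not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def ser(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def de(b):
    return int.from_bytes(b[:32], "big"), int.from_bytes(b[32:64], "big")

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def stream(key, nonce, n):
    return b"".join(h(b"enc", key, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key, msg):
    """Stand-in for an AEAD: SHA-256 counter keystream plus HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(msg, stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(h(b"mac", key), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(h(b"mac", key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return bytes(x ^ y for x, y in zip(ct, stream(key, nonce, len(ct))))

def dh_scalar(X, pk2, shared):  # d = H(X, pk2, DH(X, pk2)); needs x or sk2 to compute
    return int.from_bytes(h(ser(X), ser(pk2), ser(shared)), "big") % N

def encrypt(pk1, plaintext):
    """First client: initial ciphertext under the first public key."""
    r, capsule = keygen()
    return capsule, seal(h(ser(mul(r, pk1))), plaintext)

def make_proxy_key(sk1, pk2):
    """Authorization management center: proxy key from sk1 and pk2."""
    x, X = keygen()
    d = dh_scalar(X, pk2, mul(x, pk2))
    return sk1 * pow(d, -1, N) % N, X

def re_encrypt(proxy_key, initial_ct):
    """Cloud server: transforms the capsule without sk1, sk2 or the plaintext."""
    (rk, X), (capsule, body) = proxy_key, initial_ct
    return mul(rk, capsule), X, body

def wrap(intermediate_key, proxy_ct):
    """Cloud server: updated proxy ciphertext under the intermediate key."""
    capsule, X, body = proxy_ct
    return seal(intermediate_key, ser(capsule) + ser(X) + body)

def decrypt(sk2, pk2, intermediate_key, updated_ct):
    """Second client: strip the intermediate layer, then use the second private key."""
    raw = unseal(intermediate_key, updated_ct)
    capsule, X, body = de(raw[:64]), de(raw[64:128]), raw[128:]
    d = dh_scalar(X, pk2, mul(sk2, X))
    return unseal(h(ser(mul(d, capsule))), body)

def demo():
    (sk1, pk1), (sk2, pk2) = keygen(), keygen()  # both pairs issued by the center
    ik = secrets.token_bytes(32)                 # intermediate key
    initial = encrypt(pk1, b"constructed sample file contents")
    updated = wrap(ik, re_encrypt(make_proxy_key(sk1, pk2), initial))
    return decrypt(sk2, pk2, ik, updated)

if __name__ == "__main__":
    print(demo())
```

In this particular construction the proxy key scalar multiplied by the second client's derived value d equals the first private key, so it assumes the cloud server and the second client do not pool their secrets.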
Fig. 12 schematically illustrates a block diagram of an electronic device adapted to implement an access method based on a file access system, according to an embodiment of the disclosure.
As shown in Fig. 12, an electronic device 1200 according to an embodiment of the present disclosure includes a processor 1201, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a Random Access Memory (RAM) 1203. The processor 1201 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1201 may also include on-board memory for caching purposes. The processor 1201 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 1203, various programs and data required for the operation of the electronic apparatus 1200 are stored. The processor 1201, the ROM 1202, and the RAM 1203 are connected to each other through a bus 1204. The processor 1201 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1202 and/or RAM 1203. Note that the program may be stored in one or more memories other than the ROM 1202 and the RAM 1203. The processor 1201 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1200 may also include an input/output (I/O) interface 1205, the input/output (I/O) interface 1205 also being connected to the bus 1204. The electronic device 1200 may also include one or more of the following components connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output portion 1207 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 1208 including a hard disk or the like; and a communication section 1209 including a network interface card such as a LAN card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the internet. The drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 1210 so that a computer program read out therefrom is installed into the storage section 1208 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include the ROM 1202 and/or the RAM 1203 and/or one or more memories other than the ROM 1202 and the RAM 1203 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the item recommendation method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1201. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program can also be transmitted, distributed over a network medium in the form of signals, and downloaded and installed via a communication portion 1209, and/or from a removable medium 1211. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1209, and/or installed from the removable media 1211. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1201. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (28)

1. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the method being applied to the authorization management center,
the method comprising the following steps:
generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key;
sending the first key pair to the first client;
generating a second key pair in response to an access request from the second client intended to access the first client data, the second key pair comprising a second public key and a second private key;
sending the second key pair to the second client;
in response to the access request, acquiring an initial ciphertext from the cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading it to the cloud server;
forming a proxy key based on the first private key and the second public key;
encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and
sending the proxy ciphertext to the second client.
2. The method of claim 1, wherein,
after the generating of the second key pair in response to the access request from the second client intended to access the first client data, and before the forming of the proxy key based on the first private key and the second public key, the method further comprises:
acquiring an intermediate key;
sending the intermediate key to the second client;
wherein,
after the initial ciphertext is encrypted based on the proxy key to obtain the proxy ciphertext, and before the proxy ciphertext is sent to the second client, the method further comprises:
encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
3. The method of claim 2, wherein,
the first key, the second key and the intermediate key are sent based on preset protocol distribution rules and/or preset library distribution rules.
4. The method of claim 2, wherein the intermediate key is periodically updated.
5. The method of any of claims 1-4, wherein the forming of the proxy key based on the first private key and the second public key comprises: forming the proxy key based on a proxy re-encryption algorithm.
6. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the method being applied to the second client,
the method comprising the following steps:
uploading an access request intended to access the first client data to the authorization management center;
receiving a second key pair and a proxy ciphertext from the authorization management center, wherein the second key pair comprises a second public key and a second private key, the proxy ciphertext is obtained by the authorization management center encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center by encryption based on a first private key and the second public key, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and sent to the first client; and
decrypting the proxy ciphertext based on the second private key to obtain plaintext data.
7. The method of claim 6, wherein the proxy ciphertext comprises an updated proxy ciphertext obtained by the authorization management center encrypting the initial ciphertext and then encrypting the result with an intermediate key,
after the access request for accessing the first client data is sent to the authorization management center, the method further comprises:
receiving the intermediate key from the authorization management center;
after receiving the second key pair and the proxy ciphertext from the authorization management center, and before decrypting the proxy ciphertext based on the second private key to obtain plaintext data, the method further comprises:
decrypting the proxy ciphertext based on the intermediate key to obtain the proxy ciphertext before updating.
8. The method of claim 6 or 7, wherein the decrypting of the proxy ciphertext based on the second private key to obtain plaintext data comprises: decrypting the proxy ciphertext with the second private key based on a proxy re-decryption algorithm.
9. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client,
the method comprising the following steps:
by the authorization management center: generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key;
by the authorization management center: sending the first key pair to the first client;
by the authorization management center: generating a second key pair in response to an access request from the second client intended to access the first client data, the second key pair comprising a second public key and a second private key;
by the authorization management center: sending the second key pair to the second client;
by the authorization management center: in response to the access request, acquiring an initial ciphertext from the cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading it to the cloud server;
by the authorization management center: forming a proxy key based on the first private key and the second public key;
by the authorization management center: encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext;
by the authorization management center: sending the proxy ciphertext to the second client; and
by the second client: decrypting the proxy ciphertext based on the second private key to obtain plaintext data.
10. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the method being applied to the authorization management center,
the method comprising the following steps:
generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key;
sending the first key pair to the first client;
generating a second key pair in response to an access request from the second client intended to access the first client data, the second key pair comprising a second public key and a second private key;
sending the second key pair to the second client;
forming a proxy key based on the first private key and the second public key; and
sending the proxy key to the cloud server.
11. The method of claim 10, wherein after the generating of the second key pair in response to the access request from the second client intended to access the first client data, the method further comprises:
acquiring an intermediate key;
sending the intermediate key to the second client and the cloud server.
12. The method of claim 11, wherein,
the first key, the second key and the intermediate key are sent based on preset protocol distribution rules and/or preset library distribution rules.
13. The method of claim 11, wherein the intermediate key is periodically updated.
14. The method of any of claims 10-13, wherein the proxy key is formed from the first private key and the second public key based on a proxy re-encryption algorithm.
15. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the method being applied to the cloud server,
the method comprising the following steps:
receiving an initial ciphertext from the first client, the initial ciphertext being obtained by the first client encrypting plaintext data based on a first public key;
receiving a proxy key from the authorization management center, wherein the proxy key is formed by the authorization management center by encryption based on a first private key and a second public key and is sent to the cloud server, the second public key is generated by the authorization management center, and the first private key and the first public key are generated by the authorization management center and sent to the first client;
encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and
sending the proxy ciphertext to the second client.
16. The method of claim 15, wherein,
before encrypting the initial ciphertext based on the proxy key to obtain the proxy ciphertext, the method further comprises:
receiving an intermediate key from the authorization management center;
wherein,
after the initial ciphertext is encrypted based on the proxy key to obtain the proxy ciphertext, and before the proxy ciphertext is sent to the second client, the method further comprises:
encrypting the proxy ciphertext based on the intermediate key to obtain an updated proxy ciphertext.
17. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the method being applied to the second client,
the method comprising the following steps:
uploading an access request intended to access the first client data to the authorization management center;
receiving a second key pair from the authorization management center, the second key pair comprising a second public key and a second private key;
receiving a proxy ciphertext from the cloud server, wherein the proxy ciphertext is obtained by the cloud server encrypting an initial ciphertext with a proxy key, the proxy key is formed by the authorization management center by encryption based on a first private key and the second public key and is then sent to the cloud server, the initial ciphertext is obtained by the first client encrypting plaintext data based on a first public key and is then sent to the cloud server, and the first private key and the first public key are generated by the authorization management center and sent to the first client; and
decrypting the proxy ciphertext based on the second private key to obtain plaintext data.
18. The method of claim 17, wherein the proxy ciphertext comprises an updated proxy ciphertext obtained by the cloud server encrypting the initial ciphertext with the proxy key and then encrypting the result with an intermediate key,
after the access request for accessing the first client data is sent to the authorization management center, the method further comprises:
receiving the intermediate key from the authorization management center;
wherein,
after receiving the proxy ciphertext from the cloud server, and before decrypting the proxy ciphertext based on the second private key to obtain plaintext data, the method further comprises:
decrypting the proxy ciphertext based on the intermediate key to obtain the proxy ciphertext before updating.
19. The method of claim 18, wherein the decrypting of the proxy ciphertext based on the second private key to obtain plaintext data is based on a proxy re-decryption algorithm.
20. An access method based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client,
the method comprising the following steps:
by the authorization management center: generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key;
by the authorization management center: sending the first key pair to the first client;
by the authorization management center: generating a second key pair in response to an access request from the second client intended to access the first client data, the second key pair comprising a second public key and a second private key;
by the authorization management center: sending the second key pair to the second client;
by the cloud server: receiving an initial ciphertext from the first client, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and is then sent to the cloud server;
by the authorization management center: forming a proxy key based on the first private key and the second public key;
by the authorization management center: sending the proxy key to the cloud server;
by the cloud server: receiving the proxy key from the authorization management center;
by the cloud server: encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext;
by the cloud server: sending the proxy ciphertext to the second client; and
by the second client: decrypting the proxy ciphertext based on the second private key to obtain plaintext data.
21. An access device based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the device being arranged in the authorization management center,
the device comprising:
a first data provider key pair generation module, configured to generate a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key;
a first data provider key downloading module, configured to send the first key pair to the first client;
a first data user key generation module, configured to generate a second key pair in response to an access request from the second client intended to access the first client data, the second key pair comprising a second public key and a second private key;
a first data user key downloading module, configured to send the second key pair to the second client;
a first initial ciphertext obtaining module, configured to acquire, in response to the access request, an initial ciphertext from the cloud server, wherein the initial ciphertext is obtained by the first client encrypting plaintext data based on the first public key and then uploading it to the cloud server;
a first proxy key forming module, configured to form a proxy key based on the first private key and the second public key;
a first proxy ciphertext forming module, configured to encrypt the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and
a first proxy ciphertext downloading module, configured to send the proxy ciphertext to the second client.
22. An access device based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the device being arranged in the second client,
the device comprising:
a first data authorization request uploading module for uploading an access request for accessing the first client data to the authorization management center;
a first key ciphertext receiving module for receiving a second key pair and a proxy ciphertext from the authorization management center, wherein the second key pair comprises a second public key and a second private key, the proxy ciphertext is obtained by the authorization management center by encrypting an initial ciphertext with a proxy key, the proxy key is formed through encryption by the authorization management center based on a first private key and the second public key, the initial ciphertext is sent to the cloud server by the first client after the first client encrypts plaintext data based on a first public key, and the first private key and the first public key are generated by the authorization management center and sent to the first client; and
a first proxy ciphertext decryption module for decrypting the proxy ciphertext based on the second private key to obtain plaintext data.
23. An access device based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the device being arranged in the authorization management center,
the device comprising:
a second data provider key pair generation module for generating a first key pair in response to a data upload request from the first client, the first key pair comprising a first public key and a first private key;
a second data provider key downloading module for downloading the first key pair to the first client;
a second data user key generation module for generating a second key pair in response to an access request from the second client intended to access the first client data, the second key pair comprising a second public key and a second private key;
a second data user key downloading module for downloading the second key pair to the second client;
a second proxy key forming module for forming a proxy key based on the first private key and the second public key; and
a second proxy ciphertext downloading module for downloading the proxy key to the cloud server.
24. An access device based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the device being arranged in the cloud server,
the device comprising:
a second initial ciphertext receiving module for receiving an initial ciphertext from the first client, wherein the initial ciphertext comprises plaintext data encrypted by the first client based on a first public key;
a second proxy key receiving module for receiving a proxy key from the authorization management center, wherein the proxy key is formed through encryption by the authorization management center based on a first private key and a second public key and is sent to the cloud server, the second public key is generated by the authorization management center, and the first private key and the first public key are generated by the authorization management center and sent to the first client;
a second proxy ciphertext forming module for encrypting the initial ciphertext based on the proxy key to obtain a proxy ciphertext; and
a second proxy ciphertext downloading module for downloading the proxy ciphertext to the second client.
25. An access device based on a file access system, the file access system comprising: a cloud server, an authorization management center, a first client and a second client, the device being arranged in the second client,
the device comprising:
a second data authorization request uploading module for uploading an access request for accessing the first client data to the authorization management center;
a second key receiving module for receiving a second key pair from the authorization management center, wherein the second key pair comprises a second public key and a second private key;
a second ciphertext receiving module for receiving a proxy ciphertext from the cloud server, wherein the proxy ciphertext is obtained by the cloud server by encrypting an initial ciphertext with a proxy key, the proxy key is sent to the cloud server after being formed through encryption by the authorization management center based on a first private key and the second public key, the initial ciphertext is sent to the cloud server after the first client encrypts plaintext data based on a first public key, and the first private key and the first public key are generated by the authorization management center and sent to the first client; and
a second proxy ciphertext decryption module for decrypting the proxy ciphertext based on the second private key to obtain plaintext data.
26. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-19.
27. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1 to 19.
28. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 19.
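The message flow of claim 20, as an added example that is not code from the patent. The claims name no concrete algorithm, so this assumes a simplified single-hop ElGamal-style proxy re-encryption over a constructed toy group, with a SHA-256 keystream standing in for a real cipher; every function name and the `hint` value are assumptions.

```python
import hashlib, secrets

# Constructed toy group (assumption): P = 2Q + 1, both prime; G = 4 has order Q.
# Far too small for real use; it only keeps the algebra easy to follow.
P, Q, G = 2039, 1019, 4

def h_scalar(*vals):
    """Hash group elements to a nonzero scalar in [1, Q-1]."""
    digest = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def stream_xor(shared, data):
    """Toy symmetric layer: XOR with a SHA-256 counter keystream keyed by `shared`."""
    blocks = range(len(data) // 32 + 1)
    pad = b"".join(hashlib.sha256(f"{shared}:{i}".encode()).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, pad))

def keygen():
    """Authorization management center: returns (public key, private key)."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def encrypt(pk1, plaintext):
    """First client: initial ciphertext = (capsule G^r, body keyed by pk1^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), stream_xor(pow(pk1, r, P), plaintext)

def proxy_keygen(sk1, pk2):
    """Center: proxy key from the first private key and the second public key."""
    x = secrets.randbelow(Q - 1) + 1
    hint = pow(G, x, P)                        # public value passed on to client 2
    d = h_scalar(hint, pk2, pow(pk2, x, P))    # only the holder of sk2 can recompute d
    return sk1 * pow(d, -1, Q) % Q, hint

def reencrypt(proxy_key, initial):
    """Cloud server: transforms the capsule; sees no private key and no plaintext."""
    (rk, hint), (capsule, body) = proxy_key, initial
    return pow(capsule, rk, P), hint, body

def decrypt_initial(sk1, initial):
    """First client reading back its own upload."""
    capsule, body = initial
    return stream_xor(pow(capsule, sk1, P), body)

def decrypt_proxy(pk2, sk2, proxy_ct):
    """Second client: recompute d with the second private key, then unwrap."""
    capsule, hint, body = proxy_ct
    d = h_scalar(hint, pk2, pow(hint, sk2, P))
    return stream_xor(pow(capsule, d, P), body)
```

In the claimed flow the authorization management center generates both private keys, so it holds everything needed to decrypt, whereas the cloud server only ever handles the proxy key and ciphertext.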
CN202410263131.2A 2024-03-07 2024-03-07 Access method, device, equipment and medium based on file access system Pending CN118157943A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410263131.2A CN118157943A (en) 2024-03-07 2024-03-07 Access method, device, equipment and medium based on file access system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410263131.2A CN118157943A (en) 2024-03-07 2024-03-07 Access method, device, equipment and medium based on file access system

Publications (1)

Publication Number Publication Date
CN118157943A true CN118157943A (en) 2024-06-07

Family

ID=91292254

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410263131.2A Pending CN118157943A (en) 2024-03-07 2024-03-07 Access method, device, equipment and medium based on file access system

Country Status (1)

Country Link
CN (1) CN118157943A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119848912A (en) * 2025-03-21 2025-04-18 北京道达天际科技股份有限公司 Control system and method for software encryption storage and authorized access

Similar Documents

Publication Publication Date Title
US11316677B2 (en) Quantum key distribution node apparatus and method for quantum key distribution thereof
US11909868B2 (en) Orthogonal access control for groups via multi-hop transform encryption
US9716696B2 (en) Encryption in the cloud using enterprise managed keys
US10938554B2 (en) Managing private key access in multiple nodes
CN117061105B (en) Data processing method, device, readable medium and electronic device
CN108111540B (en) Hierarchical access control system and method supporting data sharing in cloud storage
US7266705B2 (en) Secure transmission of data within a distributed computer system
US12019778B1 (en) Systems and methods to perform end to end encryption
US20190238523A1 (en) Communication terminals, server devices, and programs
KR101839048B1 (en) End-to-End Security Platform of Internet of Things
CN118157943A (en) Access method, device, equipment and medium based on file access system
KR101812311B1 (en) User terminal and data sharing method of user terminal based on attributed re-encryption
US11290277B2 (en) Data processing system
CN118381609B (en) Method and device for providing multi-type quantum security key
WO2022125198A1 (en) Certificate-based encryption implemented with multiple encryption schemes
CN104796411A (en) Method for safely transmitting, storing and utilizing data in cloud and mobile terminal
JP2022522555A (en) Secure message delivery using semi-trusted relayers
Zhang et al. Secure Door on Cloud: A Secure Data Transmission Scheme to Protect Kafka's Data
US20250226974A1 (en) Method and apparatus for distributing encrypted device unique credentials
CN111526128B (en) Encryption management method and device
Krishnan et al. Peer to peer file sharing by blockchain using IoT
Liu et al. A secure and efficient data sharing framework with delegated capabilities in hybrid cloud
JP2018142922A (en) Data distribution system and data distribution method
Kim et al. Certificateless Group to Many Broadcast Proxy Reencryptions for Data Sharing towards Multiple Parties in IoTs
Agrawal et al. Access control framework using dynamic attributes encryption for mobile cloud environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination