Method, apparatus, and system for access control of shared data

US 10,050,968 B2
Filed: 12/31/2014
Issued: 08/14/2018
Est. Priority Date: 12/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method for access control of shared data in an apparatus for access control of shared data comprising a computer readable storage medium and a processor configured to execute software programs stored in the storage medium in the form of software units, the method comprising:

pre-establishing, by a data storage dealer, an update parameter list for recording those various versions of attributes under control and corresponding update parameters of cipher text attribute components;

generating, by attribute authorizers, a new attribute master DEA key and a new attribute version number according to the received attribute component updating parameter according to the new attribute master DEA key and a stored original attribute master DEA key;

transmitting, by the attribute authorizers, the new attribute version number and the update parameter of the cipher text attribute component to a data storage dealer;

storing, by the storage dealer, the received new attribute version number and the update parameter of the cipher text attribute component in the pre-established update parameter list;

transmitting, from a data access requester, an access request to a data storage dealer for accessing a shared data;

obtaining, from the data storage dealer, a cipher text of the shared data, a cipher text of an encryption key, an access strategy, and a cipher text attribute component corresponding to the shared data from the data storage dealer, the cipher text attribute component is a first number value, which characterizes an attribute of the data access requester, the encryption key is configured for encrypting the shared data;

inquiring, by the data access requester, whether a corresponding user attribute component is stored in a preset user attribute component database or not according to the cipher text of the shared data, the cipher text of the encryption key, the access strategy, and the cipher text attribute component returned by the data storage dealer;

when the data access requester does not store the corresponding user attribute component, transmitting from the data access requester a request for obtaining user attribute component thereof respectively to K attribute authorizers relevant to the access strategy, the user attribute component is a second number value, which means that the data access requester owns an attribute corresponding to the second number value;

generating, via the K attribute authorizers, the user attribute components of the data access requester respectively when the K attribute authorizers receive the request for obtaining the user attribute component, and transmitting the user attribute component to the data access requester;

restoring, via the data access requester, the encryption key according to the access strategy, the cipher text of the encryption key, the cipher text attribute component, and the user attribute component received by the data access requester;

decrypting, via the data access requester, the cipher text of the shared data by using the encryption key, thereby obtaining the shared data requested for accessing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for access control of shared data includes a data access requester transmitting a request for accessing a shared data to a data storage dealer, obtaining a cipher text of the shared data, a cipher text of an encryption key, an access strategy, and a cipher text attribute component from the data storage dealer, and transmitting a request for obtaining the user attribute component of the data access requester respectively to the attribute authorizers. The attribute authorizers generate the user attribute components of the data access requester respectively and transmit the user attribute components of the data access requester to the data access requester. The data access requester restores the encryption key, and decrypts the cipher text of the shared data according to the encryption key for obtaining the shared data requested to be accessed.

Citations

9 Claims

1. A method for access control of shared data in an apparatus for access control of shared data comprising a computer readable storage medium and a processor configured to execute software programs stored in the storage medium in the form of software units, the method comprising:
- pre-establishing, by a data storage dealer, an update parameter list for recording those various versions of attributes under control and corresponding update parameters of cipher text attribute components;
  
  generating, by attribute authorizers, a new attribute master DEA key and a new attribute version number according to the received attribute component updating parameter according to the new attribute master DEA key and a stored original attribute master DEA key;
  
  transmitting, by the attribute authorizers, the new attribute version number and the update parameter of the cipher text attribute component to a data storage dealer;
  
  storing, by the storage dealer, the received new attribute version number and the update parameter of the cipher text attribute component in the pre-established update parameter list;
  
  transmitting, from a data access requester, an access request to a data storage dealer for accessing a shared data;
  
  obtaining, from the data storage dealer, a cipher text of the shared data, a cipher text of an encryption key, an access strategy, and a cipher text attribute component corresponding to the shared data from the data storage dealer, the cipher text attribute component is a first number value, which characterizes an attribute of the data access requester, the encryption key is configured for encrypting the shared data;
  
  inquiring, by the data access requester, whether a corresponding user attribute component is stored in a preset user attribute component database or not according to the cipher text of the shared data, the cipher text of the encryption key, the access strategy, and the cipher text attribute component returned by the data storage dealer;
  
  when the data access requester does not store the corresponding user attribute component, transmitting from the data access requester a request for obtaining user attribute component thereof respectively to K attribute authorizers relevant to the access strategy, the user attribute component is a second number value, which means that the data access requester owns an attribute corresponding to the second number value;
  
  generating, via the K attribute authorizers, the user attribute components of the data access requester respectively when the K attribute authorizers receive the request for obtaining the user attribute component, and transmitting the user attribute component to the data access requester;
  
  restoring, via the data access requester, the encryption key according to the access strategy, the cipher text of the encryption key, the cipher text attribute component, and the user attribute component received by the data access requester;
  
  decrypting, via the data access requester, the cipher text of the shared data by using the encryption key, thereby obtaining the shared data requested for accessing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein generating the user attribute components of the data access requester comprises:
    - generating a first hash value according to a unique global identifier of the data access requester contained in the request for obtaining the user attribute component, generating a second hash value according to an identifier of the attribute of the data access requester, and generating the user attribute component according to the first hash value, the second hash value, and a pre-generated attribute master DEA key.
  - 3. The method according to claim 2, wherein one or a plurality of preset attributes which are managed by the attribute authorizer correspond to a same attribute master DEA key.
  - 4. The method according to claim 1, wherein before obtaining the cipher text of the shared data, the cipher text of the encryption key, the access strategy, and the cipher text attribute component corresponding to the shared data from the data storage dealer, the method further comprises:
    - generating the cipher text of the encryption key and the cipher text attribute component according to the encryption key, an attribute public key, a second hash number value, and the access strategy, and transmitting the cipher text of the encryption key, the cipher text attribute component to the data storage dealer.
  - 5. The method according to claim 1, further comprising:
    - judging, by the data access requester, whether the version number relevant to the stored user attribute component is consistent with the version number relevant to the cipher text attribute component when the data access requester stores the corresponding user attribute component;
      
      if yes, storing, by the data access requester, the encryption key according to the received access strategy, the cipher text of the encryption key, the cipher text attribute component, and the stored user attribute component, anddecrypting, by a data decrypting unit, the cipher text of shared data so as to obtain the shared data requested to be obtained;
      
      if no, transmitting, by the data access requester, the request for obtaining user attribute component update parameter to the attribute authorizer corresponding to the user attribute component which has an inconsistent version number.
  - 6. The method according to claim 1, further comprising:
    - updating, by the attribute authorizers, the cipher text attribute component in time corresponding to the attributes managed by the attribute authorizers when an attribute of a user changes with the requirement of the management and time.
  - 7. The method according to claim 1, further comprising:
    - signing the request for obtaining user attribute component digitally before transmitting the request for obtaining user attribute component to the attribute authorizers relevant to the access strategy.
  - 8. The method according to claim 7, further comprising:
    - performing, by the attribute authorizers, identity verification for the data access requester when they receive the request for obtaining user attribute component from the data access requester.
  - 9. The method according to claim 1, wherein the access strategy is referred to as a tree-like logic structure capable of decrypting a series of attributes of cipher text, that is, an access strategy tree, a step of restoring, via the data access requester, the encryption key according to the access strategy, the cipher text of the encryption key, the cipher text attribute component, and the user attribute component received by the data access requester specifically comprises:
    - regarding cipher text attribute components relevant to the leaf nodes of the access strategy tree of the access strategy and user attribute components relevant to a same attribute as an input of a bilinear mapping function so as to obtain the node correlation value of the leaf nodes;
      
      according to the hierarchical structure of the access strategy tree, starting from hierarchy of the leaf nodes of the access strategy tree, bottom-up, an inverse operation needs to be performed for each hierarchy according to a preset secret shared function, regarding a correlation value of the hierarchy as the input, obtaining the node correlation value of the father node of the hierarchy by calculation, keeping performing the inverse operation of secretly shared function iteratively from bottom to up until a node correlation value of a root node of the access strategy tree is obtained finally, wherein the correlation value is regarded as being a first intermediate recovery data; and
      
      obtaining the encryption key by multiplying the first intermediate recovery data by the cipher text of the encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shenzhen University (Guangdong Education Department)
Original Assignee
Shenzhen University (Guangdong Education Department)
Inventors
Wang, Bo, Chen, Jianyong, Yu, Jianping
Primary Examiner(s)
Wang, Harris C

Application Number

US15/024,379
Publication Number

US 20160359856A1
Time in Patent Office

1,322 Days
Field of Search

713150
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/10   for controlling access to d...

H04L 67/1097   for distributed storage of ...

H04L 69/00   Network arrangements, proto...

H04L 9/0894   Escrow, recovery or storing...

Method, apparatus, and system for access control of shared data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, and system for access control of shared data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links