《计算机应用》唯一官方网站 ›› 2021, Vol. 41 ›› Issue (11): 3251-3256.DOI: 10.11772/j.issn.1001-9081.2020121998

• 网络空间安全 • 上一篇    下一篇

基于身份多条件代理重加密的文件分级访问控制方案

李莉1(), 杨鸿飞2, 董秀则1   

  1. 1.北京电子科技学院 电子与通信工程系,北京 100070
    2.西安电子科技大学 计算机科学与技术学院,西安 710071
  • 收稿日期:2020-12-18 修回日期:2021-08-08 接受日期:2021-08-18 发布日期:2021-08-08 出版日期:2021-11-10
  • 通讯作者: 李莉
  • 作者简介:李莉(1974—),女,山东青岛人,副教授,博士,主要研究方向:网络与系统安全、嵌入式系统安全
    杨鸿飞(1998—),男,河南洛 阳人,硕士研究生,主要研究方向:信息系统安全
    董秀则(1976—),男,山东莒县人,副教授,硕士,主要研究方向:信息安全、密码工程。
  • 基金资助:
    国家重点研发计划项目(2017YFB0801803)

Hierarchical file access control scheme with identity-based multi-conditional proxy re-encryption

Li LI1(), Hongfei YANG2, Xiuze DONG1   

  1. 1.Department of Electronic and Communication Engineering,Beijing Electronic Science and Technology Institute,Beijing 100070,China
    2.School of Computer Science and Technology,Xidian University,Xi’an Shaanxi 710071,China
  • Received:2020-12-18 Revised:2021-08-08 Accepted:2021-08-18 Online:2021-08-08 Published:2021-11-10
  • Contact: Li LI
  • About author:LI Li,born in 1974,Ph. D.,associate professor. Her research interests include network and system security,embedded system security
    YANG Hongfei,born in 1998,M. S. candidate. His research interests include information system security
    DONG Xiuze,born in 1976,M. S.,associate professor. His research interests include information security,cryptography engineering.
  • Supported by:
    the National Key Research and Development Program of China(2017YFB0801803)

摘要:

针对传统文件共享方案存在文件易泄露、文件去向难以控制、访问控制复杂等问题,以及云端文件分级分类管理及共享的应用需求,提出了一种基于身份多条件代理重加密的文件分级访问控制方案。首先,将文件的权限等级作为密文生成条件,并引入可信分级管理单元确定并管理用户等级;然后,生成用户分级访问权限重加密密钥,解决了基于身份的条件代理重加密方案只能限制代理服务器的重加密行为而对用户权限限制不足的问题;同时,减轻了用户端的负担,即用户只需进行加解密操作。不同方案的对比分析结果表明,所提方案与现有访问控制方案相比有明显优势,无需用户直接参与即可完成用户访问权限的更新,并且具有上传者匿名的特点。

关键词: 基于身份的代理重加密, 文件分级访问控制, 分级管理单元, 访问权限, 上传者匿名

Abstract:

In view of the problems of traditional file sharing schemes, such as easy leakage of files, difficult control of file destination, and complex access control, as well as the application requirements of cloud file hierarchical classification management and sharing, a hierarchical file access control scheme with identity-based multi-conditional proxy re-encryption was proposed. Firstly, the permission level of file was taken as the condition of ciphertext generation, and the trusted hierarchical management unit was introduced to determine and manage the user levels. Secondly, the re-encryption key of user’s hierarchical access permission was generated, which solved the problem that the identity-based conditional proxy re-encryption scheme only restricts the re-encryption behavior of proxy servers, and lacks the limitation of the user’s permission. Meanwhile, the burden of client was reduced, which means only encryption and decryption operations were needed for users. The results of comparison and analysis of different schemes show that, compared with the existing access control schemes, the proposed scheme has obvious advantages, it can complete the update of the user’s access permission without the direct participation of users, and has the characteristic of uploader anonymity.

Key words: identity-based proxy re-encryption, hierarchical file access control, hierarchical management unit, access permission, uploader anonymity

中图分类号: