US 12,362,926 B1
Full-link data security protection method and system
Feiran Huang, Guangzhou (CN); Youqiong Xiong, Guangzhou (CN); Zhiquan Liu, Guangzhou (CN); and Jian Weng, Guangzhou (CN)
Assigned to JINAN UNIVERSITY, Guangzhou (CN)
Filed by JINAN UNIVERSITY, Guangzhou (CN)
Filed on Nov. 27, 2024, as Appl. No. 18/961,542.
Claims priority of application No. 202410194540.1 (CN), filed on Feb. 22, 2024.
Int. Cl. H04L 9/08 (2006.01); H04L 9/14 (2006.01); H04L 9/30 (2006.01); H04L 9/32 (2006.01)
CPC H04L 9/0861 (2013.01) [H04L 9/0819 (2013.01); H04L 9/0847 (2013.01); H04L 9/085 (2013.01); H04L 9/14 (2013.01); H04L 9/3073 (2013.01); H04L 9/3231 (2013.01); H04L 9/3263 (2013.01); H04L 2209/16 (2013.01)]
10 Claims
 
1. A full-link data security protection method, comprising:
initializing, by an initialization module, a key generation center;
generating, by the key generation center, public parameters;
registering, by a data owner, an identity IDu of the data owner with the key generation center;
calculating, by the key generation center, a public key for verifying a signature of the data owner;
generating, by the data owner, a private key;
signing, by the data owner, a ciphertext based on the private key;
registering, by a data user, an identity IDt of the data user with the key generation center;
generating, by the key generation center, a private key for the data user for signing;
signing, by the data user, an operation message based on the private key;
at a data creation and collection stage:
building, by an identifier building module, a data security identification based on a category and security level of an object data;
verifying, by the identifier building module, a signed identifier;
acquiring, by a hub node, a data security attribute set;
generating, by the data owner, a symmetric key based on a symmetric encryption algorithm;
encrypting, by the data owner, a plaintext file with the symmetric key to generate a ciphertext file;
associating, by the data owner, the symmetric key with a security attribute of an encrypted data for implementing access control; and
generating, by the hub node, a decryption key;
at a data transmission and storage stage:
dividing, by the data owner, the ciphertext file into blocks to generate ciphertext components;
calculating, by the data owner, a virtual index and a data label for a data block;
transmitting, by the data owner, the ciphertext components to a distributed hash table (DHT) network node; and
uploading, by the data owner, a tuple comprising the virtual index, the data block, and the data label to a cloud server;
at a data processing and exchange stage:
applying, by the hub node, re-encryption based on a re-encryption key generation algorithm to generate a re-encrypted ciphertext;
acquiring, by the data user, the re-encrypted ciphertext, which is then decrypted to obtain the signed identifier and a secret value;
generating, by the data user, multiple distribution indexes based on the signed identifier;
acquiring, by the data user, from the DHT network node the tuple having a ciphertext component associated with the virtual index;
calculating, by the data user, a new virtual index based on the signed identifier;
acquiring, by the data user, the tuple consisting of the virtual index, the data block and the data label from the cloud server;
verifying, by the data user, integrity of the ciphertext via a data signature and a ciphertext label;
recovering, by the data user, the data blocks of the ciphertext file corresponding to the ciphertext components using a Lagrange interpolation method;
assembling, by the data user, the data blocks to acquire a complete ciphertext file that is decrypted to obtain the plaintext file based on the symmetric key;
at a data destruction stage:
under a preset condition, discarding, by the DHT network node, an index tuple associated with a stored ciphertext component based on the data security identification.
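
The split, recover and destroy steps of the transmission, exchange and destruction stages, shown as an added example that is not taken from the patent. It assumes the ciphertext components are Shamir-style polynomial shares over a prime field (the claim names only Lagrange interpolation) and uses SHA-256 as a stand-in for the data label. The modulus, block length, threshold and function names are illustrative assumptions.

```python
import hashlib, hmac, secrets

P = 2**521 - 1          # prime field modulus (assumption; not given in the claim)
BLOCK_LEN = 64          # bytes per ciphertext block; must fit below P

def split_block(block: bytes, n: int, k: int) -> dict:
    """Turn one ciphertext block into n components; any k of them recover it."""
    coeffs = [int.from_bytes(block, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    def poly(x):                      # Horner evaluation mod P
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    return {x: poly(x) for x in range(1, n + 1)}   # index -> component

def lagrange_at_zero(components: dict) -> int:
    """Interpolate the polynomial through the components and evaluate it at x = 0."""
    total = 0
    for xi, yi in components.items():
        num = den = 1
        for xj in components:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover_block(components: dict, label: bytes):
    """Recover a block and check it against its label; None if the check fails."""
    value = lagrange_at_zero(components)
    if value >= 1 << (8 * BLOCK_LEN):          # cannot be a valid block
        return None
    block = value.to_bytes(BLOCK_LEN, "big")
    ok = hmac.compare_digest(hashlib.sha256(block).digest(), label)
    return block if ok else None

def demo():
    block = bytes(range(BLOCK_LEN))            # constructed stand-in for a ciphertext block
    label = hashlib.sha256(block).digest()     # stand-in for the data label
    dht = split_block(block, n=5, k=3)         # one component per simulated DHT node
    before = recover_block({x: dht[x] for x in (1, 3, 5)}, label)  # any 3 of 5 suffice
    for x in (1, 2, 3):                        # destruction: nodes discard their tuples
        dht.pop(x)
    after = recover_block(dht, label)          # 2 components left, below the threshold
    return before == block, after
```

Once fewer than k components survive, interpolation yields an unrelated field element and the label check rejects it, which is what makes the discard step an effective destruction mechanism under these assumptions.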