A file multi-point encryption encapsulation storage and transmission method and related device

By combining attribute-based encryption with blockchain, a method of one-time encryption and multi-point decryption of electronic documents during the exchange process is realized, which solves the problems of inconvenient key distribution and leakage risk in existing technologies, and provides security and traceability of permissions for cross-domain transmission.

CN122160109APending Publication Date: 2026-06-05CHINA ELECTRONICS STANDARDIZATION INST

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA ELECTRONICS STANDARDIZATION INST
Filing Date
2026-02-12
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies cannot achieve one-time encryption and multiple-point decryption of electronic documents during the exchange and transmission process, which poses a risk of leakage and makes key distribution and system construction inconvenient.

Method used

It adopts a trust mechanism that integrates attribute-based encryption and blockchain, combined with smart contract dynamic permission management, to encrypt file content through symmetric keys, and binds the file encryption key and access policy to the blockchain for evidence storage, forming a key ciphertext that is compatible with decryption by multiple parties.

Benefits of technology

It achieves one-time encryption and multiple-point decryption, ensuring that files are only known to authorized personnel during the exchange process, and that permission changes are traceable, preventing unauthorized access to information.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160109A_ABST
    Figure CN122160109A_ABST
Patent Text Reader

Abstract

The application discloses a file multi-point encryption packaging storage and transmission method and related devices, and the trust mechanism based on attribute-based encryption and blockchain fusion is combined with intelligent contract dynamic permission management to realize the encryption of the file, and a distributed ledger-based packaging and storage structure is provided, accurate matching of exchanged information and sensitive file content is realized through attribute association, cross-domain transmission requirements of one-time encryption and multi-point decryption are met, permission change can be traced through blockchain storage, and the technical level prevents the overreach of the personnel in the exchange link to obtain relevant information.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of electronic document technology, and in particular to a method and related apparatus for multi-point encrypted encapsulation, storage and transmission of documents. Background Technology

[0002] Electronic documents, due to their high value density, significant content impact, and stringent confidentiality requirements, necessitate strict control during their exchange and transmission. Currently, the exchange and transmission of electronic documents employs either plaintext transmission with form information or encryption before exchange, with controls implemented at each stage. However, both methods have significant limitations. Plaintext transmission, while controlled by procedures and accessible only to designated personnel, still carries the risk of leaks as individuals may gain access to the document's content during the exchange. Conversely, fully encrypted transmission requires knowledge of the decryption key, causing inconvenience in key distribution and system construction. In other words, current document transmission methods do not support one-time encryption and multiple-point decryption. Summary of the Invention

[0003] This invention provides a method and related apparatus for multi-point encrypted encapsulation, storage, and transmission of files, in order to solve the problem that existing methods cannot achieve one-time encryption and multi-point decryption while ensuring file security.

[0004] In a first aspect, the present invention provides a method for multi-point encrypted encapsulation, storage, and transmission of files. The method includes: acquiring exchange information and recipient information of an exchange file to be transmitted, wherein the exchange information includes a security level parameter, an urgency level parameter, and an exchange title; setting an attribute base for the recipient based on the recipient's operation permissions and access scope for the exchange file, wherein the attribute base includes unit attributes, department attributes, position attributes, print permission parameters, reading count limit parameters, and reading time limit parameters; encrypting the exchange file using a file encryption key based on the recipient's attribute base, such that the visibility scope of the exchange file matches the recipient's attribute base, and encapsulating the file encryption key and the recipient's access policy using an attribute base encryption algorithm to form a key ciphertext adapted for multi-subject decryption, wherein the file encryption key is randomly generated using a symmetric key system; encapsulating the key ciphertext and the attribute base encrypted exchange file to obtain an encapsulation structure, and constructing a blockchain-based distributed indexing mechanism to bind the file encryption key and the access policy and store them on the blockchain.

[0005] Optionally, the method further includes: dividing the exchanged information into basic flow information and sensitive core information, and dividing the exchanged files into attachments and encrypted text, so as to use the recipient's attribute base to perform hierarchical management of the exchanged information and the exchanged files.

[0006] Optionally, the step of encrypting the exchanged file using a file encryption key based on the recipient's attribute base includes: encrypting the attachments, the secret transmission body, the basic flow information, and the sensitive core information using independent file encryption keys based on the recipient's attribute base, so that the attachments, the secret transmission body, the basic flow information, and the sensitive core information are logically isolated in terms of encryption; after encryption, storing the secret transmission body in ciphertext form in the file area of ​​the encapsulation structure, and storing the attachments, basic flow information, and sensitive core information in ciphertext form in the attachment area of ​​the encapsulation structure, so as to block unauthorized access from the physical storage level.

[0007] Optionally, a digest value of the encrypted secret transmission text is calculated, and the digest value is stored together with the encrypted secret transmission text in the corresponding data area and associated with the recipient's signature information, so as to use the digest value to verify the integrity of the secret transmission text.

[0008] Optionally, the method further includes: obtaining sender information and embedding the obtained sender information into the trusted identifier field of the encapsulation structure header, wherein the sender information includes structured information of the sender's organization, the sender's job title, the sender's public key, and a digest of the sender's public key; the structured information of the sender's organization includes an organization code field and a hierarchy attribute field; the sender's job title includes a job level parameter and a permission scope parameter; the sender's public key is an index of the sender's corresponding private key; and the digest of the sender's public key is a fixed-length feature value generated by a hash algorithm, used to verify the integrity of the public key.

[0009] Secondly, the present invention provides a file multi-point encrypted encapsulation storage and transmission device, the device comprising: The acquisition unit is used to acquire the exchange information and recipient information of the exchange file to be transmitted. The exchange information includes a security level parameter, an urgency level parameter, and an exchange header. The setting unit is used to set the recipient's attribute base according to the recipient's operation permissions and access scope for the exchanged files. The attribute base includes unit attribute, department attribute, position attribute, print permission parameter, reading count limit parameter, and reading time limit parameter. An encryption unit is used to perform attribute-based encryption on the exchanged file using a file encryption key based on the recipient's attribute base, so that the visibility range of the exchanged file matches the recipient's attribute base, and to encapsulate the file encryption key and the recipient's access policy in a policy-based manner through an attribute-based encryption algorithm to form a key ciphertext that is compatible with multi-subject decryption, wherein the file encryption key is randomly generated through a symmetric key system. The encapsulation unit is used to encapsulate the key ciphertext and the attribute-based encrypted exchange file to obtain an encapsulation structure, and to build a blockchain-based distributed indexing mechanism to bind the file encryption key with the access policy and store it on the blockchain.

[0010] Thirdly, the present invention provides an encrypted terminal, which includes the above-mentioned file multi-point encryption encapsulation storage and transmission device.

[0011] Fourthly, the present invention provides a method for multi-point decryption of files, the method comprising: Obtain the attribute base information of the current decryption terminal, and calculate the digest based on the attribute base information; The calculated summary information is input into the encapsulation structure, the access permissions are verified through the blockchain and the corresponding file is decrypted, and the access record is stored on the blockchain.

[0012] Fifthly, the present invention provides a decryption terminal, characterized in that the decryption terminal comprises: The calculation unit is used to obtain the attribute base information of the current decryption terminal and calculate the digest based on the attribute base information; The decryption unit is used to input the calculated digest information into the encapsulation structure, verify the permissions through the blockchain, decrypt the corresponding file accessed, and store the access record on the blockchain.

[0013] In a sixth aspect, the present invention provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the file multi-point encryption encapsulation storage and transmission method described above and the file multi-point decryption method described in claim 8.

[0014] The beneficial effects of this invention are as follows: This invention achieves file encryption through a trust mechanism that integrates attribute-based encryption and blockchain, combined with smart contract dynamic permission management. It also provides a distributed ledger-based encapsulation and storage structure, and achieves precise matching of exchanged information with sensitive file content through attribute association. This satisfies the cross-domain transmission requirements of one-time encryption and multi-point decryption, and ensures traceability of permission changes through blockchain evidence storage, thereby preventing unauthorized access to relevant information by personnel handling the exchange process from a technical perspective.

[0015] The above description is merely an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention and to implement it in accordance with the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent and understandable, specific embodiments of the present invention are described below. Attached Figure Description

[0016] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the invention. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings: Figure 1 This is a flowchart illustrating a method for multi-point encrypted encapsulation, storage, and transmission of files provided in an embodiment of the present invention; Figure 2 This is a flowchart illustrating another method for multi-point encrypted encapsulation, storage, and transmission of files provided in an embodiment of the present invention; Figure 3 This is a schematic diagram of the structure of a file multi-point encryption encapsulation storage and transmission device provided in an embodiment of the present invention; Figure 4 This is a flowchart illustrating a decryption method provided in an embodiment of the present invention; Figure 5 This is a schematic diagram of the structure of a decryption terminal provided in an embodiment of the present invention. Detailed Implementation

[0017] The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the scope of the invention.

[0018] To address the shortcomings of existing methods for encapsulating classified documents, which fail to guarantee that personnel exchanging information will not obtain the actual content of sensitive documents, and which cannot achieve a closed-loop logic for controlled exchange and readability among multiple designated personnel with a single encryption, this invention provides a method for multi-point encrypted encapsulation, storage, and transmission of files. (See [link to relevant documentation]). Figure 1 The method includes: S101. Obtain the exchange information and recipient information of the exchange file to be transmitted; Specifically, embodiments of the present invention involve obtaining various information required for encrypted transmission, such as exchange information, recipient information, and sender information of the exchange file to be transmitted.

[0019] In this embodiment of the invention, the exchanged information includes security level parameters, urgency parameters, and exchange headers; the sender information includes structured information about the sender's organization, the sender's job title, the sender's public key, and a digest of the sender's public key; the recipient information includes structured information about the recipient's organization, the recipient's public key, a digest of the recipient's public key, and the recipient's job title; specifically, the structured information about the sender's organization may include an organization code field and a hierarchy attribute field; the sender's job title includes a job level parameter and a permission scope parameter; the sender's public key is an index of the sender's corresponding private key; the digest of the sender's public key is a fixed-length feature value generated by a hash algorithm, used to verify the integrity of the public key.

[0020] It should be noted that the exchange information, sender information, and recipient information mentioned above are just examples of this invention. In specific implementation, those skilled in the art can make arbitrary settings according to actual needs, and this invention does not impose any specific limitations on them.

[0021] In practical implementation, embodiments of the present invention require dividing the exchanged information into basic flow information and sensitive core information, and dividing the exchanged files into attachments and encrypted text. This detailed subdivision of the exchanged information and files facilitates subsequent hierarchical control of the exchanged information and files using the recipient's attribute base. It should be noted that the above division of exchanged information and files is merely an example of the present invention. In practical implementation, multiple encrypted texts may be involved. Those skilled in the art can further classify the encrypted text files according to the encrypted text that different recipients need to know, thereby facilitating subsequent attribute-based encryption of files for different recipients. In other words, embodiments of the present invention can classify exchanged files and the corresponding exchanged information in various ways, and then perform attribute-based encryption of the files according to the recipient's attribute base, thereby ensuring that different recipients can only obtain the content they request to see, ultimately achieving multi-point decryption functionality.

[0022] In this embodiment of the invention, the basic flow information includes information about the person receiving the encapsulation structure. The sensitive core information includes sender information, recipient information, security level parameters, urgency parameters, and exchange headers, etc. The attachments to the exchanged files can be a directory or description of the secret transmission text, etc., and the secret transmission text of the exchanged files can be multiple Word, PDF, or image files, etc.

[0023] S102. Set the recipient's attribute base according to the recipient's operation permissions and access scope for the exchanged files; Specifically, in this embodiment of the invention, the recipient's attribute base is set according to the recipient's permissions to the exchanged files. The attribute base may include printing unit attributes, department attributes, position attributes, printing permission parameters, reading number limit parameters, and reading time limit parameters, etc., which can be set according to actual needs. It should be noted that, in this embodiment of the invention, the sender possesses the highest level of access to the encapsulated structure, and can fully view all element information within the encapsulated structure, including but not limited to basic flow data and sensitive core fields in the exchanged information, metadata and encrypted content in the file information. Simultaneously, the sender possesses permission exemption characteristics, enabling them to perform unrestricted reading, modification, replacement, and permission reconfiguration operations on files within the encapsulated structure without being subject to the preset permission control rules of the information layering control module, ensuring absolute control over core information throughout the entire file distribution process.

[0024] In specific implementation, this embodiment of the invention uses the sender's identity information as a core element of the encapsulation structure, embedding it into the trusted identifier field of the encapsulation header. Based on a preset permission tracing mechanism, the element structure of the sender's related information is as follows: F s =(S u ,S p ,K p ,K abs ), where F s For sender element identification; S u Structured information representing the sender's organization, including key fields such as organization code and hierarchical attributes; S p Used to describe the sender's job information, including characteristic parameters such as job level and scope of authority; K p The public key representing the sender can serve as a precise index to the corresponding private key in critical decryption scenarios or authentication processes, ensuring the uniqueness and accuracy of key pairings; K abs The hash algorithm generates a fixed-length feature value from the sender's public key digest. This feature value is used to verify the integrity of the public key and prevent it from being illegally tampered with during transmission or storage, thereby ensuring the trustworthiness of the encryption system.

[0025] S103. Based on the recipient's attribute base, the exchanged file is encrypted using the file encryption key, so that the visibility range of the exchanged file matches the recipient's attribute base. The file encryption key and the recipient's access policy are encapsulated in a policy-based manner through the attribute base encryption algorithm to form a key ciphertext that is compatible with multi-subject decryption. In this embodiment of the invention, the file encryption key is randomly generated using a symmetric key system; Specifically, the embodiments of the present invention are based on the recipient's attribute base and use a randomly generated symmetric key to encrypt the exchanged files using the attribute base, so that the visibility range of the exchanged files matches the recipient's attribute base.

[0026] In specific implementation, this embodiment of the invention uses the recipient's attribute base to encrypt the attachments, the secret text, the basic flow information, and the sensitive core information using independent file encryption keys, thereby isolating the attachments, the secret text, the basic flow information, and the sensitive core information in terms of encryption logic. After encryption, the encrypted secret text is stored in the file area of ​​the encapsulation structure, and the encrypted attachments, basic flow information, and sensitive core information are stored in the attachment area of ​​the encapsulation structure, thereby blocking unauthorized access from the physical storage level.

[0027] In addition, the present invention also encapsulates the file encryption key and the recipient's access policy in a policy-based manner through an attribute-based encryption algorithm, forming a key ciphertext that is compatible with multi-subject decryption. In other words, the file exchange and file encryption key encryption in the embodiments of the present invention are based on the recipient's attribute base. Therefore, the method described in the present invention can effectively ensure that the recipient can only see the file content authorized by them. For example, for the person transmitting the encapsulation structure, their attribute base can only see the basic flow information, that is, they can only see who the encapsulation structure is sent to. If the attribute base of recipient A is that they can read word1-3, then recipient A can only see word1-3 and cannot see other files.

[0028] In simple terms, the attribute-based encryption method described in the embodiments of the present invention can bind decryption permissions to user attributes (such as department, job level, business role, etc.), thereby enabling multiple nodes that meet the attribute conditions to decrypt after one encryption, which achieves the requirement of one encryption and multiple decryption.

[0029] S104. The key ciphertext and the attribute-based encrypted exchange file are encapsulated to obtain an encapsulation structure, and a blockchain-based distributed indexing mechanism is constructed to bind the file encryption key with the access policy and store it on the blockchain.

[0030] Specifically, in this embodiment of the invention, the encrypted key ciphertext and the attribute-based encrypted exchange file are encapsulated to obtain an encapsulation structure, and then the encapsulation structure is burned onto a disc for transmission.

[0031] It should be noted that the embodiments of the present invention are designed to leverage the distributed ledger characteristics of blockchain, enabling real-time storage of permission change records and file transfer trajectories. This avoids the complexity of certificate management in existing public key systems and resolves the contradiction between key distribution and multi-point authorization in existing encryption methods, thus forming a unique technical advantage in terms of granular control of permissions and efficiency of cross-domain mutual recognition.

[0032] As described above, the embodiments of the present invention achieve file encryption through a trust mechanism based on attribute-based encryption and blockchain, combined with dynamic permission management of smart contracts. At the same time, it provides a distributed ledger-based encapsulation and storage structure, and achieves accurate matching of exchanged information and sensitive file content through attribute association. This satisfies the cross-domain transmission requirements of one-time encryption and multi-point decryption, and ensures traceability of permission changes through blockchain evidence storage, thereby preventing unauthorized access to relevant information by personnel handling the exchange process from a technical perspective.

[0033] It is understood that this invention provides a method for multi-point encrypted encapsulation, storage, and transmission of files. The method described in this invention can encrypt files based on a trust mechanism that integrates attribute-based encryption and blockchain, combined with dynamic permission management through smart contracts. At the same time, it provides an encapsulation and storage structure based on a distributed ledger, and achieves accurate matching between exchanged information and sensitive file content through attribute association. This not only meets the cross-domain transmission requirements of one-time encryption and multi-point decryption, but also ensures traceability of permission changes through blockchain evidence storage, thereby preventing unauthorized access to relevant information by personnel handling the exchange process from a technical perspective.

[0034] In specific implementation, the packaging structure described in this embodiment of the invention is as follows: D s =((FM s FM abs ),(FAs,FA abs ) n ), where D s Attribute-based encryption is a set of identifiers for the overall encapsulation structure of the file area, used to integrate related data of the secret transmission body and attachments; Among them, (FM) s FM abs ) is the main document unit, FM s Attribute-based encryption represents the ciphertext result of encrypting the secret transmission text with a symmetric key. Its data format is consistent with the output format of the encryption algorithm, including the initialization vector field and the encryption mode identifier field; FM abs Attribute-based encryption represents the digest information of the encrypted message, used to verify the integrity of the encrypted message before, during, and after encryption. (FA s ,FA abs Attribute-based encryption is a set of attachment file units, where the attribute-based encryption represents the number of attachments, and the attribute-based encryption FA is...s This represents the encrypted ciphertext result of a single attachment, whose encryption algorithm is consistent with the main body of the encrypted message, ensuring a unified decryption mechanism; FA abs Attribute-based encryption represents the digest information of the corresponding attachment, which is also generated using a hash algorithm; In terms of storage logic, the digest information attribute of each attachment is encrypted using FA. abs Attribute-based encryption follows its encryption result, attribute-based encryption FA. s After attribute-based encryption, paired storage units of attribute-based encryption "encryption result-digest" are formed, which facilitates the system to quickly establish an association mapping during file verification.

[0035] In specific implementation, in order to achieve rapid identity verification, this embodiment of the invention first calculates the digest value of the encrypted secret text (specifically, this invention calculates the corresponding digest value based on the recipient's attribute base; for example, if recipient A can only see words 1-3 of the secret text, then the digest value is calculated based on words 1-3). This digest value is stored together with the encrypted secret text in the corresponding data area and is associated with and bound to the recipient's signature information. During decryption, the corresponding file can be decrypted based only on the recipient's attribute base, and the integrity of the secret text can be quickly verified using the digest value verification.

[0036] Specifically, the element structure of the sender-related information is as follows: F s =(S u ,S p ,K p ,K abs Among them, F s For sender element identification; S u Structured information for the sender's organization, including the organization code field and hierarchical attribute field; S p This describes the sender's job title information, including job level parameters and permission scope parameters; K p The public key representing the sender serves as an index to the corresponding private key, ensuring the uniqueness and accuracy of key pairings; K abs The digest information of the sender's public key is generated into a fixed-length feature value using a hash algorithm. This feature value is used to verify the integrity of the public key and prevent it from being illegally tampered with during transmission or storage.

[0037] The following will combine Figure 2 The method described in the embodiments of the present invention will be explained and illustrated in detail through a specific example: To address the shortcomings of existing technologies in electronic document transmission, such as insufficient control over known content and limited encryption methods, this invention provides a method for multi-point encrypted encapsulation, storage, and exchange of files. The method described in this invention enables standardized encapsulation of electronic documents. Furthermore, by combining attribute-based encryption with a blockchain-based trust mechanism, this invention achieves dynamic access control encryption for sensitive files.

[0038] The method described in this invention can form encryption protection at each stage of electronic document transmission, accurately control the scope of knowledge of document content at different nodes, effectively solve the content leakage risk and knowledge access management problems existing in traditional transmission methods, and provide more reliable technical protection for the secure transmission of electronic documents.

[0039] Specifically, this invention enables precise definition of the encapsulation structure, implements hierarchical control over exchanged information, and deeply binds access permissions to user attributes (department, job level, business role, etc.), helping personnel at different levels configure differentiated information visibility permissions. Different types of personnel can match the corresponding permission range according to their attribute conditions and obtain exchanged information content that matches their responsibilities, ensuring both the accuracy and security of information transmission, while meeting the differentiated information access needs of different roles, and effectively preventing the disorderly spread of information.

[0040] Furthermore, this invention employs a symmetric key to encrypt the file content, while simultaneously using attribute-based encryption to strategically encapsulate the file encryption key. This dual encryption mechanism organically integrates the efficiency of symmetric encryption with the fine-grained access control of attribute-based encryption. It ensures efficient large-file encryption through the symmetric key while leveraging the attribute association characteristics of attribute-based encryption to achieve flexible control of attribute-based encryption through "one-time encryption, dynamic authorization," forming an encryption protection system that balances efficiency and security, providing superior technical protection for file encryption.

[0041] Meanwhile, this invention constructs a blockchain-based distributed indexing mechanism, binding encryption keys with preset access policies and storing them on the blockchain. This design enables file content encrypted once to be automatically decrypted and accessed by all authorized users who meet the attribute conditions. This ensures the convenience of encryption operations and, through the immutability of blockchain, achieves full traceability of permission changes, effectively meeting the file security sharing needs in multi-entity collaborative scenarios.

[0042] In practical implementation, this invention implements refined hierarchical management and control of exchanged information and exchanged documents during the electronic document exchange process. Specifically, it divides exchanged information into basic circulation information and sensitive core information, and exchanged documents into attachments and encrypted main text. Through preset attribute-permission mapping rules (such as a combination strategy of department attribute base encryption + attribute base encryption job level attribute base encryption + attribute base encryption business scenario), it achieves isolated storage and dynamic access control of information at different levels, ensuring that the information visibility range strictly matches the user attributes.

[0043] Meanwhile, this invention employs a hybrid encryption mechanism that integrates attribute-based encryption and blockchain, enabling the generation of encrypted data packets compatible with multi-attribute decryption entities through a single encryption operation on the target file. During the encryption process, the system first encrypts the file content using a symmetric key, then binds the symmetric key to a preset access policy via a smart contract and stores it on the blockchain, forming an association mapping between the key ciphertext, access policy, and file ciphertext, replacing the traditional public key indexing mechanism.

[0044] The method described in this invention ensures that intermediate personnel can only access basic circulation information and attachments that match their attributes, and cannot obtain the content of encrypted documents due to non-compliance with the access conditions for sensitive information. All authorized recipients meeting the preset attribute conditions can automatically verify their permissions and decrypt the same encrypted file via blockchain, without the need for separate key distribution. This design technically resolves the conflict between information confidentiality and authorized access in the multi-node circulation process of electronic documents, and is particularly suitable for the dynamic permission adjustment needs in cross-level, multi-entity collaborative office scenarios. Furthermore, blockchain-based evidence storage ensures full traceability of permission changes.

[0045] See Figure 2 The method described in this embodiment of the invention specifically includes: (1) Obtaining sender authentication information: The sender's identity information, as a core element of the encapsulation structure, is embedded in the trusted identifier field of the encapsulation header. Based on the preset permission tracing mechanism, the sender has the highest level of access permission to the encapsulation structure and can fully view all element information within the encapsulation, including but not limited to basic flow data and sensitive core fields in the exchanged information, metadata and encrypted content in the file information. At the same time, the sender has permission exemption characteristics, and can perform unrestricted reading, modification, replacement and permission reconfiguration operations on the files within the encapsulation structure without being subject to the preset permission control rules of the information layer control module, ensuring absolute control over core information throughout the entire file distribution process.

[0046] The elements of sender-related information are structured as follows: F s =(S u ,S p ,K p ,Kabs ), where F s For sender element identification; S u Structured information representing the sender's organization, including key fields such as organization code and hierarchical attributes; S p Used to describe the sender's job information, including characteristic parameters such as job level and scope of authority; K p The public key representing the sender can serve as a precise index to the corresponding private key in critical decryption scenarios or authentication processes, ensuring the uniqueness and accuracy of key pairings; K abs The hash algorithm generates a fixed-length feature value from the sender's public key digest. This feature value is used to verify the integrity of the public key and prevent it from being illegally tampered with during transmission or storage, thereby ensuring the trustworthiness of the encryption system.

[0047] Setting up exchange information: Exchange information, as a structured prompt element for the exchanged content, together with sender and recipient information, constitutes the core prompt information set in the document exchange process, providing crucial decision-making basis for intermediate personnel and the exchange system to perform document transfer operations. Its core content includes key attributes such as security classification, urgency level, and document title, each attribute being standardized and mapped through preset coding rules. The element structure of exchange information can be represented as: M s =(C,U,T), where C represents the security level parameter, used to identify the security level of the exchanged files. As a core control element in the file exchange process, its value usually defaults to the highest security level of the exchanged files, but can also be independently set to a different security level than the exchanged files according to actual business needs; U represents the urgency level parameter, used to quantify the urgency status of the exchanged files. The system can automatically match the exchange priority based on this parameter and select the corresponding transmission method and channel for file transfer; T represents the exchange title, which usually references the original title of the exchanged files, but can also be customized by the sender according to the business scenario. This title information has dynamic access control characteristics. During the file exchange process, the system can dynamically decide whether to display the title content based on the access level of the personnel, realizing controlled reading of the title information.

[0048] Setting access control information involves precisely limiting file operation permissions and access scope to further strengthen the security management of electronic documents during distribution and circulation. This controlled information directly affects the use of documents, effectively preventing their unauthorized dissemination and retention. Specific details include whether the document can be printed, limits on the number of times it can be read, and limits on the duration it can be read.

[0049] The basic structure is as follows: P c =(P,R nR(T), where P represents the print permission flag, a Boolean parameter. When the value is "true", printing the file is allowed; when the value is "false", any form of printing is prohibited, including direct printing, print preview and save as, and other indirect printing operations. n The `read count limit` parameter is a non-negative integer used to limit the maximum number of times a file can be decrypted and read. When this parameter is 1, a "read-and-burn" mechanism is triggered, meaning that after a file is read once, the system automatically clears the decrypted content cache and locks the file, preventing it from being opened and read again. The `T` parameter represents the reading time limit parameter, a timestamp range value used to set the valid duration for which the file can be normally accessed and read. When the current system time exceeds this range, the file will automatically become unreadable until permissions are reconfigured.

[0050] Generating a recipient list: In the electronic document exchange and distribution process, selecting recipients and generating a recipient list is a crucial preliminary step for achieving multi-point encryption and authorized access. To ensure the accuracy of key pairing and the credibility of recipient identities during encryption, it is necessary to obtain and verify complete recipient information in advance. This information specifically includes core data such as the recipient's public key information, affiliated organization, and position. There are two methods for obtaining this information: one is to retrieve pre-stored recipient information from a trusted local storage area within the system. This storage area uses an encrypted storage mechanism and is periodically updated in sync with the authentication source; the other is to obtain the information in real-time through an interface connected to an authoritative authentication platform. During this process, identity authentication and permission verification by the platform are required to ensure the timeliness and authenticity of the obtained information. The structure of the recipient list is as follows: F r =(R u ,R p ,K p ,K abs ), where F r Attribute-based encryption is used to identify the structural elements of a single recipient's information; R u Attribute-based encryption represents the structured information of the recipient's organization, including key parameters such as organization code and organization type, and is related to the attribute-based encryption S in the sender's element structure. u Maintaining a consistent format for attribute-based encrypted fields facilitates unified organizational structure mapping within the system; R p Attribute-based encryption is used to describe the recipient's job information, covering features such as job title and scope of authority, providing a job-related dimension for permission allocation; K p Attribute-based encryption, representing the recipient's public key, is a core element in the key encryption stage of multi-point encryption. Its format is compatible with the sender's public key to ensure the consistency of the encryption algorithm; K absAttribute-based encryption is a digest of the recipient's public key, generated using the same hash algorithm as the sender's public key digest. It is used to verify whether the recipient's public key has been tampered with during transmission or storage, ensuring the integrity of the public key. It should be noted that the recipient's element structure is consistent with the sender's element structure in terms of field composition to achieve standardization of identity information processing in the system. However, there is a fundamental difference between the two: the sender is unique throughout the entire file exchange process, that is, one encapsulation structure corresponds to only one sender; while the recipient exists in the form of a set, and one encapsulation structure can contain multiple recipients. Each recipient distinguishes and manages information through an independent attribute-based encryption structure. Multiple recipient information is associated and integrated through a unified recipient set identifier to form a complete recipient list, providing data support for multi-point encryption and authorized access.

[0051] In the file encryption process, the system first dynamically generates a file encryption key using an encryption algorithm. This key generation process employs a collaborative mechanism combining a pseudo-random number generator and a Hardware Security Module (HSM) to ensure the randomness and unpredictability of the key. The generated file encryption key uses a symmetric key system. The core advantage of choosing a symmetric key lies in its low computational complexity and fast processing speed during encryption and decryption. It is particularly suitable for encrypting large electronic documents and attachments, significantly improving encryption efficiency while maintaining encryption strength, thus meeting the business needs of efficient electronic document circulation. After generating the file encryption key, the system invokes a symmetric encryption algorithm to encrypt the encrypted text and associated attachments of the electronic document. During encryption, the encrypted text and attachments use independent encrypted data streams to ensure their isolation in encryption logic. After encryption, the system stores the encrypted text in the file area of ​​the encapsulated structure and the encrypted attachments in the attachment area of ​​the encapsulated structure, thus converting the original plaintext file into an encrypted file and preventing unauthorized access at the physical storage level. Meanwhile, to ensure file integrity during transmission and storage, all files (including the encrypted text and attachments) undergo digest processing. Specifically, the system calculates a digest value for the plaintext file before encryption. This digest value is stored along with the encrypted file in the corresponding data area and associated with the sender's signature information. At the receiving end, by recalculating the file digest and comparing it with the stored digest value, it is possible to quickly verify whether the file has been tampered with during transmission, further enhancing the security and reliability of file exchange.

[0052] The file area encapsulation structure is as follows: D s =((FM s FM abs ),(FA s ,FAabs )n), where D s Attribute-based encryption is a set of identifiers for the overall encapsulation structure of the file area, used to unify the related data of the encrypted text and attachments. (FM) s FM abs ) is the main document unit, FM s Attribute-based encryption represents the ciphertext result of encrypted secret text using a symmetric key. Its data format is consistent with the output format of the encryption algorithm, including auxiliary fields such as initialization vector and encryption mode identifier; FM abs Attribute-based encryption represents a digest of the encrypted message, used to verify the integrity of the encrypted message before, during, and after encryption. (FA) s ,FA abs Attribute-based encryption (n-attribute-based encryption) is a set of attachment file units, where n represents the number of attachments (n is a non-negative integer). The attribute-based encryption FA... s Attribute-based encryption represents the ciphertext result of a single attachment after encryption. Its encryption algorithm is consistent with the encrypted main text, ensuring a unified decryption mechanism; FA ab The s-attribute base encryption represents the digest information of the corresponding attachment, also generated using a hash algorithm. Logically, the digest information of each attachment is encrypted using the attribute base encryption FA. abs Attribute-based encryption follows its encryption result, attribute-based encryption FA. s After attribute-based encryption, paired storage units of attribute-based encryption "encryption result-digest" are formed, which facilitates the system to quickly establish an association mapping during file verification. It is important to note that in electronic document exchange scenarios, the confidential transmission text is unique and serves as the core content carrier of the entire document exchange. When the system needs to extract key information such as security classification, urgency, and title, it primarily extracts the relevant information from the confidential transmission text. This rule ensures the consistency and accuracy of information extraction, avoids confusion caused by differences in information from multiple attachments, and enables intermediate personnel and the exchange system to efficiently execute workflow decisions based on the confidential transmission text information.

[0053] After the dynamic generation of the file encryption key is completed, high-strength security protection is required to prevent the symmetric key from being illegally stolen or tampered with during transmission and storage. Based on the collaborative mechanism of attribute-based encryption and blockchain, the system uses a preset access strategy to strategically encapsulate the file encryption key, generating a unique key ciphertext. Specifically, the system constructs a multi-dimensional attribute combination strategy according to the confidentiality level and circulation requirements of the document, and calls the attribute-based encryption algorithm to bind and encrypt the file encryption key with the strategy, forming a key ciphertext suitable for decryption by multiple parties.

[0054] To achieve efficient matching during the decryption process, an association mapping relationship between access policies and blockchain permission indexes is established in the encapsulation structure, including policy feature values, key ciphertext hashes, and block index addresses. The policy feature values ​​are generated by standardizing the access policies and serve as the core field for permission matching. The block index address points to the blockchain block location where the key ciphertext is stored. Through the fast addressing capabilities of the distributed ledger, the efficiency of permission verification and ciphertext retrieval in cross-domain scenarios is significantly improved. Simultaneously, the immutability of the blockchain ensures the integrity and trustworthiness of the mapping relationship.

[0055] The key mapping structure in the encapsulation structure is as follows: R F =((K ph M k )n), where K ph M represents the key hash value of a recipient. k This represents the encryption result of encrypting the encryption key with this person's key; since there can be multiple recipients, this mapping relationship corresponds to multiple calculated values, forming a correspondence between recipients and encryption key ciphertext.

[0056] As described above, this invention refines the information in the electronic document exchange process by dividing the exchanged information into basic circulation information and sensitive core information. Through a preset attribute-based encryption-attribute-based encryption permission mapping rule, dynamic isolation control of storage and access for information at different levels is achieved. This layered management model deeply binds access permissions to user attributes, ensuring that sensitive information is only accessible to authorized personnel who meet the attribute conditions. This effectively improves the security of electronic documents during circulation, representing an innovative breakthrough in electronic document information management architecture, distinct from traditional single-method information management. Furthermore, this invention employs a hybrid encryption mechanism integrating attribute-based encryption and blockchain. In the document encryption process, the document content is first encrypted using a symmetric key, and then the symmetric key is bound to a preset access policy and stored on the blockchain via a smart contract, constructing an association mapping between the key ciphertext, access policy, and document ciphertext. This technology allows for the generation of encrypted data packets adapted to multiple attributes for decryption by encrypting the target file once. It leverages the efficiency of symmetric encryption for handling large files while utilizing the attribute association characteristics of attribute-based encryption to achieve flexible control of attribute-based encryption with "one-time encryption and dynamic authorization." This meets the specific needs of file encryption in multi-entity collaborative work scenarios and demonstrates significant innovation in the combined application of encryption algorithms and the design of encryption processes. Furthermore, the sender's identity information and initial authorization strategy are written as core elements into the blockchain's trusted storage area. Based on a preset smart contract permission mechanism, the sender has the highest-level permission configuration right for the encapsulated structure. All permission changes can be traced through on-chain transaction records, and access policies can be dynamically adjusted according to business needs (such as temporarily adding emergency access permissions, revoking permissions for departing employees, etc.), with all operations recorded on the blockchain. This dynamic control design for the entire lifecycle of permissions ensures the traceability and flexibility of permission adjustments throughout the entire file distribution process, making it innovative and unique in the field of electronic document permission management. Meanwhile, the file area of ​​this invention serves as a crucial region for storing core data. The secretly transmitted text and attachments are stored separately with corresponding blockchain hash digests, forming attribute-based encrypted paired storage units: "encryption result attribute-based encryption - attribute-based encryption on-chain digest". Furthermore, a distributed index clearly defines the uniqueness of the secretly transmitted text and the rules for extracting key information, ensuring consistency and accuracy in information extraction across domains. This file area encapsulation and management structure combines the immutability of blockchain with the advantages of distributed storage, demonstrating innovation in ensuring the orderliness and security of file storage, and differing from common centralized file storage structure designs.

[0057] In addition, embodiments of the present invention also provide a file multi-point encrypted encapsulation storage and transmission device, see [link to related document]. Figure 3 The device includes: The acquisition unit is used to acquire the exchange information and recipient information of the exchange file to be transmitted. The exchange information includes a security level parameter, an urgency level parameter, and an exchange header. The setting unit is used to set the recipient's attribute base according to the recipient's operation permissions and access scope for the exchanged files. The attribute base includes print permission parameters, reading count limit parameters, and reading time limit parameters. An encryption unit is used to perform attribute-based encryption on the exchanged file using a file encryption key based on the recipient's attribute base, so that the visibility range of the exchanged file matches the recipient's attribute base, and to encapsulate the file encryption key and the recipient's access policy in a policy-based manner through an attribute-based encryption algorithm to form a key ciphertext that is compatible with multi-subject decryption, wherein the file encryption key is randomly generated through a symmetric key system. The encapsulation unit is used to encapsulate the key ciphertext and the attribute-based encrypted exchange file to obtain an encapsulation structure, and to build a blockchain-based distributed indexing mechanism to bind the file encryption key with the access policy and store it on the blockchain.

[0058] In other words, this invention, through attribute-based encryption and attribute-based encryption permission mapping rules, divides information into different levels and implements dynamic isolation and control, accurately matching user attributes with information access scope, thus reducing the risk of sensitive information leakage at its source. Furthermore, based on attribute-based encryption and blockchain multi-point dynamic encryption technology, combining the efficiency of symmetric encryption with the fine-grained permission control characteristics of attribute-based encryption, it ensures efficient large file encryption processing while ensuring the immutability of key storage and permission changes through blockchain evidence storage. This forms a dual guarantee of attribute-based encryption: "encryption protection attribute-based encryption + attribute-based encryption trajectory traceability," significantly improving the security of electronic documents in all stages of transmission, storage, and use, effectively resisting illegal theft, tampering, and unauthorized access.

[0059] Furthermore, the multi-point dynamic encryption technology of this invention supports one-time encryption for decryption by all recipients meeting the attribute conditions, eliminating the need to generate encrypted data packets separately for each recipient, avoiding the cumbersome process of repeated encryption, and significantly reducing operation steps and system resource consumption. The standardized encapsulation and distributed management structure of attribute-based encryption in the file area, namely "encryption result attribute-based encryption - attribute-based encryption on-chain digest," not only makes file storage more orderly, but also enables rapid verification of file integrity in cross-domain scenarios by relying on blockchain hash digests, greatly reducing the time cost of file verification and the communication cost of cross-system collaboration, perfectly adapting to the efficient workflow needs of multi-entity collaborative office scenarios.

[0060] Furthermore, this invention employs a blockchain-based permission traceability and dynamic adjustment system. This system grants the sender ultimate control over permission configuration, enabling them to adjust access policies in real time via smart contracts (such as temporarily authorizing emergency transactions or revoking permissions for departing employees). It also ensures full traceability of permission changes through on-chain notarization. Simultaneously, by combining multiple attributes (such as department, job level, and business role), the system clearly defines the permission boundaries for different levels of personnel, ensuring that each person can only access information within the scope of their own attribute match. This permission management is both precise and dynamically adaptable, meeting the permission control requirements of electronic documents in complex workflows.

[0061] Furthermore, the encapsulation structure of this invention provides a unified and standardized technical framework for file processing, reducing system adaptation errors caused by structural differences and significantly improving operational stability. The standardized design of the information format enables seamless integration with existing electronic document systems, identity authentication platforms, and cross-departmental business systems, eliminating the need for large-scale modifications to existing systems, greatly reducing integration difficulty and promotion costs, and facilitating rapid implementation in the actual work of government agencies at all levels.

[0062] Furthermore, this embodiment of the invention also provides an encrypted terminal, which includes the aforementioned file multi-point encryption encapsulation storage and transmission device, so as to perform attribute-based encryption through the encrypted terminal, so that a single encryption can be used for corresponding decryption by all recipients that meet the attribute conditions.

[0063] In addition, this invention also provides a method for multi-point decryption of files, see [link to relevant documentation]. Figure 4 The method includes: S401. Obtain the attribute base information of the current decryption terminal, and calculate the digest based on the attribute base information; S402. Input the calculated summary information into the encapsulation structure, verify the permissions through the blockchain and decrypt the corresponding file accessed, and store the access record on the blockchain.

[0064] Specifically, in the decryption phase, the recipient initiates a decryption request by submitting their attribute-based encryption private key and identity attribute credentials. The system first verifies the match between the recipient's attribute set and the preset access policy based on the attribute whitelist stored on the blockchain. After successful verification, the system retrieves the corresponding ciphertext key from the blockchain index address. Subsequently, the recipient uses their attribute-based encryption private key to decrypt the ciphertext key, restoring the original file encryption key. Attribute-based encryption—this process does not require interaction with other nodes; authorization is completed solely through local attribute verification.

[0065] Finally, a symmetric decryption algorithm is invoked, and the restored file encryption key is used to decrypt the encrypted main text and attachments in the file area, yielding readable plaintext content, thus completing the entire authorized access process for the encrypted file. This mechanism replaces traditional public key pairing verification with attribute policies, eliminating the restriction of binding private keys to a single public key, and leveraging the distributed verification capabilities of blockchain to improve cross-domain decryption efficiency, perfectly adapting to the secure access requirements in multi-party dynamic authorization scenarios.

[0066] Accordingly, embodiments of the present invention also provide a decryption terminal, see [link to documentation]. Figure 5 The decryption terminal includes: The calculation unit is used to obtain the attribute base information of the current decryption terminal and calculate the digest based on the attribute base information; The decryption unit is used to input the calculated digest information into the encapsulation structure, verify the permissions through the blockchain, decrypt the corresponding file accessed, and store the access record on the blockchain.

[0067] Meanwhile, embodiments of the present invention also provide a computer-readable storage medium storing a computer program, which, when executed by a processor, implements any of the above-described methods for multi-point encrypted encapsulation, storage, and transmission of files, and multi-point decryption of files.

[0068] The relevant content of the device embodiment and storage medium embodiment of the present invention can be understood by referring to the method embodiment of the present invention, and will not be discussed in detail here.

[0069] Although preferred embodiments of the invention have been disclosed for illustrative purposes, those skilled in the art will recognize that various modifications, additions, and substitutions are possible, and therefore the scope of the invention should not be limited to the embodiments described above.

Claims

1. A method for multi-point encrypted encapsulation, storage, and transmission of files, characterized in that, The method includes: Obtain the exchange information and recipient information of the exchange file to be transmitted. The exchange information includes a security level parameter, an urgency level parameter, and an exchange header. The recipient's attribute base is set according to the recipient's operation permissions and access scope for the exchanged files. The attribute base includes unit attribute, department attribute, position attribute, print permission parameter, reading count limit parameter, and reading time limit parameter. Based on the recipient's attribute base, the exchanged file is encrypted using a file encryption key, so that the visibility range of the exchanged file matches the recipient's attribute base. The file encryption key and the recipient's access policy are encapsulated in a policy-based manner through an attribute base encryption algorithm to form a key ciphertext that is compatible with multi-subject decryption. The file encryption key is randomly generated using a symmetric key system. The key ciphertext and the attribute-based encrypted exchange file are encapsulated to obtain an encapsulation structure, and a blockchain-based distributed indexing mechanism is constructed to bind the file encryption key with the access policy and store it on the blockchain.

2. The method according to claim 1, characterized in that, The method further includes: The exchanged information is divided into basic flow information and sensitive core information, and the exchanged files are divided into attachments and encrypted text, so as to use the recipient's attribute base to perform hierarchical management of the exchanged information and the exchanged files.

3. The method according to claim 1, characterized in that, The step of encrypting the exchanged files using a file encryption key based on the recipient's attribute base includes: Based on the recipient's attribute base, the attachment, the secret transmission body, the basic flow information, and the sensitive core information are each encrypted using an independent file encryption key, so that the attachment, the secret transmission body, the basic flow information, and the sensitive core information are isolated in encryption logic; After encryption is completed, the encrypted transmitted text is stored in the file area of ​​the encapsulation structure, and the encrypted attachments, basic flow information and sensitive core information are stored in the attachment area of ​​the encapsulation structure to block unauthorized access from the physical storage level.

4. The method according to claim 3, characterized in that, Calculate the digest value of the encrypted secret message, store the digest value together with the encrypted secret message in the corresponding data area, and associate it with the recipient's signature information to verify the integrity of the secret message.

5. The method according to any one of claims 1-4, characterized in that, The method further includes: Obtain sender information and embed the obtained sender information into the trusted identifier field of the encapsulation structure header. The sender information includes structured information of the sender's organization, the sender's job title, the sender's public key, and a digest of the sender's public key. The structured information of the sender's organization includes an organization code field and a hierarchy attribute field; The sender's job information includes job level parameters and permission scope parameters; The sender's public key is the index of the sender's corresponding private key; The digest information of the sender's public key is a fixed-length feature value generated by a hash algorithm, which is used to verify the integrity of the public key.

6. A file multi-point encrypted encapsulation storage and transmission device, characterized in that, The device includes: The acquisition unit is used to acquire the exchange information and recipient information of the exchange file to be transmitted. The exchange information includes a security level parameter, an urgency level parameter, and an exchange header. The setting unit is used to set the recipient's attribute base according to the recipient's operation permissions and access scope for the exchanged files. The attribute base includes print permission parameters, reading count limit parameters, and reading time limit parameters. An encryption unit is used to perform attribute-based encryption on the exchanged file using a file encryption key based on the recipient's attribute base, so that the visibility range of the exchanged file matches the recipient's attribute base, and to encapsulate the file encryption key and the recipient's access policy in a policy-based manner through an attribute-based encryption algorithm to form a key ciphertext that is compatible with multi-subject decryption, wherein the file encryption key is randomly generated through a symmetric key system. The encapsulation unit is used to encapsulate the key ciphertext and the attribute-based encrypted exchange file to obtain an encapsulation structure, and to build a blockchain-based distributed indexing mechanism to bind the file encryption key with the access policy and store it on the blockchain.

7. An encrypted terminal, characterized in that, The encrypted terminal includes the device described in claim 6.

8. A method for multi-point decryption of a file, characterized in that, The method includes: Obtain the attribute base information of the current decryption terminal, and calculate the digest based on the attribute base information; The calculated summary information is input into the encapsulation structure, the access permissions are verified through the blockchain and the corresponding file is decrypted, and the access record is stored on the blockchain.

9. A decryption terminal, characterized in that, The decryption terminal includes: The calculation unit is used to obtain the attribute base information of the current decryption terminal and calculate the digest based on the attribute base information; The decryption unit is used to input the calculated digest information into the encapsulation structure, verify the permissions through the blockchain, decrypt the corresponding file accessed, and store the access record on the blockchain.

10. A computer-readable storage medium storing a computer program, which, when executed by a processor, implements the method for multi-point encrypted encapsulation, storage, and transmission of files as described in any one of claims 1-5 and the method for multi-point decryption of files as described in claim 8.