| 摘要 |
A method of performing an operation on a data storage(101) for storing data being encrypted with a key KD associated with an owner (102) of the data is provided. The method comprises deriving, for each authorized client Cj, a first key K Cj and a second key KTj, providing the client Cj with the first key KCj and providing a Trusted Third Party (TTP)(104) with the second key KTj. The method further comprises, at a Policy Enforcement Point (PEP)(103), receiving(401) a request for performing the operation on the data storage from a client Ck (105) of the authorized clients, acquiring(401) a first key KCk from the client Ck, acquiring(404–406) a second key KTk from the TTP, deriving(407) the key KD from the first key KCk and the second key KTk, and performing(408–411) the operation on the data storage using the derived key KD. The disclosed trust model is based on a two-part secret sharing involving the clients and the TTP. |
