| 摘要 |
Embodiments of the invention provide a method and system which allow for ready revocation of end user access rights by virtue of storing data in an encrypted form in a network environment, and using a trusted proxy server to re-encrypt the data itself to permit eventual decryption of the data by an authorised end user. However, if the end user's access rights are revoked then the trusted proxy does not perform the re-encryption of the data, and the end user is not then able to subsequently decrypt data stored in the network environment, even if it is able to access the data without permission. Embodiments therefore have advantages that access control is decoupled from data confidentiality to provide scalability, and revocation of user access rights can be accomplished without requiring re-encryption of the stored data. |
